
Firefox hijacked, Safe mode won't load but regular will

Discussion in 'Virus & Other Malware Removal' started by uscjas, Nov 29, 2009.

  1. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    Hello,

    After reading some of the more recent posts, it seems I may have a problem similar to the following post: "871963-browser-hijacked-keeps-redirecting." I think I was infected about 4 days ago. One night I received an error when logging off my laptop; I think I hit End Program so it would shut down, and the next day when I turned my laptop on I noticed the problem.

    My symptoms include:

    -Blue Screen when trying to boot to Safe mode - STOP: 0x0000007E (0xC0000005, 0x80537009, 0xF7AEA508, 0xF7AEA204)
    -Windows Media Center not working... when you double-click it, it does show an instance running in Processes; it just never opens.
    -Initially, I was getting redirects in Firefox when using Google or Bing. Now I am getting tabs that randomly open of their own accord.

    I too have CA security installed... I have always been less than impressed with its ability to detect and block anything. That's why I keep the free version of Malwarebytes on my computer as a backup. However, the current piece of malware infecting my computer has been elusive. In an attempt to detect it, I have run the following:

    1) CA (of course)
    2) malwarebytes - I have a log
    3) avira (online CD and rescue CD w/o update)
    4) kaspersky (rescue CD w/o update) - free online scan is currently down - I have a log of rescue cd
    5) bitdefender & chkrootkit (online quickscan and rescue CD w/o update)
    6) trendmicro housecall (online)
    7) superantispyware - I have a log
    8) GMER - I have a log

    Please find the hijackthis log posted below. I may post GMER in the next thread, as I think it will also be helpful (both were run within the last hour and a half).

    Thanks! Jessica

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:54:00, on 11/29/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 8916 bytes
     
  2. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    Please find the GMER log attached. Thanks!
     


  3. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    Bump
     
  4. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    Please help! I have continued to research to try and fix this on my own with no luck. Last night I found a thread here that is almost identical to my problem and NeonFx solved it!

    I don't dare use ComboFix or The Avenger on my own. I could really use some instruction.

    I re-ran a number of scans last night.

    -SuperAntiSpyware, MBAM and Kaspersky Online all came up with nothing!

    I will post the quickscan GMER log and the HJT log below, and attach the long GMER log and OTS log. Thank you in advance!

    GMER 1.0.15.15252 - http://www.gmer.net
    Rootkit quick scan 2009-12-05 01:04:57
    Windows 5.1.2600 Service Pack 3
    Running: 6tol09ym.1.2D0D17.exe; Driver: C:\DOCUME~1\JESS&S~1\LOCALS~1\Temp\pxrdipod.sys


    ---- System - GMER 1.0.15 ----

    Code \??\C:\DOCUME~1\JESS&S~1\LOCALS~1\Temp\catchme.sys pIofCallDriver

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs KmxFile.sys (HIPS File Guard driver/CA)
    AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs kmxagent.sys (HIPS Agent Driver/CA)
    AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

    Device \Driver\Tcpip \Device\Ip kmxfw.sys (HIPS Firewall Driver/CA)
    Device \Driver\Tcpip \Device\Tcp kmxfw.sys (HIPS Firewall Driver/CA)
    Device \Driver\Tcpip \Device\Udp kmxfw.sys (HIPS Firewall Driver/CA)
    Device \Driver\Tcpip \Device\RawIp kmxfw.sys (HIPS Firewall Driver/CA)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 872FF369

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:39:11, on 12/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
    C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [CaPPcl] C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe /scan /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 8194 bytes
     


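    Two entries in the GMER quick-scan log above differ in kind from the rest. Every other Devices entry resolves to a named driver file with a description and vendor (CA's HIPS and antivirus filters on \Ntfs and the TCP/IP stack, the Synaptics touchpad filter on the keyboard class), while the line "Device -> \Driver\atapi \Device\Harddisk0\DR0 872FF369" gives only a raw kernel address for the disk device, and the Files section reports atapi.sys as a "suspicious modification". As an added example (not part of this thread and not GMER's own code), here is a small Python triage script that separates filter drivers GMER could attribute to a module from hooks it could only report as a bare address, and collects the modified-file findings. The sample log is constructed from the lines posted above; how it parses section headers and the "Device ->" form is inferred from those lines alone and is an assumption about the rest of GMER's format.

```python
"""Triage a GMER quick-scan log: separate filter drivers that GMER could
attribute to a driver file and vendor from hooks it could only report as a
bare kernel address, and collect 'suspicious modification' file findings.

Added example, not code from the original post or from GMER. SAMPLE_LOG is
constructed from the lines posted in this thread; the handling of section
headers and of the 'Device ->' form is inferred from those lines alone.
"""
import re
from dataclasses import dataclass
from typing import Optional

SECTION_RE = re.compile(r"^---- (\w+) - GMER ")
DEVICE_RE = re.compile(
    r"^(?P<kind>AttachedDevice|Device)(?:\s+->)?\s+"
    r"(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<handler>\S+)"
    r"(?:\s+\((?P<desc>.*)\))?$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>[A-Za-z]:\\\S+)\s+(?P<verdict>.+)$")
ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # 32-bit kernel address as GMER prints it

# Constructed from the quick-scan log posted in this thread.
SAMPLE_LOG = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs KmxFile.sys (HIPS File Guard driver/CA)
AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

Device \Driver\Tcpip \Device\Tcp kmxfw.sys (HIPS Firewall Driver/CA)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 872FF369

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""


@dataclass
class DeviceHook:
    kind: str              # AttachedDevice (filter) or Device (dispatch entry)
    driver: str            # driver object the entry belongs to
    device: str            # device object being filtered or hooked
    handler: str           # module file name, or a bare address if GMER named no module
    vendor: Optional[str]  # trailing part of GMER's "(description/vendor)" text


def triage(log_text: str) -> dict:
    """Walk the log section by section and bucket each entry."""
    out = {"attributed": [], "unattributed": [], "modified_files": []}
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if not line:
            continue
        if section == "Devices":
            m = DEVICE_RE.match(line)
            if not m:
                continue
            desc = m.group("desc")
            vendor = desc.rsplit("/", 1)[-1] if desc else None
            hook = DeviceHook(m.group("kind"), m.group("driver"),
                              m.group("device"), m.group("handler"), vendor)
            # No module and no description, only a raw address: GMER could not
            # tie the code handling this device to any driver image it knows.
            if desc is None and ADDR_RE.match(hook.handler):
                out["unattributed"].append(hook)
            else:
                out["attributed"].append(hook)
        elif section == "Files":
            m = FILE_RE.match(line)
            if m and m.group("verdict") == "suspicious modification":
                out["modified_files"].append(m.group("path"))
    return out


def report(result: dict) -> str:
    lines = []
    for h in result["unattributed"]:
        lines.append(f"REVIEW  {h.device} on {h.driver}: handler at {h.handler}, no owning module")
    for p in result["modified_files"]:
        lines.append(f"REVIEW  {p}: flagged by GMER as 'suspicious modification'")
    for h in result["attributed"]:
        lines.append(f"known   {h.device}: {h.handler} ({h.vendor})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

    The point of the split is that filter drivers on \Ntfs or the keyboard stack are normal on a machine running a HIPS/antivirus suite and a touchpad driver, so the reviewer's attention goes to the one disk-stack entry that has no module behind it, together with the modified atapi.sys it sits on.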
  5. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Hello there, and welcome to the TSG Forums.
    My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.


    Please note the following:

    • The fixes are specific to your problem and should only be used on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
    • It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.




    Step 1


    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
    • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

      "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
    • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
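    The -v log that this step asks for records two checks worth being able to read. Under ScanServices it looks up known rootkit service names (UACd.sys, TDSSserv.sys and others) and logs "Open/Create key error 2" for each; Win32 error 2 is ERROR_FILE_NOT_FOUND, so those service keys are simply absent. Under UnhookRegistry it logs a "local addr" for NtEnumerateKey from a copy of the kernel image mapped at "Kernel local addr", the "real addr" read from the running kernel, and a "calc addr"; the posted numbers satisfy calc = local_addr - local_base + kernel_base, that is, the on-disk table entry relocated to the live kernel base, and a hook would show up as real differing from calc. As an added example (not part of this thread and not TDSSKiller's own code), here is a Python script that parses those lines and re-derives the relocation check. The first sample is built from the log lines posted later in this thread; the second adds two constructed lines for a hypothetical hooked service, NtQueryDirectoryFile, which does not appear in the real log.

```python
"""Parse TDSSKiller -v log lines and re-derive the SDT relocation check it
logs under UnhookRegistry, plus the ScanServices presence check.

Added example; not part of the original post or of TDSSKiller. CLEAN_LOG is
built from lines posted in this thread; HOOKED_LOG appends two constructed
lines for a hypothetical hooked service that is not in the real log.
"""
import re
from dataclasses import dataclass

KERNEL_BASE_RE = re.compile(r"Kernel module file name: \S+, base addr: ([0-9A-Fa-f]+)")
LOCAL_BASE_RE = re.compile(r"Kernel local addr: ([0-9A-Fa-f]+)")
SVC_ADDR_RE = re.compile(r"(Nt\w+) (local|real) addr: ([0-9A-Fa-f]+)")
SEARCH_RE = re.compile(r"ScanServices: Searching service (\S+)")
KEYERR_RE = re.compile(r"ScanServices: Open/Create key error (\d+)")
ERROR_FILE_NOT_FOUND = 2  # Win32 error 2: the service's registry key does not exist

# Lines taken from the TDSSKiller log posted in this thread.
CLEAN_LOG = r"""
23:42:35:156 1296 ScanServices: Searching service UACd.sys
23:42:35:156 1296 ScanServices: Open/Create key error 2
23:42:35:156 1296 ScanServices: Searching service TDSSserv.sys
23:42:35:156 1296 ScanServices: Open/Create key error 2
23:42:35:156 1296 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
23:42:35:156 1296 UnhookRegistry: Kernel local addr: 1030000
23:42:35:250 1296 UnhookRegistry: NtEnumerateKey service number (local): 47
23:42:35:250 1296 UnhookRegistry: NtEnumerateKey local addr: 117CFF2
23:42:35:250 1296 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
23:42:35:250 1296 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
"""

# Constructed: a hypothetical service whose live table entry points outside
# the kernel image. These two lines are not from the real log.
HOOKED_LOG = CLEAN_LOG + r"""
23:42:35:250 1296 UnhookRegistry: NtQueryDirectoryFile local addr: 11B0F5E
23:42:35:250 1296 UnhookRegistry: NtQueryDirectoryFile real addr: F7AB3120
"""


@dataclass
class SdtCheck:
    service: str
    expected: int  # on-disk table entry relocated to the running kernel's base
    actual: int    # live table entry as logged by the tool

    @property
    def hooked(self) -> bool:
        return self.expected != self.actual


def relocate(local_addr: int, local_base: int, kernel_base: int) -> int:
    """Same RVA, different base: map an address inside the locally mapped
    kernel image to where that byte lives in the running kernel."""
    return local_addr - local_base + kernel_base


def parse_tdsskiller(log_text: str) -> dict:
    info = {"kernel_base": None, "local_base": None, "services": {}, "absent_services": []}
    pending_service = None
    for line in log_text.splitlines():
        if (m := KERNEL_BASE_RE.search(line)):
            info["kernel_base"] = int(m.group(1), 16)
        elif (m := LOCAL_BASE_RE.search(line)):
            info["local_base"] = int(m.group(1), 16)
        elif (m := SVC_ADDR_RE.search(line)):
            svc, which, addr = m.groups()
            info["services"].setdefault(svc, {})[which] = int(addr, 16)
        elif (m := SEARCH_RE.search(line)):
            pending_service = m.group(1)
        elif (m := KEYERR_RE.search(line)) and pending_service:
            if int(m.group(1)) == ERROR_FILE_NOT_FOUND:
                info["absent_services"].append(pending_service)
            pending_service = None
    return info


def verify_sdt(info: dict) -> list:
    """Recompute the expected entry for every service with both addresses."""
    checks = []
    for svc, addrs in info["services"].items():
        if "local" not in addrs or "real" not in addrs:
            continue
        expected = relocate(addrs["local"], info["local_base"], info["kernel_base"])
        checks.append(SdtCheck(svc, expected, addrs["real"]))
    return checks


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_LOG), ("hooked", HOOKED_LOG)):
        info = parse_tdsskiller(text)
        print(f"[{name}] absent services: {', '.join(info['absent_services'])}")
        for c in verify_sdt(info):
            verdict = "HOOKED" if c.hooked else "ok"
            print(f"[{name}] {c.service}: expected {c.expected:08X}, live {c.actual:08X} -> {verdict}")
```

    The check only catches table-entry replacement. A rootkit that leaves the table alone and patches the first bytes of the function instead is what the separate "No splicing found" line in the same log refers to, and a disk-stack hook of the kind GMER reported on \Device\Harddisk0\DR0 is outside the SDT altogether, which is why the tool goes on to scan kernel memory after this step.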
     
  6. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    Host Name: FAMILYROOM
    OS Name: Microsoft Windows XP Professional
    OS Version: 5.1.2600 Service Pack 3 Build 2600
    OS Manufacturer: Microsoft Corporation
    OS Configuration: Standalone Workstation
    OS Build Type: Multiprocessor Free
    Registered Owner: JESS & SHEILA
    Registered Organization:
    Product ID: 76487-OEM-0011903-00825
    Original Install Date: 3/21/2006, 23:58:33
    System Up Time: 0 Days, 0 Hours, 16 Minutes, 13 Seconds
    System Manufacturer: Dell Inc.
    System Model: MM061
    System type: X86-based PC
    Processor(s): 1 Processor(s) Installed.
    [01]: x86 Family 6 Model 14 Stepping 8 GenuineIntel ~1662 Mhz
    BIOS Version: DELL - 27d60301
    Windows Directory: C:\WINDOWS
    System Directory: C:\WINDOWS\system32
    Boot Device: \Device\HarddiskVolume2
    System Locale: en-us;English (United States)
    Input Locale: en-us;English (United States)
    Time Zone: (GMT-05:00) Eastern Time (US & Canada)
    Total Physical Memory: 1,014 MB
    Available Physical Memory: 607 MB
    Virtual Memory: Max Size: 2,048 MB
    Virtual Memory: Available: 2,001 MB
    Virtual Memory: In Use: 47 MB
    Page File Location(s): C:\pagefile.sys
    Domain: MSHOME
    Logon Server: \\FAMILYROOM
    Hotfix(s): 219 Hotfix(s) Installed.
    [01]: EmeraldQFE2 - Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
    [02]: File 1
    [03]: File 1
    [04]: File 1
    [05]: File 1
    [06]: File 1
    [07]: File 1
    [08]: File 1
    [09]: File 1
    [10]: File 1
    [11]: File 1
    [12]: File 1
    [13]: File 1
    [14]: File 1
    [15]: File 1
    [16]: File 1
    [17]: File 1
    [18]: File 1
    [19]: File 1
    [20]: File 1
    [21]: File 1
    [22]: File 1
    [23]: File 1
    [24]: File 1
    [25]: File 1
    [26]: File 1
    [27]: File 1
    [28]: File 1
    [29]: File 1
    [30]: File 1
    [31]: File 1
    [32]: File 1
    [33]: File 1
    [34]: File 1
    [35]: File 1
    [36]: File 1
    [37]: File 1
    [38]: File 1
    [39]: File 1
    [40]: File 1
    [41]: File 1
    [42]: File 1
    [43]: File 1
    [44]: File 1
    [45]: File 1
    [46]: File 1
    [47]: File 1
    [48]: File 1
    [49]: File 1
    [50]: File 1
    [51]: File 1
    [52]: File 1
    [53]: File 1
    [54]: File 1
    [55]: File 1
    [56]: File 1
    [57]: File 1
    [58]: File 1
    [59]: File 1
    [60]: File 1
    [61]: File 1
    [62]: File 1
    [63]: File 1
    [64]: File 1
    [65]: File 1
    [66]: File 1
    [67]: File 1
    [68]: File 1
    [69]: File 1
    [70]: File 1
    [71]: File 1
    [72]: File 1
    [73]: File 1
    [74]: File 1
    [75]: File 1
    [76]: File 1
    [77]: File 1
    [78]: File 1
    [79]: File 1
    [80]: File 1
    [81]: File 1
    [82]: File 1
    [83]: File 1
    [84]: File 1
    [85]: File 1
    [86]: File 1
    [87]: File 1
    [88]: File 1
    [89]: File 1
    [90]: File 1
    [91]: File 1
    [92]: File 1
    [93]: File 1
    [94]: Q147222
    [95]: KB887998 - QFE
    [96]: KB930494 - QFE
    [97]: KB953295 - QFE
    [98]: SP3 - SP
    [99]: M953297 - Update
    [100]: S867460 - Update
    [101]: KB900325 - Update
    [102]: Q927978
    [103]: Q936181
    [104]: Q954430
    [105]: Q973688
    [106]: IDNMitigationAPIs - Update
    [107]: NLSDownlevelMapping - Update
    [108]: KB929399
    [109]: KB952069_WM9
    [110]: KB954155_WM9
    [111]: KB968816_WM9
    [112]: KB973540_WM9
    [113]: KB911565
    [114]: KB913800
    [115]: KB917734_WMP10
    [116]: KB926251
    [117]: KB936782_WMP10
    [118]: EmeraldQFE2 - Update
    [119]: KB936782_WMP11
    [120]: KB939683
    [121]: KB954154_WM11
    [122]: KB959772_WM11
    [123]: KB925398_WMP64
    [124]: KB923689
    [125]: KB941569
    [126]: KB928090-IE7 - Update
    [127]: KB929969 - Update
    [128]: KB931768-IE7 - Update
    [129]: KB933566-IE7 - Update
    [130]: KB937143-IE7 - Update
    [131]: KB938127-IE7 - Update
    [132]: KB939653-IE7 - Update
    [133]: KB942615-IE7 - Update
    [134]: KB944533-IE7 - Update
    [135]: KB947864-IE7 - Update
    [136]: KB950759-IE7 - Update
    [137]: KB953838-IE7 - Update
    [138]: KB956390-IE7 - Update
    [139]: KB958215-IE7 - Update
    [140]: KB960714-IE7 - Update
    [141]: KB961260-IE7 - Update
    [142]: KB963027-IE7 - Update
    [143]: KB969897-IE8 - Update
    [144]: KB971180-IE8 - Update
    [145]: KB971961-IE8 - Update
    [146]: KB972260-IE8 - Update
    [147]: KB974455-IE8 - Update
    [148]: KB976749-IE8 - Update
    [149]: MSCompPackV1 - Update
    [150]: KB936929 - Service Pack
    [151]: KB953295 - Update
    [152]: KB923561 - Update
    [153]: KB938464 - Update
    [154]: KB946648 - Update
    [155]: KB950760 - Update
    [156]: KB950762 - Update
    [157]: KB950974 - Update
    [158]: KB951066 - Update
    [159]: KB951072-v2 - Update
    [160]: KB951376 - Update
    [161]: KB951376-v2 - Update
    [162]: KB951698 - Update
    [163]: KB951748 - Update
    [164]: KB951978 - Update
    [165]: KB952004 - Update
    [166]: KB952287 - Update
    [167]: KB952954 - Update
    [168]: KB953839 - Update
    [169]: KB954211 - Update
    [170]: KB954459 - Update
    [171]: KB954600 - Update
    [172]: KB955069 - Update
    [173]: KB955839 - Update
    [174]: KB956391 - Update
    [175]: KB956572 - Update
    [176]: KB956744 - Update
    [177]: KB956802 - Update
    [178]: KB956803 - Update
    [179]: KB956841 - Update
    [180]: KB956844 - Update
    [181]: KB957095 - Update
    [182]: KB957097 - Update
    [183]: KB958644 - Update
    [184]: KB958687 - Update
    [185]: KB958690 - Update
    [186]: KB958869 - Update
    [187]: KB959426 - Update
    [188]: KB960225 - Update
    [189]: KB960715 - Update
    [190]: KB960803 - Update
    [191]: KB960859 - Update
    [192]: KB961371 - Update
    [193]: KB961373 - Update
    [194]: KB961501 - Update
    [195]: KB967715 - Update
    [196]: KB968389 - Update
    [197]: KB968537 - Update
    [198]: KB969059 - Update
    [199]: KB969898 - Update
    [200]: KB969947 - Update
    [201]: KB970238 - Update
    [202]: KB970653-v3 - Update
    [203]: KB971486 - Update
    [204]: KB971557 - Update
    [205]: KB971633 - Update
    [206]: KB971657 - Update
    [207]: K

    NetWork Card(s): 3 NIC(s) Installed.
    [01]: Intel(R) PRO/Wireless 3945ABG Network Connection
    Connection Name: Wireless Network Connection
    DHCP Enabled: Yes
    DHCP Server: 192.168.1.1
    IP address(es)
    [01]: 192.168.1.3
    [02]: Broadcom 440x 10/100 Integrated Controller
    Connection Name: Local Area Connection
    [03]: 1394 Net Adapter
    Connection Name: 1394 Connection
    23:42:35:16 1296 ForceUnloadDriver: NtUnloadDriver error 2
    23:42:35:31 1296 ForceUnloadDriver: NtUnloadDriver error 2
    23:42:35:31 1296 ForceUnloadDriver: NtUnloadDriver error 2
    23:42:35:63 1296 main: Driver KLMD successfully dropped
    23:42:35:109 1296 main: Driver KLMD successfully loaded
    23:42:35:109 1296
    Scanning Registry ...
    23:42:35:156 1296 ScanServices: Searching service UACd.sys
    23:42:35:156 1296 ScanServices: Open/Create key error 2
    23:42:35:156 1296 ScanServices: Searching service TDSSserv.sys
    23:42:35:156 1296 ScanServices: Open/Create key error 2
    23:42:35:156 1296 ScanServices: Searching service gaopdxserv.sys
    23:42:35:156 1296 ScanServices: Open/Create key error 2
    23:42:35:156 1296 ScanServices: Searching service gxvxcserv.sys
    23:42:35:156 1296 ScanServices: Open/Create key error 2
    23:42:35:156 1296 ScanServices: Searching service MSIVXserv.sys
    23:42:35:156 1296 ScanServices: Open/Create key error 2
    23:42:35:156 1296 UnhookRegistry: Kernel module file name: C:\windows\system32\ntkrnlpa.exe, base addr: 804D7000
    23:42:35:156 1296 UnhookRegistry: Kernel local addr: 1030000
    23:42:35:172 1296 UnhookRegistry: KeServiceDescriptorTable addr: 10B5700
    23:42:35:234 1296 UnhookRegistry: KiServiceTable addr: 105D460
    23:42:35:250 1296 UnhookRegistry: NtEnumerateKey service number (local): 47
    23:42:35:250 1296 UnhookRegistry: NtEnumerateKey local addr: 117CFF2
    23:42:35:250 1296 KLMD_OpenDevice: Trying to open KLMD device
    23:42:35:250 1296 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
    23:42:35:250 1296 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
    23:42:35:250 1296 KLMD_ReadMem: Trying to ReadMemory 0x805002C9[0x4]
    23:42:35:250 1296 UnhookRegistry: NtEnumerateKey service number (kernel): 47
    23:42:35:250 1296 KLMD_ReadMem: Trying to ReadMemory 0x8050457C[0x4]
    23:42:35:250 1296 UnhookRegistry: NtEnumerateKey real addr: 80623FF2
    23:42:35:250 1296 UnhookRegistry: NtEnumerateKey calc addr: 80623FF2
    23:42:35:250 1296 UnhookRegistry: No SDT hooks found on NtEnumerateKey
    23:42:35:250 1296 KLMD_ReadMem: Trying to ReadMemory 0x80623FF2[0xA]
    23:42:35:250 1296 UnhookRegistry: No splicing found on NtEnumerateKey
    23:42:35:250 1296
    Scanning Kernel memory ...
    23:42:35:250 1296 KLMD_OpenDevice: Trying to open KLMD device
    23:42:35:266 1296 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
    23:42:35:266 1296 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
    23:42:35:266 1296 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8731BA08
    23:42:35:266 1296 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
    23:42:35:266 1296 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 87316C68
    23:42:35:266 1296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87316C68
    23:42:35:266 1296 KLMD_ReadMem: Trying to ReadMemory 0x87316C68[0x38]
    23:42:35:266 1296 DetectCureTDL3: DRIVER_OBJECT addr: 8731BA08
    23:42:35:266 1296 KLMD_ReadMem: Trying to ReadMemory 0x8731BA08[0xA8]
    23:42:35:266 1296 KLMD_ReadMem: Trying to ReadMemory 0xE1021CA0[0x208]
    23:42:35:266 1296 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (0) addr: F76C3BB0
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (2) addr: F76C3BB0
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (3) addr: F76BDD1F
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (4) addr: F76BDD1F
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (9) addr: F76BE2E2
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (14) addr: F76BE3BB
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (15) addr: F76C1F28
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (16) addr: F76BE2E2
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (22) addr: F76BFC82
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (23) addr: F76C499E
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    23:42:35:266 1296 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    23:42:35:266 1296 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
    23:42:35:266 1296 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
    23:42:35:359 1296 DetectCureTDL3: 1 Curr stack PDEVICE_OBJECT: 87334C68
    23:42:35:359 1296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87334C68
    23:42:35:359 1296 KLMD_ReadMem: Trying to ReadMemory 0x87334C68[0x38]
    23:42:35:359 1296 DetectCureTDL3: DRIVER_OBJECT addr: 8731BA08
    23:42:35:359 1296 KLMD_ReadMem: Trying to ReadMemory 0x8731BA08[0xA8]
    23:42:35:359 1296 KLMD_ReadMem: Trying to ReadMemory 0xE1021CA0[0x208]
    23:42:35:359 1296 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    23:42:35:359 1296 DetectCureTDL3: IrpHandler (0) addr: F76C3BB0
    23:42:35:359 1296 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    23:42:35:359 1296 DetectCureTDL3: IrpHandler (2) addr: F76C3BB0
    23:42:35:359 1296 DetectCureTDL3: IrpHandler (3) addr: F76BDD1F
    23:42:35:359 1296 DetectCureTDL3: IrpHandler (4) addr: F76BDD1F
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (9) addr: F76BE2E2
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (14) addr: F76BE3BB
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (15) addr: F76C1F28
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (16) addr: F76BE2E2
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (22) addr: F76BFC82
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (23) addr: F76C499E
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    23:42:35:375 1296 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
    23:42:35:375 1296 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
    23:42:35:375 1296 DetectCureTDL3: 2 Curr stack PDEVICE_OBJECT: 8737BC68
    23:42:35:375 1296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8737BC68
    23:42:35:375 1296 KLMD_ReadMem: Trying to ReadMemory 0x8737BC68[0x38]
    23:42:35:375 1296 DetectCureTDL3: DRIVER_OBJECT addr: 8731BA08
    23:42:35:375 1296 KLMD_ReadMem: Trying to ReadMemory 0x8731BA08[0xA8]
    23:42:35:375 1296 KLMD_ReadMem: Trying to ReadMemory 0xE1021CA0[0x208]
    23:42:35:375 1296 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (0) addr: F76C3BB0
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (1) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (2) addr: F76C3BB0
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (3) addr: F76BDD1F
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (4) addr: F76BDD1F
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (5) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (6) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (7) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (8) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (9) addr: F76BE2E2
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (10) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (11) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (12) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (13) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (14) addr: F76BE3BB
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (15) addr: F76C1F28
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (16) addr: F76BE2E2
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (17) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (18) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (19) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (20) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (21) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (22) addr: F76BFC82
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (23) addr: F76C499E
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (24) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (25) addr: 804F4562
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (26) addr: 804F4562
    23:42:35:375 1296 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\Disk.sys
    23:42:35:375 1296 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\Disk.sys
    23:42:35:375 1296 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 8737CAB8
    23:42:35:375 1296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8737CAB8
    23:42:35:375 1296 DetectCureTDL3: 3 Curr stack PDEVICE_OBJECT: 87380940
    23:42:35:375 1296 KLMD_GetLowerDeviceObject: Trying to get lower device object for 87380940
    23:42:35:375 1296 KLMD_ReadMem: Trying to ReadMemory 0x87380940[0x38]
    23:42:35:375 1296 DetectCureTDL3: DRIVER_OBJECT addr: 87335030
    23:42:35:375 1296 KLMD_ReadMem: Trying to ReadMemory 0x87335030[0xA8]
    23:42:35:375 1296 KLMD_ReadMem: Trying to ReadMemory 0x87381030[0x38]
    23:42:35:375 1296 KLMD_ReadMem: Trying to ReadMemory 0x87382630[0xA8]
    23:42:35:375 1296 KLMD_ReadMem: Trying to ReadMemory 0xE1BB56A8[0x208]
    23:42:35:375 1296 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (0) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (1) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (2) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (3) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (4) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (5) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (6) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (7) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (8) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (9) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (10) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (11) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (12) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (13) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (14) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (15) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (16) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (17) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (18) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (19) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (20) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (21) addr: 8733E369
    23:42:35:375 1296 DetectCureTDL3: IrpHandler (22) addr: 8733E369
    23:42:35:391 1296 DetectCureTDL3: IrpHandler (23) addr: 8733E369
    23:42:35:391 1296 DetectCureTDL3: IrpHandler (24) addr: 8733E369
    23:42:35:391 1296 DetectCureTDL3: IrpHandler (25) addr: 8733E369
    23:42:35:391 1296 DetectCureTDL3: IrpHandler (26) addr: 8733E369
    23:42:35:391 1296 DetectCureTDL3: All IRP handlers pointed to one addr: 8733E369
    23:42:35:391 1296 KLMD_ReadMem: Trying to ReadMemory 0x8733E369[0x400]
    23:42:35:391 1296 TDL3_HookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89
    23:42:35:391 1296 Driver atapi infected by TDSS rootkit ... 23:42:35:391 1296 TDL3_HookCure: Processing driver in memory: atapi
    23:42:35:391 1296 KLMD_WriteMem: Trying to WriteMemory 0x8733E3CE[0xD]
    23:42:35:391 1296 cured
    23:42:35:391 1296 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
    23:42:35:391 1296 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
    23:42:35:391 1296 File C:\WINDOWS\system32\Drivers\atapi.sys infected by TDSS rootkit ... 23:42:35:391 1296 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\Drivers\atapi.sys
    23:42:35:391 1296 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
    23:42:35:391 1296 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\Drivers\atapi.sys
    23:42:35:531 1296 cured
    23:42:35:531 1296
    Completed

    Results:
    23:42:35:531 1296 Infected / Cured drivers in memory: 1 / 1
    23:42:35:531 1296 Infected / Cured drivers on disk: 1 / 1
    23:42:35:531 1296 Files deleted on next reboot: 0
    23:42:35:531 1296 Registry nodes deleted on next reboot: 0
    23:42:35:531 1296
     
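The check that caught atapi in the log above is visible in the lines themselves: every IRP major-function slot of its DRIVER_OBJECT pointed at one address (8733E369), while disk.sys had the usual mix of driver-image and kernel handlers. Here is an added Python example, not TDSSKiller's code, that parses DetectCureTDL3 lines in this format and applies that heuristic; the sample log it scans is constructed after the thread's output.

```python
"""Parse TDSSKiller-style DetectCureTDL3 output and apply the heuristic the log
reports as "All IRP handlers pointed to one addr".

Added example, not TDSSKiller's own code. The sample log is constructed after
the format in the thread, not copied from the poster's machine.
"""
import re
from collections import OrderedDict

DRIVER_RE = re.compile(r"DetectCureTDL3: DRIVER_OBJECT name: (\S+), Driver Name: (\S+)")
IRP_RE = re.compile(r"DetectCureTDL3: IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")

# The thread's log prints slots 0..26 for each DRIVER_OBJECT.
IRP_SLOTS = 27


def make_sample_log():
    """Constructed log: Disk with a mix of driver-image (F76xxxxx) and kernel
    (804F4562) handlers, atapi with every slot pointing at one pool address."""
    disk = ["F76C3BB0", "804F4562", "F76C3BB0", "F76BDD1F", "F76BDD1F"] + ["804F4562"] * 22
    lines = ["23:42:35:266 1296 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\Disk, Driver Name: Disk"]
    lines += [f"23:42:35:266 1296 DetectCureTDL3: IrpHandler ({i}) addr: {a}" for i, a in enumerate(disk)]
    lines.append("23:42:35:375 1296 DetectCureTDL3: DRIVER_OBJECT name: \\Driver\\atapi, Driver Name: atapi")
    lines += [f"23:42:35:375 1296 DetectCureTDL3: IrpHandler ({i}) addr: 8733E369" for i in range(IRP_SLOTS)]
    lines.append("23:42:35:391 1296 TDL3_HookDetect: CheckParameters: 4, FFDF0308, 313, 101, 3, 89")
    return "\n".join(lines)


def parse_irp_tables(log_text):
    """Return {driver_name: {slot: addr}} from DetectCureTDL3 lines. The log repeats
    a driver once per device object on its stack; repeats overwrite the same slots."""
    tables = OrderedDict()
    current = None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(2)
            tables.setdefault(current, {})
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][int(m.group(1))] = m.group(2).upper()
    return tables


def assess(table):
    """Flag a dispatch table whose every slot points at one address, as the log did
    for atapi. A tiny legitimate driver can register one routine for all major
    functions, so treat this as a prompt to compare the in-memory driver with the
    on-disk image (what the log does next under TDL3_FileDetect), not as a verdict."""
    addrs = set(table.values())
    complete = len(table) == IRP_SLOTS
    single = len(addrs) == 1
    return {
        "slots_seen": len(table),
        "distinct_handlers": len(addrs),
        "single_target": next(iter(addrs)) if single else None,
        "suspicious": complete and single,
    }


def scan(log_text):
    """Map each driver named in the log to its assessment."""
    return {name: assess(tbl) for name, tbl in parse_irp_tables(log_text).items()}


if __name__ == "__main__":
    for name, verdict in scan(make_sample_log()).items():
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{name:8} slots={verdict['slots_seen']} "
              f"distinct={verdict['distinct_handlers']} {flag}")
```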
  7. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Good, that actually seems to have done it :)

    Please run GMER again to confirm it.
     
  8. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    Yea! I was able to open media player for the first time in two weeks! I didn't double check to see if i could log into safe mode yet... maybe i will do that in the morning and run MBAM while I am at it.

    In the meantime, here's the quickscan GMER. I will run the long one overnight and post it in the morning. That was almost way too easy...

    GMER 1.0.15.15252 - http://www.gmer.net
    Rootkit quick scan 2009-12-06 00:27:13
    Windows 5.1.2600 Service Pack 3
    Running: 6tol09ym.1.2D0D17.exe; Driver: C:\DOCUME~1\JESS&S~1\LOCALS~1\Temp\pxrdipod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs KmxFile.sys (HIPS File Guard driver/CA)
    AttachedDevice \FileSystem\Ntfs \Ntfs VET-FILT.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)
    AttachedDevice \FileSystem\Ntfs \Ntfs kmxagent.sys (HIPS Agent Driver/CA)
    AttachedDevice \FileSystem\Ntfs \Ntfs VET-REC.SYS (CA Antivirus File Protection Driver/Computer Associates International, Inc.)

    Device \Driver\Tcpip \Device\Ip kmxfw.sys (HIPS Firewall Driver/CA)
    Device \Driver\Tcpip \Device\Tcp kmxfw.sys (HIPS Firewall Driver/CA)
    Device \Driver\Tcpip \Device\Udp kmxfw.sys (HIPS Firewall Driver/CA)
    Device \Driver\Tcpip \Device\RawIp kmxfw.sys (HIPS Firewall Driver/CA)

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  9. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    Alright, along with those two please also do the following for a little cleaning up:

    Run OTS


    • Under the Paste Fix Here box on the right, paste in the contents of following code box


    Code:
    [Unregister Dlls]
    [Empty Temp Folders]
    [ClearAllRestorePoints]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • This will create a log in C:\_OTS\MovedFiles\<date>_<time>.log where date and time are those of when the fix was run. Open it from there if it does not appear automatically on reboot. Please copy and paste or attach the contents of that file here.


    Note: You may receive some errors while running the fix. Just press Ok and the fix should continue normally.
    If it seems to get stuck, give it some time. It's probably still working.



    Also, please don't delete Combo-Fix.exe off your Desktop just yet. It needs to be removed properly.


    I'll review the logs as they come in. Let me know if you notice any more symptoms.
     
  10. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    I have attached the new long GMER log below. Will work on running OTS and MBAM next.
     
  11. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    All Processes Killed
    [Empty Temp Folders]


    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: JESS & SHEILA
    ->Temp folder emptied: 4238306 bytes
    ->Temporary Internet Files folder emptied: 3468158 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 117092480 bytes
    ->Apple Safari cache emptied: 10245925 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 3624465 bytes
    Windows Temp folder emptied: 664 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 34562 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 132.34 mb


    Restorepoints cleared and new one set!
    < End of fix log >
    OTS by OldTimer - Version 3.1.8.5 fix logfile created on 12062009_080703

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  12. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    Hi,

    I ran MBAM in safe mode (no problems loading safe mode today (y)) the scan was clean! I'm going to post one more HJT log below... partially to triple check that you don't see anything, and partially to help clean up.

    I'd like to get rid of the following programs that I downloaded while trying to fix this mess: TDSSKiller, OTS, GMER, ComboFix and rkill.

    I'm going to keep SuperAntiSpyware along with MBAM (which I already had) to use as a back-up to CA (which I don't trust, but my parents bought a year subscription for me, so I would feel bad removing it in favor of something else).

    Here's the HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:37:11, on 12/6/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
    O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
    O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
    O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
    O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --
    End of file - 8737 bytes
     
  13. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    CA is a great program. I understand that you don't trust it because of what's happened, but honestly you would have gotten infected regardless of the type of protection you had in place because this new infection is still not targeted by the antivirus companies. They don't know enough about it yet.


    Excellent. Let's cleanup.

    STEP 1

    The following will implement some cleanup procedures as well as reset System Restore points:

    Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

    (If you use Vista or 7 just paste it into the text box that appears next to your start button)

    ComboFix /Uninstall


    Note: If you renamed ComboFix to something else (Combo-Fix or Gotcha for example) you might have to change the command accordingly: Combo-Fix /Uninstall

    STEP 2

    To clean up OldTimer's tools, along with a few others, do the following:


    • Run OTS.exe by double clicking on it
    • Click on the "CleanUp" button on the top.
    • You will be asked if you wish to reboot your system, select "Yes"


    STEP 3

    Remove any other tools or files we used by right-clicking on them or any folders they created, hold down the Shift key, and select "Delete" by clicking on it. This will delete the files without sending them to the RecycleBin.

    You can also uninstall the other programs (HijackThis or MalwareBytes if we used them) by going to Start > Control Panel > Add/Remove programs (The Control Panel is different in different versions of Windows. It will be Programs and Features in Vista and Programs > Uninstall a Program in 7)

    You might want to keep MalwareBytes AntiMalware though and that's fine :) Make sure you update it before you run the scans in the future.

    All Clean

    Congratulations!, your system is now clean. Now that your system is safe we would like you to keep it that way. Take the time to follow these instructions and it will greatly reduce the risk of further infections and greatly diminish the chances of you having to visit here again.

    Microsoft Windows Update
    Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Install the updates immediately if they are found.
    To update Windows
    Go to (Start) > (All) Programs > Windows Update
    To update Office
    Open up any Office program.
    Go to Help > Check for Updates


    Download and Install a HOSTS File
    A HOSTS file is a big list of bad web sites. The list has a specific format, a specific name, (name is just HOSTS with no file extension), and a specific location. Your machine always looks at that file in that location before connecting to a web site to verify the address. A HOSTS listing can be used to "short circuit" a request to a bad website by giving it the address of your own machine and prevent your computer from connecting to that website.

    See how to get it HERE
    (For Vista and 7 see HERE )

    You can also use a tool to update your Hosts file. See HERE and HERE

    If you have a separate party firewall or Winpatrol, you may have to give permissions at various times to Unlock the present default HOSTS file and install the new one.

    Note: A Hosts file can slow some systems down. If it is slowed down beyond tolerable you might want to empty the Hosts file or reset it using one of the tools.

    Install WinPatrol
    Download it HERE
    You can find information about how WinPatrol works HERE and HERE

    Note: This program will work alongside all other security programs without conflicts. It might ask you to allow certain actions that security programs perform often, but if you tell Scotty to remember the action by checking the option, the alerts will lessen.

    Other Software Updates
    It is very important to update the other software on your computer to patch up any security issues you may have. Go HERE to scan your computer for any out of date software. In particular make sure you download the updates for Java and Adobe as these are subject to many security vulnerabilities.

    Setting up Automatic Updates
    So that it is not necessary to have to remember to update your computer regularly (something very important to securing your system), automatic updates should be configured on your computer. Microsoft has guides for XP and Vista on how to do this. See HERE for Windows 7.

    Read further information HERE, HERE, and HERE on how to prevent Malware infections and keep yourself clean.




    Please mark this thread as "Solved" by clicking on the button at the top of this page when you're done. Let me know if you need anything else.
     
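The HOSTS-file mechanism described in the post above, as an added Python example that is not part of the thread: the resolver consults HOSTS before DNS, so a line mapping a bad site to 127.0.0.1 (or 0.0.0.0) sends the browser to the local machine instead; the same mechanism is why a HOSTS file altered by malware shows up as redirection. The sample file contents and hostnames are constructed.

```python
"""Emulate how a HOSTS-file block works. Added example, not from the thread;
the sample HOSTS contents below are constructed and use reserved example names."""

SAMPLE_HOSTS = """\
# constructed sample in HOSTS format: <address> <hostname> [hostname ...] [# comment]
127.0.0.1       localhost
127.0.0.1       bad-ads.example  www.bad-ads.example   # blocklist entry -> own machine
0.0.0.0         tracker.example                       # 0.0.0.0 form: connection fails at once
"""

# Addresses a blocklist uses to "short circuit" a name to nowhere useful.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return {hostname_lowercase: address}. Comments and blank lines are skipped,
    a line may name several hosts, and the first mapping for a name wins, which
    is how resolvers treat duplicate entries."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:          # malformed: an address with no hostname
            continue
        addr, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(hostname, table):
    """Lookup order: a HOSTS hit short-circuits; None means DNS would be asked.
    Hostnames are matched case-insensitively. Note that only name lookups pass
    through here: a connection to a literal IP address never consults HOSTS."""
    return table.get(hostname.lower())


def is_blocked(hostname, table):
    """True when HOSTS points the name at the local machine or the unspecified address."""
    return resolve(hostname, table) in SINKHOLE_ADDRS


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("www.bad-ads.example", "tracker.example", "example.org"):
        print(f"{name:22} -> {resolve(name, hosts)}  blocked={is_blocked(name, hosts)}")
```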
  14. uscjas

    uscjas Thread Starter

    Joined:
    Nov 29, 2009
    Messages:
    10
    :) All fixed and running well. Thank you for your assistance.
     
  15. NeonFx

    NeonFx Malware Specialist

    Joined:
    Oct 22, 2008
    Messages:
    4,811
    You're welcome. Have a good one :)
     
Short URL to this thread: https://techguy.org/881568