1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Jump + redirect in IE6--HELP!!

Discussion in 'Virus & Other Malware Removal' started by savagepat, Jan 14, 2011.

Thread Status:
Not open for further replies.
Advertisement
  1. savagepat

    savagepat Thread Starter

    Joined:
    Jan 14, 2011
    Messages:
    22
    Tech Support Guy System Info Utility version 1.0.0.1
    OS Version: Microsoft Windows XP Home Edition, Service Pack 3, 32 bit
    Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz, x86 Family 15 Model 1 Stepping 2
    Processor Count: 1
    RAM: 255 Mb
    Graphics Card: NVIDIA GeForce2 MX/MX 400 (Microsoft Corporation), 64 Mb
    Hard Drives: C: Total - 78152 MB, Free - 70628 MB;
    Motherboard: Dell Computer Corporation, Dimension 8200 , ,
    Antivirus: avast! Antivirus, Updated: Yes, On-Demand Scanner: Enabled

    I get the jump redirect thing going on every link I click on in Google search. Here are all the logs requested. I already tried the Combofix thing mentioned in other posts. It will not work-when I 1st tried it, it would flash a black screen quickly, then nothing. I deleted it and downloaded it again, making sure my antivirus and firewall were off, and still, nothing after I click on "run". It just doesn't do anything. I have also run my Malwarebytes, Superanti-spyware and Ccleaner. Ya ya I know...IE6...I've tried to download IE7 + IE8--niether one will work right on this computer.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:12:47 AM, on 1/14/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\trend micro\HijackThis\HijackThis.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1.2\SSaver\Ussshreg.exe /r
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243356350030
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (file missing)
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    --
    End of file - 5133 bytes



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    DDS (Ver_10-12-12.02)
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/22/2009 6:37:08 PM
    System Uptime: 1/11/2011 8:32:27 PM (63 hours ago)
    Motherboard: Dell Computer Corporation | | Dimension 8200
    Processor: Intel(R) Pentium(R) 4 CPU 1.80GHz | Microprocessor | 1794/100mhz
    ==== Disk Partitions =========================
    A: is Removable
    C: is FIXED (NTFS) - 76 GiB total, 69.144 GiB free.
    D: is CDROM ()
    ==== Disabled Device Manager Items =============
    ==== System Restore Points ===================
    No restore point in system.
    ==== Installed Programs ======================
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.1
    avast! Free Antivirus
    CCleaner
    Easy CD Creator 5 Basic
    Google Update Helper
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    hp deskjet 960c series (Remove only)
    Java Auto Updater
    Java(TM) 6 Update 23
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Search Enhancement Pack
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.6.13)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2416400)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SUPERAntiSpyware
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB980182)
    Windows Live OneCare safety scanner
    ZipGenius 6 (6.3.1.2590)
    ==== Event Viewer Messages From Past Week ========
    1/10/2011 9:58:54 PM, error: Service Control Manager [7000] - The avast! iAVS4 Control Service service failed to start due to the following error: The system cannot find the path specified.
    1/10/2011 9:58:45 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    1/10/2011 9:58:45 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    1/10/2011 8:29:10 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    1/10/2011 8:29:06 PM, error: Service Control Manager [7000] - The SABKUTIL service failed to start due to the following error: The system cannot find the file specified.
    ==== End Of File ===========================



    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Josie at 11:03:14.92 on Fri 01/14/2011
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.21 [GMT -6:00]
    AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Documents and Settings\Josie\Local Settings\Temporary Internet Files\Content.IE5\8HUNG1M7\dds[1].scr
    ============== Pseudo HJT Report ===============
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.yahoo.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    mRun: [POINTER] point32.exe
    mRun: [USSShReg] c:\progra~1\uleads~1\uleadp~1.2\ssaver\Ussshreg.exe /r
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1243356350030
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
    DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
    ================= FIREFOX ===================
    FF - ProfilePath - c:\docume~1\josie\applic~1\mozilla\firefox\profiles\jdm6kbz4.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    ============= SERVICES / DRIVERS ===============
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-15 165584]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-15 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-15 40384]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-5 54752]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-15 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-15 40384]
    R3 SMC2208;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [2009-5-23 26525]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 RtlPacket;RtlPacket;c:\windows\system32\drivers\packet.sys --> c:\windows\system32\drivers\packet.sys [?]
    =============== Created Last 30 ================
    2011-01-11 04:05:41 -------- d-----w- c:\docume~1\josie\applic~1\Uniblue
    2011-01-11 04:04:58 -------- d-----w- c:\docume~1\josie\locals~1\applic~1\PackageAware
    2010-12-15 18:22:34 45568 -c----w- c:\windows\system32\dllcache\wab.exe
    ==================== Find3M ====================
    2010-11-27 19:38:42 398744 ----a-r- c:\windows\system32\cpnprt2.cid
    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-13 00:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 22:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-05 05:05:36 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-11-05 05:05:36 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-11-05 05:05:35 81920 ----a-w- c:\windows\system32\ieencode.dll
    2010-11-03 12:59:07 369664 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-06-15 18:47:44 50688 ----a-w- c:\program files\ATF-Cleaner.exe
    =================== ROOTKIT ====================
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Maxtor_6Y080P0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
    device: opened successfully
    user: MBR read successfully
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8203EEC5]<<
    _asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xfec8a872; SUB DWORD [EBP-0x4], 0xfec8a12e; PUSH EDI; CALL 0xffffffffffffdf33; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x823DE5E0]
    3 CLASSPNP[0xF9872FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x81F71030]
    [0x820EE1D0] -> IRP_MJ_CREATE -> 0x8203EEC5
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y080P0__________________________YAR41BW0#325930334e4e4334202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8203EAEA
    user & kernel MBR OK
    sectors 160086526 (+255): user != kernel
    Warning: possible TDL3 rootkit infection !
    ============= FINISH: 11:05:57.04 ===============


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-01-14 11:11:56
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6Y080P0 rev.YAR41BW0
    Running: ljxc4t59.exe; Driver: C:\DOCUME~1\Josie\LOCALS~1\Temp\fgrdraoc.sys

    ---- Disk sectors - GMER 1.0.15 ----
    Disk \Device\Harddisk0\DR0 sectors 160086272 (+254): rootkit-like behavior;
    ---- System - GMER 1.0.15 ----
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF73EABAE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xF73EA9D2]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xF73EAB0C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
    ---- Devices - GMER 1.0.15 ----
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8203EAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8203EAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8203EAEA
    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y080P0__________________________YAR41BW0#325930334e4e4334202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    ---- EOF - GMER 1.0.15 ----


    Like I said, I already tried the Combofix and it wouldn't work at all. Won't open after I click on "run". I had my Avast anti-virus shut down and the Firewall also. What do I do next to rid my bozoputer of this very annoying stuff?
     
  2. savagepat

    savagepat Thread Starter

    Joined:
    Jan 14, 2011
    Messages:
    22
    I see on the bottom of page 7 that some posts have not been replied to yet. Am I in for a weeks long wait to get an answer?? I posted on the 14th--the one on page 7 posted on the 9th. wow. I guess I won't be using my computer much for a month or so. Bummer.

    :eek:

    BUMP???
     
  3. savagepat

    savagepat Thread Starter

    Joined:
    Jan 14, 2011
    Messages:
    22
    OK. I saw in another post that the guy ran combofix in safe mode. I was going to try this, but when I double click on the icon, a instructional box comes up, in gigantic format, so I cannot get to the button at the bottom of the box that I assume I must click on to initiate the program. I even reset my screen resolution, but in safe mode, everything comes up gigantic. Now what the hell do I do???
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya savagepat,

    I'm kevinf80 and I will be helping with any malware issues you may have with your system.
    • Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
    • Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
    • Either print or Save to Notepad all instructions and please follow them carefully, if there's something you don't understand or that will not work please let me know and we will go through it together.
    • Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
    • If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

    Please proceed as follows :-

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


      [​IMG]

    • If an infected file is detected, the default action will be Cure, click on Continue.


      [​IMG]

    • If a suspicious file is detected, the default action will be Skip, click on Continue.


      [​IMG]

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


      [​IMG]

    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Let me see the log in your reply

    Kevin
     
  5. savagepat

    savagepat Thread Starter

    Joined:
    Jan 14, 2011
    Messages:
    22
    Kevinf80, you da MAN. I can't believe it was that simple. The TDSSkiller seems to have done the trick. Here is the log you requested. 2011/01/18 17:24:30.0859 TDSS rootkit removing tool 2.4.14.0 Jan 18 2011 09:33:512011/01/18 17:24:30.0859 ================================================================================2011/01/18 17:24:30.0859 SystemInfo:2011/01/18 17:24:30.0859 2011/01/18 17:24:30.0859 OS Version: 5.1.2600 ServicePack: 3.02011/01/18 17:24:30.0859 Product type: Workstation2011/01/18 17:24:30.0859 ComputerName: CRASHMASTER2011/01/18 17:24:30.0859 UserName: Josie2011/01/18 17:24:30.0859 Windows directory: C:\WINDOWS2011/01/18 17:24:30.0859 System windows directory: C:\WINDOWS2011/01/18 17:24:30.0859 Processor architecture: Intel x862011/01/18 17:24:30.0859 Number of processors: 12011/01/18 17:24:30.0859 Page size: 0x10002011/01/18 17:24:30.0859 Boot type: Normal boot2011/01/18 17:24:30.0859 ================================================================================2011/01/18 17:24:31.0312 Initialize success2011/01/18 17:24:36.0828 ================================================================================2011/01/18 17:24:36.0828 Scan started2011/01/18 17:24:36.0828 Mode: Manual; 2011/01/18 17:24:36.0828 ================================================================================2011/01/18 17:24:38.0000 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys2011/01/18 17:24:38.0234 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys2011/01/18 17:24:38.0343 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys2011/01/18 17:24:38.0421 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys2011/01/18 17:24:38.0546 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys2011/01/18 17:24:38.0656 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys2011/01/18 17:24:38.0718 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys2011/01/18 17:24:39.0234 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys2011/01/18 17:24:39.0328 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys2011/01/18 17:24:39.0390 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys2011/01/18 17:24:39.0468 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys2011/01/18 17:24:39.0562 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys2011/01/18 17:24:39.0671 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys2011/01/18 17:24:39.0718 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys2011/01/18 17:24:39.0843 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys2011/01/18 17:24:39.0937 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys2011/01/18 17:24:40.0046 basic2 (9372cc48814a17e67c28945eb4acc189) C:\WINDOWS\system32\DRIVERS\basic2.sys2011/01/18 17:24:40.0140 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys2011/01/18 17:24:40.0234 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys2011/01/18 17:24:40.0375 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys2011/01/18 17:24:40.0468 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys2011/01/18 17:24:40.0531 Cdr4_xp (4ac2e023b8bbee458816d30db0bf149a) C:\WINDOWS\system32\drivers\Cdr4_xp.sys2011/01/18 17:24:40.0625 Cdralw2k (7e56d7ab50e08b393b640c0be898c752) C:\WINDOWS\system32\drivers\Cdralw2k.sys2011/01/18 17:24:40.0703 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys2011/01/18 17:24:40.0796 cdudf_xp (5b20a47b0413240cdb93106bd58602a1) C:\WINDOWS\system32\drivers\cdudf_xp.sys2011/01/18 17:24:41.0250 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys2011/01/18 17:24:41.0359 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys2011/01/18 17:24:41.0468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys2011/01/18 17:24:41.0531 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys2011/01/18 17:24:41.0625 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys2011/01/18 17:24:41.0750 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys2011/01/18 17:24:41.0843 dvd_2K (3677e155d87dda2bc53142d7d234d12a) C:\WINDOWS\system32\drivers\dvd_2K.sys2011/01/18 17:24:41.0953 Fallback (9ea76a7f28cd968f8adc709e479f23b2) C:\WINDOWS\system32\DRIVERS\fallback.sys2011/01/18 17:24:42.0046 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys2011/01/18 17:24:42.0156 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys2011/01/18 17:24:42.0234 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys2011/01/18 17:24:42.0296 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys2011/01/18 17:24:42.0375 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys2011/01/18 17:24:42.0453 Fsks (b7b262d0431374f3afd1349e35b368d9) C:\WINDOWS\system32\DRIVERS\fsksnt.sys2011/01/18 17:24:42.0546 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys2011/01/18 17:24:42.0625 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys2011/01/18 17:24:42.0718 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys2011/01/18 17:24:42.0796 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys2011/01/18 17:24:43.0015 hsf_msft (74e379857d4c0dfb56de2d19b8f4c434) C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys2011/01/18 17:24:43.0156 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys2011/01/18 17:24:43.0343 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys2011/01/18 17:24:43.0437 Imapi (52fa4d5bf104c7b02adc49c414b484ed) C:\WINDOWS\system32\drivers\ImapiRox.sys2011/01/18 17:24:43.0562 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys2011/01/18 17:24:43.0625 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys2011/01/18 17:24:43.0718 IPFilter (5f0a0b4bc604aa1cc3f56a50e57bf054) C:\WINDOWS\system32\DRIVERS\IPFilter.sys2011/01/18 17:24:43.0796 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys2011/01/18 17:24:43.0859 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys2011/01/18 17:24:43.0937 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys2011/01/18 17:24:44.0046 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys2011/01/18 17:24:44.0125 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys2011/01/18 17:24:44.0187 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys2011/01/18 17:24:44.0281 K56 (a4e3277398c8aba999483d4c658c9696) C:\WINDOWS\system32\DRIVERS\k56nt.sys2011/01/18 17:24:44.0375 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys2011/01/18 17:24:44.0437 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys2011/01/18 17:24:44.0515 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys2011/01/18 17:24:44.0718 mmc_2K (a54fd7e564c996cfcee6ee7491f3c318) C:\WINDOWS\system32\drivers\mmc_2K.sys2011/01/18 17:24:44.0781 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys2011/01/18 17:24:44.0859 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys2011/01/18 17:24:44.0937 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys2011/01/18 17:24:45.0031 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys2011/01/18 17:24:45.0093 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys2011/01/18 17:24:45.0203 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys2011/01/18 17:24:45.0296 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys2011/01/18 17:24:45.0375 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys2011/01/18 17:24:45.0468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys2011/01/18 17:24:45.0546 msloop (64e8b7c65eb4796939c0f64f8170821b) C:\WINDOWS\system32\DRIVERS\loop.sys2011/01/18 17:24:45.0625 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys2011/01/18 17:24:45.0687 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys2011/01/18 17:24:45.0765 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys2011/01/18 17:24:45.0843 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys2011/01/18 17:24:45.0921 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys2011/01/18 17:24:45.0984 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys2011/01/18 17:24:46.0062 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys2011/01/18 17:24:46.0156 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys2011/01/18 17:24:46.0234 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys2011/01/18 17:24:46.0296 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys2011/01/18 17:24:46.0359 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys2011/01/18 17:24:46.0484 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys2011/01/18 17:24:46.0578 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys2011/01/18 17:24:46.0671 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys2011/01/18 17:24:46.0859 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys2011/01/18 17:24:47.0015 nv4 (4d31783965b0b7ced7db3f4ee14cf260) C:\WINDOWS\system32\DRIVERS\nv4.sys2011/01/18 17:24:47.0156 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys2011/01/18 17:24:47.0250 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys2011/01/18 17:24:47.0343 OMCI (e1e54131462b63efefaf14aca8e4012b) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS2011/01/18 17:24:47.0468 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys2011/01/18 17:24:47.0593 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys2011/01/18 17:24:47.0734 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys2011/01/18 17:24:47.0828 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys2011/01/18 17:24:48.0046 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys2011/01/18 17:24:48.0546 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys2011/01/18 17:24:48.0625 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys2011/01/18 17:24:48.0703 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys2011/01/18 17:24:48.0796 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys2011/01/18 17:24:48.0875 pwd_2K (dd37e1d9f08eec0cb0fc84e010f33c3b) C:\WINDOWS\system32\drivers\pwd_2K.sys2011/01/18 17:24:49.0203 RasAcd (04855932b76100b8f554f89b0752f4b4) C:\WINDOWS\system32\DRIVERS\rasacd.sys2011/01/18 17:24:49.0203 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\rasacd.sys. Real md5: 04855932b76100b8f554f89b0752f4b4, Fake md5: fe0d99d6f31e4fad8159f690d68ded9c2011/01/18 17:24:49.0218 RasAcd - detected Rootkit.Win32.TDSS.tdl3 (0)2011/01/18 17:24:49.0296 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys2011/01/18 17:24:49.0375 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys2011/01/18 17:24:49.0453 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys2011/01/18 17:24:49.0500 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys2011/01/18 17:24:49.0562 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys2011/01/18 17:24:49.0656 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys2011/01/18 17:24:49.0750 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys2011/01/18 17:24:49.0859 Rksample (4c35e57300a2dc5932a8e29efa527c32) C:\WINDOWS\system32\DRIVERS\rksample.sys2011/01/18 17:24:50.0109 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS2011/01/18 17:24:50.0140 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS2011/01/18 17:24:50.0250 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys2011/01/18 17:24:50.0343 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys2011/01/18 17:24:50.0421 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys2011/01/18 17:24:50.0531 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys2011/01/18 17:24:50.0671 SMC2208 (142f1fe694f38dbd4fafcd6f86f325a4) C:\WINDOWS\system32\DRIVERS\SMC2208.SYS2011/01/18 17:24:50.0781 smwdm (bd3e236281547c681dfc7c947531b726) C:\WINDOWS\system32\drivers\smwdm.sys2011/01/18 17:24:50.0875 SoftFax (413cfa795cad19a010889df0ec060408) C:\WINDOWS\system32\DRIVERS\faxnt.sys2011/01/18 17:24:51.0000 SpeakerPhone (c11082c80723771c1979eacf7fdde1c3) C:\WINDOWS\system32\DRIVERS\spkpnt.sys2011/01/18 17:24:51.0109 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys2011/01/18 17:24:51.0250 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\System32\DRIVERS\sr.sys2011/01/18 17:24:51.0359 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys2011/01/18 17:24:51.0453 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys2011/01/18 17:24:51.0546 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys2011/01/18 17:24:51.0812 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys2011/01/18 17:24:51.0937 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys2011/01/18 17:24:52.0031 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys2011/01/18 17:24:52.0125 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys2011/01/18 17:24:52.0203 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys2011/01/18 17:24:52.0312 Tones (e0f10a379239b4fab319c55a9cd6bc96) C:\WINDOWS\system32\DRIVERS\tonesnt.sys2011/01/18 17:24:52.0468 UdfReadr_xp (3af8116d049e6f98a6d37913da989984) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys2011/01/18 17:24:52.0515 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys2011/01/18 17:24:52.0640 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys2011/01/18 17:24:52.0750 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys2011/01/18 17:24:52.0828 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys2011/01/18 17:24:52.0921 V124 (177b65899d418f8c8f037b20567a99d6) C:\WINDOWS\system32\DRIVERS\v124nt.sys2011/01/18 17:24:53.0000 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys2011/01/18 17:24:53.0171 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys2011/01/18 17:24:53.0281 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys2011/01/18 17:24:53.0406 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys2011/01/18 17:24:53.0515 winachsf (a941aa38e3951058e584c4bbddd56ed9) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys2011/01/18 17:24:53.0703 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys2011/01/18 17:24:53.0812 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys2011/01/18 17:24:53.0890 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys2011/01/18 17:24:54.0093 ================================================================================2011/01/18 17:24:54.0093 Scan finished2011/01/18 17:24:54.0093 ================================================================================2011/01/18 17:24:54.0109 Detected object count: 12011/01/18 17:25:41.0906 RasAcd (04855932b76100b8f554f89b0752f4b4) C:\WINDOWS\system32\DRIVERS\rasacd.sys2011/01/18 17:25:41.0906 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\rasacd.sys. Real md5: 04855932b76100b8f554f89b0752f4b4, Fake md5: fe0d99d6f31e4fad8159f690d68ded9c2011/01/18 17:25:43.0531 Backup copy found, using it..2011/01/18 17:25:43.0578 C:\WINDOWS\system32\DRIVERS\rasacd.sys - will be cured after reboot2011/01/18 17:25:43.0578 Rootkit.Win32.TDSS.tdl3(RasAcd) - User select action: Cure 2011/01/18 17:25:58.0171 Deinitialize success
     
  6. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya savagepat,

    Run the following scans to double check your system for any little friends that nuisance may have called in :-

    Step 1

    [​IMG] Please download Malwarebytes Anti-Malware and save it to your desktop.
    Alernative D/L mirror
    Alternative D/L mirror

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • Please save the log to a location you will remember.
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.

    Extra Note:

    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    Step 2

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [​IMG] button.
    • Push [​IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions available Here Please read them before running the scan.

    Also be aware this scan can take between one and several hours to complete depending on the size of your system.

    Step 3

    Run this scan to give overview of your security, also status of Java and Adobe etc...

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    What i`d like in your reply :

    • Log from Malwarebytes
    • Log from ESET
    • Log from Security Checks
    • System review, any specific issues?

    Kevin
     
  7. savagepat

    savagepat Thread Starter

    Joined:
    Jan 14, 2011
    Messages:
    22
    I ran the 3 things you asked for. The ESET came up with "no threats found" and did not create a logfile. I am posting the logs from Malwarebytes and Checkup...Thanks again for all the help. I will check back later today in case you want me to run anything else.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org
    Database version: 5553
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512
    1/19/2011 7:44:12 AM
    mbam-log-2011-01-19 (07-44-12).txt
    Scan type: Full scan (C:\|)
    Objects scanned: 154220
    Time elapsed: 19 minute(s), 32 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)

    -------------------------------------------------------------------
    -------------------------------------------------------------------

    Results of screen317's Security Check version 0.99.8
    Windows XP Service Pack 3
    Internet Explorer 6 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    CCleaner
    Java(TM) 6 Update 23
    Adobe Flash Player 10.1.102.64
    Adobe Reader 9.4.1
    Out of date Adobe Reader installed!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Alwil Software Avast5 AvastSvc.exe
    ALWILS~1 Avast5 avastUI.exe
    ``````````End of Log````````````

    ----------------------------------------------------------------------
    ----------------------------------------------------------------------

    Again thanks for all the help. I see my Adobe reader is out of date. I will update it right away. As far as updating the browser--I have tried several times to upgrade to IE8. It downloads just fine, but when I open it, it stays open for about 5 seconds and then closes itself. I have deleted and re-downloaded it several times, with similar results. Any idea's? I would like to upgrade, as many websites now require it, and tell me that my IE6 is obsolete. I will check back later today to see if you have any idea's for that. Thanks !!!
     
  8. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Have you tried updating Internet Explorer since we removed the Rootkit infection?

    Kevin
     
  9. savagepat

    savagepat Thread Starter

    Joined:
    Jan 14, 2011
    Messages:
    22
    I updated the Adobe. I just downloaded the IE8 from "Windows Update". Same as before. I open it and about 5 seconds later it closes itself. I got as far as through the "settings" the 1st time, then it ran into a problem and had to close. After that, every time I open it, it closes by itself. So I deleted it and went back to IE6. This is about the 4th time I've been through this. Everything else seems to be working OK.
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Try the IE8 update from Here see if that will install OK....

    Kevin
     
  11. savagepat

    savagepat Thread Starter

    Joined:
    Jan 14, 2011
    Messages:
    22
    Pardon my French but, same shite, different download site. It downloads and installs fine. I open it up, didn't even get to the settings, and it pops up that IE8 has encountered a problem and needs to close. Then it says it wants to send a report to Microsoft. The little box cannot be moved or minimized, so I can't get to the text file it says that it's sending. I also cannot copy and paiste, or print it out. The text file it wants to send is called: 4578_appcompat.txt. After sending it, it can not be found on computer, so it must be a self-deleting temp file. I know IE8 will work once I figure out how to keep it from closing itself. I quickly typed in something and it went to a websight list--then closed itself. So it's working, just won't stay open.
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya savagepat,

    Let`s make sure your system is 100% clean before we go any further with IE8

    Proceed as follows :-

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    Combofix

    Don`t forget Combofix must be saved to your desktop. <--Very important

    Before saving Combofix to the Desktop rename to Gotcha.exe as below:

    [​IMG]

    Ensure you have disabledyour Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

    Please include the C:\ComboFix.txt in your next reply for further review.

    Examples of how to disable realtime protection available at the following link :-

    Disable realtime protection


    Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the log in your reply,

    Kevin
     
  13. savagepat

    savagepat Thread Starter

    Joined:
    Jan 14, 2011
    Messages:
    22
    OK I ran Combofix following your instructions to the T. It worked as described. It did find and delete or quarentine 6 things. Here's the log. Let me know if I should try downloading IE8 now, or whatever... Thanks!!--Also, should I delete the Qoobox and stuff that it saved? Let me know.

    ComboFix 11-01-20.01 - Josie 01/20/2011 20:54:53.1.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.117 [GMT -6:00]
    Running from: c:\documents and settings\Josie\Desktop\Gotcha.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\windows\explorer(2).exe
    c:\windows\system32\linkinfo(2).dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-12-21 to 2011-01-21 )))))))))))))))))))))))))))))))
    .
    2011-01-20 16:05 . 2010-11-05 05:05 81920 ----a-w- c:\windows\system32\ieencode.dll
    2011-01-20 16:05 . 2010-11-05 05:05 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
    2011-01-19 14:34 . 2011-01-19 14:35 879047 ----a-w- c:\program files\SecurityCheck.exe
    2011-01-18 23:24 . 2011-01-18 15:34 1349208 ----a-w- c:\program files\TDSSKiller.exe
    2011-01-15 17:29 . 2011-01-15 17:30 -------- d-----w- c:\documents and settings\Josie\Application Data\PCFix
    2011-01-14 22:31 . 2011-01-14 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2011-01-14 21:17 . 2011-01-14 21:55 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2011-01-11 04:05 . 2011-01-11 04:05 -------- d-----w- c:\documents and settings\Josie\Application Data\Uniblue
    2011-01-11 04:04 . 2011-01-11 04:04 -------- d-----w- c:\documents and settings\Josie\Local Settings\Application Data\PackageAware
    2010-12-30 19:59 . 2010-12-30 19:59 -------- d-----w- c:\documents and settings\Josie\Local Settings\Application Data\Mozilla
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-18 23:26 . 2001-08-18 12:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
    2011-01-13 08:47 . 2010-09-05 20:58 38848 ----a-w- c:\windows\avastSS.scr
    2011-01-13 08:47 . 2010-06-15 18:13 188216 ----a-w- c:\windows\system32\aswBoot.exe
    2011-01-13 08:41 . 2010-06-15 18:14 294608 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-01-13 08:40 . 2010-06-15 18:14 47440 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-01-13 08:40 . 2010-06-15 18:14 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-01-13 08:39 . 2010-06-15 18:14 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-01-13 08:37 . 2010-06-15 18:14 23632 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-01-13 08:37 . 2010-06-15 18:14 29392 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-01-13 08:37 . 2010-06-15 18:14 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-12-21 00:09 . 2010-12-02 17:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 00:08 . 2010-12-02 17:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-27 19:38 . 2009-06-13 01:12 398744 ----a-r- c:\windows\system32\cpnprt2.cid
    2010-11-18 18:12 . 2009-05-22 23:32 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-13 00:53 . 2010-11-21 23:40 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2010-11-12 22:34 . 2009-06-09 19:55 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-09 14:52 . 2001-08-18 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-05 05:05 . 2001-08-18 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
    2010-11-05 05:05 . 2001-08-18 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-11-03 12:59 . 2004-08-04 05:59 369664 ----a-w- c:\windows\system32\html.iec
    2010-11-02 15:17 . 2001-08-18 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
    2010-10-28 13:13 . 2001-08-18 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2001-08-18 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-06-15 18:47 . 2010-06-15 18:47 50688 ----a-w- c:\program files\ATF-Cleaner.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-09-12 196608]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/15/2010 12:14 PM 294608]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/15/2010 12:14 PM 17744]
    R3 SMC2208;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [5/23/2009 3:40 PM 26525]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
    S3 RtlPacket;RtlPacket;c:\windows\system32\Drivers\packet.sys --> c:\windows\system32\Drivers\packet.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder
    2011-01-20 c:\windows\Tasks\Synchronize.job
    - c:\windows\system32\mobsync.exe [2001-08-18 00:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.yahoo.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -
    ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
    SafeBoot-klmdb.sys

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-20 21:03
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    [HKEY_LOCAL_MACHINE\software\ALWIL Software\Avast\4.0]
    @DACL=(02 0000)
    "Label"="Sep2009"
    "Avast4DataFolder"="c:\\Program Files\\Alwil Software\\Avast4\\DATA"
    "Avast4SkinFolder"="c:\\Program Files\\Alwil Software\\Avast4\\DATA\\Skin"
    "Version"="4.8"
    "VersionShort"="4.8"
    "SetupVersion"=dword:00000558
    "Avast4ProgramFolder"="c:\\Program Files\\Alwil Software\\Avast4"
    "Product"="av_pro"
    "OSPlatform"=dword:00000002
    "OSVersion"=dword:00050001
    "RegData"=hex:59,4b,26,41,39,40,26,41,39,31,26,4c,3e,49,56,48,3a,48,26,55,54,
    2a,2f,4b,48,2d,22,3b,0e,1a,20,78,0e,79,17,78
    "MailScannerSafeToRestart"=dword:00000001
    "WebScannerSafeToRestart"=dword:00000001
    "UpdateReady"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    - - - - - - - > 'winlogon.exe'(624)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    Completion time: 2011-01-20 21:05:52
    ComboFix-quarantined-files.txt 2011-01-21 03:05
    Pre-Run: 73,717,944,320 bytes free
    Post-Run: 73,765,892,096 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    - - End Of File - - 706651F7646C12052F352A3D3E7A4C4E
     
  14. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya savagepat,

    There is an uninstall procedure for Combofix, please do not delete any folders/files it creates including the Desktop icon. If you do it will complicate things when we try to do an uninstall later.

    Leave IE update for now, I want you to upload a file for analysis first.

    We need to upload a file to Jotti

    1. Click HERE to get to Jotti's site.

    2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

    c:\windows\system32\Drivers\packet.sys

    3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

    4. Please provide me with the results of the analysis.

    Upload same File to Virustotal
    Please visit Virustotal
    • Click the Browse... button
    • Navigate to the file c:\windows\system32\Drivers\packet.sys
    • Click the Open button
    • Click the Send button
    • If you get a message saying File has already been analyzed: click Reanalyze file now
    • Copy and paste the results back here please.

    Let me see the results from Jotti and VirusTotal please. Also do you have StopZilla or anything from UniBlue installed?

    Kevin
     
  15. savagepat

    savagepat Thread Starter

    Joined:
    Jan 14, 2011
    Messages:
    22
    I went browsing for the file you listed, and could not find it-I even used the search function-file is not there. I manually went into the drivers folder and still could not find that file. (The package.sys file)

    As for the Stopzilla and UniBlue-I had downloaded them and ran the scans-only to find out they were not freeware, so I deleted them. Or so I thought. (This was before I started working with you.) I looked them up in the search box today, and it said they were in a folder that doesn't exist. So I deleted them from the search box window. And I jettisoned them from the recycle bin. My Bad. Should I run Combofix again, or what next?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Jump redirect HELP
  1. MsiTrident3
    Replies:
    1
    Views:
    251
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/974671

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice