1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Need some help please

Discussion in 'Virus & Other Malware Removal' started by bricks_, Jan 6, 2011.

Thread Status:
Not open for further replies.
Advertisement
  1. bricks_

    bricks_ Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    82
    Trying to clean up my aunt's computer. She had no anti-virus software so I installed Microsoft Security Essentials and the free version of Malwarebytes. Ran both those scans and they cleaned up a few things but I suspect there is still something wrong with the computer because Firefox usually refuses to open up when double clicked. Here are the requested logs. Thanks in advance.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 4:23:53 PM, on 1/6/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\idt\wdm\STacSV.exe
    C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\HP\HPBTWD.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\WINDOWS\system32\AESTFltr.exe
    C:\Program Files\Hewlett-Packard\HP QuickSync\QuickSync.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Hewlett-Packard\HP QuickSync\jre\bin\javaw.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mary\My Documents\Downloads\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
    O2 - BHO: Searchqu Toolbar - {7FF99715-3016-4381-84CE-E4E4C9673020} - C:\PROGRA~1\WI9130~1\ToolBar\SearchquDx.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Searchqu Toolbar - {7FF99715-3016-4381-84CE-E4E4C9673020} - C:\PROGRA~1\WI9130~1\ToolBar\SearchquDx.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [HP BTW Detect Program] C:\Program Files\HP\HPBTWD.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
    O4 - HKLM\..\Run: [HP] C:\Program Files\Hewlett-Packard\HP QuickSync\QuickSync.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
    O23 - Service: BOTService - Sonic Solutions - C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\HP Game Console\GameConsoleService.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - c:\program files\idt\wdm\STacSV.exe

    --
    End of file - 6553 bytes

    _____________________________________________________________________________________

    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Mary at 17:39:21.17 on Thu 01/06/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.425 [GMT -5:00]

    AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\idt\wdm\STacSV.exe
    svchost.exe
    C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\HP\HPBTWD.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\WINDOWS\system32\AESTFltr.exe
    C:\Program Files\Hewlett-Packard\HP QuickSync\QuickSync.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Hewlett-Packard\HP QuickSync\jre\bin\javaw.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
    C:\Documents and Settings\Mary\My Documents\Downloads\HijackThis.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Documents and Settings\Mary\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
    BHO: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wi9130~1\toolbar\SearchquDx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Searchqu Toolbar: {7ff99715-3016-4381-84ce-e4e4c9673020} - c:\progra~1\wi9130~1\toolbar\SearchquDx.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [HP BTW Detect Program] c:\program files\hp\HPBTWD.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
    mRun: [HP] c:\program files\hewlett-packard\hp quicksync\QuickSync.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\mary\applic~1\mozilla\firefox\profiles\chl7ze00.default\
    FF - prefs.js: browser.startup.homepage - google.ca
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}

    ============= SERVICES / DRIVERS ===============

    R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-8-25 21488]
    R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-8-25 15856]
    R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2009-7-2 103792]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
    R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-8-25 25584]
    R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2009-6-2 457200]
    R2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2009-7-9 199152]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-8-25 113664]
    R3 Cam3820;Cam3820 PC Camera Driver;c:\windows\system32\drivers\cam3820a.sys [2009-6-18 308608]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-31 39424]
    S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
    S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]

    =============== Created Last 30 ================

    2011-01-06 06:42:36 -------- d-----w- c:\program files\CCleaner
    2011-01-06 02:14:44 -------- d-----w- c:\program files\Foxit Software
    2011-01-06 01:51:43 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    2011-01-06 01:51:42 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-06 01:40:25 -------- d-----w- c:\windows\pss
    2011-01-06 01:03:26 -------- d-----w- c:\docume~1\mary\applic~1\Malwarebytes
    2011-01-06 01:02:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-06 01:02:19 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2011-01-06 01:02:16 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-06 01:02:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-06 01:02:06 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{cb0dd75d-d3df-4ee5-be41-08bd604dd88e}\mpengine.dll
    2011-01-06 01:02:06 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-06 00:55:53 -------- d-----w- c:\program files\Microsoft Security Client
    2011-01-06 00:46:05 -------- d-----w- c:\docume~1\mary\locals~1\applic~1\Mozilla
    2011-01-06 00:46:00 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
    2010-12-15 12:08:02 45568 ----a-w- c:\program files\outlook express\wab.exe
    2010-12-15 12:08:02 45568 ------w- c:\windows\system32\dllcache\wab.exe

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 21:34:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25:54 385024 ----a-w- c:\windows\system32\html.iec
    2010-10-28 13:13:22 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25:00 1853312 ----a-w- c:\windows\system32\win32k.sys

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: SAMSUNG_ rev.HH10 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys SahdIa32.sys >>UNKNOWN [0x86530555]<<
    c:\windows\system32\drivers\SahdIa32.sys Sonic Solutions
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x865367b0]; MOV EAX, [0x8653682c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8657D550]
    3 CLASSPNP[0xF75C8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8657DAB8]
    5 SahdIa32[0xF75E9939] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86543028]
    \Driver\iaStor[0x86563EB8] -> IRP_MJ_CREATE -> 0x86530555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-15#4&9cf173c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 312581806 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 17:41:43.34 ===============

    ______________________________________________________________________________________

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2011-01-06 18:03:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 SAMSUNG_ rev.HH10
    Running: hfvhfoyi.exe; Driver: C:\DOCUME~1\Mary\LOCALS~1\Temp\fwldqpog.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\DOCUME~1\Mary\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
    .text C:\WINDOWS\System32\svchost.exe[1280] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BF000A
    .text C:\WINDOWS\System32\svchost.exe[1280] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BD000C
    .text C:\WINDOWS\System32\svchost.exe[1280] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0221000A
    .text C:\WINDOWS\System32\svchost.exe[1280] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00C7000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1400] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0167000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1400] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0168000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1400] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0166000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[1400] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1848] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
    .text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
    .text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
    .text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)

    Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-15#4&9cf173c&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 54: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----
     
  2. bricks_

    bricks_ Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    82
    sorry I forgot to attach the second DDS text file. here it is.
     

    Attached Files:

    • ark.txt
      File size:
      5.8 KB
      Views:
      1
  3. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya Bricks_

    As follows please :-

    Step 1

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


      [​IMG]

    • If an infected file is detected, the default action will be Cure, click on Continue.


      [​IMG]

    • If a suspicious file is detected, the default action will be Skip, click on Continue.


      [​IMG]

    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


      [​IMG]

    • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

    Step 2

    We will continue with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    Combofix

    Don`t forget Combofix must be saved to your desktop. <--Very important

    Ensure you have disabledyour Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

    Please include the C:\ComboFix.txt in your next reply for further review.

    Examples of how to disable realtime protection available at the following link :-

    Disable realtime protection

    Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

    *EXTRA NOTES*
    • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    • If Combofix reboot's due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    • If after running Combofix you receive any type of warning message about registry key's being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

    Post the logs from TDSSKiller and Combofix in your reply,

    Kevin
     
  4. bricks_

    bricks_ Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    82
    Thanks for the quick response. Here are the logs you asked for.

    2011/01/06 18:27:05.0625 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
    2011/01/06 18:27:05.0625 ================================================================================
    2011/01/06 18:27:05.0625 SystemInfo:
    2011/01/06 18:27:05.0625
    2011/01/06 18:27:05.0625 OS Version: 5.1.2600 ServicePack: 3.0
    2011/01/06 18:27:05.0625 Product type: Workstation
    2011/01/06 18:27:05.0625 ComputerName: KITCHEN
    2011/01/06 18:27:05.0625 UserName: Mary
    2011/01/06 18:27:05.0625 Windows directory: C:\WINDOWS
    2011/01/06 18:27:05.0625 System windows directory: C:\WINDOWS
    2011/01/06 18:27:05.0625 Processor architecture: Intel x86
    2011/01/06 18:27:05.0625 Number of processors: 2
    2011/01/06 18:27:05.0625 Page size: 0x1000
    2011/01/06 18:27:05.0625 Boot type: Normal boot
    2011/01/06 18:27:05.0625 ================================================================================
    2011/01/06 18:27:06.0359 Initialize success
    2011/01/06 18:27:15.0593 ================================================================================
    2011/01/06 18:27:15.0593 Scan started
    2011/01/06 18:27:15.0593 Mode: Manual;
    2011/01/06 18:27:15.0593 ================================================================================
    2011/01/06 18:27:15.0984 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    2011/01/06 18:27:16.0031 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/01/06 18:27:16.0062 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/01/06 18:27:16.0109 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2011/01/06 18:27:16.0171 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/01/06 18:27:16.0234 AESTAud (822d53766d57c90c437536232ece9023) C:\WINDOWS\system32\drivers\AESTAud.sys
    2011/01/06 18:27:16.0312 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/01/06 18:27:16.0375 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/01/06 18:27:16.0406 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    2011/01/06 18:27:16.0453 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    2011/01/06 18:27:16.0484 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2011/01/06 18:27:16.0515 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2011/01/06 18:27:16.0562 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2011/01/06 18:27:16.0593 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2011/01/06 18:27:16.0640 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    2011/01/06 18:27:16.0671 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    2011/01/06 18:27:16.0703 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    2011/01/06 18:27:16.0734 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    2011/01/06 18:27:16.0765 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    2011/01/06 18:27:16.0828 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/01/06 18:27:16.0890 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/01/06 18:27:16.0953 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/01/06 18:27:16.0984 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/01/06 18:27:17.0109 BCM43XX (69dd2805f42f2de52a5fcbcfa9d8848f) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
    2011/01/06 18:27:17.0171 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/01/06 18:27:17.0265 Cam3820 (5af2367c6e70d0488eb47a87d5d899c8) C:\WINDOWS\system32\Drivers\cam3820a.sys
    2011/01/06 18:27:17.0312 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    2011/01/06 18:27:17.0328 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/01/06 18:27:17.0390 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/01/06 18:27:17.0453 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    2011/01/06 18:27:17.0484 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/01/06 18:27:17.0531 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/01/06 18:27:17.0578 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/01/06 18:27:17.0656 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/01/06 18:27:17.0734 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    2011/01/06 18:27:17.0781 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/01/06 18:27:17.0843 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    2011/01/06 18:27:17.0906 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    2011/01/06 18:27:17.0937 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    2011/01/06 18:27:17.0984 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/01/06 18:27:18.0078 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/01/06 18:27:18.0156 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/01/06 18:27:18.0203 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/01/06 18:27:18.0265 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/01/06 18:27:18.0328 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    2011/01/06 18:27:18.0359 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/01/06 18:27:18.0453 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/01/06 18:27:18.0500 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/01/06 18:27:18.0531 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/01/06 18:27:18.0562 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/01/06 18:27:18.0593 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/01/06 18:27:18.0640 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/01/06 18:27:18.0671 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/01/06 18:27:18.0703 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/01/06 18:27:18.0750 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/01/06 18:27:18.0812 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    2011/01/06 18:27:18.0906 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/01/06 18:27:18.0953 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2011/01/06 18:27:19.0000 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    2011/01/06 18:27:19.0031 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/01/06 18:27:19.0265 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    2011/01/06 18:27:19.0546 iaStor (d483687eace0c065ee772481a96e05f5) C:\WINDOWS\system32\DRIVERS\iaStor.sys
    2011/01/06 18:27:19.0640 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/01/06 18:27:19.0703 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    2011/01/06 18:27:19.0734 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/01/06 18:27:19.0781 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/01/06 18:27:19.0828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/01/06 18:27:19.0843 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/01/06 18:27:19.0906 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/01/06 18:27:19.0953 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/01/06 18:27:19.0984 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/01/06 18:27:20.0015 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/01/06 18:27:20.0078 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/01/06 18:27:20.0156 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/01/06 18:27:20.0234 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/01/06 18:27:20.0281 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/01/06 18:27:20.0328 L1c (140f9b777fa84e2f5eeea5cadc112e53) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys
    2011/01/06 18:27:20.0484 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/01/06 18:27:20.0546 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/01/06 18:27:20.0593 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/01/06 18:27:20.0625 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/01/06 18:27:20.0703 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    2011/01/06 18:27:20.0734 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2011/01/06 18:27:20.0765 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/01/06 18:27:20.0859 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/01/06 18:27:20.0921 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/01/06 18:27:21.0000 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/01/06 18:27:21.0046 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/01/06 18:27:21.0078 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/01/06 18:27:21.0140 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/01/06 18:27:21.0187 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/01/06 18:27:21.0234 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/01/06 18:27:21.0265 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/01/06 18:27:21.0312 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/01/06 18:27:21.0343 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/01/06 18:27:21.0375 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/01/06 18:27:21.0421 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/01/06 18:27:21.0453 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/01/06 18:27:21.0500 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/01/06 18:27:21.0531 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/01/06 18:27:21.0562 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/01/06 18:27:21.0640 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/01/06 18:27:21.0703 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/01/06 18:27:21.0750 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/01/06 18:27:21.0796 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/01/06 18:27:21.0828 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/01/06 18:27:21.0890 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/01/06 18:27:21.0906 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/01/06 18:27:21.0937 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/01/06 18:27:21.0984 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/01/06 18:27:22.0031 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/01/06 18:27:22.0062 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/01/06 18:27:22.0203 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2011/01/06 18:27:22.0234 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2011/01/06 18:27:22.0328 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/01/06 18:27:22.0375 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/01/06 18:27:22.0390 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/01/06 18:27:22.0453 PxHelp20 (5491e4e7d93804f43abe8ce3c39f5a86) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/01/06 18:27:22.0484 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    2011/01/06 18:27:22.0531 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    2011/01/06 18:27:22.0546 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    2011/01/06 18:27:22.0578 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    2011/01/06 18:27:22.0609 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    2011/01/06 18:27:22.0656 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/01/06 18:27:22.0687 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/01/06 18:27:22.0734 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/01/06 18:27:22.0750 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/01/06 18:27:22.0796 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/01/06 18:27:22.0828 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/01/06 18:27:22.0890 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/01/06 18:27:22.0937 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/01/06 18:27:22.0984 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/01/06 18:27:23.0062 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
    2011/01/06 18:27:23.0140 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
    2011/01/06 18:27:23.0218 SahdIa32 (0b2d5d2341437d7d7e1a6c7bbce3786a) C:\WINDOWS\system32\Drivers\SahdIa32.sys
    2011/01/06 18:27:23.0250 SaibIa32 (7a5f65b16249af2bc9d18d815f5d7172) C:\WINDOWS\system32\Drivers\SaibIa32.sys
    2011/01/06 18:27:23.0312 SaibVd32 (e333c9515822de586a3ff759a0c9b7bf) C:\WINDOWS\system32\Drivers\SaibVd32.sys
    2011/01/06 18:27:23.0375 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/01/06 18:27:23.0437 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/01/06 18:27:23.0515 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/01/06 18:27:23.0609 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    2011/01/06 18:27:23.0656 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/01/06 18:27:23.0687 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    2011/01/06 18:27:23.0765 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/01/06 18:27:23.0812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/01/06 18:27:23.0890 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/01/06 18:27:24.0031 STHDA (4f500b19d3e5e7d0ffb4488e404a95b4) C:\WINDOWS\system32\drivers\sthda.sys
    2011/01/06 18:27:24.0140 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/01/06 18:27:24.0187 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/01/06 18:27:24.0250 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/01/06 18:27:24.0296 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2011/01/06 18:27:24.0328 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2011/01/06 18:27:24.0359 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2011/01/06 18:27:24.0390 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2011/01/06 18:27:24.0500 SynTP (8da49473f997d4c5d821f1e358f94f2d) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/01/06 18:27:24.0562 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/01/06 18:27:24.0625 SysCow (9c1c6212623484331cce11ebbbfa3139) C:\WINDOWS\system32\drivers\syscow32x.sys
    2011/01/06 18:27:24.0750 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/01/06 18:27:24.0796 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/01/06 18:27:24.0828 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/01/06 18:27:24.0875 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/01/06 18:27:24.0937 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    2011/01/06 18:27:25.0000 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/01/06 18:27:25.0046 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    2011/01/06 18:27:25.0109 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/01/06 18:27:25.0203 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/01/06 18:27:25.0296 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/01/06 18:27:25.0328 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/01/06 18:27:25.0406 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/01/06 18:27:25.0468 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/01/06 18:27:25.0531 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/01/06 18:27:25.0562 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/01/06 18:27:25.0625 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/01/06 18:27:25.0671 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/01/06 18:27:25.0718 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    2011/01/06 18:27:25.0765 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/01/06 18:27:25.0796 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/01/06 18:27:25.0875 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/01/06 18:27:25.0953 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2011/01/06 18:27:26.0046 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/01/06 18:27:26.0156 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/01/06 18:27:26.0250 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/01/06 18:27:26.0328 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/01/06 18:27:26.0359 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/01/06 18:27:26.0468 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/01/06 18:27:26.0468 ================================================================================
    2011/01/06 18:27:26.0468 Scan finished
    2011/01/06 18:27:26.0468 ================================================================================
    2011/01/06 18:27:26.0500 Detected object count: 1
    2011/01/06 18:28:00.0609 \HardDisk0 - will be cured after reboot
    2011/01/06 18:28:00.0609 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/01/06 18:28:08.0875 Deinitialize success
    _____________________________________________________________________________


    ComboFix 11-01-06.03 - Mary 01/06/2011 18:58:25.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.532 [GMT -5:00]
    Running from: c:\documents and settings\Mary\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\NetworkService\Application Data\searchqutb
    c:\documents and settings\NetworkService\Application Data\searchqutb\dtx.ini
    c:\documents and settings\NetworkService\Application Data\searchqutb\guid.dat
    c:\documents and settings\NetworkService\Application Data\searchqutb\setupCfg.xml

    .
    ((((((((((((((((((((((((( Files Created from 2010-12-07 to 2011-01-07 )))))))))))))))))))))))))))))))
    .

    2011-01-06 06:42 . 2011-01-06 06:42 -------- d-----w- c:\program files\CCleaner
    2011-01-06 04:29 . 2011-01-06 04:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2011-01-06 02:14 . 2011-01-06 02:14 -------- d-----w- c:\program files\Foxit Software
    2011-01-06 01:52 . 2011-01-06 01:52 -------- d-----w- c:\program files\Common Files\Java
    2011-01-06 01:51 . 2010-11-12 23:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-01-06 01:03 . 2011-01-06 01:03 -------- d-----w- c:\documents and settings\Mary\Application Data\Malwarebytes
    2011-01-06 01:02 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-01-06 01:02 . 2011-01-06 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-01-06 01:02 . 2011-01-06 01:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-01-06 01:02 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-01-06 01:02 . 2010-11-16 17:01 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{CB0DD75D-D3DF-4EE5-BE41-08BD604DD88E}\mpengine.dll
    2011-01-06 01:02 . 2010-10-19 15:41 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-06 00:55 . 2011-01-06 00:56 -------- d-----w- c:\program files\Microsoft Security Client
    2011-01-06 00:46 . 2011-01-06 00:46 -------- d-----w- c:\documents and settings\Mary\Local Settings\Application Data\Mozilla
    2010-12-31 20:29 . 2010-12-31 20:29 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2010-12-15 12:08 . 2010-10-11 14:59 45568 ----a-w- c:\program files\Outlook Express\wab.exe
    2010-12-15 12:08 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-18 18:12 . 2010-11-18 18:12 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-12 21:34 . 2009-08-26 00:57 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-11-03 17:20 . 2010-11-03 17:20 53248 ----a-r- c:\documents and settings\Mary\Application Data\Microsoft\Installer\{23C12370-3A82-4558-B727-F345B473AD87}\ARPPRODUCTICON.exe
    2010-10-28 13:13 . 2010-10-28 13:13 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-26 13:25 . 2010-10-26 13:25 1853312 ----a-w- c:\windows\system32\win32k.sys
    2010-10-25 03:25 . 2010-10-25 03:25 165264 ----a-w- c:\windows\system32\drivers\MpFilter.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
    "HP BTW Detect Program"="c:\program files\HP\HPBTWD.exe" [2009-03-30 319488]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]
    "AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-07-06 737280]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2009-07-23 498744]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-10-19 1983816]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-15 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^Mary^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Mary\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Hewlett-Packard\\HP QuickSync\\jre\\bin\\javaw.exe"=

    R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [8/25/2009 7:31 PM 21488]
    R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [8/25/2009 7:31 PM 15856]
    R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [7/2/2009 1:10 AM 103792]
    R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [8/25/2009 7:31 PM 25584]
    R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 9:05 PM 457200]
    R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [7/9/2009 6:08 AM 199152]
    R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [8/25/2009 7:18 PM 113664]
    R3 Cam3820;Cam3820 PC Camera Driver;c:\windows\system32\drivers\cam3820a.sys [6/18/2009 11:36 AM 308608]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/31/2009 3:11 PM 39424]
    S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
    S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-06 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
    - c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-07-09 11:09]

    2011-01-06 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_CA&c=94&bd=Pavilion&pf=cnnb
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Mary\Application Data\Mozilla\Firefox\Profiles\chl7ze00.default\
    FF - prefs.js: browser.startup.homepage - google.ca
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-06 19:06
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2011-01-06 19:09:09
    ComboFix-quarantined-files.txt 2011-01-07 00:09

    Pre-Run: 138,461,192,192 bytes free
    Post-Run: 138,703,003,648 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    - - End Of File - - D37ADEFC623373675438CFAB9D56BEA9
     
  5. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    How is your system responding, any issues? logs look OK
     
  6. bricks_

    bricks_ Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    82
    It seems pretty good now. No delays when opening programs and no redirecting in the browser so far. Thanks for the help Kevin. Can you tell me what the problem was? I don't really know how to read those logs.
     
  7. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    TDL4 rootkit infection, very common symptom is re-directs. Nearly 1 am for me local time my friend. Need an online AV scan for confirmation system is clean and check for any remnants, as follows please :-

    Step 1

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    • Click the [​IMG] button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [​IMG] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [​IMG] icon on your desktop.
    • Check [​IMG]
    • Click the [​IMG] button.
    • Accept any security warnings from your browser.
    • Check [​IMG]
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push [​IMG]
    • Push [​IMG], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the [​IMG] button.
    • Push [​IMG]
    You can refer to this animation by neomage if needed.
    Frequently asked questions available Here Please read them before running the scan.

    Also be aware this scan can take several hours to complete depending on the size of your
    system.

    Step 2

    Need to look at security overview and check Java and Adobe etc.....

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Post logs from ESET and Security Checks in reply, I`ll have to check them later, sleepy time for me...

    Kevin
     
  8. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    77,248
    kevin, what in the name of all that's holy are you doing up at this hour? :)
     
  9. bricks_

    bricks_ Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    82
    That's ok I won't be able to run those last two scans till tomorrow anyway. Thanks again for the help. I will post again when the scans are done.
     
  10. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya Timothy,

    I`m up watching the Ashes Test Match with Australia. The guy who made the world round has a lot to answer for, if he`d left it flat we`d have no time differences!!

    Bricks_, just post the logs when you`re ready, i`ll be around later.

    Kevin
     
  11. valis

    valis Moderator

    Joined:
    Sep 24, 2004
    Messages:
    77,248
    yup, the Ashes is a valid reason to stay up late........You are forgiven.

    And happy birthday, btw.......I'm sure I'll find the official thread somewhere, but in case I don't........:)
     
  12. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Birthday is not until the 10th, you`re aging me prematurely Timothy...... England won the final test in the Ashes series so won 3 - 1 in tests, well worth staying up for...

    Kevin
     
  13. bricks_

    bricks_ Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    82
    Alright, I couldn't figure out how to get a log from ESET but it didn't detect any threats anyways. Here's the log from Security Check.

    Results of screen317's Security Check version 0.99.8
    Windows XP Service Pack 3
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    ESET Online Scanner v3
    Microsoft Security Essentials
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    CCleaner
    Java(TM) 6 Update 23
    Adobe Flash Player 10.1.102.64
    Mozilla Firefox (3.6.13)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    Windows Defender MSMpEng.exe
    Microsoft Security Essentials msseces.exe
    ESET ESET Online Scanner OnlineScannerApp.exe
    Microsoft Security Client Antimalware MsMpEng.exe
    ``````````End of Log````````````
     
  14. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    11,383
    First Name:
    Kevin
    Hiya bricks_

    Last set of logs were fine, needed the ESET scan for confirmation. Security Checks was to look at system security, Java and Adobe etc. All looks good to me, lets clean up.
    ESET saves a log here "C:\Program Files\ESET\EsetOnlineScanner\log.txt". not required if it found nothing.

    Step 1

    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
      [​IMG]
    • Please follow the prompts to uninstall Combofix.
    • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
    The above procedure will delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Step 2

    • Download OTC by OldTimer and save it to your desktop. Alternative mirror
    • Double click [​IMG] icon to start the program.
      If you are using Vista or Windows 7, please right-click and choose run as administrator
    • Then Click the big [​IMG] button.
    • You will get a prompt saying "Begining Cleanup Process". Please select Yes.
    • Restart your computer when prompted.

    Any tools/logs left on the Desktop can be deleted or dragged to the Recycle bin.

    Step 3

    Remove the ESET Online Scanner components from your computer, start the Add or Remove Programs applet from Control Panel, select the ESET Online Scanner entry and click Remove. The uninstall will happen very quickly, only re-boot if requested.

    Step 4

    I see you have CCleaner installed, now would be a good time to run the cleaner section.

    Post back and let me know if all of the above steps completed OK, especially the Combofix /Uninstall command.

    Kevin.
     
  15. bricks_

    bricks_ Thread Starter

    Joined:
    Jun 28, 2004
    Messages:
    82
    Hey Kevin,

    I'm having trouble uninstalling Combofix. The reason probably being that after the ESET and the Security Check scans were done I moved all the logs and executables off of the desktop and into My Documents folder before I read your last message. Now when I type Combofix /Uninstall into the run box it is telling me it can't find Combofix. I shouldn't have moved everything before I heard back from you but I thought it would be alright. I guess I was wrong haha.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/973057

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice