directrdr trouble


  • This topic is locked
15 replies to this topic

#1 ericjschroeder

Authentic Member, 97 posts

Posted 23 June 2010 - 02:22 PM

I am having trouble starting this post. I am trying with no DDS report first. Next try: I do tech support, but this is a bit beyond me, I guess. I have run MalwareBytes, Spybot, Lavasoft Adaware and Adwatch, Avast, and even the online EST (? I think), which said it found an infected atapi.sys.org (I renamed it trying to copy/replace the suspected file first), but I am still getting these annoying popups. Also, the last time I manually tried to shut down my PC it rebooted instead, and today while starting this process, everything stopped responding and I had to hard boot.

Here is my DDS output: I seem to be unable to post the DDS text so I will attach it. Hmm, had to zip it first.

Attached Files

  • Attached File: DDS.zip (6.39KB, 162 downloads)

Edited by ericjschroeder, 23 June 2010 - 02:26 PM.



#2 LDTate

Grand Poobah, Root Admin, 57,211 posts

Posted 25 June 2010 - 05:16 AM



DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.


Vista and Windows 7 users:
1. These tools MUST be run from the executable. (.exe) every time you run them
2. With Admin Rights (Right click, choose "Run as Administrator")


Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Uncheck "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Uncheck "Hide protected operating system files."
Click Apply, and then click OK.


Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.
Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.
When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:
Double-click on the Folder Options icon.
Click on the View tab.


If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.
Click on Show Hidden Files or Folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.



Please do not delete anything unless instructed to.


We've been seeing some Java infections lately.
Go here and follow the instructions to clear your Java Cache


Next:

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner»
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Then click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.


Also please describe how your computer behaves at the moment.


Please don't attach the scans / logs, use "copy/paste".

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 ericjschroeder

Authentic Member, 97 posts

Posted 25 June 2010 - 12:34 PM

I have done what you asked. No infections found this time with Malwarebytes, but I had run it before contacting you. I am currently running MSCONFIG so have limited startup but still have seen the Directrdr issue in both IE and Firefox. In fact, in IE, I couldn't even get to your website until I turned the MB protection back on. I am going to reboot now and see what happens. NOTE: the last time I tried to shut my PC off, it rebooted, and 3 times this week I have had Explorer stop responding, then Task Manager, and can't even end task on anything and had to hard boot. I do make weekly backups of my OS using Acronis, but unless I can figure out when I got this problem, I don't know which ones are clean.

OK, PC rebooted, but I noticed that an entry in Win.ini was turned on that I didn't specifically set in MSCONFIG. It is under a [PARID] section: ComputerID={AD2733E6-8BFB-4390-B405-266D1EFC67DE}. Also when I simply click on OK or Close in MSCONFIG, I get an error that I "may need to log on using an Administrator account", but I am an Admin acct.

PROBLEM STILL EXISTS. I have been redirected to several web sites. In my first post, I was unable to paste in the results of the DDS because I got an error every time I tried to submit my post, until I zipped it.

Here is the MB log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4239

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

6/25/2010 10:35:38 AM
mbam-log-2010-06-25 (10-35-38).txt

Scan type: Quick scan
Objects scanned: 131003
Time elapsed: 3 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 LDTate

Grand Poobah, Root Admin, 57,211 posts

Posted 27 June 2010 - 10:06 AM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step



Download TDSSKiller and save it to your Desktop.

  • Make sure all other windows are closed and to let it run uninterrupted.
  • Extract the file and run it.
  • Reboot your machine and please post the contents of that log TDSSKiller and GooredFix log.



#5 ericjschroeder

Authentic Member, 97 posts

Posted 27 June 2010 - 11:47 AM

GooredFix by jpshortstuff (08.01.10.1)
Log created at 10:36 on 27/06/2010 (ericjs)
Firefox version 3.6.4 (en-US)

========== GooredScan ==========

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:45 16/06/2010]
{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [21:11 16/06/2010]

C:\Documents and Settings\ericjs\Application Data\Mozilla\Firefox\Profiles\bwi5qfu2.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [21:26 16/06/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [21:26 16/06/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [05:58 08/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [02:37 12/01/2009]

-=E.O.F=-

#6 ericjschroeder

Authentic Member, 97 posts

Posted 27 June 2010 - 11:47 AM

10:38:40:562 3456 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
10:38:40:562 3456 ================================================================================
10:38:40:562 3456 SystemInfo:
10:38:40:562 3456 OS Version: 5.1.2600 ServicePack: 2.0
10:38:40:562 3456 Product type: Workstation
10:38:40:562 3456 ComputerName: MAIN
10:38:40:562 3456 UserName: ericjs
10:38:40:562 3456 Windows directory: C:\WINDOWS
10:38:40:562 3456 Processor architecture: Intel x86
10:38:40:562 3456 Number of processors: 2
10:38:40:562 3456 Page size: 0x1000
10:38:40:562 3456 Boot type: Normal boot
10:38:40:562 3456 ================================================================================
10:38:40:906 3456 Initialize success
10:38:40:906 3456 Scanning Services ...
10:38:41:281 3456 Raw services enum returned 364 services
10:38:41:281 3456 Scanning Drivers ...
[per-driver enumeration with MD5 hashes omitted]
10:38:42:875 3456 atapi (ef975a58f852ccd6f95bab04ee0ea94e) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:38:42:875 3456 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: ef975a58f852ccd6f95bab04ee0ea94e, Fake md5: cdfe4411a69c224bd1d11b2da92dac51
10:38:42:875 3456 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
10:38:43:093 3456 Backup copy found, using it..
10:38:43:109 3456 will be cured on next reboot
[per-driver enumeration with MD5 hashes omitted]
10:38:47:296 3456 Reboot required for cure complete..
10:38:47:703 3456 Cure on reboot scheduled successfully
10:38:47:703 3456 Completed
10:38:47:703 3456 Results:
10:38:47:703 3456 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:38:47:703 3456 File objects infected / cured / cured on reboot: 1 / 0 / 1
10:38:47:703 3456 KLMD(ARK) unloaded successfully
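A parser for the TDSSKiller log format posted above, added here as an example (it is not the poster's log and not Kaspersky's code). The sample log and every MD5 in it are constructed to mirror the posted layout; the line it exists to catch is "Suspicious file (Forged)", where the hash of the bytes on disk differs from the hash seen through the normal file API because the rootkit filters reads of the infected driver.

```python
"""Parse a TDSSKiller 2.x log and pull out what an analyst needs from it.

Added example for this thread, not the poster's log or Kaspersky's code.
The sample below is constructed to mirror the posted format
("HH:MM:SS:mmm <pid> <message>"); all MD5 values in it are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed hashes, shared by the sample log and the checks on it.
ACPI_MD5 = "00112233445566778899aabbccddeeff"
ATAPI_REAL_MD5 = "4f8b3c1e2d9a7b6c5d4e3f2a1b0c9d8e"
ATAPI_FAKE_MD5 = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
ATAPI_PATH = r"C:\WINDOWS\system32\DRIVERS\atapi.sys"

# Constructed sample log in the TDSSKiller layout (not a real scan).
SAMPLE_LOG = rf"""
10:38:40:562 3456 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
10:38:40:562 3456 OS Version: 5.1.2600 ServicePack: 2.0
10:38:41:281 3456 Scanning Drivers ...
10:38:42:406 3456 ACPI ({ACPI_MD5}) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:38:42:875 3456 atapi ({ATAPI_REAL_MD5}) {ATAPI_PATH}
10:38:42:875 3456 Suspicious file (Forged): {ATAPI_PATH}. Real md5: {ATAPI_REAL_MD5}, Fake md5: {ATAPI_FAKE_MD5}
10:38:42:875 3456 File "{ATAPI_PATH}" infected by TDSS rootkit ...
10:38:43:109 3456 will be cured on next reboot
10:38:47:296 3456 Reboot required for cure complete..
10:38:47:703 3456 Results:
10:38:47:703 3456 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:38:47:703 3456 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every log line: timestamp, process id, free-text message.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s*(.*)$")
# Driver enumeration entry: "<service name> (<md5>) <path>".
DRIVER_RE = re.compile(r"^(\S+)\s+\(([0-9a-f]{32})\)\s+(\S.*)$")
# The detection line: on-disk ("Real") hash vs. hash seen via file API ("Fake").
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), "
    r"Fake md5: ([0-9a-f]{32})$"
)
RESULT_RE = re.compile(
    r"^(Registry|File) objects infected / cured / cured on reboot: "
    r"(\d+) / (\d+) / (\d+)$"
)


@dataclass
class Report:
    drivers: dict[str, tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    forged: list[tuple[str, str, str]] = field(default_factory=list)   # (path, real, fake)
    infected: list[str] = field(default_factory=list)                  # paths called infected
    results: dict[str, tuple[int, int, int]] = field(default_factory=dict)
    reboot_required: bool = False


def parse_tdsskiller(text: str) -> Report:
    """Walk the log line by line and collect drivers, detections and totals."""
    rep = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-log line
        msg = m.group(3).strip()
        if (f := FORGED_RE.match(msg)):
            rep.forged.append((f.group(1), f.group(2), f.group(3)))
        elif (d := DRIVER_RE.match(msg)):
            rep.drivers[d.group(1)] = (d.group(2), d.group(3))
        elif msg.startswith('File "') and "infected by" in msg:
            rep.infected.append(msg.split('"')[1])
        elif (r := RESULT_RE.match(msg)):
            rep.results[r.group(1)] = tuple(int(x) for x in r.group(2, 3, 4))
        elif msg.startswith("Reboot required"):
            rep.reboot_required = True
    return rep


def triage(rep: Report) -> list[str]:
    """Analyst-facing findings derived from the parsed report."""
    notes: list[str] = []
    for path, real, fake in rep.forged:
        name = path.rsplit("\\", 1)[-1]
        notes.append(
            f"FORGED {name}: on-disk md5 {real} differs from md5 seen through "
            f"the file API {fake}; consistent with a rootkit filtering reads"
        )
    for kind, (infected, cured, on_reboot) in rep.results.items():
        outstanding = infected - cured - on_reboot
        if outstanding > 0:
            notes.append(f"{kind}: {outstanding} infected object(s) neither cured nor scheduled")
    if rep.reboot_required:
        notes.append("Reboot required before the cure applies; rescan afterwards to confirm")
    return notes


if __name__ == "__main__":
    for note in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(note)
```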

#7 LDTate

Grand Poobah, Root Admin, 57,211 posts

Posted 27 June 2010 - 12:03 PM

Download ComboFix from one of these locations:

Link 1
Link 2 If using this link, Right Click and select Save As.


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

  • Double click on ComboFix.exe & follow the prompts.

    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.

    Note: If you have SP3, use the SP2 package.
    If Vista or Windows 7, skip the Recovery Console part

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.


Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to donate via PayPal for the help you received.
 

Proud graduate of TC/WTT Classroom
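Note 3 above says ComboFix turns off autorun for all CD, floppy and USB devices. How it does that is not stated in the post, so the following Python, an added example and not ComboFix's code, shows the check a helper would run afterwards against a `reg export` of the relevant keys: the NoDriveTypeAutoRun bitmask (bit n disables autorun for drive type n as numbered by GetDriveType, so 0xFF covers every type, whereas XP's default 0x95 leaves CD/DVD autorun on) and the IniFileMapping redirect for Autorun.inf, which makes Windows ignore autorun.inf files altogether. The two .reg texts are constructed samples, the parser handles only DWORD and string values, and it reads only the HKLM policy key (the same value under HKCU also applies on a real machine).

```python
"""Check whether Windows autorun is really off, from .reg export text.

Added example for this thread; not ComboFix's code. Sample exports are constructed."""
import re

# Drive type numbers as returned by GetDriveType(); NoDriveTypeAutoRun bit n
# disables autorun for type n. Bit 7 maps to no drive type but is set in XP's default.
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}
ALL_TYPES_MASK = 0xFF

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
MAPPING_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\IniFileMapping\Autorun.inf")

# Constructed sample 1: XP's default policy value (0x95), CD/DVD autorun still on.
REG_DEFAULT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"""

# Constructed sample 2: every drive type masked and Autorun.inf lookups redirected.
REG_HARDENED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"[^"]+")=(.*)$')


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: value}}; DWORD and string only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        v = VALUE_LINE.match(line)
        if not v or current is None:
            continue
        name = "" if v.group(1) == "@" else v.group(1).strip('"')   # "" = (Default)
        data = v.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
        # hex:/expand-string values are not needed for this check and are skipped
    return keys


def autorun_status(reg):
    """Which drive types still honour autorun.inf, and whether the IniFileMapping
    redirect (which makes Windows ignore every autorun.inf) is in place.
    A missing policy value is treated conservatively as 'nothing disabled'."""
    mask = reg.get(POLICY_KEY, {}).get("NoDriveTypeAutoRun", 0)
    still_enabled = [name for bit, name in DRIVE_TYPES.items() if not mask & (1 << bit)]
    redirected = reg.get(MAPPING_KEY, {}).get("") == "@SYS:DoesNotExist"
    return {
        "mask": mask,
        "autorun_enabled_for": still_enabled,
        "inifilemapping_redirect": redirected,
        "fully_disabled": redirected or (mask & ALL_TYPES_MASK) == ALL_TYPES_MASK,
    }


if __name__ == "__main__":
    for label, text in (("XP default", REG_DEFAULT), ("hardened", REG_HARDENED)):
        print(label, autorun_status(parse_reg(text)))
```

The two controls are independent: the bitmask decides which drive types Explorer consults autorun.inf for, while the IniFileMapping redirect stops autorun.inf from being read at all, so either one being correct is enough for the "fully disabled" verdict.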

 


#8 ericjschroeder

ericjschroeder

    Authentic Member

  • Authentic Member
  • PipPip
  • 97 posts

Posted 27 June 2010 - 05:01 PM

ComboFix 10-06-27.02 - ericjs 06/27/2010 11:28:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3198.2383 [GMT -7:00]
Running from: c:\documents and settings\ericjs\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\ericjs\g2mdlhlpx.exe
c:\windows\system32\kungsfepayseua.dat
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
.

2010-06-25 18:39 . 2010-06-27 17:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WTablet
2010-06-24 00:39 . 2010-06-24 00:41 -------- d-----w- c:\documents and settings\PU\Local Settings\Application Data\Microsoft
2010-06-24 00:39 . 2010-06-24 00:39 -------- d-----w- c:\documents and settings\PU
2010-06-24 00:39 . 2009-08-08 05:58 -------- d-sh--w- c:\documents and settings\PU\IETldCache
2010-06-23 01:07 . 2010-06-23 01:07 -------- d-----w- c:\program files\Trend Micro
2010-06-22 18:42 . 2010-06-22 18:42 -------- d-----w- c:\program files\ESET
2010-06-22 14:52 . 2004-08-04 05:59 95360 ----a-w- C:\atapi.sys
2010-06-16 23:56 . 2010-06-22 00:02 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-06-16 23:49 . 2010-06-22 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-06-16 23:49 . 2010-06-16 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-06-16 23:49 . 2010-06-16 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-06-16 21:21 . 2010-06-16 21:21 -------- d-----w- c:\program files\Common Files\Java
2010-06-16 21:11 . 2010-06-16 21:11 61440 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c0688b0-n\decora-sse.dll
2010-06-16 21:11 . 2010-06-16 21:11 503808 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6ad6d70d-n\msvcp71.dll
2010-06-16 21:11 . 2010-06-16 21:11 499712 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6ad6d70d-n\jmc.dll
2010-06-16 21:11 . 2010-06-16 21:11 12800 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c0688b0-n\decora-d3d.dll
2010-06-16 21:11 . 2010-06-16 21:11 348160 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6ad6d70d-n\msvcr71.dll
2010-06-16 21:11 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-16 21:00 . 2010-06-16 21:00 -------- d-----w- c:\program files\QuickTime
2010-06-16 21:00 . 2010-06-16 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-16 20:46 . 2010-06-16 20:46 0 ----a-w- c:\windows\nsreg.dat
2010-06-16 20:46 . 2010-06-16 20:46 -------- d-----w- c:\documents and settings\ericjs\Local Settings\Application Data\Mozilla
2010-06-11 05:53 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-11 05:53 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-11 05:52 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-11 05:52 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-11 05:52 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-11 05:52 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-11 05:52 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-11 05:52 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-11 05:52 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-11 05:52 . 2010-06-11 05:52 -------- d-----w- c:\program files\Alwil Software
2010-06-11 05:52 . 2010-06-11 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-10 02:22 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-10 02:22 . 2010-06-10 02:22 -------- d-----w- c:\program files\Panda Security
2010-06-09 04:30 . 2010-06-09 04:30 24280 ----a-w- c:\documents and settings\ericjs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-09 03:58 . 2010-06-09 03:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-08 22:31 . 2010-06-08 22:31 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll
2010-06-05 23:02 . 2010-06-26 16:42 -------- d-----w- c:\program files\VodBurner
2010-06-05 23:01 . 2010-06-05 23:01 826880 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\slplugin.dll
2010-06-05 23:01 . 2010-06-05 23:01 626688 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\msvcr80.dll
2010-06-05 23:01 . 2010-06-05 23:01 620032 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\SLHook.dll
2010-06-05 23:01 . 2010-06-05 23:01 603648 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\refine.exe
2010-06-05 23:01 . 2010-06-05 23:01 5161984 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\VodBurner.exe
2010-06-05 23:01 . 2010-06-05 23:01 428032 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\rubit.exe
2010-06-05 23:01 . 2010-06-05 23:01 29696 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_wmf.dll
2010-06-05 23:01 . 2010-06-05 23:01 2608128 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\Desk.exe
2010-06-05 23:01 . 2010-06-05 23:01 17920 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_asf.dll
2010-06-05 23:01 . 2010-06-05 23:01 1700352 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\GdiPlus.dll
2010-05-30 02:23 . 2009-05-18 21:47 3007352 ----a-w- c:\documents and settings\ericjs\Application Data\Simply Super Software\Trojan Remover\ksr1.exe
2010-05-29 22:10 . 2010-05-29 22:58 -------- d-----w- c:\program files\Tomb Raider - Anniversary

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-27 18:38 . 2008-12-02 05:24 -------- d-----w- c:\program files\Taskbar Shuffle
2010-06-27 18:37 . 2008-11-28 06:50 -------- d-----w- c:\documents and settings\ericjs\Application Data\WTablet
2010-06-27 18:36 . 2010-03-11 04:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-27 18:36 . 2010-03-11 04:27 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-06-27 17:39 . 2004-08-04 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-27 07:28 . 2008-11-28 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Zoom Player
2010-06-27 06:09 . 2009-02-17 11:44 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-25 18:51 . 2008-11-30 02:46 -------- d-----w- c:\program files\Macro Express3
2010-06-24 01:39 . 2010-06-24 00:39 -------- d-----w- c:\documents and settings\PU\Application Data\WTablet
2010-06-24 00:41 . 2010-06-24 00:41 24280 ----a-w- c:\documents and settings\PU\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 00:41 . 2010-06-24 00:41 -------- d-----w- c:\documents and settings\PU\Application Data\Realtime Soft
2010-06-24 00:41 . 2010-06-24 00:41 -------- d-----w- c:\documents and settings\PU\Application Data\ATI
2010-06-16 21:10 . 2009-01-12 02:37 -------- d-----w- c:\program files\Java
2010-06-10 19:32 . 2009-12-27 18:09 -------- d-----w- c:\documents and settings\ericjs\Application Data\Skype
2010-06-10 16:23 . 2009-12-27 18:11 -------- d-----w- c:\documents and settings\ericjs\Application Data\skypePM
2010-06-10 16:20 . 2009-06-06 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 22:31 . 2010-04-11 00:19 -------- d-----w- c:\program files\Quicken
2010-06-08 22:31 . 2010-04-11 00:24 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-06-08 17:31 . 2009-02-15 22:55 -------- d-----w- c:\program files\MetaTrader - Alpari (US)
2010-06-06 18:40 . 2010-03-18 14:14 -------- d-----w- c:\program files\MetaTrader 4 at FOREX.com
2010-05-30 02:25 . 2009-06-06 22:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-04 17:20 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-05-23 13:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2004-08-04 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-06-06 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-06-06 16:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 03:36 . 2010-04-28 03:36 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll
2010-04-20 05:51 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-11 00:25 . 2010-04-11 00:25 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
2010-04-11 00:25 . 2010-04-11 00:25 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
2010-04-11 00:24 . 2010-04-11 00:24 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll
2010-04-11 00:23 . 2010-04-11 00:23 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll
2010-04-11 00:23 . 2010-04-11 00:23 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll
2010-04-11 00:23 . 2010-04-11 00:23 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll
2010-04-11 00:21 . 2010-04-11 00:21 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2010-04-11 00:21 . 2010-04-11 00:21 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2010-03-31 07:16 . 2010-03-31 07:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10 . 2010-03-31 07:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2007-01-31 1129232]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-05-18 1059720]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 16125440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-23 2209224]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-08-21 4382720]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2007-01-31 1862112]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-01-31 140832]

c:\documents and settings\ericjs\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-11-28 534016]
NetPerSec.lnk - f:\dl\Utils\NetPerSec\NetPerSec.exe [2009-5-21 192512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-2-3 221247]
Macro Express 3.lnk - c:\program files\Macro Express3\MacExp.exe [2008-11-29 3556864]
UltraMon.lnk - c:\windows\Installer\{B49673F8-7AB6-4A14-8213-C8A7BE370010}\IcoUltraMon.ico [2010-2-21 29310]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acronis\\TrueImageWorkstation\\TrueImage.exe"=
"c:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Radmin Viewer 3\\Radmin.exe"=
"c:\\Program Files\\OEC\\Trader\\Trader.exe"=
"c:\\Program Files\\MetaTrader 4 at FOREX.com\\terminal.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Metatrader 4 by Gallant FX\\terminal.exe"=
"f:\\NewsBin5\\nbpro.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"23:TCP"= 23:TCP:Radmin

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/9/2010 7:22 PM 28552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/10/2010 10:53 PM 164048]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [10/31/2007 4:30 PM 45976]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/10/2010 10:53 PM 19024]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/6/2009 9:47 AM 304464]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [3/19/2010 8:39 PM 91392]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [12/6/2008 2:22 PM 1246536]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [11/27/2008 11:49 PM 3032360]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 3:11 AM 17184]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/6/2009 9:47 AM 20952]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [11/27/2008 11:49 PM 15144]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [3/19/2010 8:40 PM 25856]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [8/21/2009 9:37 PM 428184]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AD-WATCH_REAL-TIME_SCANNER
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\ericjs\Application Data\Mozilla\Firefox\Profiles\bwi5qfu2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-dxlock - (no file)
HKCU-Run-AppVodBurner - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-27 11:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1080)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(7332)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Macro Express3\mexhook.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\rserver30\FamItrfc.Exe
c:\windows\RTHDCPL.EXE
c:\program files\UltraMon\UltraMon.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
.
**************************************************************************
.
Completion time: 2010-06-27 11:42:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-27 18:42

Pre-Run: 8,401,735,680 bytes free
Post-Run: 8,549,789,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
;timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 3DC37AD6147F7C5A92B6AA6DAE6762ED

My PC did lock up once running Acronis backup but after a hard boot it was successful. Also have not yet gotten any directrdr popups; hopeful. I did get at least one suspicious web warning from Malwarebytes for IP 221.192.199.35; not sure if that's related.
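The log above is a ComboFix report, and the two things a helper reads first in one are the "Files Created" entries (creation time, last-write time, size, attributes, path) and the firewall exception lists. The following Python is an added example, not part of the thread or of ComboFix, that parses those sections from a few lines copied out of the log above and flags two things worth a second look: executables created inside the scan window whose last-write timestamp is years older (the C:\atapi.sys copy, consistent with the file replacement the poster described), and ports opened to the network in the standard firewall profile (3389/TCP and 23/TCP, the latter labelled Radmin). The one-year gap threshold and the choice of what to flag are this example's own heuristics, not ComboFix's.

```python
"""Triage two sections of a ComboFix log: 'Files Created' and firewall exceptions.

Added example for this thread; not ComboFix's own code. SAMPLE_LOG is a handful of
lines copied from the log posted above (sample input, not a complete log)."""
import re
from datetime import datetime

SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-05-27 to 2010-06-27 )))))))))))))))))))))))))))))))
.
2010-06-22 14:52 . 2004-08-04 05:59 95360 ----a-w- C:\atapi.sys
2010-06-16 21:11 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-11 05:53 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-23 01:07 . 2010-06-23 01:07 -------- d-----w- c:\program files\Trend Micro
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"23:TCP"= 23:TCP:Radmin

R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [10/31/2007 4:30 PM 45976]
"""

# created . last-written  size|--------  attributes  path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-{8}) ([d-][-a-z]{7}) (.+)$")
FW_SECTION = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)\\(\w+)\\List\]$")
FW_ENTRY = re.compile(r'^"([^"]+)"=\s*(.*)$')


def parse_files_created(log):
    """Entries of the 'Files Created' / Find3M sections as dicts."""
    entries = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        created, modified, size, attrs, path = m.groups()
        entries.append({
            "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs[0] == "d",
            "path": path,
        })
    return entries


def backdated_binaries(entries, min_gap_days=365):
    """Executables created inside the scan window whose last-write time is far older:
    the file was copied in with its old timestamp preserved. Installers do this too,
    so read the result as 'hash these against a known-good copy', not as a verdict."""
    return [e["path"] for e in entries
            if not e["is_dir"]
            and e["path"].lower().endswith((".sys", ".exe", ".dll"))
            and (e["created"] - e["modified"]).days >= min_gap_days]


def parse_firewall(log):
    """Firewall exception lists: {profile: {list_name: [(key, value), ...]}}."""
    fw, profile, name = {}, None, None
    for line in log.splitlines():
        line = line.strip()
        m = FW_SECTION.match(line)
        if m:
            profile, name = m.groups()
            fw.setdefault(profile, {}).setdefault(name, [])
            continue
        if not line:                      # a blank line closes the list
            profile = name = None
            continue
        e = FW_ENTRY.match(line)
        if profile and e:
            key = e.group(1).replace("\\\\", "\\")   # REGEDIT4 doubles backslashes
            fw[profile][name].append((key, e.group(2)))
    return fw


def open_ports(fw, profile="standardprofile"):
    """Ports opened to the whole network, with the display name ComboFix printed."""
    out = []
    for key, value in fw.get(profile, {}).get("GloballyOpenPorts", []):
        parts = value.split(":", 2)       # port:proto:name
        out.append((key, parts[2] if len(parts) == 3 else ""))
    return out


if __name__ == "__main__":
    entries = parse_files_created(SAMPLE_LOG)
    print("backdated binaries:", backdated_binaries(entries))
    print("globally open ports:", open_ports(parse_firewall(SAMPLE_LOG)))
```

On the sample the first check returns only C:\atapi.sys, and the second returns 3389/TCP and 23/TCP; a globally open remote-administration port is something to confirm the owner intended, independently of whatever caused the popups.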

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 27 June 2010 - 05:12 PM

I'll assume the Norton / Symantec are leftovers.
If not, don't run this fix.


Copy/paste the text in the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

File::

Folder::
c:\program files\Common Files\Symantec Shared
c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\All Users\Application Data\Symantec
c:\documents and settings\All Users\Application Data\NortonInstaller

Save this file to your desktop. Save it as "CFScript".

Here's how to do that:
1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...



Drag CFScript.txt into ComboFix.exe


Then post the results log using Copy / Paste


Also please describe how your computer behaves at the moment.


 


#10 ericjschroeder

ericjschroeder

    Authentic Member

  • Authentic Member
  • PipPip
  • 97 posts

Posted 27 June 2010 - 05:37 PM

Ok, I'm confused. First, I don't use any Norton or Symantec products; I did have a Norton quick scan that I let slip onto my PC but I removed it, so I don't mind removing these. Second, you say to rename the file to "CFScript" (all files) but your picture shows it as "CFScript.txt". Which should it be?



#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 27 June 2010 - 05:39 PM

It will be saved as a .txt file so its name after saving it will be combofix.txt


 


#12 ericjschroeder

ericjschroeder

    Authentic Member

  • Authentic Member
  • PipPip
  • 97 posts

Posted 27 June 2010 - 06:11 PM

I'm still a little confused but here's what I did:

You didn't say if the CFScript file needed the .txt so I left it off and dragged it onto Combofix.exe. As it started to run, it said there was an update available and did I want it? I said No, then it suggested I delete my current copy and download a new one, but it ran anyway. However, it again told me that Recovery Console was not installed, even though it supposedly installed it the first time, so I let it install again (still didn't see the RC window on boot up, but I use Acronis Boot Loader and maybe that side-steps it). Here is the new log:


ComboFix 10-06-27.02 - ericjs 06/27/2010 16:53:16.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3198.1952 [GMT -7:00]
Running from: c:\documents and settings\ericjs\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\ericjs\Desktop\CFScript
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Norton
c:\documents and settings\All Users\Application Data\Norton\symdata.xml
c:\documents and settings\All Users\Application Data\NortonInstaller
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\06-16-2010-16h49m25s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\06-16-2010-16h49m25s\NortonInstall-06-16-2010-16h49m25s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\06-21-2010-17h02m41s\Install.1.mft.7z
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\06-21-2010-17h02m41s\NortonInstall-06-21-2010-17h02m41s.log
c:\documents and settings\All Users\Application Data\NortonInstaller\Logs\06-21-2010-17h03m00s\NortonInstall-06-21-2010-17h03m00s.log
c:\documents and settings\All Users\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Symantec\symdata.xml
c:\program files\Common Files\Symantec Shared
c:\windows\TEMP\logishrd\LVPrcInj01.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-28 to 2010-06-28 )))))))))))))))))))))))))))))))
.

2010-06-27 22:51 . 2010-06-27 22:51 -------- d-----w- c:\documents and settings\ericjs\Local Settings\Application Data\Temp
2010-06-27 22:51 . 2010-06-27 22:51 -------- d-----w- c:\documents and settings\ericjs\Local Settings\Application Data\Google
2010-06-27 19:31 . 2010-06-27 19:31 -------- d-----w- c:\program files\Western Digital Corporation
2010-06-27 19:20 . 2009-05-18 21:47 3007352 ----a-w- c:\documents and settings\ericjs\Application Data\Simply Super Software\Trojan Remover\egp2.exe
2010-06-25 18:39 . 2010-06-27 17:40 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WTablet
2010-06-23 01:07 . 2010-06-23 01:07 -------- d-----w- c:\program files\Trend Micro
2010-06-22 18:42 . 2010-06-22 18:42 -------- d-----w- c:\program files\ESET
2010-06-22 14:52 . 2004-08-04 05:59 95360 ----a-w- C:\atapi.sys
2010-06-16 21:21 . 2010-06-16 21:21 -------- d-----w- c:\program files\Common Files\Java
2010-06-16 21:11 . 2010-06-16 21:11 61440 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c0688b0-n\decora-sse.dll
2010-06-16 21:11 . 2010-06-16 21:11 503808 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6ad6d70d-n\msvcp71.dll
2010-06-16 21:11 . 2010-06-16 21:11 499712 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6ad6d70d-n\jmc.dll
2010-06-16 21:11 . 2010-06-16 21:11 12800 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6c0688b0-n\decora-d3d.dll
2010-06-16 21:11 . 2010-06-16 21:11 348160 ----a-w- c:\documents and settings\ericjs\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6ad6d70d-n\msvcr71.dll
2010-06-16 21:11 . 2010-04-13 00:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-16 21:00 . 2010-06-16 21:00 -------- d-----w- c:\program files\QuickTime
2010-06-16 21:00 . 2010-06-16 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-06-16 20:46 . 2010-06-16 20:46 0 ----a-w- c:\windows\nsreg.dat
2010-06-16 20:46 . 2010-06-16 20:46 -------- d-----w- c:\documents and settings\ericjs\Local Settings\Application Data\Mozilla
2010-06-11 05:53 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-11 05:53 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-11 05:52 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-11 05:52 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-11 05:52 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-11 05:52 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-11 05:52 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-11 05:52 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-06-11 05:52 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-11 05:52 . 2010-06-11 05:52 -------- d-----w- c:\program files\Alwil Software
2010-06-11 05:52 . 2010-06-11 05:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-06-10 02:22 . 2009-06-30 16:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-10 02:22 . 2010-06-10 02:22 -------- d-----w- c:\program files\Panda Security
2010-06-09 04:30 . 2010-06-09 04:30 24280 ----a-w- c:\documents and settings\ericjs\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-09 03:58 . 2010-06-09 03:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-06-08 22:31 . 2010-06-08 22:31 2812928 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191916-191106.dll
2010-06-05 23:02 . 2010-06-26 16:42 -------- d-----w- c:\program files\VodBurner
2010-06-05 23:01 . 2010-06-05 23:01 826880 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\slplugin.dll
2010-06-05 23:01 . 2010-06-05 23:01 626688 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\msvcr80.dll
2010-06-05 23:01 . 2010-06-05 23:01 620032 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\SLHook.dll
2010-06-05 23:01 . 2010-06-05 23:01 603648 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\refine.exe
2010-06-05 23:01 . 2010-06-05 23:01 5161984 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\VodBurner.exe
2010-06-05 23:01 . 2010-06-05 23:01 428032 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\rubit.exe
2010-06-05 23:01 . 2010-06-05 23:01 29696 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_wmf.dll
2010-06-05 23:01 . 2010-06-05 23:01 2608128 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\Desk.exe
2010-06-05 23:01 . 2010-06-05 23:01 17920 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\sl_asf.dll
2010-06-05 23:01 . 2010-06-05 23:01 1700352 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\15369F80F920484EABEE8CCB11D0565F\vodburner\GdiPlus.dll
2010-05-29 22:10 . 2010-05-29 22:58 -------- d-----w- c:\program files\Tomb Raider - Anniversary

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-28 00:01 . 2008-12-02 05:24 -------- d-----w- c:\program files\Taskbar Shuffle
2010-06-28 00:01 . 2008-11-28 06:50 -------- d-----w- c:\documents and settings\ericjs\Application Data\WTablet
2010-06-28 00:00 . 2010-03-11 04:28 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-28 00:00 . 2010-03-11 04:27 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-06-27 23:49 . 2009-02-17 11:44 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-27 19:20 . 2009-06-06 22:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-27 17:39 . 2004-08-04 12:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-06-27 07:28 . 2008-11-28 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Zoom Player
2010-06-25 18:51 . 2008-11-30 02:46 -------- d-----w- c:\program files\Macro Express3
2010-06-16 21:10 . 2009-01-12 02:37 -------- d-----w- c:\program files\Java
2010-06-10 19:32 . 2009-12-27 18:09 -------- d-----w- c:\documents and settings\ericjs\Application Data\Skype
2010-06-10 16:23 . 2009-12-27 18:11 -------- d-----w- c:\documents and settings\ericjs\Application Data\skypePM
2010-06-10 16:20 . 2009-06-06 16:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 22:31 . 2010-04-11 00:19 -------- d-----w- c:\program files\Quicken
2010-06-08 22:31 . 2010-04-11 00:24 243032 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\QWPATCH.EXE
2010-06-08 17:31 . 2009-02-15 22:55 -------- d-----w- c:\program files\MetaTrader - Alpari (US)
2010-06-06 18:40 . 2010-03-18 14:14 -------- d-----w- c:\program files\MetaTrader 4 at FOREX.com
2010-05-04 17:20 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2009-05-23 13:35 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2004-08-04 12:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 22:39 . 2009-06-06 16:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2009-06-06 16:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 03:36 . 2010-04-28 03:36 5487616 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19188-191916.dll
2010-04-20 05:51 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-11 00:25 . 2010-04-11 00:25 6301696 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191127-191222.dll
2010-04-11 00:25 . 2010-04-11 00:25 7032320 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191222-191319.dll
2010-04-11 00:24 . 2010-04-11 00:24 2844160 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191714-19188.dll
2010-04-11 00:23 . 2010-04-11 00:23 7410688 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191319-191429.dll
2010-04-11 00:23 . 2010-04-11 00:23 5686272 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\19153-191714.dll
2010-04-11 00:23 . 2010-04-11 00:23 2776576 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\191429-19153.dll
2010-04-11 00:21 . 2010-04-11 00:21 230752 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\patchw32.dll
2010-04-11 00:21 . 2010-04-11 00:21 956 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\Quicken\Inet\Common\patch\Update\rebase.cmd
2010-03-31 07:16 . 2010-03-31 07:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 07:10 . 2010-03-31 07:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-06-27_18.38.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-28 00:00 . 2010-06-28 00:00 16384 c:\windows\Temp\Perflib_Perfdata_600.dat
+ 2010-06-27 19:43 . 2010-06-27 19:43 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\f46915dfc57bc7e49c5402e9b8f7ec18\System.Windows.Presentation.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 36864 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\1464c662c302ea6372a885161b983732\System.Web.DynamicData.Design.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 55296 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\4a52287444c36c89310856b38ff52fe0\Microsoft.Vsa.ni.dll
+ 2010-06-27 19:44 . 2010-06-27 19:44 400896 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\747e84d81d1de2041661f0f71b04734a\System.Xml.Linq.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 129536 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Routing\d51dfbd8d5431eb89181baaa24863e15\System.Web.Routing.ni.dll
+ 2010-06-27 19:43 . 2010-06-27 19:43 202240 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\436dde9611932489da3dc8a1be170843\System.Web.RegularExpressions.ni.dll
+ 2010-06-27 19:43 . 2010-06-27 19:43 859648 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\e8ef769b3e899e62b26daadee50b97ed\System.Web.Extensions.Design.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 328704 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity\ce3b446b7bee5c47949c994ec89b1649\System.Web.Entity.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 301056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Entity.D#\ad04fe1182e55e7c01066b62a4bee6b5\System.Web.Entity.Design.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 547328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.DynamicD#\20ba0d4d182a1a9c1f54c00d3bc29a68\System.Web.DynamicData.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Abstract#\c97ecf9250c2f0794262534f27f98b72\System.Web.Abstractions.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 627200 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\9c56656c88979cf18de6cbcb6587ba8f\System.Transactions.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 212992 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\5adb0f89d469632511aed9d88cfe05c4\System.ServiceProcess.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 311296 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\3231473e2ec4451c8f218930fda80d19\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 621056 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Net\f90965b9d9a6a6604c9a66f57c37c026\System.Net.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 998400 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\16670b6870746e5a8dc4a73a76a90bed\System.Management.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 330752 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Management.I#\e6bd59fec415e273c173170c6508180a\System.Management.Instrumentation.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 280064 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\e9edc5cd12ebb513b4a3c53cb4640771\System.EnterpriseServices.Wrapper.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 627712 c:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\e9edc5cd12ebb513b4a3c53cb4640771\System.EnterpriseServices.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 455680 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\9ef70079beca3a9982a3aa76ebc0ddd8\System.DirectoryServices.Protocols.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 881152 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\277619716d9136216065bea970365c65\System.DirectoryServices.AccountManagement.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 939008 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\90b67e13866b176ae6cbdb23144f724d\System.Data.Services.Client.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 354816 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Service#\131a477d41a8669b15696128b94c2636\System.Data.Services.Design.ni.dll
+ 2010-06-27 19:40 . 2010-06-27 19:40 756736 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity.#\d4990681ce373d81a52b231ee4c4afea\System.Data.Entity.Design.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 141312 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\39e4f9a276fb12125d8a1444d8b65a84\System.Configuration.Install.ni.dll
+ 2010-06-27 19:44 . 2010-06-27 19:44 1356288 c:\windows\assembly\NativeImages_v2.0.50727_32\System.WorkflowServ#\016b75f60a18535c8d6b3e5d861ab559\System.WorkflowServices.ni.dll
+ 2010-06-27 19:44 . 2010-06-27 19:44 1908224 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Run#\6dacae37d337004345518976fb57099e\System.Workflow.Runtime.ni.dll
+ 2010-06-27 19:43 . 2010-06-27 19:43 4514304 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Com#\c7b832bbc5bb11c6c7f128c801ce90d7\System.Workflow.ComponentModel.ni.dll
+ 2010-06-27 19:43 . 2010-06-27 19:43 2992640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Workflow.Act#\b9ea6ea910293cd6f13f765775867ebd\System.Workflow.Activities.ni.dll
+ 2010-06-27 19:43 . 2010-06-27 19:43 1840640 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\8ef8d556899a4a10b7f288a80925489f\System.Web.Services.ni.dll
+ 2010-06-27 19:43 . 2010-06-27 19:43 2209280 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\5dfda43f1991ee6ba345d62b2be4801c\System.Web.Mobile.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 2403328 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Extensio#\f08b3b8cdf548e3dfe61f342536175eb\System.Web.Extensions.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 1706496 c:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceModel#\169fe0ad9d59982a2a6b89779c09885b\System.ServiceModel.Web.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 1116672 c:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\7deab2494d53763cd83c567e71e0d8e0\System.DirectoryServices.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 1801216 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\b81efadfee7702624b713c6d86f7e369\System.Deployment.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 1328128 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Services\5e6311aff5ada83d0f854922fa62faf6\System.Data.Services.ni.dll
+ 2010-06-27 19:40 . 2010-06-27 19:40 9924096 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Data.Entity\6abf820d8ec57a0561c3367727d274df\System.Data.Entity.ni.dll
+ 2010-06-27 19:41 . 2010-06-27 19:41 2332160 c:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\9db8f9f7fe63ca4451bb5316a3ebb009\Microsoft.JScript.ni.dll
+ 2010-06-27 19:42 . 2010-06-27 19:42 11797504 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\d987cf1de4ba688da92e212a374232c2\System.Web.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Taskbar Shuffle"="c:\program files\Taskbar Shuffle\taskbarshuffle.exe" [2008-04-17 818176]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\ericjs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-27 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageWorkstation\TrueImageMonitor.exe" [2007-01-31 1129232]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-30 61440]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 16125440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"OSSelectorReinstall"="c:\program files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2007-02-23 2209224]
"nwiz"="nwiz.exe" [2008-10-07 1630208]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2007-08-21 4382720]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageWorkstation\TimounterMonitor.exe" [2007-01-31 1862112]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-01-31 140832]

c:\documents and settings\ericjs\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2008-11-28 534016]
NetPerSec.lnk - f:\dl\Utils\NetPerSec\NetPerSec.exe [2009-5-21 192512]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-2-3 221247]
Macro Express 3.lnk - c:\program files\Macro Express3\MacExp.exe [2008-11-29 3556864]
UltraMon.lnk - c:\windows\Installer\{B49673F8-7AB6-4A14-8213-C8A7BE370010}\IcoUltraMon.ico [2010-2-21 29310]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acronis\\TrueImageWorkstation\\TrueImage.exe"=
"c:\\WINDOWS\\system32\\rserver30\\rserver3.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Radmin Viewer 3\\Radmin.exe"=
"c:\\Program Files\\OEC\\Trader\\Trader.exe"=
"c:\\Program Files\\MetaTrader 4 at FOREX.com\\terminal.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Metatrader 4 by Gallant FX\\terminal.exe"=
"f:\\NewsBin5\\nbpro.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"23:TCP"= 23:TCP:Radmin

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [6/9/2010 7:22 PM 28552]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/10/2010 10:53 PM 164048]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [10/31/2007 4:30 PM 45976]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/10/2010 10:53 PM 19024]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/6/2009 9:47 AM 304464]
R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [3/19/2010 8:39 PM 91392]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 9:09 PM 11032]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [12/6/2008 2:22 PM 1246536]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [11/27/2008 11:49 PM 3032360]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 3:11 AM 17184]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/6/2009 9:47 AM 20952]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [11/27/2008 11:49 PM 15144]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\motoandroid.sys [3/19/2010 8:40 PM 25856]
S3 DMService;Whale Component Manager;c:\windows\DOWNLO~1\DMService.exe [8/21/2009 9:37 PM 428184]
S3 UltraMonMirror;UltraMonMirror;c:\windows\system32\DRIVERS\UltraMonMirror.sys --> c:\windows\system32\DRIVERS\UltraMonMirror.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1214440339-839522115-1003Core.job
- c:\documents and settings\ericjs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-27 22:51]

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1214440339-839522115-1003UA.job
- c:\documents and settings\ericjs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-27 22:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: windowsupdate.com\download
FF - ProfilePath - c:\documents and settings\ericjs\Application Data\Mozilla\Firefox\Profiles\bwi5qfu2.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-27 17:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1088)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(8088)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\program files\Macro Express3\mexhook.dll
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\windows\system32\WTablet\Pen_TabletUser.exe
c:\windows\system32\rserver30\FamItrfc.Exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\RTHDCPL.EXE
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\documents and settings\ericjs\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\UltraMon\UltraMon.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
c:\program files\Motorola\MotoConnectService\MotoConnect.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
.
**************************************************************************
.
Completion time: 2010-06-27 17:06:07 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-28 00:06

Pre-Run: 8,225,398,784 bytes free
Post-Run: 8,272,199,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
;timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 4D0E1DC2E9D3FF1060667B65945F79BF

Also, I switched to Chrome as my browser.

#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 28 June 2010 - 05:42 AM

Good job :thumbup:

That all looks good to me.

The following will implement some cleanup procedures as well as reset System Restore points:

  • Click START > Run
  • Now type ComboFix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.



To be on the safe side, I would also change all my passwords.



Here's my usual all clean post

Log looks good :D


  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab.
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt.
    6. Change the Download unsigned ActiveX controls to Disable.
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable.
    8. Change the Installation of desktop items to Prompt.
    9. Change the Launching programs and files in an IFRAME to Prompt.
    10. Change the Navigate sub-frames across different domains to Prompt.
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest security updates available installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.


I would suggest you read How to Prevent Malware:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

Proud graduate of TC/WTT Classroom
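As an added example, not from LDTate's post, the PowerShell script below audits the six Internet zone settings the steps above change and reports any that are looser than recommended. The registry value names (1001, 1004, 1201, 1607, 1800, 1804) are the zone action IDs Microsoft documents for IE security zones (KB182569); mapping them to the post's wording is this example's assumption.

```powershell
# Added example, not from the forum post: audit the Internet Explorer "Internet" zone (zone 3)
# against the settings recommended above and report any that are looser.
# Value names 1001, 1004, 1201, 1607, 1800, 1804 are the zone action IDs Microsoft documents
# for IE security zones (KB182569); the mapping to the post's wording is an assumption here.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Action codes used by every zone value: 0 = Enable, 1 = Prompt, 3 = Disable.
$ActionName = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# One entry per setting the post tells the reader to change, with the recommended code.
$Recommended = @(
    @{ Setting = 'Download signed ActiveX controls';                          RegValue = '1001'; Want = 1 },
    @{ Setting = 'Download unsigned ActiveX controls';                        RegValue = '1004'; Want = 3 },
    @{ Setting = 'Initialize and script ActiveX controls not marked as safe'; RegValue = '1201'; Want = 3 },
    @{ Setting = 'Installation of desktop items';                             RegValue = '1800'; Want = 1 },
    @{ Setting = 'Launching programs and files in an IFRAME';                 RegValue = '1804'; Want = 1 },
    @{ Setting = 'Navigate sub-frames across different domains';              RegValue = '1607'; Want = 1 }
)

function Test-InternetZoneSettings {
    param(
        [switch]$Fix   # also write the recommended code where the current one is looser
    )
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($item in $Recommended) {
        $current = $zone.($item.RegValue)
        if ($null -eq $current) {
            # Value absent: IE falls back to the zone template, so flag it for a manual look.
            $status = 'NOT SET'
        } elseif ([int]$current -lt $item.Want) {
            # Codes order as Enable (0) < Prompt (1) < Disable (3): a smaller code is looser.
            $status = 'WEAK'
            if ($Fix) {
                Set-ItemProperty -Path $ZonePath -Name $item.RegValue -Value $item.Want -Type DWord
                $status = 'FIXED'
            }
        } else {
            $status = 'ok'
        }
        $currentName = if ($null -eq $current) { '-' } else { $ActionName[[int]$current] }
        if (-not $currentName) { $currentName = "code $current" }   # unexpected code, show it raw
        New-Object PSObject -Property @{
            Setting = $item.Setting
            Current = $currentName
            Wanted  = $ActionName[$item.Want]
            Status  = $status
        }
    }
}

# Report only; add -Fix to apply the recommended values to the current user's profile.
Test-InternetZoneSettings | Format-Table Setting, Current, Wanted, Status -AutoSize
```

The script changes only the current user's zone settings, the same ones the Custom Level dialog edits, so it can be re-run after the manual steps to confirm nothing was missed.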

 


#14 ericjschroeder

ericjschroeder

    Authentic Member

  • Authentic Member
  • PipPip
  • 97 posts

Posted 28 June 2010 - 10:32 PM

Ok, I've uninstalled Combofix. So far seems ok. Hopefully no more problems. Thanks for the help (if I don't come back soon).

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 29 June 2010 - 05:53 AM

You're more than welcome. Glad we were able to help. Peace be with you :wavey:

