
Inactive google redirecting, websites blocked, warnings from windows

Discussion in 'Malware and Virus Removal Archive' started by greyfox878, 2009/01/13.

  1. 2009/01/13
    greyfox878

    greyfox878 Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    6
    Likes Received:
    0

    Hey everyone,

    A couple days ago my computer contracted a virus. Google search links redirect me to other websites. Also certain websites, including the sites to download rsit and hijackthis, are blocked. I also am unable to update AVG, which is the antivirus program I run, as the site is blocked and won't establish a connection. I also get many repeated warnings from Windows about a Win32.Zafi.B worm in my system, but I can't figure out how to remove it. Windows just sends me to a site for protection software. I'm really at a loss as to what to do. How can I fix the problem when I can't get the programs to run a scan? Please help me out, this is really frustrating me.

    -Mike
     
  2. 2009/01/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Mike, and welcome to WindowsBBS :)

    Do you have another computer available to download some files, and a means to transfer them such as a usb flash drive?

    If not, try the following.

    Download RootRepeal to your Desktop.
    • Extract the compressed file to its own folder.
    • Open the folder and doubleclick on RootRepeal.exe to run it.
    • Click on the Report tab, and then click on: Scan
    • A window opens asking what to include in the scan.
    • Check the following boxes then click OK:
      • Drivers
      • Files
      • Processes
      • SSDT
      • Stealth Objects
      • Hidden Services
    • You will then be asked which drive to scan.
    • Check C: (or the drive your operating system is installed on, if not C)
    • Click OK once again.
    The tool will begin scanning and may take a while to complete, so please be patient.

    When the scan finishes, click on: Save Report
    Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

    Post the contents of the report in a reply here.
     


  4. 2009/01/14
    greyfox878

    greyfox878 Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    6
    Likes Received:
    0
    Thanks for helping me out!

    I was able to acquire a flash drive, so if there's anything I need to dl on another machine, let me know. Here is the log from rootrepeal:

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/01/14 10:04
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP Media Center Edition SP3
    ==================================================

    Drivers
    -------------------
    Name:
    Image Path:
    Address: 0xF726F000 Size: 98304 File Visible: No
    Status: -

    Name:
    Image Path:
    Address: 0x00000000 Size: 0 File Visible: No
    Status: -

    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xECE69000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF79B4000 Size: 8192 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xF7660000 Size: 45056 File Visible: No
    Status: -

    Name: TDSSmact.sys
    Image Path: C:\WINDOWS\system32\drivers\TDSSmact.sys
    Address: 0xEDFEE000 Size: 73728 File Visible: -
    Status: Hidden from Windows API!

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS6a8c.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS6f3f.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS722d.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS74dd.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS775d.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\TDSS7ae8.tmp
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSScfum.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSlxwp.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSnrsr.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSosvd.dat
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSotxh.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSriqp.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSStkdv.log
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\drivers\TDSSmact.sys
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Application Data\FrostWire\downloads.dat
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\TDSS738b.tmp
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\TDSS73ba.tmp
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\fla8.tmp
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Temp\etilqs_oVgcPUuq8mrh8rEcs3Eq
    Status: Allocation size mismatch (API: 32768, Raw: 0)

    Path: C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Owner\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
    Status: Locked to the Windows API!

    Path: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\prefs.js
    Status: Size mismatch (API: 22973, Raw: 22949)

    Path: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\sessionstore.js
    Status: Size mismatch (API: 11454, Raw: 11171)

    Path: C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\stumbleurls5670082
    Status: Size mismatch (API: 363, Raw: 507)

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\_CACHE_001_
    Status: Size mismatch (API: 2774360, Raw: 2741113)

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\_CACHE_002_
    Status: Size mismatch (API: 3381810, Raw: 3345162)

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\_CACHE_003_
    Status: Size mismatch (API: 8413560, Raw: 8307130)

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\0BBF176Bd01
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\0BF28001d01
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\0C271318d01
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\0C584F79d01
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\0D9BB8A6d01
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\0DA0B5AAd01
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\0DAF698Ad01
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\0DC18A05d01
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\0F0E26B8d01
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\5C71C02Bd01
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\8992DD69d01
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\96139027d01
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\A58B85F9d01
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\C41D680Cd01
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\Cache\EE1D83C2d01
    Status: Visible to the Windows API, but not on disk.

    Processes
    -------------------
    Path: C:\Documents and Settings\Owner\Application Data\Google\yfijv17721328.exe
    PID: 3924 Status: Hidden from the Windows API!

    SSDT
    -------------------
    #: 025 Function Name: NtClose
    Status: Hooked by "a347bus.sys" at address 0xf734f028

    #: 041 Function Name: NtCreateKey
    Status: Hooked by "a347bus.sys" at address 0xf734efe0

    #: 045 Function Name: NtCreatePagingFile
    Status: Hooked by "a347bus.sys" at address 0xf7342b00

    #: 071 Function Name: NtEnumerateKey
    Status: Hooked by "a347bus.sys" at address 0xf73435dc

    #: 073 Function Name: NtEnumerateValueKey
    Status: Hooked by "a347bus.sys" at address 0xf734f120

    #: 116 Function Name: NtOpenFile
    Status: Hooked by "a347bus.sys" at address 0xf7342b40

    #: 119 Function Name: NtOpenKey
    Status: Hooked by "a347bus.sys" at address 0xf734efa4

    #: 160 Function Name: NtQueryKey
    Status: Hooked by "a347bus.sys" at address 0xf73435fc

    #: 177 Function Name: NtQueryValueKey
    Status: Hooked by "a347bus.sys" at address 0xf734f076

    #: 241 Function Name: NtSetSystemPowerState
    Status: Hooked by "a347bus.sys" at address 0xf734e550

    Stealth Objects
    -------------------
    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: winlogon.exe (PID: 740) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: services.exe (PID: 788) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: lsass.exe (PID: 800) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: Ati2evxx.exe (PID: 960) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS722d.tmp.dll]
    Process: svchost.exe (PID: 984) Address: 0x009a0000 Size: 81920

    Object: Hidden Module [Name: TDSSnrsr.dll]
    Process: svchost.exe (PID: 984) Address: 0x01120000 Size: 61440

    Object: Hidden Module [Name: TDSSriqp.dll]
    Process: svchost.exe (PID: 984) Address: 0x01450000 Size: 61440

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: svchost.exe (PID: 984) Address: 0x01500000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: svchost.exe (PID: 984) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: svchost.exe (PID: 1084) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: svchost.exe (PID: 1124) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: svchost.exe (PID: 1196) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: svchost.exe (PID: 1280) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: spoolsv.exe (PID: 1560) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: AppleMobileDeviceService.exe (PID: 1828) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: mDNSResponder.exe (PID: 1844) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: cisvc.exe (PID: 1872) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: ehRecvr.exe (PID: 1960) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: ehSched.exe (PID: 1980) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: jqs.exe (PID: 280) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: sqlwriter.exe (PID: 420) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: svchost.exe (PID: 492) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: wdfmgr.exe (PID: 512) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
    Process: dllhost.exe (PID: 1688) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: cidaemon.exe (PID: 3068) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: Ati2evxx.exe (PID: 3172) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: Explorer.EXE (PID: 3556) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: ehtray.exe (PID: 3756) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: shwiconem.exe (PID: 3800) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: atiptaxx.exe (PID: 3880) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: SOUNDMAN.EXE (PID: 3664) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: daemon.exe (PID: 3832) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: MOffice.exe (PID: 2424) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: ehmsas.exe (PID: 3964) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: MOUSE32A.EXE (PID: 4020) Address: 0x00940000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: iTunesHelper.exe (PID: 3372) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: jusched.exe (PID: 432) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: aim.exe (PID: 456) Address: 0x009b0000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: ctfmon.exe (PID: 308) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: svchost.exe (PID: 3396) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: CMCOM.EXE (PID: 1772) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: FrostWire.exe (PID: 2072) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: wscntfy.exe (PID: 220) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: iPodService.exe (PID: 4072) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: svchost.exe (PID: 2824) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: RootRepeal.exe (PID: 2748) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSScfum.dll]
    Process: firefox.exe (PID: 3592) Address: 0x10000000 Size: 126976

    Object: Hidden Code [ETHREAD: 0x84d134f8]
    Process: System Address: 0xedff0d66 Size: -

    Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
    Process: System Address: 0x8554c268 Size: -

    Object: Hidden Code [Driver: Fastfat, IRP_MJ_READ]
    Process: System Address: 0x84fd7030 Size: -

    Object: Hidden Code [Driver: Udfsȅఐ卆浩, IRP_MJ_READ]
    Process: System Address: 0x84f987c8 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
    Process: System Address: 0x84f13f00 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLOSE]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_READ]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_WRITE]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_EA]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_EA]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_CLEANUP]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_POWER]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: a347scsi, IRP_MJ_PNP]
    Process: System Address: 0x84ef73a8 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
    Process: System Address: 0x84f0a7c0 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_NAMED_PIPE]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_CLOSE]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_READ]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_WRITE]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_INFORMATION]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_INFORMATION]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_EA]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_EA]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_FLUSH_BUFFERS]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_VOLUME_INFORMATION]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_VOLUME_INFORMATION]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_DIRECTORY_CONTROL]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_FILE_SYSTEM_CONTROL]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CONTROL]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_INTERNAL_DEVICE_CONTROL]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_SHUTDOWN]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_LOCK_CONTROL]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_CLEANUP]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_CREATE_MAILSLOT]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_SECURITY]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_SECURITY]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_POWER]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_SYSTEM_CONTROL]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_DEVICE_CHANGE]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_QUERY_QUOTA]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_SET_QUOTA]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: d347prt, IRP_MJ_PNP]
    Process: System Address: 0x84e88f00 Size: -

    Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
    Process: System Address: 0x84b51308 Size: -

    Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
    Process: System Address: 0x84a9c3a8 Size: -

    Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
    Process: System Address: 0x84b50940 Size: -

    Object: Hidden Code [Driver: Npfsȅఆ䵃鿘狠橠橠䀀䀀, IRP_MJ_READ]
    Process: System Address: 0x84ba71e8 Size: -

    Object: Hidden Code [Driver: Msfsȅఐ卆浩, IRP_MJ_READ]
    Process: System Address: 0x84d80aa0 Size: -

    Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
    Process: System Address: 0x84baa1e8 Size: -

    Object: Hidden Code [Driver: Ma, IRP_MJ_READ]
    Process: System Address: 0x84f89be8 Size: -

    Hidden Services
    -------------------
    Service Name: TDSSserv.sys
    Image Path: C:\WINDOWS\system32\drivers\TDSSmact.sys
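    A defender-side triage of a RootRepeal report like the one posted above, added here as an example that is not part of this thread or of the RootRepeal tool: it splits the report into its sections, flags the entries hidden from the Windows API (ignoring the normal "Locked" status of hiberfil.sys), counts SSDT hooks per hooking driver, maps each hidden module to the processes it was found in, and groups the hidden file names by prefix so the family pattern stands out. The excerpt it parses is constructed from entries in the report above.

```python
"""Triage a RootRepeal report: list what is hidden from the Windows API,
who hooks the SSDT, and which hidden module was found in which process."""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the format of the report posted in this thread.
SAMPLE_REPORT = """\
Drivers
-------------------
Name: TDSSmact.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\TDSSmact.sys
Address: 0xEDFEE000 Size: 73728 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\\WINDOWS\\system32\\TDSScfum.dll
Status: Invisible to the Windows API!

Processes
-------------------
Path: C:\\Documents and Settings\\Owner\\Application Data\\Google\\yfijv17721328.exe
PID: 3924 Status: Hidden from the Windows API!

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "a347bus.sys" at address 0xf734f028

#: 041 Function Name: NtCreateKey
Status: Hooked by "a347bus.sys" at address 0xf734efe0

Stealth Objects
-------------------
Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
Process: winlogon.exe (PID: 740) Address: 0x10000000 Size: 126976

Object: Hidden Module [Name: TDSS7ae8.tmp.dll]
Process: services.exe (PID: 788) Address: 0x10000000 Size: 126976

Hidden Services
-------------------
Service Name: TDSSserv.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\TDSSmact.sys
"""

SECTIONS = {"Drivers", "Hidden/Locked Files", "Processes", "SSDT",
            "Stealth Objects", "Hidden Services"}
HIDDEN = re.compile(r"Hidden from|Invisible to")  # "Locked to" is normal for hiberfil.sys

def parse_report(text):
    """{section: [entry, ...]}; an entry is one blank-line separated block."""
    sections, current, block = defaultdict(list), None, []
    for line in (l.strip() for l in text.splitlines() + [""]):
        if line in SECTIONS:
            current = line
        elif current is None or line.startswith("---"):
            continue  # banner lines before the first section, dashed rules
        elif line:
            block.append(line)
        elif block:
            sections[current].append("\n".join(block))
            block = []
    return sections

def field(entry, key):
    # Value of "key: ..." up to end of line, or None if the entry lacks it.
    m = re.search(rf"{re.escape(key)}: (.*)", entry)
    return m.group(1).strip() if m else None

def triage(text):
    """Pull out the indicators a helper reads this report for."""
    s = parse_report(text)
    hidden = lambda e: HIDDEN.search(field(e, "Status") or "")
    drivers = [field(e, "Name") for e in s["Drivers"] if hidden(e)]
    files = [field(e, "Path") for e in s["Hidden/Locked Files"] if hidden(e)]
    procs = [field(e, "Path") for e in s["Processes"] if hidden(e)]
    hooks = Counter(m.group(1) for e in s["SSDT"]
                    for m in [re.search(r'Hooked by "([^"]+)"', e)] if m)
    injected = defaultdict(list)  # hidden module -> processes it sits in
    for e in s["Stealth Objects"]:
        m = re.search(r"Hidden Module \[Name: ([^\]]+)\].*?Process: (\S+)", e, re.S)
        if m:
            injected[m.group(1)].append(m.group(2))
    services = [(field(e, "Service Name"), field(e, "Image Path"))
                for e in s["Hidden Services"]]
    # Group every hidden artefact by the first four characters of its file
    # name: one dominant prefix (TDSS here) is the family signature to spot.
    names = (drivers + [p.rsplit("\\", 1)[-1] for p in files]
             + list(injected) + [n for n, _ in services])
    return {"hidden_drivers": drivers, "hidden_files": files,
            "hidden_processes": procs, "ssdt_hooks": dict(hooks),
            "injected": dict(injected), "hidden_services": services,
            "families": dict(Counter(n[:4] for n in names))}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:17}: {value}")
```

The same functions run unchanged over a full saved RootRepeal.txt, since the parser strips the forum indentation and skips the banner before the first section.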
     
  5. 2009/01/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please visit the following webpage for instructions for downloading and running ComboFix

    How to use ComboFix

    Download ComboFix by sUBs from here and transfer the file to your desktop. Prior to saving it to the desktop, rename it to something like kitty.exe

    Disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click kitty.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  6. 2009/01/14
    greyfox878

    greyfox878 Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    6
    Likes Received:
    0
    It worked! It seems like the malware has been taken care of. No more annoying pop-ups and Google is working fine. Here is the log from ComboFix:

    ComboFix 09-01-12.04 - Owner 2009-01-14 12:47:05.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.597 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\meowmers.exe
    AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\Google\mjkspc.dll
    c:\documents and settings\Owner\Application Data\Google\yfijv17721328.exe
    c:\windows\system32\~.exe
    c:\windows\system32\drivers\svchost.exe
    c:\windows\system32\drivers\TDSSmact.sys
    c:\windows\system32\TDSScfum.dll
    c:\windows\system32\TDSSlxwp.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSnrsr.dll
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\TDSSotxh.dll
    c:\windows\system32\TDSSrhym.log
    c:\windows\system32\TDSSriqp.dll
    c:\windows\system32\TDSSsihc.dll
    c:\windows\system32\TDSStkdv.log
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_TDSSserv.sys
    -------\Legacy_TDSSserv.sys


    ((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
    .

    2009-01-12 12:05 . 2009-01-12 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-01-04 11:47 . 2009-01-04 11:46 410,984 --a------ c:\windows\system32\deploytk.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-14 17:56 --------- d-----w c:\documents and settings\Owner\Application Data\FrostWire
    2009-01-14 08:08 --------- d-----w c:\program files\Yahoo!
    2009-01-12 23:34 --------- d-----w c:\program files\Google
    2009-01-12 16:17 1,938 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    2009-01-12 16:10 --------- d-----w c:\program files\Soulseek
    2009-01-12 16:09 --------- d-----w c:\program files\SimPE
    2009-01-12 16:09 --------- d-----w c:\program files\PeerGuardian2
    2009-01-12 16:08 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-12 16:04 --------- d-----w c:\program files\AltoMP3 Gold
    2009-01-12 02:53 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
    2009-01-04 16:46 --------- d-----w c:\program files\Java
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-05 01:04 --------- d-----w c:\program files\FrostWire
    2008-12-04 01:35 --------- d-----w c:\program files\LimeWire
    2008-12-02 04:09 --------- d-----w c:\documents and settings\Owner\Application Data\dvdcss
    2008-11-20 00:22 --------- d-----w c:\program files\eMule
    2008-08-15 20:33 140 ----a-w c:\documents and settings\Guest\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="c:\program files\AIM\aim.exe" [2007-01-15 67160]
    "BitComet"="c:\program files\BitComet\BitComet.exe" [2004-09-23 2105344]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 339968]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
    "DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2005-11-19 144896]
    "DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
    "FLMOFFICE4DMOUSE"="c:\program files\Wireless Optical Mouse\MOffice.exe" [2006-10-01 958464]
    "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-04-27 69632]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
    "SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-09-03 114688]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-21 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Compaq Client Manager.lnk - c:\program files\Compaq Wireless LAN\Client Manager\CMCOM.EXE [2005-11-20 323584]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Last.fm\\LastFM.exe"=
    "c:\\WINDOWS\\system32\\lxcfcoms.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "411:TCP"= 411:TCP:Stop Tazmo
    "411:UDP"= 411:UDP:Stop Tazmo

    R3 Tetri5;Tetri5 driver;c:\windows\system32\drivers\Tetri5.sys [2005-12-28 53088]
    S3 MSSQL$OALM05;SQL Server (OALM05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
    S4 gupdate1c95c6273f12200;Google Update Service (gupdate1c95c6273f12200);c:\program files\Google\Update\GoogleUpdate.exe [2008-12-12 119280]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f256406-7f84-11dd-a9be-0013d3a2bdc1}]
    \Shell\AutoRun\command - o:\wd_windows_tools\WDSetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9017619d-9bc8-11dc-a972-0013d3a2bdc1}]
    \Shell\AutoRun\command - o:\jdsecure\Windows\JDSecure20.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2007-03-16 c:\windows\Tasks\Uniblue SpyEraser.job
    - c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
    WebBrowser-{86227D9C-0EFE-4F8A-AA55-30386A3F5686} - (no file)
    HKCU-Run-Steam - (no file)
    HKLM-Run-brwdiag - c:\windows\system32\brwconf.exe
    HKLM-Run-wclock - c:\documents and settings\Owner\Application Data\Google\yfijv17721328.exe
    Notify-panmavic - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.my.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\
    FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
    FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
    FF - plugin: c:\program files\Google\Update\1.2.133.33\npGoogleOneClick7.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npActiveGS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPnsv_vp3_mp3.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-14 12:56:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16??????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2930250460-1926461324-592999900-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:10,e3,e8,0a,4f,d1,20,a5,06,b6,99,ef,81,2a,ac,d9,be,69,d6,3a,3a,8c,bb,
    e8,ac,df,2d,dd,7c,57,ba,15,62,4b,da,c7,2b,4a,2e,4b,a1,51,a0,69,1f,36,9b,fc,\
    "??"=hex:b3,b9,81,4e,6c,ae,89,c9,83,14,93,32,f0,15,f6,17
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(736)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\windows\ehome\ehRecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\wdfmgr.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\dllhost.exe
    c:\windows\ehome\ehmsas.exe
    c:\program files\Wireless Optical Mouse\MOUSE32A.EXE
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-14 13:00:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-14 18:00:33

    Pre-Run: 23,099,142,144 bytes free
    Post-Run: 23,640,039,424 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    207 --- E O F --- 2009-01-14 08:01:59




    Also, could you recommend for me an anti-virus security program like AVG or NOD32? Which software offers the best protection?
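The log above is worth reading for more than the deletions list: the firewall exception for `%windir%\system32\drivers\svchost.exe` (a system binary name in the wrong folder, the same file ComboFix deleted), the `AntiVirusOverride` flag in the Security Center key, and the orphaned `wclock` Run entry pointing into `Application Data` are the kinds of loading points a helper scans for by eye. The Python script below is an added example, not part of this thread or any ComboFix/WindowsBBS tool: it parses the REGEDIT4-style "Reg Loading Points" section and flags those three indicators. The sample is excerpted from the log above; the `wclock` Run value is reconstructed from the "ORPHANS REMOVED" list (ComboFix had already deleted it, so it carries no date/size suffix), and the "suspicious folder" heuristics are my own assumptions, not documented ComboFix rules.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not a ComboFix or WindowsBBS tool.  The
sample below is excerpted from the log posted above; the wclock Run value
is reconstructed from the 'ORPHANS REMOVED' list (ComboFix had already
deleted it, so it carries no date/size suffix)."""
import re
from collections import OrderedDict

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"wclock"="c:\documents and settings\Owner\Application Data\Google\yfijv17721328.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"""

# Binaries that live only directly in %windir%\system32 (explorer.exe in
# %windir%).  A same-named file anywhere else, such as the
# system32\drivers\svchost.exe ComboFix deleted above, is a masquerade.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "smss.exe", "explorer.exe"}
EXPECTED_DIRS = (r"\windows\system32", r"%windir%\system32", r"\windows", r"%windir%")
# Folders an autostart or firewall exception should almost never point into
# on an XP box (heuristic; my assumption, not a ComboFix rule).
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\", "\\drivers\\")

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string" [date size]   |   "name"=dword:00000001   |   "path"=
_VALUE_RE = re.compile(r'^"([^"]*)"=(?:"([^"]*)"|(dword:[0-9a-fA-F]{8})|)')


def parse_reg_dump(text):
    """Split a REGEDIT4-style dump into {key: [(name, data), ...]}."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, [])
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, string, dword = m.groups()
            keys[current].append((name, string if string is not None else (dword or "")))
    return keys


def _norm(path):
    # .reg syntax doubles the backslashes; Run-key data in the log does not.
    return path.replace("\\\\", "\\").strip().lower()


def _check_path(where, path):
    """Return one (where, reason) finding for a path, or an empty list."""
    folder, _, base = path.rpartition("\\")
    if base in SYSTEM_NAMES and not any(folder.endswith(d) for d in EXPECTED_DIRS):
        return [(where, f"system binary name {base} outside its normal folder: {path}")]
    if base.startswith("tdss"):
        return [(where, f"TDSS-prefixed component: {path}")]
    if base.endswith((".exe", ".dll")) and any(d in path for d in SUSPICIOUS_DIRS):
        return [(where, f"points into a folder autostarts rarely use: {path}")]
    return []


def triage(text):
    """Return [(location, reason)] for the indicators this thread turned up."""
    findings = []
    for key, values in parse_reg_dump(text).items():
        k = key.lower()
        if k.endswith("\\security center"):
            # Malware flips these so the tray stops warning that AV is off; a
            # user dismissing that warning sets the same value, so verify.
            for name, data in values:
                if name.lower().endswith("override") and data.lower() != "dword:00000000":
                    findings.append((f"{key}\\{name}", f"Security Center override set ({data})"))
        elif "firewallpolicy" in k and "authorizedapplications" in k:
            for name, _ in values:
                findings.extend(_check_path(f"firewall exception {name}", _norm(name)))
        elif k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, data in values:
                findings.extend(_check_path(f"Run value {name}", _norm(data)))
    return findings


if __name__ == "__main__":
    for where, reason in triage(SAMPLE_LOG):
        print(f"{where}\n    {reason}")
```

Run against the sample it reports exactly three findings (the override flag, the misplaced `svchost.exe`, and the `wclock` entry) and stays quiet on `ctfmon.exe`, `iTunesHelper`, `sessmgr.exe` and Firefox. The folder checks are deliberately simple string-suffix tests; they are a reading aid for a log like this one, not a substitute for checking each flagged file's signature and hash.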
     
  7. 2009/01/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks great! Please do an online scan with Kaspersky Online Scanner.

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


    Post the Kaspersky log here.


    I'm partial to Kaspersky Internet Security Suite these days. Not free, but well worth the price.
     
  8. 2009/01/17
    greyfox878

    greyfox878 Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    6
    Likes Received:
    0
    Here's the Kaspersky Report. Looks like I'm not in the clear quite yet:

    Saturday, January 17, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, January 16, 2009 19:44:16
    Records in database: 1632616
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    L:\
    M:\
    N:\
    O:\

    Scan statistics:
    Files scanned: 270296
    Threat name: 19
    Infected objects: 34
    Suspicious objects: 0
    Duration of the scan: 10:13:00


    File name / Threat name / Threats count
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\confbrw.dll.q_804D000_q Infected: Email-Worm.Win32.Warezov.ra 1
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\confwmv.dll.q_804D000_q Infected: Email-Worm.Win32.Warezov.ra 1
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\confwmv.dll.q_804D000_q.old Infected: Email-Worm.Win32.Warezov.ra 1
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\e1.dll.q_8042400_q Infected: Email-Worm.Win32.Warezov.ls 1
    C:\Documents and Settings\All Users\Application Data\SecTaskMan\mtxcmsdm.dll.q_8047000_q Infected: Email-Worm.Win32.Warezov.gen 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\23\1c3a7917-54bdb92c Infected: Trojan-Downloader.Java.OpenStream.w 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-59b4377c Infected: Exploit.Java.Gimsh.a 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\29\775d249d-61290e29 Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\34\63206922-13256227 Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-521265e2 Infected: Exploit.Java.Gimsh.a 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-4b67a2a2 Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-5f151cf1 Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\5319c679-67ee88e1 Infected: Exploit.Java.ByteVerify 2
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-1109b54b-3dd74b03.zip Infected: Exploit.Java.ByteVerify 2
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-7ff131b7.zip Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-1d1ece99.zip Infected: Exploit.Java.Gimsh.a 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7d43feb5.zip Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-3fb47b78.zip Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-509349d5.zip Infected: Exploit.Java.Gimsh.a 1
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-b825669-6d8b349f.zip Infected: Exploit.Java.Gimsh.b 1
    C:\Program Files\BitComet\Downloads\Mogwai\04-Local Authority.mp3 Infected: Trojan-Downloader.WMA.GetCodec.g 1
    C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Google\mjkspc.dll.vir Infected: Trojan.Win32.Inject.ner 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Trojan-Downloader.Win32.Agent.bdfu 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\__.zip Infected: Backdoor.Win32.TDSS.bkw 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSnrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSotxh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan.Win32.Inject.muc 1
    C:\WINDOWS\fwall32.exe Infected: Email-Worm.Win32.Warezov.pk 1
    C:\WINDOWS\ndis.exe Infected: Email-Worm.Win32.Warezov.gfe 1
    D:\i386\Apps\App03130\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

    The selected area was scanned.
     
  9. 2009/01/17
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.


    Now, disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    File::
    C:\Program Files\BitComet\Downloads\Mogwai\04-Local Authority.mp3
    C:\WINDOWS\fwall32.exe
    C:\WINDOWS\ndis.exe
    Folder::
    C:\Documents and Settings\All Users\Application Data\SecTaskMan
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    **NOTE - Allow ComboFix to update if prompted.
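The CFScript in the post above was derived from the Kaspersky report by hand: the two Warezov droppers in `C:\WINDOWS` and the infected MP3 get their own `File::` lines, the whole `SecTaskMan` folder goes under `Folder::`, while everything under `C:\Qoobox\Quarantine` (ComboFix's own quarantine from the earlier run) and the Java deployment cache (emptied by ATF Cleaner's "Java Cache" option) is left out, as is the `not-a-virus:` adware on D:. The Python script below is an added example, not part of this thread or a Kaspersky/ComboFix tool; it parses the report's `path Infected: threat count` lines and reproduces that derivation. The sample is a subset of the report lines posted above; the disposition rules are my reading of the helper's choices, and treating `SecTaskMan` as a third-party quarantine folder to be removed wholesale is an assumption taken from the helper's script.

```python
"""Turn a Kaspersky Online Scanner report into a ComboFix CFScript.

Added example for this thread, not a Kaspersky, ComboFix or WindowsBBS
tool.  The sample report is a subset of the lines posted above; the
classification rules reproduce the helper's choices in the post above and
are my reading of them, not documented ComboFix behaviour."""
import re
from collections import Counter

SAMPLE_REPORT = r"""
File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\SecTaskMan\confbrw.dll.q_804D000_q Infected: Email-Worm.Win32.Warezov.ra 1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\e1.dll.q_8042400_q Infected: Email-Worm.Win32.Warezov.ls 1
C:\Documents and Settings\All Users\Application Data\SecTaskMan\mtxcmsdm.dll.q_8047000_q Infected: Email-Worm.Win32.Warezov.gen 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\25\650d0659-59b4377c Infected: Exploit.Java.Gimsh.a 1
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\5319c679-67ee88e1 Infected: Exploit.Java.ByteVerify 2
C:\Program Files\BitComet\Downloads\Mogwai\04-Local Authority.mp3 Infected: Trojan-Downloader.WMA.GetCodec.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Trojan-Downloader.Win32.Agent.bdfu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfum.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
C:\WINDOWS\fwall32.exe Infected: Email-Worm.Win32.Warezov.pk 1
C:\WINDOWS\ndis.exe Infected: Email-Worm.Win32.Warezov.gfe 1
D:\i386\Apps\App03130\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.
"""

# Locations that need no CFScript entry: C:\Qoobox is ComboFix's own
# quarantine (what it removed in the earlier run), and the Java deployment
# cache is emptied by ATF Cleaner's "Java Cache" option, which the helper
# has the user run first.
ALREADY_HANDLED = ("\\qoobox\\quarantine\\", "\\sun\\java\\deployment\\cache\\")
# Folders removed wholesale with Folder:: instead of one File:: line per hit.
# SecTaskMan is assumed here to be a third-party quarantine folder, which is
# how the helper's script treats it.
FOLDER_TARGETS = ("c:\\documents and settings\\all users\\application data\\sectaskman",)

_HIT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def parse_report(text):
    """Return [(path, threat_name, count)] for every detection line."""
    hits = []
    for line in text.splitlines():
        m = _HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def classify(path, threat):
    """Decide what, if anything, the CFScript should do with one detection."""
    p = path.lower()
    if threat.startswith("not-a-virus:"):
        return "informational"          # adware on the OEM recovery partition
    if any(seg in p for seg in ALREADY_HANDLED):
        return "already-handled"
    if any(p.startswith(folder + "\\") for folder in FOLDER_TARGETS):
        return "folder"
    return "file"


def summarize(text):
    """Count detections per disposition, to sanity-check before scripting."""
    return Counter(classify(path, threat) for path, threat, _ in parse_report(text))


def build_cfscript(text):
    """Emit the File:: / Folder:: sections ComboFix expects in CFScript.txt."""
    files, folders = [], []
    for path, threat, _ in parse_report(text):
        kind = classify(path, threat)
        if kind == "file" and path not in files:
            files.append(path)
        elif kind == "folder":
            for folder in FOLDER_TARGETS:
                if path.lower().startswith(folder + "\\"):
                    top = path[:len(folder)]       # keep the report's own casing
                    if top not in folders:
                        folders.append(top)
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
    return "\n".join(lines)


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_REPORT)))
    print(build_cfscript(SAMPLE_REPORT))
```

On the sample, `summarize` reports 3 `file`, 3 `folder`, 4 `already-handled` and 1 `informational` detection, and `build_cfscript` prints the same five entries, in the same order, as the helper's CFScript above. The point of the `summarize` step is the one a practitioner should not skip: a scanner report taken at face value would have "cleaned" a quarantine folder and a browser cache and produced a much noisier script than the three files and one folder that were actually still live on the machine.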
     
  10. 2009/01/19
    greyfox878

    greyfox878 Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    6
    Likes Received:
    0
    Here's the Combofix Log

    ComboFix 09-01-19.01 - Owner 2009-01-19 12:23:52.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.548 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\meowmers.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)
    * Created a new restore point

    FILE ::
    c:\program files\BitComet\Downloads\Mogwai\04-Local Authority.mp3
    c:\windows\fwall32.exe
    c:\windows\ndis.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\SecTaskMan
    c:\documents and settings\All Users\Application Data\SecTaskMan\_, confwmv wmvstat.dll e1.dll110F0
    c:\documents and settings\All Users\Application Data\SecTaskMan\_brwconf12930
    c:\documents and settings\All Users\Application Data\SecTaskMan\_CMCOM3B75F004
    c:\documents and settings\All Users\Application Data\SecTaskMan\_confbrw12210
    c:\documents and settings\All Users\Application Data\SecTaskMan\_confbrw1221D000
    c:\documents and settings\All Users\Application Data\SecTaskMan\_confwmv13910
    c:\documents and settings\All Users\Application Data\SecTaskMan\_confwmv1391D000
    c:\documents and settings\All Users\Application Data\SecTaskMan\_e1 confbrw.dll brwstat.dll mtxcmsdm.dll confwmv.dll wmvstat.dll59BD0
    c:\documents and settings\All Users\Application Data\SecTaskMan\_e1AD20
    c:\documents and settings\All Users\Application Data\SecTaskMan\_e1AD22400
    c:\documents and settings\All Users\Application Data\SecTaskMan\_entreelist.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\_enviewlist.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\_MOffice2D57A00E
    c:\documents and settings\All Users\Application Data\SecTaskMan\_MOUSE32A306B0
    c:\documents and settings\All Users\Application Data\SecTaskMan\_MOUSE32A306B7005
    c:\documents and settings\All Users\Application Data\SecTaskMan\_msdadinp11FF0
    c:\documents and settings\All Users\Application Data\SecTaskMan\_msdadinp11FF6000
    c:\documents and settings\All Users\Application Data\SecTaskMan\_mtxcmsdm14940
    c:\documents and settings\All Users\Application Data\SecTaskMan\_mtxcmsdm14947000
    c:\documents and settings\All Users\Application Data\SecTaskMan\_NaviHelper15500
    c:\documents and settings\All Users\Application Data\SecTaskMan\_nod32kui133AF00C
    c:\documents and settings\All Users\Application Data\SecTaskMan\_panmavic127E0
    c:\documents and settings\All Users\Application Data\SecTaskMan\_panmavic127E5BE9
    c:\documents and settings\All Users\Application Data\SecTaskMan\_PRISMXL59CD0
    c:\documents and settings\All Users\Application Data\SecTaskMan\_PRISMXL59CDA002
    c:\documents and settings\All Users\Application Data\SecTaskMan\_qttask1AFE8001
    c:\documents and settings\All Users\Application Data\SecTaskMan\_zHotkeyB570
    c:\documents and settings\All Users\Application Data\SecTaskMan\_zHotkeyB574A08
    c:\documents and settings\All Users\Application Data\SecTaskMan\confbrw.dll.q_804D000_q
    c:\documents and settings\All Users\Application Data\SecTaskMan\confwmv.dll.q_804D000_q
    c:\documents and settings\All Users\Application Data\SecTaskMan\confwmv.dll.q_804D000_q.old
    c:\documents and settings\All Users\Application Data\SecTaskMan\e1.dll.q_8042400_q
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_0B79C053C7D38EE4AB9A00CB3B5D2472.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_12341
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_12345
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1A1DEE1887EA11B4EB746CEAF9E5781F
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_1A1DEE1887EA11B4EB746CEAF9E5781F.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_27A3DED38A1678B4895AFEB08C30A80A
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_27A3DED38A1678B4895AFEB08C30A80A.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_32418F9EE1126B64A90E8365B85CFCF6
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_32418F9EE1126B64A90E8365B85CFCF6.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5143F8F0A0BC6A942AA38D9340441B72
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_5143F8F0A0BC6A942AA38D9340441B72.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_568774731F3A2774DA34AACFB6FC9FF9
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_568774731F3A2774DA34AACFB6FC9FF9.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7447A0000000000
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_68AB67CA7DA73301B7447A0000000000.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_68DF23614AB14CF4B8528A6C556DF386
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_68DF23614AB14CF4B8528A6C556DF386.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D510002
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_8A0F842331866D117AB7000B0D510002.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040110900063D11C8EF10054038389C
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9040110900063D11C8EF10054038389C.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_952CE54D91A465645B882C3C06DD81AE
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_952CE54D91A465645B882C3C06DD81AE.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9C8928403D4AB094F99FBA20A329833F
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9C8928403D4AB094F99FBA20A329833F.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9EC9653600AFC964FAC55E4D9DA3FC19
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_9EC9653600AFC964FAC55E4D9DA3FC19.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AB08D614D6F627647BFC5FD42A8FB044
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_AB08D614D6F627647BFC5FD42A8FB044.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B6BB246AD1AC2414D84D13C8F3D38C43
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_B6BB246AD1AC2414D84D13C8F3D38C43.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C055ECD834AC28E429FDFF4C4AF8B51E
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_C055ECD834AC28E429FDFF4C4AF8B51E.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_DDE7F2BCF1D91C3409CFF425AE1E271A.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E08AC3B60CA65274ABFBB9F0FE88C03B
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E08AC3B60CA65274ABFBB9F0FE88C03B.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E3C773515569F0044B146EF9A0B6AEEF
    c:\documents and settings\All Users\Application Data\SecTaskMan\icn_E3C773515569F0044B146EF9A0B6AEEF.dll
    c:\documents and settings\All Users\Application Data\SecTaskMan\mtxcmsdm.dll.q_8047000_q
    c:\program files\BitComet\Downloads\Mogwai\04-Local Authority.mp3
    c:\windows\fwall32.exe
    c:\windows\ndis.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
    .

    2009-01-12 12:05 . 2009-01-12 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-01-04 11:47 . 2009-01-04 11:46 410,984 --a------ c:\windows\system32\deploytk.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-18 20:11 --------- d-----w c:\documents and settings\Owner\Application Data\FrostWire
    2009-01-14 18:05 --------- d-----w c:\program files\Google
    2009-01-14 08:08 --------- d-----w c:\program files\Yahoo!
    2009-01-12 16:17 1,938 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
    2009-01-12 16:10 --------- d-----w c:\program files\Soulseek
    2009-01-12 16:09 --------- d-----w c:\program files\SimPE
    2009-01-12 16:09 --------- d-----w c:\program files\PeerGuardian2
    2009-01-12 16:08 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-12 16:04 --------- d-----w c:\program files\AltoMP3 Gold
    2009-01-12 02:53 --------- d-----w c:\documents and settings\Owner\Application Data\Apple Computer
    2009-01-04 16:46 --------- d-----w c:\program files\Java
    2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
    2008-12-05 01:04 --------- d-----w c:\program files\FrostWire
    2008-12-04 01:35 --------- d-----w c:\program files\LimeWire
    2008-12-02 04:09 --------- d-----w c:\documents and settings\Owner\Application Data\dvdcss
    2008-11-20 00:22 --------- d-----w c:\program files\eMule
    2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
    2008-08-15 20:33 140 ----a-w c:\documents and settings\Guest\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2009-01-14_12.59.47.81 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-01-15 17:35:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_514.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AIM"="c:\program files\AIM\aim.exe" [2007-01-15 67160]
    "BitComet"="c:\program files\BitComet\BitComet.exe" [2004-09-23 2105344]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-17 339968]
    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
    "Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
    "DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2005-11-19 144896]
    "DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
    "FLMOFFICE4DMOUSE"="c:\program files\Wireless Optical Mouse\MOffice.exe" [2006-10-01 958464]
    "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-04-27 69632]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-04 136600]
    "SoundMan"="SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

    c:\documents and settings\Owner\Start Menu\Programs\Startup\
    FrostWire On Startup.lnk - c:\program files\FrostWire\FrostWire.exe [2008-09-03 114688]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-21 113664]
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Compaq Client Manager.lnk - c:\program files\Compaq Wireless LAN\Client Manager\CMCOM.EXE [2005-11-20 323584]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Last.fm\\LastFM.exe"=
    "c:\\WINDOWS\\system32\\lxcfcoms.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Total War\\Medieval - Total War\\Medieval_TW.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "411:TCP"= 411:TCP:Stop Tazmo
    "411:UDP"= 411:UDP:Stop Tazmo

    R3 MSSQL$OALM05;SQL Server (OALM05);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
    R3 Tetri5;Tetri5 driver;c:\windows\system32\drivers\Tetri5.sys [2005-12-28 53088]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f256406-7f84-11dd-a9be-0013d3a2bdc1}]
    \Shell\AutoRun\command - o:\wd_windows_tools\WDSetup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9017619d-9bc8-11dc-a972-0013d3a2bdc1}]
    \Shell\AutoRun\command - o:\jdsecure\Windows\JDSecure20.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2007-03-16 c:\windows\Tasks\Uniblue SpyEraser.job
    - c:\program files\Uniblue\SpyEraser\SpyEraser.exe []
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.my.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
    FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\p75bl3ha.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npActiveGS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPnsv_vp3_mp3.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-19 12:27:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    ? [9032]
    ? [42760]
    ? [42768]

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????

    scanning hidden files ...


    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2930250460-1926461324-592999900-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "?? "=hex:10,e3,e8,0a,4f,d1,20,a5,06,b6,99,ef,81,2a,ac,d9,be,69,d6,3a,3a,8c,bb,
    e8,ac,df,2d,dd,7c,57,ba,15,62,4b,da,c7,2b,4a,2e,4b,a1,51,a0,69,1f,36,9b,fc,\
    "?? "=hex:b3,b9,81,4e,6c,ae,89,c9,83,14,93,32,f0,15,f6,17
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(748)
    c:\windows\system32\Ati2evxx.dll
    .
    Completion time: 2009-01-19 12:30:45
    ComboFix-quarantined-files.txt 2009-01-19 17:29:28
    ComboFix2.txt 2009-01-14 18:00:59

    Pre-Run: 24,035,635,200 bytes free
    Post-Run: 24,017,920,000 bytes free

    242 --- E O F --- 2009-01-14 08:01:59
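The Reg Loading Points block in the log above is what a helper reads by eye: which Run entries resolve to a real, vendor-plausible path, which Security Center flags are set, and which binaries have been whitelisted in the XP firewall. As an added example (not ComboFix code and not part of the original post), the script below parses those three sections from a pasted log and flags the patterns a reviewer checks first. One of them is in this log: the firewall AuthorizedApplications list contains %windir%\system32\drivers\svchost.exe, while Windows ships svchost.exe in system32 itself. The thread does not say what that file was, but an entry like that is exactly what the check is meant to surface. The CANONICAL table, the %windir% expansion and the default-XP layout they encode are assumptions, and SAMPLE_LOG is an excerpt of the log posted above.

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix log.

Added example for this thread; not ComboFix code. Flags:
  * a binary named like a core Windows executable but outside the directory
    Windows ships it in (assumed default XP layout, see CANONICAL);
  * a Run entry whose command is not an absolute path, or whose target is a
    DLL (those run through rundll32, so the vendor is worth confirming);
  * a Security Center *Override flag set to 1 (the matching warning is
    suppressed; harmless if the user set it, but malware sets it too).
"""
import re
from dataclasses import dataclass

SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# ComboFix prints  "Name"="command" [date size] ; some forum renderings insert
# a space before the closing quote, so the patterns tolerate it.
RUN_LINE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*"(?P<cmd>[^"]*)"\s*(?:\[(?P<meta>[^\]]*)\])?\s*$')
DWORD_LINE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*dword:(?P<val>[0-9a-f]{8})\s*$', re.I)
FW_LINE = re.compile(r'^"(?P<path>[^"]*?)\s*"\s*=\s*$')

# Assumption: canonical directories on a default XP install for names that
# malware likes to borrow.
CANONICAL = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
ENV = {"%windir%": r"c:\windows", "%systemroot%": r"c:\windows"}  # assumed expansions


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    meta: str


def normalize_path(p):
    """Undo .reg-style doubled backslashes, expand %windir%, lower-case."""
    p = p.replace("\\\\", "\\").strip().lower()
    for var, val in ENV.items():
        p = p.replace(var, val)
    return p


def parse_loading_points(text):
    """Return (run_entries, security_center_dwords, firewall_authorized_paths)."""
    runs, overrides, fw_apps = [], [], []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("key").lower()
            continue
        if not line.startswith('"'):
            continue
        if section.endswith(r"\currentversion\run"):
            m = RUN_LINE.match(line)
            if m:
                runs.append(RunEntry(section, m.group("name"), m.group("cmd"), m.group("meta") or ""))
        elif section.endswith(r"\security center"):
            m = DWORD_LINE.match(line)
            if m:
                overrides.append((m.group("name"), int(m.group("val"), 16)))
        elif section.endswith(r"\authorizedapplications\list"):
            m = FW_LINE.match(line)
            if m:
                fw_apps.append(normalize_path(m.group("path")))
    return runs, overrides, fw_apps


def masquerade(path, where):
    """Flag a well-known binary name living outside its canonical directory."""
    directory, _, base = path.rpartition("\\")
    expected = CANONICAL.get(base)
    if expected and directory != expected:
        return [f"{where}: {base} outside {expected}: {path}"]
    return []


def triage(text):
    """Return a list of human-readable findings for the pasted log text."""
    runs, overrides, fw_apps = parse_loading_points(text)
    findings = []
    for e in runs:
        cmd = normalize_path(e.command)
        label = f"Run entry {e.name!r}"
        if not re.match(r"^[a-z]:\\", cmd):
            findings.append(f"{label}: unqualified command {e.command!r} (resolved in log as: {e.meta})")
        if cmd.endswith(".dll"):
            findings.append(f"{label}: target is a DLL, executed via rundll32, confirm the vendor: {e.command}")
        findings.extend(masquerade(cmd, label))
    for p in fw_apps:
        findings.extend(masquerade(p, "firewall-authorized application"))
    for name, val in overrides:
        if name.lower().endswith("override") and val:
            findings.append(f"Security Center {name} = {val}: the matching warning is suppressed")
    return findings


# Excerpt of the log posted above, as the forum rendered it.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM "= "c:\program files\AIM\aim.exe" [2007-01-15 67160]
"ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCFCATS "= "c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-04-27 69632]
"SoundMan "= "SOUNDMAN.EXE" [2005-04-15 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe "=
"%windir%\\system32\\drivers\\svchost.exe "=
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

Paste a whole ComboFix log in place of SAMPLE_LOG; the section headers are what the parser keys on, so the surrounding file listings and catchme output are ignored. A finding is a prompt to look, not a verdict: the SoundMan entry is flagged only because Windows had to resolve a bare file name through the search path, and a DLL in a Run key is how several printer drivers register themselves.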
     
  11. 2009/01/19
    noahdfear

    Hi greyfox878,

    I may have been trigger-happy. Do you still have Security Task Manager by Neuber Software installed, and do you use it?
     
  12. 2009/01/22
    greyfox878

    No, I do not have that installed. Should I?
     
  13. 2009/01/22
    noahdfear

    No, I was just checking. The SecTaskMan folder we deleted with ComboFix is the quarantine folder for that application. If it's not installed, the folder was a remnant and best removed anyway. Let's clean up now.

    Click Start > Run, type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
    Verify that the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.

    You can also remove the RootRepeal files.

    Download JavaRa and save the file to your desktop.
    • Right click and Extract All
    • Once extracted, open and run JavaRa.exe
    • Click Search For Updates
    • Select Update Using jucheck.exe
    • Click Search
    • If a newer version is found, allow it to be installed
    • When complete, click Remove Older Versions in the JavaRa interface and allow it to proceed
    • When that is complete, click Additional Tasks, then select Remove Useless JRE Files and click Go
    • Exit the tool when complete.

    You can remove JavaRa when done or keep it for future use, whichever you want.

    That should wrap things up. Everything working normally again?
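As an added example after the cleanup steps above (not a script from the thread, from ComboFix or from JavaRa), this PowerShell script checks the outcome rather than trusting it: that ComboFix /u left no C:\Qoobox, C:\ComboFix or C:\ComboFix.txt behind, that JavaRa's Remove Older Versions left a single registered JRE, and that the JRE that CurrentVersion points at still has a java.exe. Assumptions: ComboFix was run from C:\, the Sun JRE registers itself under the usual Uninstall and JavaSoft keys, and PowerShell is installed (on XP it was a separate download). Run it from an elevated PowerShell prompt.

```powershell
# Post-cleanup check for the ComboFix /u and JavaRa steps.
# Added example for this thread; not a script from the thread, ComboFix or JavaRa.
# Assumptions: ComboFix ran from C:\ and the Sun JRE uses its usual registry keys.

$problems = 0

# 1. ComboFix /u removes its quarantine folder, its working folder and its log.
$leftovers = @('C:\Qoobox', 'C:\ComboFix', 'C:\ComboFix.txt')
foreach ($path in $leftovers) {
    if (Test-Path -Path $path) {
        Write-Output "STILL PRESENT: $path  (ComboFix /u did not run, or ran without permission)"
        $problems++
    } else {
        Write-Output "removed: $path"
    }
}

# 2. After JavaRa's Remove Older Versions exactly one JRE should be registered.
#    The Uninstall key is where Add/Remove Programs (and JavaRa) see them.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
$jres = Get-ChildItem -Path $uninstall |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { $_.DisplayName -match '^(Java\(TM\)|J2SE Runtime Environment)' }

foreach ($jre in $jres) {
    Write-Output ("JRE registered: {0}  [{1}]" -f $jre.DisplayName, $jre.DisplayVersion)
}
if (@($jres).Count -gt 1) {
    Write-Output "More than one JRE is still registered; re-run JavaRa's Remove Older Versions."
    $problems++
}

# 3. The default JRE must still resolve to a real installation, otherwise
#    Java-based sites break after the old versions were removed.
$javaSoft = 'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment'
if (Test-Path -Path $javaSoft) {
    $cur = (Get-ItemProperty -Path $javaSoft).CurrentVersion
    if ($cur) {
        $javaHome = (Get-ItemProperty -Path "$javaSoft\$cur").JavaHome
        Write-Output "Default JRE: $cur at $javaHome"
        if (-not (Test-Path -Path (Join-Path $javaHome 'bin\java.exe'))) {
            Write-Output "CurrentVersion points at a JavaHome with no java.exe; reinstall Java."
            $problems++
        }
    }
} else {
    Write-Output "No JavaSoft key: Java is not installed (fine if that was intended)."
}

if ($problems -eq 0) { Write-Output 'Cleanup verified.' }
else { Write-Output "$problems item(s) need attention." }
```

If the first block reports C:\Qoobox as still present, ComboFix /u was most likely typed without the space or run from a limited account; rerun it as an administrator before deleting anything by hand, since the uninstall is also what resets the restore points.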
     
