
Solved Problems with virus attack

Discussion in 'Malware and Virus Removal Archive' started by Ant S, 2010/10/15.

  1. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    Joined:
    2010/10/14
    Messages:
    43
    Likes Received:
    0
    [Resolved] Problems with virus attack

    Good afternoon...

    I think I've got some nasty problems with my PC following a virus attack. I’d be very grateful for some help.

    The symptoms are as follows.

    (1) On booting up, Windows gives me a “Generic Host Process for Win32 Services encountered a problem...” message.

    (2) System Restore isn’t working properly: around 50% of the time it either doesn’t start up or won’t start the restore. I get a “System Restore is unable to protect your computer. Please restart your computer, and run System Restore again.” message then it drops out.

    (3) My Internet connection breaks down. If I swap to the other USB port (I have two), it works fine. However, the problem is not fixed to a particular USB port: the connection fails on whichever USB port was connected to the Internet on start-up.

    (4) My Internet browser is re-directing to other sites. It isn’t just anti-virus sites that I’m directed away from and some of the re-directions are to respectable sites, such as eBay.

    (5) Media player won’t play music files. It says there is a problem with the sound card. However, this is intermittent and Sound Recorder plays files.


    Brief history

    Before this, my PC was working perfectly fine. The problems began yesterday (14 October 2010) around 18:00. I’d been using the Internet ... with antivirus off. (Idiot!)

    The hard-drive went into overdrive for a while and one of those ‘You have a virus!’ fake AV-tools popped up with an icon in the System Tray. I found a process running (called something like ‘sgff....exe’.) I shut it down and removed the file. From then on I’ve had the above.


    Attempted remedies

    (1) System Restore with three different restore points from before the problems started.

    (2) A scan with Microsoft Security Essentials reported three W32/obfuscator.jz files embedded in the System Restore Volume. These were removed. The files were dated around 14 October 2010 18:30.

    (3) Latest Microsoft virus removal tool. (Nothing reported.)

    (4) ‘net stop dnscache’ at the command prompt, but this has limited effect. (Re-direction still occurs even after the service is stopped.)

    (5) Have checked Device Manager, but it reports no problems.


    I’m running XP SP3 and the browser in use at the time was IE6. (I also have Google Chrome, which is possibly not so badly affected with the re-directions.) Am using Microsoft Security Essentials.

    I’ll put a HijackThis log and the DDS reports in separate posts below.

    My replies might be a bit slow, so I apologise in advance.

    Any ideas?

    Ant
     
  2. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    DDS.txt


    DDS (Ver_10-10-10.03) - FAT32x86
    Run by Ant at 14:42:51.26 on 15/10/2010
    Internet Explorer: 6.0.2900.5512
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.367.94 [GMT 1:00]

    AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
    AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
    C:\WINDOWS\system32\00THotkey.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\WINDOWS\system32\TPWRTRAY.EXE
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
    C:\Program Files\Microsoft Security Essentials\msseces.exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Documents and Settings\Ant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\3 Mobile Broadband\3Connect\Wilog.exe
    C:\Documents and Settings\Ant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Ant\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Program Files\Defraggler\Defraggler.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Documents and Settings\Ant\Desktop\dds.pif

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank
    uSearch Page = hxxp://search.live.com
    uSearch Bar = hxxp://search.live.com/sphome.aspx
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    mSearchAssistant = hxxp://search.live.com/sphome.aspx
    uURLSearchHooks: H - No File
    BHO: AutorunsDisabled - No File
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
    BHO: Nectar Search Toolbar BHO: {b7c2f0d8-2209-4693-a15d-5a537211d48b} - c:\program files\nectar search toolbar\Toolbar.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
    TB: Nectar Search Toolbar: {8020143d-5926-4394-a04d-dd0b649da121} - c:\program files\nectar search toolbar\Toolbar.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    mRun: [00THotkey] c:\windows\system32\00THotkey.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [Tpwrtray] TPWRTRAY.EXE
    mRun: [TFncKy] TFncKy.exe /Type 10
    mRun: [TosHKCW.exe] c:\program files\toshiba\wireless hotkey\TosHKCW.exe
    mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\ant\startm~1\programs\startup\bookso~1.lnk - c:\book\BOOKSU.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
    IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    Trusted Zone: ebay.co.uk
    Trusted Zone: google.co.uk
    Trusted Zone: google.com
    Trusted Zone: hotmail.com
    Trusted Zone: live.com
    Trusted Zone: msn.com
    Trusted Zone: passport.com
    Trusted Zone: three.co.uk
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/E/1/F/E1F6B9B3-49AA-42BB-9115-D9FB57768CC2/wmavax.CAB
    DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
    DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: {F7377401-CFF9-4BE5-936B-19CFEF7C2DD6} = 217.171.132.1 217.171.135.1

    ============= SERVICES / DRIVERS ===============

    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
    R2 BecHelperService;BecHelperService;c:\program files\3 mobile broadband\3connect\BecHelperService.exe [2010-4-13 1737464]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-5-1 54752]
    R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [2001-12-6 221824]
    S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
    S3 GenericMount;Generic Mount Driver;c:\windows\system32\drivers\genericmount.sys --> c:\windows\system32\drivers\GenericMount.sys [?]
    S3 HPUATA;HP CD Writer Plus Controller Driver;c:\windows\system32\drivers\HPUATA.sys [2001-9-24 75776]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-9-7 7680]

    =============== Created Last 30 ================

    2010-10-15 12:43:36 -------- d-sh--w- C:\FOUND.000
    2010-10-15 12:10:29 -------- d-----w- c:\program files\Speccy
    2010-10-15 12:01:10 -------- d--h--w- c:\windows\PIF
    2010-10-15 11:38:02 -------- d-----w- c:\program files\Trend Micro
    2010-10-15 11:26:08 6084944 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{b8301fcf-0383-45d3-b937-237b0c9b75b2}\mpengine.dll
    2010-10-15 11:24:12 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2010-10-15 11:24:12 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-15 00:06:32 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-15 00:06:28 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 00:06:24 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 00:01:41 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-14 23:58:47 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-10-14 23:52:54 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-10-08 19:39:23 -------- d-----w- c:\docume~1\ant\locals~1\applic~1\Deployment
    2010-10-03 19:20:48 360 ----a-w- c:\windows\system32\drivers\sjskpvmj.dat
    2010-10-02 23:02:46 -------- d-----w- c:\program files\LAME
    2010-10-02 22:43:21 -------- d-----w- c:\docume~1\ant\applic~1\AccurateRip
    2010-09-22 22:51:55 -------- d-----w- c:\program files\Defraggler
    2010-09-18 11:23:26 974848 ------w- c:\windows\system32\dllcache\mfc42u.dll

    ==================== Find3M ====================

    2010-09-18 11:23:26 974848 ----a-w- c:\windows\system32\MFC42u.DLL
    2010-09-18 06:53:26 974848 ----a-w- c:\windows\system32\MFC42.DLL
    2010-09-18 06:53:26 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:26 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-09 14:16:32 667136 ----a-w- c:\windows\system32\WININET.DLL
    2010-09-09 14:16:30 81920 ------w- c:\windows\system32\ieencode.dll
    2010-09-09 14:16:30 61952 ----a-w- c:\windows\system32\tdc.ocx
    2010-09-08 16:49:50 369664 ------w- c:\windows\system32\html.iec
    2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
    2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\WIN32K.SYS
    2010-08-27 08:02:30 119808 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-27 05:57:44 99840 ----a-w- c:\windows\system32\srvsvc.dll
    2010-08-26 12:52:46 5120 ----a-w- c:\windows\system32\xpsp4res.dll
    2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\COMCTL32.DLL
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\SPOOLSV.EXE
    2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\RPCRT4.DLL

    ============= FINISH: 14:45:47.31 ===============
     

  4. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    Attach.txt


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-10-10.03)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 14/03/2010 18:43:22
    System Uptime: 15/10/2010 13:39:37 (1 hours ago)

    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel Celeron processor | 370-PIN PGA ZIF SOCKET | 1095/100mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (FAT32) - 9 GiB total, 0.479 GiB free.
    D: is CDROM ()
    F: is Removable
    G: is CDROM (CDFS)
    H: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {6BDD1FC5-810F-11D0-BEC7-08002BE2092F}
    Description: SMC IrCC - Fast Infrared Port
    Device ID: ACPI\SMCF010\4&2E6719A8&0
    Manufacturer: SMC
    Name: SMC IrCC - Fast Infrared Port
    PNP Device ID: ACPI\SMCF010\4&2E6719A8&0
    Service: SMCIRDA

    Class GUID: {72631E54-78A4-11D0-BCF7-00AA00B7B32A}
    Description: Microsoft ACPI-Compliant Control Method Battery
    Device ID: ACPI\PNP0C0A\1
    Manufacturer: Microsoft
    Name: Microsoft ACPI-Compliant Control Method Battery
    PNP Device ID: ACPI\PNP0C0A\1
    Service: CmBatt

    ==== System Restore Points ===================

    RP186: 15/10/2010 10:12:34 - Restore Operation
    RP187: 15/10/2010 10:26:29 - Restore Operation
    RP188: 15/10/2010 12:15:19 - Restore Operation

    ==== Installed Programs ======================

    3Connect
    ABBYY FineReader 4.0 Sprint
    Adobe Flash Player 10 ActiveX
    Adobe Reader 7.0.9
    Adobe SVG Viewer 3.0
    ALi Audio Accelerator WDM Driver
    ALPS Touch Pad Driver
    CCleaner
    CmdHere Powertoy For Windows XP
    Defraggler
    ExamDiff 1.8 (Build 1.8.0.5)
    File List Viewer
    GetDataBack for FAT
    Google Chrome
    Google Toolbar for Internet Explorer
    HijackThis 2.0.2
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB976002-v5)
    HP Product Detection
    HP RecordNow
    IrfanView (remove only)
    Junk Mail filter update
    L&H TTS3000 British English
    Microsoft .NET Framework 2.0 Service Pack 1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft Search Enhancement Pack
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    MSVCRT
    Nectar Search Toolbar
    Network Device Switch
    ReadPlease 2003/ReadPlease PLUS 2003
    Recuva
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Speccy
    STARWARS: The Battle of Endor version 2.1
    STARWARS: The Battle of Yavin version 1.1
    TOSHIBA Console
    TOSHIBA Controls
    Toshiba Manuals
    TOSHIBA Power Saver
    Toshiba Soft Modem AMR
    TOSHIBA Software Modem
    Toshiba Utilities
    Tweak UI
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    WebFldrs XP
    Windows Backup Utility
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Support Tools
    Windows XP Service Pack 3
    WinMerge 2.12.4
    Wireless Hotkey
    WordWeb
    ZTE_MF627_USB_MODEM_1.2059.0.4

    ==== Event Viewer Messages From Past Week ========

    10/10/2010 22:31:53, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    10/10/2010 20:03:10, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SeaPort with arguments "-Service" in order to run the server: {D6381B4A-D254-46EB-9018-A62E0F4BA6BA}
    10/10/2010 15:12:30, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service LiveUpdate with arguments " " in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    10/10/2010 12:58:00, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    10/10/2010 12:52:06, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service SymSnapService with arguments " " in order to run the server: {A62FB47E-2A72-44A7-B83D-16FB51636AAC}

    ==== End Of File ===========================
     
  5. 2010/10/15
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    I can see some Kaspersky's leftovers.
    Please, run this tool: http://support.kasperskyamericas.com/knowledge-base-article/1464 to remove them.

    ===============================================================

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  6. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    Thanks for the welcome, broni. It's good to be here.

    Initially, mbam.exe wouldn't run. It'd drop out of Task Manager after a couple of seconds. It picked up 7 infected registry entries, which I removed.

    The Malwarebytes, GMER and MBRCheck logs are posted below. What do you suggest?

    Well done for spotting the Kaspersky files.
     
  7. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    Malwarebytes log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    15/10/2010 21:12:08
    mbam-log-2010-10-15 (21-12-08).txt

    Scan type: Quick scan
    Objects scanned: 134125
    Time elapsed: 24 minute(s), 30 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  8. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    GMER log

    GMER 1.0.15.15319 - http://www.gmer.net
    Rootkit scan 2010-10-15 21:30:37
    Windows 5.1.2600 Service Pack 3
    Running: wddmj6mc.exe; Driver: C:\DOCUME~1\Ant\LOCALS~1\Temp\awtorpoc.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\Program Files\Internet Explorer\iexplore.exe[1444] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 46CAE71D C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1444] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 46CAEEE9 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1444] WS2_32.dll!socket 71AB4211 5 Bytes JMP 46CAE59E C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1444] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 46CAE62A C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1444] WS2_32.dll!send 71AB4C27 5 Bytes JMP 46CAE9ED C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)
    .text C:\Program Files\Internet Explorer\iexplore.exe[1444] WS2_32.dll!recv 71AB676F 5 Bytes JMP 46CAF1C3 C:\Program Files\Microsoft\Search Enhancement Pack\SeaNote\SeaNote.dll (Microsoft Search Note/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82CCFAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82CCFAEA
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 82CCFAEA

    AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
    AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 82CCFEC5

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
     
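As an added triage example (not code from the thread, from GMER or from the forum's helpers), the following Python parses the "Devices" and "Files" sections of a GMER log in the format posted above and flags the TCP/IP filter drivers GMER could not attribute to a vendor, plus files GMER reports as suspiciously modified. The sample log is constructed from lines in the GMER post above; the function and class names are my own.

```python
r"""Triage helper for the "Devices" and "Files" sections of a GMER log.

Added example; not code from the thread or from GMER.  It splits the log on
GMER's section headers ("---- <name> - GMER x.y ----") and flags:
  * AttachedDevice filters on \Driver\Tcpip that carry no "(description/vendor)"
    text, i.e. modules GMER could not tie to a known vendor;
  * files GMER reports as "suspicious modification".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the Devices/Files lines from the GMER log posted above.
SAMPLE_LOG = r"""
---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mdvrmng.sys

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82CCFAEA

AttachedDevice \Driver\Tcpip \Device\Udp mdvrmng.sys
AttachedDevice \Driver\Tcpip \Device\RawIp mdvrmng.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
# driver object, device object, module file name, optional "(description/vendor)"
ATTACHED_RE = re.compile(r"^AttachedDevice (\S+) (\S+) (\S+)(?: \((.*)\))?$")
SUSPICIOUS_RE = re.compile(r"^File (.+) suspicious modification$")
TCPIP_DRIVER = r"\Driver\Tcpip"


@dataclass
class AttachedDevice:
    driver: str            # driver object the filter attached to, e.g. \Driver\Tcpip
    device: str            # device object, e.g. \Device\Tcp
    module: str            # filter module file name, e.g. mdvrmng.sys
    vendor: Optional[str]  # GMER's "(description/vendor)" text, None if absent


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a GMER log into {section name: [non-empty lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def attached_devices(text: str) -> List[AttachedDevice]:
    """All AttachedDevice entries from the Devices section."""
    out = []
    for line in parse_sections(text).get("Devices", []):
        m = ATTACHED_RE.match(line)
        if m:
            out.append(AttachedDevice(m.group(1), m.group(2), m.group(3), m.group(4)))
    return out


def unattributed_tcpip_filters(text: str) -> Dict[str, List[str]]:
    """Map module -> devices for TCP/IP filters GMER gave no vendor for.

    A filter attached to the Ip/Tcp/Udp/RawIp device objects sits in the path
    of the machine's TDI network I/O, so an unknown module there is the first
    thing to check when a browser is being redirected.
    """
    found: Dict[str, List[str]] = {}
    for dev in attached_devices(text):
        if dev.driver == TCPIP_DRIVER and dev.vendor is None:
            found.setdefault(dev.module, []).append(dev.device)
    return found


def modified_files(text: str) -> List[str]:
    """Paths GMER flagged as 'suspicious modification' in the Files section."""
    paths = []
    for line in parse_sections(text).get("Files", []):
        m = SUSPICIOUS_RE.match(line)
        if m:
            paths.append(m.group(1))
    return paths


def triage(text: str) -> List[str]:
    """Human-readable findings, one per line, for a quick read of the log."""
    findings = []
    for module, devices in unattributed_tcpip_filters(text).items():
        findings.append(f"unattributed TCP/IP filter {module} on {', '.join(devices)}")
    for path in modified_files(text):
        findings.append(f"modified system file {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```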
  9. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    MBRCheck log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Home Edition
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x000000dd

    Kernel Drivers (total 116):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF7999000 \WINDOWS\system32\KDCOM.DLL
    0xF78A9000 \WINDOWS\system32\BOOTVID.dll
    0xF744A000 ACPI.sys
    0xF799B000 \WINDOWS\System32\DRIVERS\WMILIB.SYS
    0xF7439000 pci.sys
    0xF7499000 isapnp.sys
    0xF78AD000 compbatt.sys
    0xF78B1000 \WINDOWS\System32\DRIVERS\BATTC.SYS
    0xF799D000 aliide.sys
    0xF7719000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
    0xF741B000 pcmcia.sys
    0xF74A9000 MountMgr.sys
    0xF73FC000 ftdisk.sys
    0xF7721000 PartMgr.sys
    0xF74B9000 VolSnap.sys
    0xF73E4000 atapi.sys
    0xF74C9000 disk.sys
    0xF74D9000 \WINDOWS\System32\DRIVERS\CLASSPNP.SYS
    0xF73C4000 fltmgr.sys
    0xF73B2000 sr.sys
    0xF78B5000 PxHelp20.sys
    0xF738E000 Fastfat.sys
    0xF7377000 KSecDD.sys
    0xF734A000 NDIS.sys
    0xF799F000 TVALD.SYS
    0xF7330000 Mup.sys
    0xF74E9000 alim1541.sys
    0xF7519000 \SystemRoot\System32\DRIVERS\p3.sys
    0xF72B1000 \SystemRoot\System32\DRIVERS\tridxpm.sys
    0xF729D000 \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS
    0xF7741000 \SystemRoot\System32\DRIVERS\usbohci.sys
    0xF7279000 \SystemRoot\System32\DRIVERS\USBPORT.SYS
    0xF7529000 \SystemRoot\System32\DRIVERS\cdrom.sys
    0xF7539000 \SystemRoot\System32\DRIVERS\redbook.sys
    0xF7256000 \SystemRoot\System32\DRIVERS\ks.sys
    0xF721D000 \SystemRoot\system32\drivers\ac97ali.sys
    0xF71F9000 \SystemRoot\system32\drivers\portcls.sys
    0xF7549000 \SystemRoot\system32\drivers\drmk.sys
    0xF7559000 \SystemRoot\System32\DRIVERS\i8042prt.sys
    0xF7749000 \SystemRoot\System32\DRIVERS\kbdclass.sys
    0xF7569000 \SystemRoot\System32\DRIVERS\Apfiltr.sys
    0xF7751000 \SystemRoot\System32\DRIVERS\mouclass.sys
    0xF7759000 \SystemRoot\System32\DRIVERS\fdc.sys
    0xF7579000 \SystemRoot\System32\DRIVERS\serial.sys
    0xF7931000 \SystemRoot\System32\DRIVERS\serenum.sys
    0xF71E5000 \SystemRoot\System32\DRIVERS\parport.sys
    0xF7935000 \SystemRoot\System32\DRIVERS\CmBatt.sys
    0xF7B75000 \SystemRoot\System32\DRIVERS\audstub.sys
    0xF7761000 \SystemRoot\System32\DRIVERS\rasirda.sys
    0xF7769000 \SystemRoot\System32\DRIVERS\TDI.SYS
    0xF7589000 \SystemRoot\System32\DRIVERS\rasl2tp.sys
    0xF793D000 \SystemRoot\System32\DRIVERS\ndistapi.sys
    0xF71CE000 \SystemRoot\System32\DRIVERS\ndiswan.sys
    0xF7599000 \SystemRoot\System32\DRIVERS\raspppoe.sys
    0xF75A9000 \SystemRoot\System32\DRIVERS\raspptp.sys
    0xF71BD000 \SystemRoot\System32\DRIVERS\psched.sys
    0xF75B9000 \SystemRoot\System32\DRIVERS\msgpc.sys
    0xF7771000 \SystemRoot\System32\DRIVERS\ptilink.sys
    0xF7779000 \SystemRoot\System32\DRIVERS\raspti.sys
    0xF75C9000 \SystemRoot\System32\DRIVERS\termdd.sys
    0xF79A3000 \SystemRoot\System32\DRIVERS\swenum.sys
    0xF7137000 \SystemRoot\System32\DRIVERS\update.sys
    0xF794D000 \SystemRoot\System32\DRIVERS\mssmbios.sys
    0xF75E9000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF75F9000 \SystemRoot\System32\DRIVERS\usbhub.sys
    0xF79A5000 \SystemRoot\System32\DRIVERS\USBD.SYS
    0xF2BB3000 \SystemRoot\System32\DRIVERS\LTSM.sys
    0xF7781000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF7789000 \SystemRoot\System32\DRIVERS\flpydisk.sys
    0xF2B90000 \SystemRoot\system32\DRIVERS\MpFilter.sys
    0xF79A7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7B8E000 \SystemRoot\System32\Drivers\Null.SYS
    0xF79A9000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF7799000 \SystemRoot\System32\drivers\vga.sys
    0xF79AB000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79AD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF77A1000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF77A9000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF7975000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0xF2B5D000 \SystemRoot\System32\DRIVERS\ipsec.sys
    0xF2B04000 \SystemRoot\System32\DRIVERS\tcpip.sys
    0xF2ADC000 \SystemRoot\System32\DRIVERS\netbt.sys
    0xF2ABA000 \SystemRoot\System32\drivers\afd.sys
    0xF7619000 \SystemRoot\System32\DRIVERS\netbios.sys
    0xF2A8F000 \SystemRoot\System32\DRIVERS\rdbss.sys
    0xF29F7000 \SystemRoot\System32\DRIVERS\mrxsmb.sys
    0xF7649000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF29D1000 \SystemRoot\System32\DRIVERS\ipnat.sys
    0xF7659000 \SystemRoot\System32\DRIVERS\wanarp.sys
    0xF76D9000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF72F8000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF77E1000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7A83000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\tridxp.dll
    0xF7639000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
    0xF07ED000 \SystemRoot\System32\DRIVERS\irda.sys
    0xF07B1000 \??\C:\WINDOWS\system32\drivers\mdvrmng.sys
    0xF082F000 \SystemRoot\System32\DRIVERS\ndisuio.sys
    0xF05A4000 \SystemRoot\System32\DRIVERS\mrxdav.sys
    0xF058F000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF220B000 \SystemRoot\system32\drivers\sysaudio.sys
    0xF7A39000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xF03A9000 \SystemRoot\System32\DRIVERS\srv.sys
    0xEFF92000 \SystemRoot\System32\Drivers\HTTP.sys
    0xF7851000 \SystemRoot\System32\DRIVERS\USBSTOR.SYS
    0xEF7FC000 \??\C:\DOCUME~1\Ant\LOCALS~1\Temp\awtorpoc.sys
    0xF7831000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xEF7E2000 \SystemRoot\system32\DRIVERS\ZTEusbser6k.sys
    0xEF7C8000 \SystemRoot\system32\DRIVERS\ZTEusbnmea.sys
    0xEF7AE000 \SystemRoot\system32\DRIVERS\ZTEusbmdm6k.sys
    0xF0139000 \SystemRoot\System32\DRIVERS\asyncmac.sys
    0x7C900000 \WINDOWS\System32\ntdll.dll

    Processes (total 32):
    0 System Idle Process
    4 System
    376 C:\WINDOWS\System32\SMSS.EXE
    476 csrss.exe
    500 C:\WINDOWS\System32\winlogon.exe
    544 C:\WINDOWS\System32\services.exe
    556 C:\WINDOWS\System32\lsass.exe
    700 C:\WINDOWS\System32\svchost.exe
    816 svchost.exe
    856 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    892 C:\WINDOWS\System32\svchost.exe
    984 svchost.exe
    1056 svchost.exe
    1208 C:\WINDOWS\System32\spoolsv.exe
    1288 C:\WINDOWS\Explorer.EXE
    1356 svchost.exe
    1428 C:\Program Files\3 Mobile Broadband\3Connect\BecHelperService.exe
    1912 C:\WINDOWS\System32\00THotkey.exe
    1920 C:\Program Files\Apoint2K\Apoint.exe
    1932 C:\WINDOWS\System32\TPWRTRAY.EXE
    1956 C:\Program Files\Toshiba\Toshiba Controls\TFncKy.exe
    1964 C:\Program Files\Toshiba\Wireless Hotkey\TosHKCW.exe
    1972 C:\Program Files\Microsoft Security Essentials\MSSECES.EXE
    1996 C:\Program Files\Apoint2K\ApntEx.exe
    2028 C:\WINDOWS\System32\ntvdm.exe
    392 C:\WINDOWS\System32\WSCNTFY.EXE
    444 ALG.EXE
    1444 C:\Program Files\Internet Explorer\iexplore.exe
    2364 C:\WINDOWS\System32\taskmgr.exe
    2400 C:\Program Files\3 Mobile Broadband\3Connect\Wilog.exe
    2716 C:\WINDOWS\System32\wuauclt.exe
    2980 C:\Documents and Settings\Ant\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: HITACHI_DK23BA-10, Rev: 00E2A0A0

    Size   Device Name          MBR Status
    --------------------------------------------
    9 GB   \\.\PhysicalDrive0   Windows 98 MBR code detected
    SHA1: 48F01D7E76A0F3C038D08611E3FDC0EE4EF9FD3E


    Done!
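One entry in the module listing above stands out to an analyst: a driver image loaded from the user's Temp folder (`\??\C:\DOCUME~1\Ant\LOCALS~1\Temp\awtorpoc.sys`) rather than from `\SystemRoot\System32`. The following added example (mine, not MBRCheck's code and not part of the thread) buckets an MBRCheck module listing by load path; it assumes the system root is `C:\WINDOWS`, which is what the logs in this thread report.

```python
"""Triage the kernel-module list from an MBRCheck log by image load path.

Added example, not part of the thread and not MBRCheck's code. The listing
format ("<base address> <image path>") is the one in the log posted above;
SAMPLE_LISTING is an abridged copy of that listing.
"""
import re
from typing import Dict, List, Tuple

_MODULE_RE = re.compile(r"^\s*0x([0-9A-Fa-f]{8})\s+(\S.*?)\s*$")

# Assumed for this machine; the MBRCheck and TDSSKiller logs both show C:\WINDOWS.
SYSTEM_ROOT = "C:\\WINDOWS"
SYSTEM32 = (SYSTEM_ROOT + "\\system32\\").lower()


def normalize(image_path: str) -> str:
    """Map the NT-namespace forms seen in the listing onto a Win32 path."""
    low = image_path.lower()
    if low.startswith("\\??\\"):                 # explicit DOS-device path
        return image_path[4:]
    if low.startswith("\\systemroot\\"):         # the normal form for boot/system drivers
        return SYSTEM_ROOT + image_path[len("\\systemroot"):]
    if low.startswith("\\windows\\"):            # how the listing shows ntdll.dll
        return "C:" + image_path
    return image_path


def classify(image_path: str) -> Tuple[str, str]:
    """Return (bucket, reason). Kernel code outside %SystemRoot%\\system32 gets
    'review'; a system32 file loaded via an explicit \\??\\ path gets 'info'."""
    win32 = normalize(image_path).lower()
    if not win32.startswith(SYSTEM32):
        where = "user temp folder" if "\\temp\\" in win32 else "outside system32"
        return "review", f"kernel module loaded from {where}"
    if image_path.startswith("\\??\\"):
        return "info", "system32 file referenced by absolute path"
    return "ok", ""


def triage(listing: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Bucket every '0xADDR path' line as (base, path, reason)."""
    buckets: Dict[str, List[Tuple[str, str, str]]] = {"review": [], "info": [], "ok": []}
    for line in listing.splitlines():
        m = _MODULE_RE.match(line)
        if not m:
            continue
        base, path = m.groups()
        bucket, reason = classify(path)
        buckets[bucket].append((base, path, reason))
    return buckets


# Abridged copy of the module listing posted in this thread (constructed sample).
SAMPLE_LISTING = r"""
0xF7559000 \SystemRoot\System32\DRIVERS\i8042prt.sys
0xF2B90000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xF07B1000 \??\C:\WINDOWS\system32\drivers\mdvrmng.sys
0xEF7FC000 \??\C:\DOCUME~1\Ant\LOCALS~1\Temp\awtorpoc.sys
0x7C900000 \WINDOWS\System32\ntdll.dll
"""

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LISTING).items():
        for base, path, reason in items:
            print(f"[{bucket:6}] 0x{base} {path} {reason}".rstrip())
```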
     
  10. 2010/10/15
    broni

    broni Moderator Malware Analyst

    Your MBAM log says "No action taken" after each line.

    Please, re-run MBAM, FIX all issues and post new log.

    When done...

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  11. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    I think the Malwarebytes log was produced before I removed the seven infected entries. TDSSKiller found one threat.

    mbam.exe was often shutting down shortly after starting, which sounds sinister. Also, the Win32 Service and System Restore problems don't seem to occur when the PC is running in Safe Mode.

    Malwarebytes (full-scan) and TDSSKiller logs to follow.
     
  12. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    Malwarebytes log

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3 (Safe Mode)
    Internet Explorer 6.0.2900.5512

    15/10/2010 23:59:04
    mbam-log-2010-10-15 (23-59-04).txt

    Scan type: Full scan (A:\|C:\|)
    Objects scanned: 172532
    Time elapsed: 1 hour(s), 4 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  13. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    TDSSKiller log

    2010/10/16 00:26:12.0312 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
    2010/10/16 00:26:12.0312 ================================================================================
    2010/10/16 00:26:12.0312 SystemInfo:
    2010/10/16 00:26:12.0312
    2010/10/16 00:26:12.0312 OS Version: 5.1.2600 ServicePack: 3.0
    2010/10/16 00:26:12.0312 Product type: Workstation
    2010/10/16 00:26:12.0312 ComputerName: SATELLITE1800
    2010/10/16 00:26:12.0312 UserName: Ant
    2010/10/16 00:26:12.0312 Windows directory: C:\WINDOWS
    2010/10/16 00:26:12.0312 System windows directory: C:\WINDOWS
    2010/10/16 00:26:12.0322 Processor architecture: Intel x86
    2010/10/16 00:26:12.0322 Number of processors: 1
    2010/10/16 00:26:12.0322 Page size: 0x1000
    2010/10/16 00:26:12.0322 Boot type: Normal boot
    2010/10/16 00:26:12.0322 ================================================================================
    2010/10/16 00:26:16.0878 Initialize success
    2010/10/16 00:26:28.0485 ================================================================================
    2010/10/16 00:26:28.0485 Scan started
    2010/10/16 00:26:28.0485 Mode: Manual;
    2010/10/16 00:26:28.0485 ================================================================================
    2010/10/16 00:26:33.0372 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/10/16 00:26:33.0983 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/10/16 00:26:35.0876 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2010/10/16 00:26:36.0607 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2010/10/16 00:26:40.0122 ALiADWDM (065a6d38a79216592de03f3525d6296e) C:\WINDOWS\system32\drivers\ac97ali.sys
    2010/10/16 00:26:40.0903 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2010/10/16 00:26:42.0034 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2010/10/16 00:26:43.0957 ApfiltrService (58cf0ef8b5c8ccbad8973695a1622cf3) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
    2010/10/16 00:26:47.0843 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/10/16 00:26:48.0844 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/10/16 00:26:50.0346 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/10/16 00:26:51.0318 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/10/16 00:26:51.0909 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/10/16 00:26:52.0820 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/10/16 00:26:54.0382 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/10/16 00:26:55.0213 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/10/16 00:26:56.0075 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/10/16 00:26:57.0206 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2010/10/16 00:27:40.0869 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2010/10/16 00:27:46.0858 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/10/16 00:27:48.0780 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/10/16 00:27:50.0703 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2010/10/16 00:27:51.0675 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/10/16 00:27:53.0037 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/10/16 00:27:55.0851 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/10/16 00:27:57.0102 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2010/10/16 00:27:58.0364 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/10/16 00:27:59.0346 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/10/16 00:28:00.0537 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2010/10/16 00:28:01.0739 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/10/16 00:28:03.0191 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2010/10/16 00:28:05.0074 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
    2010/10/16 00:28:05.0755 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/10/16 00:28:06.0536 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/10/16 00:28:09.0390 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/10/16 00:28:14.0167 HPUATA (04462676036659eac991d84214785026) C:\WINDOWS\system32\DRIVERS\HPUATA.sys
    2010/10/16 00:28:15.0259 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/10/16 00:28:28.0538 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/10/16 00:28:29.0519 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/10/16 00:28:34.0536 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2010/10/16 00:28:35.0728 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/10/16 00:28:36.0729 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/10/16 00:28:38.0011 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/10/16 00:28:39.0113 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/10/16 00:28:40.0645 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
    2010/10/16 00:28:42.0027 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/10/16 00:28:43.0419 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/10/16 00:28:44.0521 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/10/16 00:28:45.0542 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/10/16 00:28:47.0405 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/10/16 00:28:49.0618 massfilter (59f57b06d1e3c7a3f22d62c7c5b4c3c3) C:\WINDOWS\system32\drivers\massfilter.sys
    2010/10/16 00:28:51.0340 MBAMSwissArmy (c7dd7d9739785bd3a6b8499eec1dee7e) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2010/10/16 00:28:52.0202 mdvrmng (4e10e84320a8ec1c12bd0d00973b22ab) C:\WINDOWS\system32\drivers\mdvrmng.sys
    2010/10/16 00:28:53.0463 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/10/16 00:28:54.0195 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2010/10/16 00:28:55.0026 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/10/16 00:28:55.0777 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/10/16 00:28:57.0599 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    2010/10/16 00:29:00.0614 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/10/16 00:29:03.0087 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/10/16 00:29:05.0591 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/10/16 00:29:07.0434 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/10/16 00:29:08.0335 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/10/16 00:29:08.0856 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/10/16 00:29:10.0688 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/10/16 00:29:12.0060 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/10/16 00:29:13.0673 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/10/16 00:29:15.0105 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/10/16 00:29:15.0976 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/10/16 00:29:17.0087 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/10/16 00:29:18.0940 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/10/16 00:29:28.0524 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/10/16 00:29:33.0050 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/10/16 00:29:36.0045 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/10/16 00:29:37.0867 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/10/16 00:29:40.0761 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/10/16 00:29:42.0664 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/10/16 00:29:44.0787 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/10/16 00:29:47.0361 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
    2010/10/16 00:29:55.0633 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/10/16 00:30:12.0527 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/10/16 00:30:21.0410 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/10/16 00:30:23.0543 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/10/16 00:30:24.0845 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2010/10/16 00:30:35.0260 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/10/16 00:30:35.0741 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2010/10/16 00:30:36.0682 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/10/16 00:30:40.0227 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/10/16 00:30:51.0653 PxHelp20 (cdead57b9944c7cfa52e30a69455a51e) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
    2010/10/16 00:31:01.0678 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/10/16 00:31:09.0409 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2010/10/16 00:31:10.0651 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/10/16 00:31:12.0023 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/10/16 00:31:13.0745 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/10/16 00:31:14.0977 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/10/16 00:31:16.0619 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/10/16 00:31:18.0442 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/10/16 00:31:20.0635 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/10/16 00:31:22.0598 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/10/16 00:31:23.0679 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/10/16 00:31:24.0781 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/10/16 00:31:26.0043 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/10/16 00:31:28.0947 SMCIRDA (9951b523fe6820f29ef010680cb692d2) C:\WINDOWS\system32\DRIVERS\smcirda.sys
    2010/10/16 00:31:31.0451 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/10/16 00:31:32.0712 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/10/16 00:31:34.0074 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/10/16 00:31:35.0496 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/10/16 00:31:36.0548 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/10/16 00:31:50.0668 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/10/16 00:31:54.0233 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/10/16 00:31:56.0336 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/10/16 00:31:56.0897 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/10/16 00:31:57.0698 TermDD (e1bbd07d35446f3c35a8ea437383fd00) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/10/16 00:31:57.0698 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: e1bbd07d35446f3c35a8ea437383fd00, Fake md5: 88155247177638048422893737429d9e
    2010/10/16 00:31:57.0999 TermDD - detected Rootkit.Win32.TDSS.tdl3 (0)
    2010/10/16 00:32:06.0341 TOSHIBASoftModem (fb978ef3d4f53382ee4ee7c2293ae1c5) C:\WINDOWS\system32\DRIVERS\LTSM.sys
    2010/10/16 00:32:15.0184 tridxp (f17c59ec51b649077eb7c44079a8f449) C:\WINDOWS\system32\DRIVERS\tridxpm.sys
    2010/10/16 00:32:17.0787 TVALD (20b6be2a69c7547a09f67c3e67a2bdd5) C:\WINDOWS\system32\DRIVERS\TVALD.SYS
    2010/10/16 00:32:18.0338 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/10/16 00:32:24.0677 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/10/16 00:32:32.0318 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/10/16 00:32:33.0460 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/10/16 00:32:34.0431 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2010/10/16 00:32:35.0373 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/10/16 00:32:36.0454 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2010/10/16 00:32:38.0727 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/10/16 00:32:39.0829 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/10/16 00:32:40.0820 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2010/10/16 00:32:42.0092 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/10/16 00:32:43.0114 wlluc48 (dca17912a1926ae427537648fc0e74d5) C:\WINDOWS\system32\DRIVERS\wlluc48.sys
    2010/10/16 00:32:44.0676 ZTEusbmdm6k (d169ecbde1291b7d720441550d15d104) C:\WINDOWS\system32\DRIVERS\ZTEusbmdm6k.sys
    2010/10/16 00:32:45.0717 ZTEusbnmea (d169ecbde1291b7d720441550d15d104) C:\WINDOWS\system32\DRIVERS\ZTEusbnmea.sys
    2010/10/16 00:32:46.0779 ZTEusbser6k (d169ecbde1291b7d720441550d15d104) C:\WINDOWS\system32\DRIVERS\ZTEusbser6k.sys
    2010/10/16 00:32:47.0610 ================================================================================
    2010/10/16 00:32:47.0610 Scan finished
    2010/10/16 00:32:47.0610 ================================================================================
    2010/10/16 00:32:47.0740 Detected object count: 1
    2010/10/16 00:33:36.0230 TermDD (e1bbd07d35446f3c35a8ea437383fd00) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/10/16 00:33:36.0230 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: e1bbd07d35446f3c35a8ea437383fd00, Fake md5: 88155247177638048422893737429d9e
    2010/10/16 00:33:44.0602 Backup copy found, using it..
    2010/10/16 00:33:45.0493 C:\WINDOWS\system32\DRIVERS\termdd.sys - will be cured after reboot
    2010/10/16 00:33:45.0493 Rootkit.Win32.TDSS.tdl3(TermDD) - User select action: Cure
    2010/10/16 00:40:46.0869 Deinitialize success
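The interesting lines in the log above are the "Suspicious file (Forged)" notice and the detection that follows it: TDSSKiller reports two hashes for termdd.sys, the "Real" one for the bytes on disk and the "Fake" one for what a normal file read returns, and the mismatch is what tells it something in the driver stack is filtering reads of that file. The following added example (mine, not Kaspersky's code and not part of the thread) parses that log format, pairs each forgery notice with its driver, action and reboot status, and cross-checks the result against the tool's own "Detected object count".

```python
"""Pull the rootkit findings out of a TDSSKiller 2.4.x log.

Added example, not part of the thread and not Kaspersky's code. The line
layout is taken from the TDSSKiller log posted above; SAMPLE_LOG is an
abridged copy of that log (same service names, paths and hashes).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Inventory line: "<date> <time> <Service> (<md5>) <path>"
_DRIVER_RE = re.compile(
    r"^\S+ \S+ (?P<service>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Forgery notice. The tool hashes the driver file twice: "Real" for the bytes
# on disk and "Fake" for what a normal file read returns. When a driver-level
# rootkit filters reads of its host file the two differ, which is exactly what
# the thread's log shows for termdd.sys.
_FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+)\. Real md5: (?P<real>[0-9a-f]{32}),"
    r" Fake md5: (?P<fake>[0-9a-f]{32})")
_DETECT_RE = re.compile(r"^\S+ \S+ (?P<service>\S+) - detected (?P<threat>\S+)")
_ACTION_RE = re.compile(r"^\S+ \S+ (?P<threat>\S+)\((?P<service>[^)]+)\)"
                        r" - User select action: (?P<action>\w+)")
_CURE_RE = re.compile(r"^\S+ \S+ (?P<path>.+) - will be cured after reboot$")
_COUNT_RE = re.compile(r"Detected object count: (?P<n>\d+)")


@dataclass
class Finding:
    service: str
    path: str = ""
    real_md5: str = ""
    fake_md5: str = ""
    threat: str = ""
    action: str = ""
    reboot_required: bool = False


@dataclass
class Report:
    drivers: Dict[str, str]          # service name -> md5 from the inventory line
    findings: Dict[str, Finding]     # service name -> what TDSSKiller flagged
    detected_count: Optional[int]    # the tool's own tally, for cross-checking

    def consistent(self) -> bool:
        """True when the findings we parsed match the tool's own count."""
        return self.detected_count == len(self.findings)


def parse_tdsskiller(text: str) -> Report:
    drivers: Dict[str, str] = {}
    findings: Dict[str, Finding] = {}
    count: Optional[int] = None
    last_service = ""   # a forgery notice follows the inventory line it refers to
    for line in text.splitlines():
        line = line.strip()
        if m := _DRIVER_RE.match(line):
            drivers[m["service"]] = m["md5"]
            last_service = m["service"]
        elif m := _FORGED_RE.search(line):
            f = findings.setdefault(last_service, Finding(last_service))
            f.path, f.real_md5, f.fake_md5 = m["path"], m["real"], m["fake"]
        elif m := _DETECT_RE.match(line):
            findings.setdefault(m["service"], Finding(m["service"])).threat = m["threat"]
        elif m := _ACTION_RE.match(line):
            findings.setdefault(m["service"], Finding(m["service"])).action = m["action"]
        elif m := _CURE_RE.match(line):
            for f in findings.values():
                if f.path.lower() == m["path"].lower():
                    f.reboot_required = True
        elif m := _COUNT_RE.search(line):
            count = int(m["n"])
    return Report(drivers, findings, count)


# Abridged copy of the log posted in this thread (constructed sample).
SAMPLE_LOG = r"""
2010/10/16 00:26:28.0485 Scan started
2010/10/16 00:26:33.0372 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/16 00:31:54.0233 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/16 00:31:57.0698 TermDD (e1bbd07d35446f3c35a8ea437383fd00) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/16 00:31:57.0698 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: e1bbd07d35446f3c35a8ea437383fd00, Fake md5: 88155247177638048422893737429d9e
2010/10/16 00:31:57.0999 TermDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/16 00:32:47.0610 Scan finished
2010/10/16 00:32:47.0740 Detected object count: 1
2010/10/16 00:33:44.0602 Backup copy found, using it..
2010/10/16 00:33:45.0493 C:\WINDOWS\system32\DRIVERS\termdd.sys - will be cured after reboot
2010/10/16 00:33:45.0493 Rootkit.Win32.TDSS.tdl3(TermDD) - User select action: Cure
"""

if __name__ == "__main__":
    rep = parse_tdsskiller(SAMPLE_LOG)
    print(f"{len(rep.drivers)} drivers inventoried, tool count={rep.detected_count},"
          f" consistent={rep.consistent()}")
    for f in rep.findings.values():
        print(f"{f.service}: {f.threat} at {f.path}; real {f.real_md5} != fake {f.fake_md5};"
              f" action={f.action}, reboot={f.reboot_required}")
```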
     
  14. 2010/10/15
    broni

    broni Moderator Malware Analyst

    Good :)

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  15. 2010/10/15
    Ant S

    Ant S Inactive Thread Starter

    Just to keep you informed, so far the first re-start/logon after the last set of scans has produced none of the five symptoms. (The symptoms aren't inconsistent with the Vundo trojan and termdd.sys infections found.)

    However, it's too early yet to tell. I'll run combofix and post back.
     
  16. 2010/10/15
    broni

    broni Moderator Malware Analyst

    Ok :)
     
  17. 2010/10/16
    Ant S

    Ant S Inactive Thread Starter

    Good morning, broni...

    ComboFix deleted three files. Early in the scan Windows reported that PEV.EXE needed to close. (Otherwise the Command Prompt process ran to completion.) Shortly after, the Start Menu misbehaved but seems fine now.

    ComboFix has dealt with most of the disk-bloat (700MB) since the problems started, which is a relief. (The Vundo virus can cause disk-bloat.)

    So far this is my third symptom-free start-up/logon. :)

    ComboFix log to follow.

    Should I be worried about the files in the ComboFix log..? For example, moviemk.exe (which I think is Windows Movie Maker although I've never used/re-installed this) and sjskpvmj.dat (its timestamp is close to that of a Win32/Zbot.gen!Y virus intercepted by MSSE.)
     
  18. 2010/10/16
    Ant S

    Ant S Inactive Thread Starter

    ComboFix log

    ComboFix 10-10-15.01 - Ant 16/10/2010 9:22.1.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.367.34 [GMT 1:00]
    Running from: c:\documents and settings\Ant\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
    c:\windows\system32\_000009_.tmp.dll
    c:\windows\system32\_002094_.tmp.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-16 to 2010-10-16 )))))))))))))))))))))))))))))))
    .

    2010-10-16 07:47 . 2010-10-16 07:47 -------- d-----w- C:\FOUND.002
    2010-10-15 19:45 . 2010-10-15 19:45 -------- d-----w- c:\documents and settings\Ant\Application Data\Malwarebytes
    2010-10-15 19:37 . 2010-10-15 19:37 -------- d-----w- C:\FOUND.001
    2010-10-15 18:29 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 18:28 . 2010-10-15 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-15 18:28 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-15 18:28 . 2010-10-15 18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-15 13:53 . 2010-09-09 22:52 6084944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{70174B67-6FC6-4E0C-B8F2-BCAC47E6EF1B}\mpengine.dll
    2010-10-15 12:43 . 2010-10-15 12:43 -------- d-----w- C:\FOUND.000
    2010-10-15 12:10 . 2010-10-15 12:10 -------- d-----w- c:\program files\Speccy
    2010-10-15 12:01 . 2010-10-15 12:01 -------- d--h--w- c:\windows\PIF
    2010-10-15 11:38 . 2010-10-15 11:38 -------- d-----w- c:\program files\Trend Micro
    2010-10-15 11:24 . 2010-10-15 11:24 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-15 00:06 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-15 00:06 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 00:06 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 00:01 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-14 23:58 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-10-14 23:52 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-10-08 19:39 . 2010-10-08 19:39 -------- d-----w- c:\documents and settings\Ant\Local Settings\Application Data\Deployment
    2010-10-03 19:20 . 2010-10-03 19:20 360 ----a-w- c:\windows\system32\drivers\sjskpvmj.dat
    2010-10-02 23:02 . 2010-10-02 23:02 -------- d-----w- c:\program files\LAME
    2010-10-02 22:43 . 2010-10-02 22:43 -------- d-----w- c:\documents and settings\Ant\Application Data\AccurateRip
    2010-09-22 22:51 . 2010-09-22 22:51 -------- d-----w- c:\program files\Defraggler
    2010-09-18 11:23 . 2010-09-18 11:23 974848 ------w- c:\windows\system32\dllcache\mfc42u.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7C2F0D8-2209-4693-A15D-5A537211D48B}]
    2010-08-05 05:08 1498624 ----a-w- c:\program files\Nectar Search Toolbar\Toolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{8020143D-5926-4394-A04D-DD0B649DA121} "= "c:\program files\Nectar Search Toolbar\Toolbar.dll" [2010-08-05 1498624]

    [HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
    [HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
    [HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{8020143D-5926-4394-A04D-DD0B649DA121} "= "c:\program files\Nectar Search Toolbar\Toolbar.dll" [2010-08-05 1498624]

    [HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
    [HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
    [HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "00THotkey"="c:\windows\system32\00THotkey.exe" [2001-11-21 98304]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2001-08-09 118784]
    "Tpwrtray"="TPWRTRAY.EXE" [2001-11-20 188416]
    "TFncKy"="TFncKy.exe" [BU]
    "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2001-07-25 45056]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\Ant\Start Menu\Programs\Startup\
    Books on Loan.lnk - c:\book\BOOKSU.EXE [1980-1-1 64267]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\System32\\mmc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Nectar Search Toolbar\\TroubleShooter.exe"=
    "c:\\Program Files\\Nectar Search Toolbar\\ToolbarUpdate.exe"=

    R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [06/12/2001 11:42 221824]
    S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
    S3 HPUATA;HP CD Writer Plus Controller Driver;c:\windows\system32\drivers\HPUATA.sys [24/09/2001 04:36 75776]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [07/09/2009 15:55 7680]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-16 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]

    2010-10-16 c:\windows\Tasks\MpIdleTask.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]

    2010-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2856520603-3802400216-3657561249-1005Core.job
    - c:\documents and settings\Ant\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-08 19:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    Trusted Zone: ebay.co.uk
    Trusted Zone: google.co.uk
    Trusted Zone: google.com
    Trusted Zone: hotmail.com
    Trusted Zone: live.com
    Trusted Zone: msn.com
    Trusted Zone: passport.com
    Trusted Zone: three.co.uk
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    SafeBoot-klmdb.sys


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-10-16 09:38:11
    ComboFix-quarantined-files.txt 2010-10-16 08:38

    Pre-Run: 1,306,132,480 bytes free
    Post-Run: 1,303,871,488 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug= "do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

    - - End Of File - - 49F060DEBA115A8E84775023589BA667
     
  19. 2010/10/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\system32\drivers\sjskpvmj.dat
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  20. 2010/10/17
    Ant S

    Ant S Inactive Thread Starter

    Joined:
    2010/10/14
    Messages:
    43
    Likes Received:
    0
    Thanks, broni. ComboFix log to follow.

    It's looking good. Still no problems! I think it might be safe to sound the all clear. :)
     
  21. 2010/10/17
    Ant S

    Ant S Inactive Thread Starter

    Joined:
    2010/10/14
    Messages:
    43
    Likes Received:
    0
    ComboFix log

    ComboFix 10-10-15.01 - Ant 17/10/2010 17:11:47.2.1 - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.367.197 [GMT 1:00]
    Running from: c:\documents and settings\Ant\Desktop\AV Done\ComboFix.exe
    Command switches used :: c:\documents and settings\Ant\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    FILE ::
    "c:\windows\system32\drivers\sjskpvmj.dat"
    .

    ((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))
    .

    2010-10-16 15:34 . 2010-10-16 15:34 -------- d-----w- c:\documents and settings\Ant\Application Data\Windows Live Writer
    2010-10-16 15:33 . 2010-10-16 15:33 -------- d-----w- c:\documents and settings\Ant\Local Settings\Application Data\Windows Live Writer
    2010-10-16 09:58 . 2010-10-16 09:58 -------- d-s---w- c:\documents and settings\Ant\UserData
    2010-10-16 08:47 . 2010-09-09 22:52 6084944 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{22F75448-4033-407F-9D65-73461ECE48B5}\mpengine.dll
    2010-10-16 07:47 . 2010-10-16 07:47 -------- d-----w- C:\FOUND.002
    2010-10-15 19:45 . 2010-10-15 19:45 -------- d-----w- c:\documents and settings\Ant\Application Data\Malwarebytes
    2010-10-15 19:37 . 2010-10-15 19:37 -------- d-----w- C:\FOUND.001
    2010-10-15 18:29 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-15 18:28 . 2010-10-15 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-15 18:28 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-15 18:28 . 2010-10-15 18:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-15 12:43 . 2010-10-15 12:43 -------- d-----w- C:\FOUND.000
    2010-10-15 12:10 . 2010-10-15 12:10 -------- d-----w- c:\program files\Speccy
    2010-10-15 12:01 . 2010-10-15 12:01 -------- d--h--w- c:\windows\PIF
    2010-10-15 11:38 . 2010-10-15 11:38 -------- d-----w- c:\program files\Trend Micro
    2010-10-15 11:24 . 2010-10-15 11:24 -------- d-----w- c:\windows\system32\wbem\Repository
    2010-10-15 00:06 . 2010-09-18 06:53 954368 ------w- c:\windows\system32\dllcache\mfc40.dll
    2010-10-15 00:06 . 2010-09-18 06:53 953856 ------w- c:\windows\system32\dllcache\mfc40u.dll
    2010-10-15 00:06 . 2010-09-18 06:53 974848 ------w- c:\windows\system32\dllcache\mfc42.dll
    2010-10-15 00:01 . 2010-08-23 16:12 617472 ------w- c:\windows\system32\dllcache\comctl32.dll
    2010-10-14 23:58 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-10-14 23:52 . 2010-06-18 13:36 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-10-08 19:39 . 2010-10-08 19:39 -------- d-----w- c:\documents and settings\Ant\Local Settings\Application Data\Deployment
    2010-10-03 19:20 . 2010-10-03 19:20 360 ----a-w- c:\windows\system32\drivers\sjskpvmj.dat
    2010-10-02 23:02 . 2010-10-02 23:02 -------- d-----w- c:\program files\LAME
    2010-10-02 22:43 . 2010-10-02 22:43 -------- d-----w- c:\documents and settings\Ant\Application Data\AccurateRip
    2010-09-22 22:51 . 2010-09-22 22:51 -------- d-----w- c:\program files\Defraggler
    2010-09-18 11:23 . 2010-09-18 11:23 974848 ------w- c:\windows\system32\dllcache\mfc42u.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7C2F0D8-2209-4693-A15D-5A537211D48B}]
    2010-08-05 05:08 1498624 ----a-w- c:\program files\Nectar Search Toolbar\Toolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{8020143D-5926-4394-A04D-DD0B649DA121}"="c:\program files\Nectar Search Toolbar\Toolbar.dll" [2010-08-05 1498624]

    [HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
    [HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
    [HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{8020143D-5926-4394-A04D-DD0B649DA121}"="c:\program files\Nectar Search Toolbar\Toolbar.dll" [2010-08-05 1498624]

    [HKEY_CLASSES_ROOT\clsid\{8020143d-5926-4394-a04d-dd0b649da121}]
    [HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar.3]
    [HKEY_CLASSES_ROOT\TypeLib\{22466F1F-0B10-41B0-A971-3A28599AA7C7}]
    [HKEY_CLASSES_ROOT\FCTB000061465.IEToolbar]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "00THotkey"="c:\windows\system32\00THotkey.exe" [2001-11-21 98304]
    "Apoint"="c:\program files\Apoint2K\Apoint.exe" [2001-08-09 118784]
    "Tpwrtray"="TPWRTRAY.EXE" [2001-11-20 188416]
    "TFncKy"="TFncKy.exe" [BU]
    "TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2001-07-25 45056]
    "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

    c:\documents and settings\Ant\Start Menu\Programs\Startup\
    Books on Loan.lnk - c:\book\BOOKSU.EXE [1980-1-1 64267]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\MSMSGS.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\System32\\mmc.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Nectar Search Toolbar\\TroubleShooter.exe"=
    "c:\\Program Files\\Nectar Search Toolbar\\ToolbarUpdate.exe"=

    R2 BecHelperService;BecHelperService;c:\program files\3 Mobile Broadband\3Connect\BecHelperService.exe [13/04/2010 22:35 1737464]
    R3 tridxp;tridxp;c:\windows\system32\drivers\tridxpm.sys [06/12/2001 11:42 221824]
    S3 GenericMount;Generic Mount Driver;c:\windows\system32\DRIVERS\GenericMount.sys --> c:\windows\system32\DRIVERS\GenericMount.sys [?]
    S3 HPUATA;HP CD Writer Plus Controller Driver;c:\windows\system32\drivers\HPUATA.sys [24/09/2001 04:36 75776]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [07/09/2009 15:55 7680]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-17 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]

    2010-10-17 c:\windows\Tasks\MpIdleTask.job
    - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]

    2010-10-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2856520603-3802400216-3657561249-1005Core.job
    - c:\documents and settings\Ant\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-08 19:43]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    Trusted Zone: ebay.co.uk
    Trusted Zone: google.co.uk
    Trusted Zone: google.com
    Trusted Zone: hotmail.com
    Trusted Zone: live.com
    Trusted Zone: msn.com
    Trusted Zone: passport.com
    Trusted Zone: three.co.uk
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2010-10-17 17:24:06

    ComboFix-quarantined-files.txt 2010-10-17 16:24

    Pre-Run: 1,114,038,272 bytes free
    Post-Run: 1,207,500,800 bytes free

    - - End Of File - - F61A292B9E78872FCE33756EC51CCB21
     
    Last edited: 2010/10/17
