
Inactive internet access disabled by virus (i think)

Discussion in 'Malware and Virus Removal Archive' started by deangmoxon, 2011/05/06.

  1. 2011/05/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    That's fine.

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.

    ===================================================

    Please download Rootkit Unhooker from one of the following links and save it to your desktop.
    In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-Zip utility.

    • Double-click on RKUnhookerLE.exe to start the program.
      Vista/Windows 7 users right-click and select Run As Administrator.
    • Click the Report tab, then click Scan.
    • Check Drivers, Stealth, and uncheck the rest.
    • Click OK.
    • Wait until it's finished and then go to File > Save Report.
    • Save the report to your Desktop.
    • Copy and paste the contents of the report into your next reply.
    -- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
     
  2. 2011/05/07
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    i have winzip on my comp but i have no idea how to extract the remover.exe or the unhooker .exe so it will take a while for me to figure it out
     

  4. 2011/05/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
  5. 2011/05/07
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    i do not even know what that means so give me time to figure that out
     
  6. 2011/05/07
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    i think that my friends comp is infected with the same virus so maybe everything i try is bleeped from the get go and i am exhausted n frustrated so i gotta quit this for now b4 i lose it and put in the ubuntu disk or something worse
    thanks for all your help n time. go sharks go
     
  7. 2011/05/07
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Take your time...

    Go Shaaaaaarks!!
     
  8. 2011/05/09
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    ok so i tried to get the last two programs to work- bootkit remover / rootkit unhooker
    ...nothing
    i could not get them to open or unpack or extract or any thing
    i have used rar/ zip b4 and it was always easy
    not this time even with help from some one here
    my comp must be seriously compromised
    is there another way ?
    i will try to get back to u later today or tomorrow mornish
    thank you
     
  9. 2011/05/09
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  10. 2011/05/10
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    2011/05/10 11:00:33.0888 3100 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
    2011/05/10 11:00:33.0918 3100 ================================================================================
    2011/05/10 11:00:33.0918 3100 SystemInfo:
    2011/05/10 11:00:33.0918 3100
    2011/05/10 11:00:33.0918 3100 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/10 11:00:33.0918 3100 Product type: Workstation
    2011/05/10 11:00:33.0918 3100 ComputerName: NEBULA
    2011/05/10 11:00:33.0918 3100 UserName: Administrator
    2011/05/10 11:00:33.0918 3100 Windows directory: C:\WINDOWS
    2011/05/10 11:00:33.0918 3100 System windows directory: C:\WINDOWS
    2011/05/10 11:00:33.0918 3100 Processor architecture: Intel x86
    2011/05/10 11:00:33.0918 3100 Number of processors: 1
    2011/05/10 11:00:33.0918 3100 Page size: 0x1000
    2011/05/10 11:00:33.0918 3100 Boot type: Normal boot
    2011/05/10 11:00:33.0918 3100 ================================================================================
    2011/05/10 11:00:35.0220 3100 Initialize success
    2011/05/10 11:00:39.0946 3124 ================================================================================
    2011/05/10 11:00:39.0946 3124 Scan started
    2011/05/10 11:00:39.0946 3124 Mode: Manual;
    2011/05/10 11:00:39.0946 3124 ================================================================================
    2011/05/10 11:00:42.0270 3124 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
    2011/05/10 11:00:42.0700 3124 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/05/10 11:00:43.0401 3124 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/05/10 11:00:43.0992 3124 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/05/10 11:00:44.0573 3124 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/05/10 11:00:45.0014 3124 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/05/10 11:00:47.0517 3124 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/05/10 11:00:47.0908 3124 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/05/10 11:00:49.0030 3124 ati2mtag (dd3802e25a9ef4e55eee9a0fc2151611) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/05/10 11:00:49.0620 3124 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/05/10 11:00:49.0941 3124 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/05/10 11:00:50.0632 3124 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
    2011/05/10 11:00:51.0032 3124 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/05/10 11:00:51.0733 3124 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/05/10 11:00:52.0304 3124 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/05/10 11:00:52.0845 3124 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/05/10 11:00:53.0246 3124 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/05/10 11:00:53.0997 3124 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/05/10 11:00:54.0578 3124 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/05/10 11:00:55.0939 3124 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/05/10 11:00:56.0590 3124 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/05/10 11:00:57.0382 3124 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/05/10 11:00:57.0952 3124 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/05/10 11:00:58.0313 3124 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/05/10 11:00:59.0064 3124 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/05/10 11:00:59.0445 3124 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2011/05/10 11:01:00.0045 3124 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/05/10 11:01:00.0456 3124 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/05/10 11:01:00.0837 3124 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/05/10 11:01:01.0367 3124 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/05/10 11:01:01.0768 3124 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/05/10 11:01:02.0399 3124 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/05/10 11:01:02.0789 3124 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/05/10 11:01:03.0420 3124 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/05/10 11:01:03.0721 3124 GTNDIS5 (fc80052194d5708254a346568f0e77c0) C:\WINDOWS\system32\GTNDIS5.SYS
    2011/05/10 11:01:04.0592 3124 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/05/10 11:01:05.0704 3124 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/05/10 11:01:06.0104 3124 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/05/10 11:01:07.0035 3124 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/05/10 11:01:07.0526 3124 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/05/10 11:01:07.0907 3124 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/05/10 11:01:08.0297 3124 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/05/10 11:01:08.0798 3124 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/05/10 11:01:09.0199 3124 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/05/10 11:01:09.0739 3124 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/05/10 11:01:10.0190 3124 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
    2011/05/10 11:01:10.0761 3124 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/05/10 11:01:11.0131 3124 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/05/10 11:01:11.0642 3124 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/05/10 11:01:12.0053 3124 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/05/10 11:01:12.0603 3124 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/05/10 11:01:13.0665 3124 ltmodem5 (9ee18a5a45552673a67532ea37370377) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
    2011/05/10 11:01:14.0226 3124 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/05/10 11:01:14.0757 3124 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/05/10 11:01:15.0127 3124 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/05/10 11:01:15.0528 3124 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/05/10 11:01:16.0098 3124 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
    2011/05/10 11:01:16.0439 3124 MpKslb49a2816 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AA76089-A72E-42C8-A45C-F6FFFCF1735E}\MpKslb49a2816.sys
    2011/05/10 11:01:17.0320 3124 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/05/10 11:01:18.0001 3124 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/05/10 11:01:18.0572 3124 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/05/10 11:01:19.0103 3124 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/05/10 11:01:19.0463 3124 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/05/10 11:01:19.0924 3124 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/05/10 11:01:20.0264 3124 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/05/10 11:01:20.0625 3124 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/05/10 11:01:21.0236 3124 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/05/10 11:01:21.0707 3124 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/05/10 11:01:22.0207 3124 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/05/10 11:01:22.0588 3124 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/05/10 11:01:23.0079 3124 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/05/10 11:01:23.0459 3124 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/05/10 11:01:23.0900 3124 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/05/10 11:01:24.0491 3124 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/05/10 11:01:25.0252 3124 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/05/10 11:01:25.0812 3124 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/05/10 11:01:26.0343 3124 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/05/10 11:01:26.0694 3124 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/05/10 11:01:27.0054 3124 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/05/10 11:01:27.0565 3124 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/05/10 11:01:27.0925 3124 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/05/10 11:01:28.0436 3124 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/05/10 11:01:29.0388 3124 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
    2011/05/10 11:01:31.0691 3124 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/05/10 11:01:32.0091 3124 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/05/10 11:01:32.0602 3124 PSI (1df21f001f3a94eba4a2950c70cc358f) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
    2011/05/10 11:01:32.0973 3124 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/05/10 11:01:33.0514 3124 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/05/10 11:01:35.0276 3124 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/05/10 11:01:35.0767 3124 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
    2011/05/10 11:01:36.0137 3124 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/05/10 11:01:36.0518 3124 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/05/10 11:01:37.0009 3124 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/05/10 11:01:37.0409 3124 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/05/10 11:01:38.0010 3124 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/05/10 11:01:38.0501 3124 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/05/10 11:01:39.0132 3124 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/05/10 11:01:39.0572 3124 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/05/10 11:01:40.0213 3124 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/05/10 11:01:40.0594 3124 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/05/10 11:01:41.0114 3124 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/05/10 11:01:41.0555 3124 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/05/10 11:01:42.0376 3124 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
    2011/05/10 11:01:42.0737 3124 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
    2011/05/10 11:01:43.0478 3124 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/05/10 11:01:43.0969 3124 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/05/10 11:01:44.0509 3124 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/05/10 11:01:45.0150 3124 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/05/10 11:01:45.0501 3124 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/05/10 11:01:47.0153 3124 SynTP (d7b9ad3abd0f7f9f694d71f38b5c7b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/05/10 11:01:47.0584 3124 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/05/10 11:01:48.0255 3124 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/05/10 11:01:48.0765 3124 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/05/10 11:01:49.0236 3124 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/05/10 11:01:49.0597 3124 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/10 11:01:50.0348 3124 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/10 11:01:51.0049 3124 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/10 11:01:51.0660 3124 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/10 11:01:52.0050 3124 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/10 11:01:52.0591 3124 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/05/10 11:01:53.0072 3124 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/10 11:01:53.0552 3124 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/10 11:01:54.0153 3124 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/10 11:01:54.0764 3124 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/10 11:01:55.0645 3124 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/10 11:01:56.0276 3124 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/05/10 11:01:56.0827 3124 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/05/10 11:01:57.0208 3124 ================================================================================
    2011/05/10 11:01:57.0208 3124 Scan finished
    2011/05/10 11:01:57.0208 3124 ================================================================================
     
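    The TDSSKiller log above is a flat list of loaded drivers, one per line, in the shape `<date> <time> <thread id> <service name> (<md5>) <image path>`. When a log like this comes back clean, the useful next step is still to scan it for drivers loading from unusual places. The Python below is an added example for readers of this thread; it is not part of the original posts and not code from TDSSKiller or Kaspersky. It assumes only that line shape, skips everything that does not fit it (the banner, the SystemInfo block, "Scan started"/"Scan finished"), and attaches review flags: image path outside C:\WINDOWS, image path passing through a Temp folder, and one MD5 registered under more than one service name. The sample input is three lines copied from the log above plus one constructed line (`exampledrv`, all-zero placeholder hash, placed under a user Temp folder). A flag is a prompt to look, not a verdict: the MpKslb49a2816 entry from the log gets flagged purely because it sits under the Microsoft Antimalware definition-update folder rather than under C:\WINDOWS, which is exactly the kind of entry an analyst confirms by hand.

```python
"""Triage a TDSSKiller driver listing: parse each driver line and flag the
entries a malware analyst would look at first.

Added example for this thread; not TDSSKiller's own code. It assumes the
line shape seen in the posted log:
    <date> <time> <thread id> <service name> (<md5>) <image path>
Lines that do not fit that shape are ignored. A flag is a review prompt,
not a verdict.
"""
import re
from dataclasses import dataclass, field

# Three lines taken from the log in the thread plus one CONSTRUCTED line
# (exampledrv, placeholder hash of all zeros) placed under a user Temp folder.
SAMPLE_LOG = r"""
2011/05/10 11:00:42.0270 3124 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/05/10 11:01:16.0439 3124 MpKslb49a2816 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AA76089-A72E-42C8-A45C-F6FFFCF1735E}\MpKslb49a2816.sys
2011/05/10 11:01:48.0255 3124 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/10 11:01:57.0208 3124 Scan finished
2011/05/10 11:02:00.0000 3124 exampledrv (00000000000000000000000000000000) C:\Documents and Settings\Administrator\Local Settings\Temp\exampledrv.sys
"""

# One driver line: timestamp, thread id, service name, 32-hex MD5 in
# parentheses, then the image path (which may contain spaces and braces).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)

WINDIR = "c:\\windows\\"  # assumption: the log's Windows directory is C:\WINDOWS


@dataclass
class DriverEntry:
    name: str
    md5: str
    path: str
    flags: list = field(default_factory=list)


def parse_tdsskiller(text: str) -> list:
    """Return one DriverEntry per driver line; every other line is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(DriverEntry(m["name"], m["md5"].lower(), m["path"]))
    return entries


def triage(entries: list) -> list:
    """Attach review flags in place and return only the flagged entries.

    Flags:
      outside %windir%  - image path is not under C:\\WINDOWS
      temp directory    - image path passes through a \\Temp\\ folder
      shared hash       - same MD5 registered under more than one service name
    """
    names_by_md5 = {}
    for e in entries:
        names_by_md5.setdefault(e.md5, set()).add(e.name)
    for e in entries:
        p = e.path.lower()
        if not p.startswith(WINDIR):
            e.flags.append("outside %windir%")
        if "\\temp\\" in p:
            e.flags.append("temp directory")
        if len(names_by_md5[e.md5]) > 1:
            e.flags.append("shared hash")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(parse_tdsskiller(SAMPLE_LOG)):
        print(f"{e.name:16} {e.md5}  {', '.join(e.flags)}\n    {e.path}")
```

    Run it against a saved log with `parse_tdsskiller(open("TDSSKiller_log.txt").read())`; the flags are deliberately cheap string checks so the output stays small enough to read through by hand, which is the point of a triage pass rather than an automated verdict.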
  11. 2011/05/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.

    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. 2011/05/10
    deangmoxon

    deangmoxon Inactive Thread Starter

    Joined:
    2010/11/13
    Messages:
    88
    Likes Received:
    0
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 05/10/2011 at 18:00:28.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:

    C:\WINDOWS\system32\grpconv.exe


    Rkill completed on 05/10/2011 at 18:00:34.


    ComboFix 11-05-09.04 - Administrator 05/10/2011 18:07:07.6.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.646 [GMT -7:00]
    Running from: F:\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-10 17:59 . 2011-05-10 17:59 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AA76089-A72E-42C8-A45C-F6FFFCF1735E}\MpKslb49a2816.sys
    2011-05-08 09:22 . 2011-05-08 09:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2011-05-08 04:13 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AA76089-A72E-42C8-A45C-F6FFFCF1735E}\mpengine.dll
    2011-05-05 20:20 . 2011-05-05 20:20 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-11 07:04 . 2011-03-29 17:13 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-23_19.37.11 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-05-10 17:58 . 2011-05-10 17:58 16384 c:\windows\temp\Perflib_Perfdata_124.dat
    + 2011-04-29 21:11 . 2011-04-29 21:11 21504 c:\windows\Installer\6eb0d74.msi
    + 2010-03-31 19:14 . 2011-05-06 19:25 574468 c:\windows\system32\Restore\rstrlog.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-10 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1024000]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-06-08 04:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2006-10-12 23:28 1282048 ----a-w- c:\windows\system32\WLTRAY.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\BitComet\\BitComet.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12316:TCP"=12316:TCP:BitComet 12316 TCP
    "12316:UDP"=12316:UDP:BitComet 12316 UDP
    "1691:TCP"=1691:TCP:BitComet 1691 TCP
    "1691:UDP"=1691:UDP:BitComet 1691 UDP
    "18725:TCP"=18725:TCP:BitComet 18725 TCP
    "18725:UDP"=18725:UDP:BitComet 18725 UDP
    .
    R1 MpKslb49a2816;MpKslb49a2816;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AA76089-A72E-42C8-A45C-F6FFFCF1735E}\MpKslb49a2816.sys [5/10/2011 10:59 AM 28752]
    R2 Dynex DX-WGPNBC WLService;Dynex Wireless Enhanced G NB Card - DX-WGPNBC Service;c:\program files\Dynex Wireless Enhanced G NB Card - DX-WGPNBC\WLService.exe [5/3/2009 7:11 PM 49152]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/9/2011 9:50 PM 632792]
    S1 MpKsl4ce6211f;MpKsl4ce6211f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E72D8140-FAE1-4CCA-BC07-28D40ACA6A75}\MpKsl4ce6211f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E72D8140-FAE1-4CCA-BC07-28D40ACA6A75}\MpKsl4ce6211f.sys [?]
    S1 MpKsl6524fb40;MpKsl6524fb40;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A11865A-D7D7-42F1-9C43-47E4FCA59C6E}\MpKsl6524fb40.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A11865A-D7D7-42F1-9C43-47E4FCA59C6E}\MpKsl6524fb40.sys [?]
    S1 MpKslcb5b4081;MpKslcb5b4081;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2011 2:05 PM 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2011 2:05 PM 136176]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 7:05 AM 14904]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - GTNDIS5
    *NewlyCreated* - MPKSLB49A2816
    *Deregistered* - klmd25
    *Deregistered* - Normandy
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-04 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    2011-05-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-05-10 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]
    .
    2011-05-10 c:\windows\Tasks\RMSmartUpdate.job
    - c:\program files\Registry Mechanic\Update.exe [2011-01-10 20:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/ig?hl=en
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\in09o4tz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-10 18:13
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1060284298-2111687655-2146967187-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,ff,b0,1f,e8,19,06,46,b4,05,70,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(732)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(4204)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-05-10 18:17:50
    ComboFix-quarantined-files.txt 2011-05-11 01:17
    ComboFix2.txt 2011-04-13 04:48
    ComboFix3.txt 2011-04-02 05:31
    ComboFix4.txt 2011-03-27 08:18
    ComboFix5.txt 2011-05-11 01:04
    .
    Pre-Run: 9,549,885,440 bytes free
    Post-Run: 9,541,513,216 bytes free
    .
    - - End Of File - - 53202C8D9E61BC1F081E85E8F956BEDB
     
  13. 2011/05/10
    broni Moderator Malware Analyst
    My instructions clearly say to run Combofix from the desktop.
    Please copy the combofix.exe file to the correct location.

    I can see you ran Combofix twice.
    I'd like to see the ComboFix5.txt log.
    It's located in the root C:\ directory.

    How is the computer doing at the moment?
     
  14. 2011/05/11
    deangmoxon Inactive Thread Starter
    I hope this is what you wanted!

    ComboFix 11-05-04.04 - Administrator 05/11/2011 12:32:26.7.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.662 [GMT -7:00]
    Running from: F:\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-08 09:22 . 2011-05-08 09:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2011-05-08 04:13 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AA76089-A72E-42C8-A45C-F6FFFCF1735E}\mpengine.dll
    2011-05-05 20:20 . 2011-05-05 20:20 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-11 07:04 . 2011-03-29 17:13 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-23_19.37.11 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-05-11 01:23 . 2011-05-11 01:23 16384 c:\windows\temp\Perflib_Perfdata_334.dat
    + 2011-04-29 21:11 . 2011-04-29 21:11 21504 c:\windows\Installer\6eb0d74.msi
    + 2010-03-31 19:14 . 2011-05-06 19:25 574468 c:\windows\system32\Restore\rstrlog.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-10 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1024000]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
    "MSC "= "c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-06-08 04:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2006-10-12 23:28 1282048 ----a-w- c:\windows\system32\WLTRAY.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\BitComet\\BitComet.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe "=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12316:TCP "= 12316:TCP:BitComet 12316 TCP
    "12316:UDP "= 12316:UDP:BitComet 12316 UDP
    "1691:TCP "= 1691:TCP:BitComet 1691 TCP
    "1691:UDP "= 1691:UDP:BitComet 1691 UDP
    "18725:TCP "= 18725:TCP:BitComet 18725 TCP
    "18725:UDP "= 18725:UDP:BitComet 18725 UDP
    .
    R2 Dynex DX-WGPNBC WLService;Dynex Wireless Enhanced G NB Card - DX-WGPNBC Service;c:\program files\Dynex Wireless Enhanced G NB Card - DX-WGPNBC\WLService.exe [5/3/2009 7:11 PM 49152]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/9/2011 9:50 PM 632792]
    S1 MpKsl4ce6211f;MpKsl4ce6211f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E72D8140-FAE1-4CCA-BC07-28D40ACA6A75}\MpKsl4ce6211f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E72D8140-FAE1-4CCA-BC07-28D40ACA6A75}\MpKsl4ce6211f.sys [?]
    S1 MpKsl6524fb40;MpKsl6524fb40;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A11865A-D7D7-42F1-9C43-47E4FCA59C6E}\MpKsl6524fb40.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A11865A-D7D7-42F1-9C43-47E4FCA59C6E}\MpKsl6524fb40.sys [?]
    S1 MpKslcb5b4081;MpKslcb5b4081;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2011 2:05 PM 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2011 2:05 PM 136176]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 7:05 AM 14904]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WUAUSERV
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-05-11 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]
    .
    2011-05-11 c:\windows\Tasks\RMSmartUpdate.job
    - c:\program files\Registry Mechanic\Update.exe [2011-01-10 20:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/ig?hl=en
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\in09o4tz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-11 12:33
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1060284298-2111687655-2146967187-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,ff,b0,1f,e8,19,06,46,b4,05,70,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(868)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(5348)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-05-11 12:38:32
    ComboFix-quarantined-files.txt 2011-05-11 19:38
    ComboFix2.txt 2011-05-11 01:17
    ComboFix3.txt 2011-04-13 04:48
    ComboFix4.txt 2011-04-02 05:31
    ComboFix5.txt 2011-05-11 19:29
    .
    Pre-Run: 9,579,982,848 bytes free
    Post-Run: 9,567,444,992 bytes free
    .
    - - End Of File - - 7F89D645B7A112EB6880EDFFC4CF7E8F

    My computer is still unable to connect to the web.
     
  15. 2011/05/11
    broni Moderator Malware Analyst
    You didn't comply.
    I need you to copy the combofix.exe file from drive F (whatever it is), paste it to your computer's Desktop and run it from there.

    Also, the Combofix log says:
    - REDUCED FUNCTIONALITY MODE -
    which means you refused to update it when Combofix asked you to do so.

    Please redo.
     
  16. 2011/05/11
    deangmoxon Inactive Thread Starter
    I will try this copy-paste Combofix thing again.
    I right-clicked and sent Combofix to the desktop,
    but how do I update when I cannot access the web?
     
  17. 2011/05/11
    broni Moderator Malware Analyst
    Delete your Combofix file and download a fresh one.
     
  18. 2011/05/11
    deangmoxon Inactive Thread Starter
    ComboFix 11-05-11.01 - Administrator 05/11/2011 13:45:02.8.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.573 [GMT -7:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-11 to 2011-05-11 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-08 09:22 . 2011-05-08 09:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
    2011-05-08 04:13 . 2011-04-11 07:04 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4AA76089-A72E-42C8-A45C-F6FFFCF1735E}\mpengine.dll
    2011-05-05 20:20 . 2011-05-05 20:20 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-11 07:04 . 2011-03-29 17:13 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-03-23_19.37.11 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-05-11 01:23 . 2011-05-11 01:23 16384 c:\windows\temp\Perflib_Perfdata_334.dat
    + 2011-04-29 21:11 . 2011-04-29 21:11 21504 c:\windows\Installer\6eb0d74.msi
    + 2010-03-31 19:14 . 2011-05-06 19:25 574468 c:\windows\system32\Restore\rstrlog.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-01-10 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1024000]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
    "MSC "= "c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting "= "c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @= "Service "
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    2005-06-08 04:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
    2006-10-12 23:28 1282048 ----a-w- c:\windows\system32\WLTRAY.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride "=dword:00000001
    "FirewallOverride "=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\BitComet\\BitComet.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe "=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "12316:TCP "= 12316:TCP:BitComet 12316 TCP
    "12316:UDP "= 12316:UDP:BitComet 12316 UDP
    "1691:TCP "= 1691:TCP:BitComet 1691 TCP
    "1691:UDP "= 1691:UDP:BitComet 1691 UDP
    "18725:TCP "= 18725:TCP:BitComet 18725 TCP
    "18725:UDP "= 18725:UDP:BitComet 18725 UDP
    .
    R2 Dynex DX-WGPNBC WLService;Dynex Wireless Enhanced G NB Card - DX-WGPNBC Service;c:\program files\Dynex Wireless Enhanced G NB Card - DX-WGPNBC\WLService.exe [5/3/2009 7:11 PM 49152]
    R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/9/2011 9:50 PM 632792]
    S1 MpKsl4ce6211f;MpKsl4ce6211f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E72D8140-FAE1-4CCA-BC07-28D40ACA6A75}\MpKsl4ce6211f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E72D8140-FAE1-4CCA-BC07-28D40ACA6A75}\MpKsl4ce6211f.sys [?]
    S1 MpKsl6524fb40;MpKsl6524fb40;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A11865A-D7D7-42F1-9C43-47E4FCA59C6E}\MpKsl6524fb40.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1A11865A-D7D7-42F1-9C43-47E4FCA59C6E}\MpKsl6524fb40.sys [?]
    S1 MpKslcb5b4081;MpKslcb5b4081;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F3A78850-9880-41E5-BFAE-9DF43A37E2ED}\MpKslcb5b4081.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2011 2:05 PM 136176]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/10/2011 2:05 PM 136176]
    S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [7/7/2010 7:05 AM 14904]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - WUAUSERV
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-05-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-01-10 21:05]
    .
    2011-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500Core.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-05-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-2111687655-2146967187-500UA.job
    - c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-29 20:16]
    .
    2011-05-11 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 19:26]
    .
    2011-05-11 c:\windows\Tasks\RMSmartUpdate.job
    - c:\program files\Registry Mechanic\Update.exe [2011-01-10 20:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.ca/ig?hl=en
    uInternet Connection Wizard,ShellNext = iexplore
    IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
    IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
    IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\in09o4tz.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {B13721C7-F507-4982-B2E5-502A71474FED} - c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    FF - Ext: Clear Cache Button: {563e4790-7e70-11da-a72b-0800200c9a66} - %profile%\extensions\{563e4790-7e70-11da-a72b-0800200c9a66}
    FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
    FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-11 13:50
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-1060284298-2111687655-2146967187-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2a,ff,b0,1f,e8,19,06,46,b4,05,70,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 "=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b6,6c,2b,db,55,25,dd,4c,af,ed,28,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(868)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    - - - - - - - > 'explorer.exe'(17104)
    c:\windows\system32\WININET.dll
    c:\program files\Windows Media Player\wmpband.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-05-11 13:53:41
    ComboFix-quarantined-files.txt 2011-05-11 20:53
    ComboFix2.txt 2011-05-11 19:38
    ComboFix3.txt 2011-05-11 01:17
    ComboFix4.txt 2011-04-13 04:48
    ComboFix5.txt 2011-05-11 20:43
    .
    Pre-Run: 9,568,399,360 bytes free
    Post-Run: 9,556,144,128 bytes free
    .
    - - End Of File - - 09F56B9AD527346F8044ED8946C6CB88
     
  19. 2011/05/11
    deangmoxon Inactive Thread Starter
    I am almost timed out on the comp I am on, so see you tomorrow.
     
  20. 2011/05/11
    broni Moderator Malware Analyst
    No problem.

    When you're ready, we'll try to see what's wrong with your internet.

    Please download MiniToolBox and run it.

    Checkmark the following boxes:
    • Report IE Proxy Settings
    • List content of Hosts
    • List IP configuration
    • List last 10 Event Viewer log
    Click Go and post the result.
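As an added example (not part of the thread and not MiniToolBox's own code), a small Python triage script that reads the report sections asked for above and flags what a helper checks first on a "no internet" machine: IE proxy settings that differ from the clean state, hosts entries other than localhost, interfaces with static rather than DHCP DNS, and adapters reporting media disconnected. The report text is constructed to mimic MiniToolBox's layout; the exact wording MiniToolBox prints when a proxy is set is an assumption, so anything other than the two clean lines is flagged for review.

```python
import re
from typing import Dict, List

# Constructed sample in MiniToolBox's layout (not real output from the thread).
# It deliberately contains one hosts redirect, one static DNS setting and one
# disconnected adapter so that every check below has something to report.
SAMPLE_REPORT = """\
MiniToolBox by Farbar
Ran by Administrator (administrator) on 11-05-2011 at 19:30:44

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================

=============== Hosts content: ============================================

127.0.0.1 localhost
127.0.0.1 update.example-av.invalid

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY

# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=static addr=203.0.113.5 register=PRIMARY

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connection

Ethernet adapter Wireless Network Connection:

   Description . . . . . . . . . . . : Dynex Wireless Enhanced G NB Card
   IP Address. . . . . . . . . . . . : 192.168.1.23

================= End of IP Configuration =================================
"""

SECTION_START = re.compile(r"^=+\s*(.+?):\s*=+$")      # "==== Name: ===="
SECTION_END = re.compile(r"^=+\s*End of .*=+$")          # "==== End of Name ===="
DNS_SOURCE = re.compile(r'^set dns name=\s*"([^"]+)"\s+source=(\w+)(.*)$')
ADAPTER = re.compile(r"^\w+ adapter (.+):$")             # ipconfig adapter header

# The clean state as printed in the thread; anything else is worth a look.
CLEAN_PROXY = frozenset({"Proxy is not enabled.", "No Proxy Server is set."})
ALLOWED_HOSTS = frozenset({("127.0.0.1", "localhost"), ("::1", "localhost")})


def split_sections(report: str) -> Dict[str, List[str]]:
    """Map each section name to the lines between its start and end banner."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        start = SECTION_START.match(line)
        if start:
            current = start.group(1).strip()
            sections[current] = []
        elif SECTION_END.match(line):
            current = None
        elif current is not None:
            sections[current].append(raw)
    return sections


def check_proxy(lines: List[str]) -> List[str]:
    seen = {l.strip() for l in lines if l.strip()}
    if seen == CLEAN_PROXY:
        return []
    return ["IE proxy settings are not in the clean state: " + "; ".join(sorted(seen))]


def check_hosts(lines: List[str]) -> List[str]:
    findings = []
    for raw in lines:
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            if (ip, name) not in ALLOWED_HOSTS:
                findings.append(f"hosts: unexpected entry {ip} {name}")
    return findings


def check_ip_config(lines: List[str]) -> List[str]:
    findings = []
    adapter = None
    for raw in lines:
        line = raw.strip()
        dns = DNS_SOURCE.match(line)
        if dns and dns.group(2).lower() != "dhcp":
            findings.append(f'ipconfig: interface "{dns.group(1)}" uses '
                            f"{dns.group(2)} DNS ({dns.group(3).strip()})")
            continue
        header = ADAPTER.match(line)
        if header:
            adapter = header.group(1)
        elif "Media disconnected" in line and adapter:
            findings.append(f'ipconfig: adapter "{adapter}" reports media disconnected')
    return findings


def triage(report: str) -> List[str]:
    """Run all three checks over a MiniToolBox-style report; [] means nothing flagged."""
    sections = split_sections(report)
    return (check_proxy(sections.get("IE Proxy Settings", []))
            + check_hosts(sections.get("Hosts content", []))
            + check_ip_config(sections.get("IP Configuration", [])))


if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT) or ["nothing flagged"]:
        print(finding)
```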
     
  21. 2011/05/12
    deangmoxon Inactive Thread Starter
    MiniToolBox by Farbar
    Ran by Administrator (administrator) on 11-05-2011 at 19:30:44
    Microsoft Windows XP Service Pack 3 (X86)

    ***************************************************************************


    ================= Flush DNS: ==============================================


    Windows IP Configuration



    Successfully flushed the DNS Resolver Cache.


    ================= End of Flush DNS ========================================

    ========================= IE Proxy Settings: ==============================

    Proxy is not enabled.
    No Proxy Server is set.

    ========================= End of IE Proxy Settings ========================

    "Reset IE Proxy Settings ": Proxy Settings were reset.

    =============== Hosts content: ============================================

    127.0.0.1 localhost

    =============== End of Hosts ==============================================

    ================= IP Configuration: =======================================

    # ----------------------------------
    # Interface IP Configuration
    # ----------------------------------
    pushd interface ip


    # Interface IP Configuration for "Local Area Connection "

    set address name= "Local Area Connection" source=dhcp
    set dns name= "Local Area Connection" source=dhcp register=PRIMARY
    set wins name= "Local Area Connection" source=dhcp

    # Interface IP Configuration for "Wireless Network Connection "

    set address name= "Wireless Network Connection" source=dhcp
    set dns name= "Wireless Network Connection" source=dhcp register=PRIMARY
    set wins name= "Wireless Network Connection" source=dhcp


    popd
    # End of interface IP configuration




    Windows IP Configuration



    Host Name . . . . . . . . . . . . : nebula

    Primary Dns Suffix . . . . . . . :

    Node Type . . . . . . . . . . . . : Unknown

    IP Routing Enabled. . . . . . . . : No

    WINS Proxy Enabled. . . . . . . . : No



    Ethernet adapter Local Area Connection:



    Media State . . . . . . . . . . . : Media disconnected

    Description . . . . . . . . . . . : Intel(R) PRO/100 VM Network Connection

    Physical Address. . . . . . . . . : 00-08-02-D6-C5-BF



    Ethernet adapter Wireless Network Connection:



    Connection-specific DNS Suffix . :

    Description . . . . . . . . . . . : Dynex Wireless Enhanced G NB Card - DX-WGPNBC

    Physical Address. . . . . . . . . : 00-1A-73-13-A4-0A

    Dhcp Enabled. . . . . . . . . . . : Yes

    Autoconfiguration Enabled . . . . : Yes

    IP Address. . . . . . . . . . . . : 10.53.71.205

    Subnet Mask . . . . . . . . . . . : 255.255.255.0

    Default Gateway . . . . . . . . . : 10.53.71.1

    DHCP Server . . . . . . . . . . . : 10.53.71.1

    DNS Servers . . . . . . . . . . . : 10.53.71.1

    Lease Obtained. . . . . . . . . . : Wednesday, May 11, 2011 4:58:59 PM

    Lease Expires . . . . . . . . . . : Friday, May 13, 2011 4:58:59 PM

    Server:
    Address: 10.53.71.1

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    Ping request could not find host google.com. Please check the name and try again.

    Server:
    Address: 10.53.71.1

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    Ping request could not find host yahoo.com. Please check the name and try again.



    Pinging 127.0.0.1 with 32 bytes of data:



    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



    Ping statistics for 127.0.0.1:

    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    Approximate round trip times in milli-seconds:

    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x2 ...00 08 02 d6 c5 bf ...... Intel(R) PRO/100 VM Network Connection - Packet Scheduler Miniport
    0x3 ...00 1a 73 13 a4 0a ...... Dynex Wireless Enhanced G NB Card - DX-WGPNBC - Packet Scheduler Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 10.53.71.1 10.53.71.205 25
    10.53.71.0 255.255.255.0 10.53.71.205 10.53.71.205 25
    10.53.71.205 255.255.255.255 127.0.0.1 127.0.0.1 25
    10.255.255.255 255.255.255.255 10.53.71.205 10.53.71.205 25
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    224.0.0.0 240.0.0.0 10.53.71.205 10.53.71.205 25
    255.255.255.255 255.255.255.255 10.53.71.205 2 1
    255.255.255.255 255.255.255.255 10.53.71.205 10.53.71.205 1
    Default Gateway: 10.53.71.1
    ===========================================================================
    Persistent Routes:
    None

    ================= End of IP Configuration =================================

    ========================= Event log errors: ===============================

    Application errors:
    ==================
    Error: (05/11/2011 00:45:31 PM) (Source: MPSampleSubmission) (User: )
    Description: EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

    Error: (05/10/2011 06:26:16 PM) (Source: Application Error) (User: )
    Description: Faulting application WLanCfgG.exe, version 1.0.8.8, faulting module broadcom.dll, version 2.0.0.9, fault address 0x00003342.
    Processing media-specific event for [WLanCfgG.exe!ws!]

    Error: (05/10/2011 06:25:43 PM) (Source: Application Error) (User: )
    Description: Faulting application WLanCfgG.exe, version 1.0.8.8, faulting module broadcom.dll, version 2.0.0.9, fault address 0x00003342.
    Processing media-specific event for [WLanCfgG.exe!ws!]

    Error: (05/10/2011 06:24:28 PM) (Source: Application Error) (User: )
    Description: Faulting application WLanCfgG.exe, version 1.0.8.8, faulting module broadcom.dll, version 2.0.0.9, fault address 0x00003342.
    Processing media-specific event for [WLanCfgG.exe!ws!]

    Error: (05/10/2011 11:09:45 AM) (Source: MPSampleSubmission) (User: )
    Description: EventType mptelemetry, P1 80070424, P2 beginsearch, P3 search, P4 3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

    Error: (05/10/2011 11:04:02 AM) (Source: Application Error) (User: )
    Description: Faulting application WLanCfgG.exe, version 1.0.8.8, faulting module broadcom.dll, version 2.0.0.9, fault address 0x00003342.
    Processing media-specific event for [WLanCfgG.exe!ws!]

    Error: (05/08/2011 07:44:43 PM) (Source: MPSampleSubmission) (User: )
    Description: EventType mptelemetry, P1 80070424, P2 beginsearch, P3 search, P4 3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

    Error: (05/08/2011 02:22:45 AM) (Source: MPSampleSubmission) (User: )
    Description: EventType mptelemetry, P1 80070424, P2 beginsearch, P3 search, P4 3.0.8107.0, P5 mpsigdwn.dll, P6 3.0.8107.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 mptelemetry0, P10 mptelemetry1.

    Error: (05/07/2011 09:12:34 PM) (Source: Application Error) (User: )
    Description: Faulting application WLanCfgG.exe, version 1.0.8.8, faulting module broadcom.dll, version 2.0.0.9, fault address 0x00003342.
    Processing media-specific event for [WLanCfgG.exe!ws!]

    Error: (05/07/2011 09:12:00 PM) (Source: Application Error) (User: )
    Description: Faulting application WLanCfgG.exe, version 1.0.8.8, faulting module broadcom.dll, version 2.0.0.9, fault address 0x00003342.
    Processing media-specific event for [WLanCfgG.exe!ws!]


    System errors:
    =============
    Error: (05/11/2011 06:44:17 PM) (Source: W32Time) (User: )
    Description: The time provider NtpClient is configured to acquire time from one or more
    time sources, however none of the sources are currently accessible.
    No attempt to contact a source will be made for 119 minutes.
    NtpClient has no source of accurate time.

    Error: (05/11/2011 06:44:17 PM) (Source: W32Time) (User: )
    Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
    configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120
    minutes.
    The error was: A socket operation was attempted to an unreachable host. (0x80072751)

    Error: (05/11/2011 05:44:16 PM) (Source: W32Time) (User: )
    Description: The time provider NtpClient is configured to acquire time from one or more
    time sources, however none of the sources are currently accessible.
    No attempt to contact a source will be made for 59 minutes.
    NtpClient has no source of accurate time.

    Error: (05/11/2011 05:44:16 PM) (Source: W32Time) (User: )
    Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
    configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60
    minutes.
    The error was: A socket operation was attempted to an unreachable host. (0x80072751)

    Error: (05/11/2011 05:14:16 PM) (Source: W32Time) (User: )
    Description: The time provider NtpClient is configured to acquire time from one or more
    time sources, however none of the sources are currently accessible.
    No attempt to contact a source will be made for 29 minutes.
    NtpClient has no source of accurate time.

    Error: (05/11/2011 05:14:16 PM) (Source: W32Time) (User: )
    Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
    configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30
    minutes.
    The error was: A socket operation was attempted to an unreachable host. (0x80072751)

    Error: (05/11/2011 04:59:16 PM) (Source: W32Time) (User: )
    Description: The time provider NtpClient is configured to acquire time from one or more
    time sources, however none of the sources are currently accessible.
    No attempt to contact a source will be made for 14 minutes.
    NtpClient has no source of accurate time.

    Error: (05/11/2011 04:59:16 PM) (Source: W32Time) (User: )
    Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
    configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15
    minutes.
    The error was: A socket operation was attempted to an unreachable host. (0x80072751)

    Error: (05/11/2011 04:13:34 PM) (Source: W32Time) (User: )
    Description: The time provider NtpClient is configured to acquire time from one or more
    time sources, however none of the sources are currently accessible.
    No attempt to contact a source will be made for 239 minutes.
    NtpClient has no source of accurate time.

    Error: (05/11/2011 04:13:34 PM) (Source: W32Time) (User: )
    Description: Time Provider NtpClient: An error occurred during DNS lookup of the manually
    configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240
    minutes.
    The error was: A socket operation was attempted to an unreachable host. (0x80072751)


    Microsoft Office Sessions:
    =========================
    Error: (05/11/2011 00:45:31 PM) (Source: MPSampleSubmission)(User: )
    Description: mptelemetry8024402cendsearchsearch3.0.8107.0mpsigdwn.dll3.0.8107.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)NILNILNIL

    Error: (05/10/2011 06:26:16 PM) (Source: Application Error)(User: )
    Description: WLanCfgG.exe1.0.8.8broadcom.dll2.0.0.900003342

    Error: (05/10/2011 06:25:43 PM) (Source: Application Error)(User: )
    Description: WLanCfgG.exe1.0.8.8broadcom.dll2.0.0.900003342

    Error: (05/10/2011 06:24:28 PM) (Source: Application Error)(User: )
    Description: WLanCfgG.exe1.0.8.8broadcom.dll2.0.0.900003342

    Error: (05/10/2011 11:09:45 AM) (Source: MPSampleSubmission)(User: )
    Description: mptelemetry80070424beginsearchsearch3.0.8107.0mpsigdwn.dll3.0.8107.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)NILNILNIL

    Error: (05/10/2011 11:04:02 AM) (Source: Application Error)(User: )
    Description: WLanCfgG.exe1.0.8.8broadcom.dll2.0.0.900003342

    Error: (05/08/2011 07:44:43 PM) (Source: MPSampleSubmission)(User: )
    Description: mptelemetry80070424beginsearchsearch3.0.8107.0mpsigdwn.dll3.0.8107.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)NILNILNIL

    Error: (05/08/2011 02:22:45 AM) (Source: MPSampleSubmission)(User: )
    Description: mptelemetry80070424beginsearchsearch3.0.8107.0mpsigdwn.dll3.0.8107.0microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094)NILNILNIL

    Error: (05/07/2011 09:12:34 PM) (Source: Application Error)(User: )
    Description: WLanCfgG.exe1.0.8.8broadcom.dll2.0.0.900003342

    Error: (05/07/2011 09:12:00 PM) (Source: Application Error)(User: )
    Description: WLanCfgG.exe1.0.8.8broadcom.dll2.0.0.900003342


    ========================= End of Event log errors =========================

    ========================= Memory info: ====================================

    Percentage of memory in use: 69%
    Total physical RAM: 1023.36 MB
    Available physical RAM: 311.2 MB
    Total Pagefile: 2461.98 MB
    Available Pagefile: 1764.38 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2000.85 MB

    ======================= Partitions: =======================================

    1 Drive c: () (Fixed) (Total:27.94 GB) (Free:8.92 GB) NTFS
    2 Drive d: (Five Elements NTSC) (CDROM) (Total:1.93 GB) (Free:0 GB) UDF
    3 Drive f: (THE LEXAR !) (Removable) (Total:3.73 GB) (Free:1.12 GB) FAT32

    ================= Users: ==================================================

    User accounts for \\NEBULA

    -------------------------------------------------------------------------------
    Administrator Guest HelpAssistant
    SUPPORT_388945a0
    The command completed successfully.

    ================= End of Users ============================================
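    Added triage helper (my own example, not MiniToolBox's code or anything posted in the thread) that pulls the checks broni asked for out of a MiniToolBox-style report: proxy setting, hosts file additions beyond the stock localhost line, and DNS resolution failures, then states which way the evidence points. The sample report is constructed to mimic the tool's section layout.

```python
import re

# Constructed excerpt in MiniToolBox's report layout (not the thread's own output).
SAMPLE_REPORT = """\
========================= IE Proxy Settings: ==============================
Proxy is not enabled.
No Proxy Server is set.
========================= End of IE Proxy Settings ========================

=============== Hosts content: ============================================
127.0.0.1 localhost
=============== End of Hosts ==============================================

================= IP Configuration: =======================================
DNS Servers . . . . . . . . . . . : 10.53.71.1
DNS request timed out.
Ping request could not find host google.com. Please check the name and try again.
================= End of IP Configuration =================================
"""
STOCK_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def section(report, start, end):
    """Body between a '== start: ==' header and its '== End of end ==' footer."""
    pat = r"=+ %s: =+\n(.*?)\n=+ End of %s =+" % (re.escape(start), re.escape(end))
    m = re.search(pat, report, re.S)
    return m.group(1).strip() if m else ""

def triage(report):
    """Pull the checks a responder makes first out of a MiniToolBox-style report."""
    f = {}
    proxy = section(report, "IE Proxy Settings", "IE Proxy Settings")
    f["proxy_set"] = "No Proxy Server is set." not in proxy
    hosts = section(report, "Hosts content", "Hosts")
    rows = [l.split() for l in hosts.splitlines() if l.strip() and not l.startswith("#")]
    # Any mapping beyond the stock localhost line deserves a look: hijackers use
    # hosts entries to block vendor sites or redirect traffic.
    f["hosts_extra"] = [" ".join(r) for r in rows if tuple(r[:2]) not in STOCK_HOSTS]
    ipcfg = section(report, "IP Configuration", "IP Configuration")
    f["dns_servers"] = re.findall(r"DNS Servers[ .]*: (\S+)", ipcfg)
    f["dns_timeouts"] = ipcfg.count("DNS request timed out.")
    f["unresolved"] = re.findall(r"could not find host (\S+)\.", ipcfg)
    # Clean proxy and hosts while the DHCP-assigned resolver times out points
    # upstream (router or ISP DNS), not at a local hijack.
    if f["proxy_set"] or f["hosts_extra"]:
        f["verdict"] = "local tampering suspected"
    elif f["dns_timeouts"] or f["unresolved"]:
        f["verdict"] = "upstream DNS failure"
    else:
        f["verdict"] = "no network findings"
    return f
```

Run `triage(SAMPLE_REPORT)` to see the verdict for the clean-hosts case; feeding it a report with an added hosts entry flips the verdict to local tampering.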
     
