
Solved Multiple Errors on System - Cannot Uninstall SW

Discussion in 'Malware and Virus Removal Archive' started by Mr. Chip, 2010/03/15.

  1. 2010/03/15
    broni (Moderator, Malware Analyst)
    We're both in CA, so don't worry and go to your appointment. Usually, I'm around until 11 PM or so.
    I'm not sure how close we are. At least a couple more scans.

    Download TDSSKiller and save it to your Desktop.
    Extract its contents to your Desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
    Go to Start > Run (or hold down your Windows key and press R), then copy and paste the following into the text field (make sure you include the quote marks) and press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

    If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard so that nothing is done to the file.
    When it is done, a log file called TDSSKiller.txt should be created on your C: drive. Please copy and paste the contents of that file here.
     
  2. 2010/03/15
    Mr. Chip (Lifetime Subscription, Well-Known Member, Thread Starter)
    Thanks broni, I just checked out your profile and learned we are "neighbors".

    I will be back online around 7 pm or so. I will run your latest instructions and post the results.

    One thing, not sure if it is evident from my logs, but my PC is attached to SBS 2003. Do I need to check my other PCs (4 of them) and/or my server? All of them have F-prot and the server has a complete scan twice a day. See you in a few hours. :)
     


  4. 2010/03/15
    broni (Moderator, Malware Analyst)
    Take your time.
    I'd at least run MBAM on those other computers. If anything shows up, start a new topic for each computer.
     
  5. 2010/03/15
    Mr. Chip (Lifetime Subscription, Well-Known Member, Thread Starter)
    TDSS log

    Hi broni,

    I am back. I ran TDSS and here is the log. It seems that everything is OK, but I will wait to hear back from you on next steps.

    Chip


    19:51:10:401 2172 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
    19:51:10:401 2172 ================================================================================
    19:51:10:401 2172 SystemInfo:

    19:51:10:401 2172 OS Version: 5.1.2600 ServicePack: 3.0
    19:51:10:401 2172 Product type: Workstation
    19:51:10:401 2172 ComputerName: CHIPPC1
    19:51:10:401 2172 UserName: chip
    19:51:10:401 2172 Windows directory: C:\WINDOWS
    19:51:10:401 2172 Processor architecture: Intel x86
    19:51:10:401 2172 Number of processors: 2
    19:51:10:401 2172 Page size: 0x1000
    19:51:10:401 2172 Boot type: Normal boot
    19:51:10:401 2172 ================================================================================
    19:51:10:401 2172 UnloadDriverW: NtUnloadDriver error 2
    19:51:10:401 2172 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
    19:51:10:448 2172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
    19:51:10:448 2172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:51:10:448 2172 wfopen_ex: Trying to KLMD file open
    19:51:10:448 2172 wfopen_ex: File opened ok (Flags 2)
    19:51:10:448 2172 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
    19:51:10:448 2172 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
    19:51:10:448 2172 wfopen_ex: Trying to KLMD file open
    19:51:10:448 2172 wfopen_ex: File opened ok (Flags 2)
    19:51:10:448 2172 Initialize success
    19:51:10:448 2172
    19:51:10:448 2172 Scanning Services ...
    19:51:10:937 2172 GetAdvancedServicesInfo: Raw services enum returned 329 services
    19:51:10:937 2172
    19:51:10:937 2172 Scanning Kernel memory ...
    19:51:10:937 2172 Devices to scan: 12
    19:51:10:937 2172
    19:51:10:937 2172 Driver Name: Disk
    19:51:10:937 2172 IRP_MJ_CREATE : BA90EBB0
    19:51:10:937 2172 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:51:10:937 2172 IRP_MJ_CLOSE : BA90EBB0
    19:51:10:937 2172 IRP_MJ_READ : BA908D1F
    19:51:10:937 2172 IRP_MJ_WRITE : BA908D1F
    19:51:10:937 2172 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:51:10:937 2172 IRP_MJ_SET_INFORMATION : 804F4562
    19:51:10:937 2172 IRP_MJ_QUERY_EA : 804F4562
    19:51:10:937 2172 IRP_MJ_SET_EA : 804F4562
    19:51:10:937 2172 IRP_MJ_FLUSH_BUFFERS : BA9092E2
    19:51:10:937 2172 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:51:10:937 2172 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:51:10:937 2172 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:51:10:937 2172 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:51:10:937 2172 IRP_MJ_DEVICE_CONTROL : BA9093BB
    19:51:10:937 2172 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CF28
    19:51:10:937 2172 IRP_MJ_SHUTDOWN : BA9092E2
    19:51:10:937 2172 IRP_MJ_LOCK_CONTROL : 804F4562
    19:51:10:937 2172 IRP_MJ_CLEANUP : 804F4562
    19:51:10:937 2172 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:51:10:937 2172 IRP_MJ_QUERY_SECURITY : 804F4562
    19:51:10:937 2172 IRP_MJ_SET_SECURITY : 804F4562
    19:51:10:937 2172 IRP_MJ_POWER : BA90AC82
    19:51:10:937 2172 IRP_MJ_SYSTEM_CONTROL : BA90F99E
    19:51:10:937 2172 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:51:10:937 2172 IRP_MJ_QUERY_QUOTA : 804F4562
    19:51:10:937 2172 IRP_MJ_SET_QUOTA : 804F4562
    19:51:10:969 2172 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
    19:51:10:969 2172
    19:51:10:969 2172 Driver Name: USBSTOR
    19:51:10:969 2172 IRP_MJ_CREATE : 8A3551F8
    19:51:10:969 2172 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:51:10:969 2172 IRP_MJ_CLOSE : 8A3551F8
    19:51:10:969 2172 IRP_MJ_READ : 8A3551F8
    19:51:10:969 2172 IRP_MJ_WRITE : 8A3551F8
    19:51:10:969 2172 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:51:10:969 2172 IRP_MJ_SET_INFORMATION : 804F4562
    19:51:10:969 2172 IRP_MJ_QUERY_EA : 804F4562
    19:51:10:969 2172 IRP_MJ_SET_EA : 804F4562
    19:51:10:969 2172 IRP_MJ_FLUSH_BUFFERS : 804F4562
    19:51:10:969 2172 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:51:10:969 2172 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:51:10:969 2172 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:51:10:969 2172 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:51:10:969 2172 IRP_MJ_DEVICE_CONTROL : 8A3551F8
    19:51:10:969 2172 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A3551F8
    19:51:10:969 2172 IRP_MJ_SHUTDOWN : 804F4562
    19:51:10:969 2172 IRP_MJ_LOCK_CONTROL : 804F4562
    19:51:10:969 2172 IRP_MJ_CLEANUP : 804F4562
    19:51:10:969 2172 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:51:10:969 2172 IRP_MJ_QUERY_SECURITY : 804F4562
    19:51:10:969 2172 IRP_MJ_SET_SECURITY : 804F4562
    19:51:10:969 2172 IRP_MJ_POWER : 8A3551F8
    19:51:10:969 2172 IRP_MJ_SYSTEM_CONTROL : 8A3551F8
    19:51:10:969 2172 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:51:10:969 2172 IRP_MJ_QUERY_QUOTA : 804F4562
    19:51:10:969 2172 IRP_MJ_SET_QUOTA : 804F4562
    19:51:10:985 2172 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
    19:51:10:985 2172
    19:51:10:985 2172 Driver Name: atapi
    19:51:10:985 2172 IRP_MJ_CREATE : BA5FCB40
    19:51:10:985 2172 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
    19:51:10:985 2172 IRP_MJ_CLOSE : BA5FCB40
    19:51:10:985 2172 IRP_MJ_READ : 804F4562
    19:51:10:985 2172 IRP_MJ_WRITE : 804F4562
    19:51:10:985 2172 IRP_MJ_QUERY_INFORMATION : 804F4562
    19:51:10:985 2172 IRP_MJ_SET_INFORMATION : 804F4562
    19:51:10:985 2172 IRP_MJ_QUERY_EA : 804F4562
    19:51:10:985 2172 IRP_MJ_SET_EA : 804F4562
    19:51:10:985 2172 IRP_MJ_FLUSH_BUFFERS : 804F4562
    19:51:10:985 2172 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
    19:51:10:985 2172 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
    19:51:10:985 2172 IRP_MJ_DIRECTORY_CONTROL : 804F4562
    19:51:10:985 2172 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
    19:51:10:985 2172 IRP_MJ_DEVICE_CONTROL : BA5FCB40
    19:51:10:985 2172 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA5FCB40
    19:51:10:985 2172 IRP_MJ_SHUTDOWN : 804F4562
    19:51:10:985 2172 IRP_MJ_LOCK_CONTROL : 804F4562
    19:51:10:985 2172 IRP_MJ_CLEANUP : 804F4562
    19:51:10:985 2172 IRP_MJ_CREATE_MAILSLOT : 804F4562
    19:51:10:985 2172 IRP_MJ_QUERY_SECURITY : 804F4562
    19:51:10:985 2172 IRP_MJ_SET_SECURITY : 804F4562
    19:51:10:985 2172 IRP_MJ_POWER : BA5FCB40
    19:51:10:985 2172 IRP_MJ_SYSTEM_CONTROL : BA5FCB40
    19:51:10:985 2172 IRP_MJ_DEVICE_CHANGE : 804F4562
    19:51:10:985 2172 IRP_MJ_QUERY_QUOTA : 804F4562
    19:51:10:985 2172 IRP_MJ_SET_QUOTA : 804F4562
    19:51:11:000 2172 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
    19:51:11:000 2172
    19:51:11:000 2172 Completed
    19:51:11:000 2172
    19:51:11:000 2172 Results:
    19:51:11:000 2172 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
    19:51:11:000 2172 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
    19:51:11:000 2172 File objects infected / cured / cured on reboot: 0 / 0 / 0
    19:51:11:000 2172
    19:51:11:000 2172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
    19:51:11:000 2172 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
    19:51:11:016 2172 KLMD(ARK) unloaded successfully
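A log in this layout is easier to read with a small parser that pulls out each driver's dispatch table and the final counters. The following is an added example written for this page, not code from the thread or from Kaspersky's TDSSKiller; the sample log inside it is constructed to mirror the 2.2.8 layout (it is not the poster's log), and the 1 MiB "spread" threshold used to flag a handler that sits far from the driver's other handlers is an assumption.

```python
"""Parse a TDSSKiller 2.2.x log and triage its "Scanning Kernel memory" section.
Added example: not part of the thread and not TDSSKiller's own code.
SAMPLE_LOG is constructed and MAX_SPREAD is an assumed threshold."""
import re
from collections import Counter

# Every log line is "HH:MM:SS:mmm <pid> <body>"; the body may be empty.
LINE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
IRP = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT = re.compile(r"^(\S.*?) - Verdict: (\d+)$")
RESULT = re.compile(r"^(.+?) infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")

# Constructed sample modelled on the 2.2.8 layout; the atapi block has one
# handler deliberately placed far away from the driver's other handlers.
SAMPLE_LOG = """\
19:51:10:401 2172 TDSS rootkit removing tool 2.2.8 Mar 10 2010 15:53:20
19:51:10:937 2172 Scanning Kernel memory ...
19:51:10:937 2172 Devices to scan: 2
19:51:10:937 2172
19:51:10:937 2172 Driver Name: Disk
19:51:10:937 2172 IRP_MJ_CREATE : BA90EBB0
19:51:10:937 2172 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:51:10:937 2172 IRP_MJ_READ : BA908D1F
19:51:10:937 2172 IRP_MJ_WRITE : BA908D1F
19:51:10:937 2172 IRP_MJ_QUERY_INFORMATION : 804F4562
19:51:10:937 2172 IRP_MJ_DEVICE_CONTROL : BA9093BB
19:51:10:969 2172 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
19:51:10:969 2172
19:51:10:985 2172 Driver Name: atapi
19:51:10:985 2172 IRP_MJ_CREATE : BA5FCB40
19:51:10:985 2172 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
19:51:10:985 2172 IRP_MJ_READ : 804F4562
19:51:10:985 2172 IRP_MJ_DEVICE_CONTROL : 8A1F2C00
19:51:10:985 2172 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA5FCB40
19:51:11:000 2172 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
19:51:11:000 2172
19:51:11:000 2172 Results:
19:51:11:000 2172 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
19:51:11:000 2172 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:51:11:000 2172 File objects infected / cured / cured on reboot: 0 / 0 / 0
"""

MAX_SPREAD = 0x100000  # assumed: a driver's own handlers sit within ~1 MiB


def parse_log(text):
    """Return (drivers, results): one dict per 'Driver Name:' block, plus the
    'Results:' counters as (infected, cured, cured_on_reboot) tuples."""
    drivers, results, cur = [], {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if body.startswith("Driver Name:"):
            cur = {"name": body.split(":", 1)[1].strip(),
                   "irps": {}, "path": None, "verdict": None}
            drivers.append(cur)
        elif cur is not None and (hit := IRP.match(body)):
            cur["irps"][hit.group(1)] = int(hit.group(2), 16)
        elif cur is not None and (hit := VERDICT.match(body)):
            cur["path"], cur["verdict"] = hit.group(1), int(hit.group(2))
            cur = None  # the verdict line closes the driver block
        elif (hit := RESULT.match(body)):
            results[hit.group(1)] = tuple(int(x) for x in hit.group(2, 3, 4))
    return drivers, results


def default_handler(drivers):
    """The address filling most IRP slots across all drivers is the kernel's
    generic 'not supported' routine (804F4562 in the sample): unimplemented,
    not hooked."""
    counts = Counter(a for d in drivers for a in d["irps"].values())
    return counts.most_common(1)[0][0] if counts else None


def triage(drivers, max_spread=MAX_SPREAD):
    """Return [(driver, [irp names])] for handlers lying far from the address
    most of that driver's own handlers share; such an entry points into another
    module or pool memory, which is what a dispatch-table hook looks like."""
    dflt = default_handler(drivers)
    findings = []
    for d in drivers:
        own = Counter(a for a in d["irps"].values() if a != dflt)
        if not own:
            continue
        anchor = own.most_common(1)[0][0]
        outliers = sorted(irp for irp, a in d["irps"].items()
                          if a != dflt and abs(a - anchor) > max_spread)
        if outliers:
            findings.append((d["name"], outliers))
    return findings


def all_clean(results):
    """True when every Results counter reports zero infected objects."""
    return bool(results) and all(v[0] == 0 for v in results.values())


if __name__ == "__main__":
    drv, res = parse_log(SAMPLE_LOG)
    for d in drv:
        print(f"{d['name']:<8} {len(d['irps'])} IRP slots  verdict={d['verdict']}  {d['path']}")
    print("handlers far from their driver:", triage(drv) or "none")
    print("results clean:", all_clean(res))
```

TDSSKiller's own verdict remains the authoritative call; the spread check only points at which block of a long log deserves a closer look.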
     
  6. 2010/03/15
    broni (Moderator, Malware Analyst)
    Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

    * Double-click mbr.exe and follow the prompts (Vista users: right-click on mbr.exe and click "Run As Administrator").
    * A black DOS window will quickly appear then disappear.
    * When mbr.exe is finished it will create a log on your desktop.
    * Copy and paste contents of that log (mbr.log) file to your next reply.
     
  7. 2010/03/15
    Mr. Chip (Lifetime Subscription, Well-Known Member, Thread Starter)
    MBR results

    broni,

    here are the results:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
     
  8. 2010/03/15
    broni (Moderator, Malware Analyst)
    Good :)

    ================================================================

    Uninstall Combofix:
    Go to Start > Run [Vista users, go to Start > "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Click OK (Vista users - press Enter).
    Restart your computer.

    ================================================================

    1. Download Temp File Cleaner (TFC).
    Double-click on TFC.exe to run the program.
    Click on the Start button to begin the cleaning process.
    TFC will close all running programs, and it may ask you to restart your computer.


    2. Go to the Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on the Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

    Post fresh HijackThis log as well.
     
  9. 2010/03/15
    Mr. Chip (Lifetime Subscription, Well-Known Member, Thread Starter)
    server question

    Hi broni,

    I completed step #1 and am about to start step #2.

    Do you know how long the Kaspersky scan will take? Whenever I run Trend Micro's HouseCall, the scan can take 3-6 hours. Is Kaspersky the same? (I have a very fast internet connection.)

    While it is running I will check my other PCs. Is there anything I should do to check my SBS 2003 server?
     
  10. 2010/03/15
    broni (Moderator, Malware Analyst)
    Kaspersky shouldn't take that long, but in any case I'm sure your computer should be pretty safe by now.

    I know nothing about servers :)
     
  11. 2010/03/16
    Mr. Chip (Lifetime Subscription, Well-Known Member, Thread Starter)
    broni,

    Not sure if you are done for the night. Just like Trend Micro, the online scan is taking a ton of time. It took 45+ minutes for it to download (despite my connection having 15MB/sec down). It has been running about 15 min and is 3% complete.

    Chip
     
  12. 2010/03/16
    broni (Moderator, Malware Analyst)
    It's OK. Leave it running overnight.
    Just in case of any problems (Kaspersky getting stuck, etc.), here is an alternative, since I have to go to work tomorrow:

    Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Push Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
  13. 2010/03/16
    Mr. Chip (Lifetime Subscription, Well-Known Member, Thread Starter)
    Wrap-up on PC #1

    broni,

    It took 2 hours, but Kaspersky basically came back with a clean report. It flagged two settings I have for remote desktop (but indicated they are not viruses).

    Now that I am all clean, I thought I would create a system restore point. When I went to do so, I learned System Restore was disabled. Did we do this in one of our steps? I hope it is OK that I turned it back on and created a restore point for today.

    broni, you were a huge HUGE help. My second PC tested clear after running Malwarebytes. My third PC came up with two problems. I may start a new thread for that one tomorrow.

    One final question: when you said I should change my passwords, which specific passwords did you mean? Please let me know which one(s) I need to change:

    1. User name and logon passwords for my PC and all of its network connections (I pray this can stay the same)
    2. Any user name/ passwords stored in Firefox or IE
    3. Anything else? Please describe.

    THANK YOU!
    Chip
     
  14. 2010/03/16
    broni (Moderator, Malware Analyst)
    You're very welcome :)
    You did the right thing regarding System Restore; however, it's always better to wait for my "go".

    As for passwords...
    Change any password which leads to any place accessible from the outside world: banks, web-based email, etc.
    All internal passwords should be OK, since your computer is now clean and invisible.

    Now, I'd like to see fresh HJT log to check for any garbage and leftovers.
     
  15. 2010/03/16
    Mr. Chip (Lifetime Subscription, Well-Known Member, Thread Starter)
    New HJT log

    Hi broni,

    Sorry for jumping the gun. Here is the latest HJT log - hopefully we are all clear now:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:58:58 PM, on 3/16/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16981)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\PROGRA~1\VIRTUA~1\CitiVAN.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\WINDOWS\system32\OBroker.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
    C:\Program Files\Citrix\GoToMeeting\366\g2mcomm.exe
    C:\Program Files\Citrix\GoToMeeting\366\g2mlauncher.exe
    C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
    C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
    C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\Program Files\Virtual Account Numbers\BhoCitUS.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe "
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe "
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe "
    O4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe "
    O4 - HKLM\..\Run: [Citi Virtual Account Numbers] C:\PROGRA~1\VIRTUA~1\CitiVAN.exe /lang=en_RG /dontopenmycards
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF1878.cfxxe" /c "C:\ComboFix\C.bat "
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe "
    O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\366\g2mstart.exe "/Trigger RunAtLogon "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: SnagIt 9.lnk = C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: Virtual Account Numbers - {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - C:\PROGRA~1\VIRTUA~1\CitiVAN.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://events.vcall.com
    O16 - DPF: {00000033-9593-4264-8B29-930B3E4EDCCD} (HPVirtualRooms33 Class) - https://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall33.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} (NSHelp Class) - http://theoracle2/connectcomputer/nshelp.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228099459805
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://meeting.juniper.net/dana-cached/setup/JuniperSetupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = techwiselan.local
    O17 - HKLM\Software\..\Telephony: DomainName = techwiselan.local
    O17 - HKLM\System\CCS\Services\Tcpip\..\{384397BF-7F03-4A0C-8A9E-AA57194AC88E}: NameServer = 192.168.1.33,192.168.2.34
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = techwiselan.local
    O17 - HKLM\System\CS1\Services\Tcpip\..\{384397BF-7F03-4A0C-8A9E-AA57194AC88E}: NameServer = 192.168.1.33,192.168.2.34
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = techwiselan.local
    O17 - HKLM\System\CS2\Services\Tcpip\..\{384397BF-7F03-4A0C-8A9E-AA57194AC88E}: NameServer = 192.168.1.33,192.168.2.34
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
    O23 - Service: Anonymizer Management Service (AnonMgmtSvc) - Anonymizer - C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: F-PROT Antivirus for Windows system (FPAVServer) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

    --
    End of file - 11260 bytes
     
  16. 2010/03/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Verify your Java version here: http://www.java.com/en/download/installed.jsp
    Update, if necessary.
    Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista).

    ==================================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF1878.cfxxe" /c "C:\ComboFix\C.bat "


    4. You should also checkmark the following entries (these are unnecessary startups; no actual programs will be removed):

    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe "
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon


    5. Click on Fix checked button.

    6. Restart computer.


    When done....


    Your computer is clean :)

    1. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure, Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please, let me know, how is your computer doing.
     
  17. 2010/03/16
    Mr. Chip Lifetime Subscription

    Mr. Chip Well-Known Member Thread Starter

    Joined:
    2005/06/30
    Messages:
    427
    Likes Received:
    0
    broni,

    Thanks so much! Here I thought we were done but there is more to do. I just checked and my Java is 4 versions old. I am going to fix that now and immediately start step 2.
     
  18. 2010/03/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok :).....................
     
  19. 2010/03/16
    Mr. Chip Lifetime Subscription

    Mr. Chip Well-Known Member Thread Starter

    Joined:
    2005/06/30
    Messages:
    427
    Likes Received:
    0
    broni,

    Thank you, thank you, thank you!!!

    My PC is now clean thanks to you. :):):):):):):):)

    Per your advice, I have installed WOT. I will also now change all of my important online passwords (probably a good thing to do every now and then anyways). This last step will take a bit.

    If I ever have another problem, I hope you are available to help me again. Thanks again and have a great night.

    P.S. How do I mark this thread resolved?
     
  20. 2010/03/16
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    You can't.
    I will.

    I'm glad, things are good :)
    Stay safe :)
     
