Still need help. Was waiting for Kaspersky to finish.


Post by chefbd » July 23rd, 2010, 11:48 am

I was just getting on to reply and saw that my post was closed. Here's a new HijackThis log, though, and a link to my old thread. I had been trying to run the Kaspersky online scan, which was taking forever and kept stalling out, and Norton would start itself back up and catch some virus action. I have had no audio since the beginning of my problems two weeks ago, but all drivers and physical connections are fine. Any help would be greatly appreciated.

http://malwareremoval.com/forum/viewtop ... 12&t=52241

Here's what Norton has grabbed lately. I thought Qoobox came in with ComboFix; why would Norton go after it?

Date Filename Threat Threat Type Action Taken Computer User Original Location Status Current Location Primary Action Secondary Action Scan Type Action Description
7/23/2010 1:26 A0005331.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP3\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP3\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/23/2010 1:26 A0005303.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP3\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP3\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/23/2010 1:26 A0005302.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/23/2010 1:26 A0001260.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/23/2010 1:25 kbdhid.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\Qoobox\32788R22FWJFW\ Infected C:\Qoobox\32788R22FWJFW\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 12:47 A0001260.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 SYSTEM C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 11:47 A0001260.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 SYSTEM C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 11:20 A0001260.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 SYSTEM C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 9:15 A0005303.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP3\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP3\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 9:15 A0005302.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 9:15 A0001260.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 9:13 kbdhid.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\Qoobox\32788R22FWJFW\ Infected C:\Qoobox\32788R22FWJFW\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 3:31 A0005302.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 3:31 A0001260.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/22/2010 3:29 kbdhid.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\Qoobox\32788R22FWJFW\ Infected C:\Qoobox\32788R22FWJFW\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/20/2010 13:36 A0001260.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP2\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/20/2010 13:36 A0001176.dll Trojan.Zefarch!gen File Deleted USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP1\ Deleted Deleted Clean virus from file Quarantine infected file Auto-Protect scan The file was deleted successfully.
7/20/2010 13:36 nsap50.dll.vir Trojan.Zefarch!gen File Deleted USER-6CEBA5E1E4 user C:\Qoobox\Quarantine\C\WINDOWS\ Deleted Deleted Clean virus from file Quarantine infected file Auto-Protect scan The file was deleted successfully.
7/20/2010 13:36 kbdhid.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\Qoobox\32788R22FWJFW\ Infected C:\Qoobox\32788R22FWJFW\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/8/2010 22:14 hzGhTnnrxM.exe Trojan.FakeAV!gen27 File Deleted USER-6CEBA5E1E4 SYSTEM C:\WINDOWS\TEMP\ Deleted Deleted Clean virus from file Quarantine infected file Auto-Protect scan The file was deleted successfully.
7/8/2010 22:14 setup[1].exe Trojan.FakeAV!gen27 File Left alone USER-6CEBA5E1E4 SYSTEM C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F477XOLR\ Infected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F477XOLR\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:11 AM, on 7/23/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://myportal.hcc.mass.edu/site/index_page.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2815210062
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7294 bytes
chefbd
Regular Member
 
Posts: 25
Joined: July 10th, 2010, 1:19 am
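The Norton "Risk History" export pasted above is a flattened table, and most of its rows are repeat detections of the same handful of files. The script below is an added example for this thread, not a tool used by MalwareRemoval.com or by any program in the log: it parses rows in that export format, sorts each detection by where the file lives, and separates copies that sit in System Restore snapshots (C:\System Volume Information\_restore...) or in ComboFix's own backup folder (C:\Qoobox, which is why Norton keeps alerting on it) from files still in a live location that the scanner merely "Left alone". The column vocabularies the regular expression anchors on (the action, status and scan-type words) are assumptions inferred from the rows pasted above; the sample rows embedded in the script are copied from that log.

```python
import re
from collections import Counter

# Column order of the pasted Norton/Symantec AntiVirus risk-history export.
# Multi-word columns (action, paths, primary/secondary action, scan type) have no
# delimiter, so the pattern anchors on the fixed vocabulary of each neighbouring
# column (assumption: vocabularies taken from the rows visible in this thread).
NORTON_LINE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}) "
    r"(?P<filename>\S+) (?P<threat>\S+) (?P<threat_type>\S+) "
    r"(?P<action>Left alone|Deleted|Quarantined|Cleaned) "
    r"(?P<computer>\S+) (?P<user>\S+) "
    r"(?P<orig_loc>[A-Za-z]:\\.*?\\) "               # path always ends in a backslash
    r"(?P<status>Infected|Deleted|Quarantined|Cleaned) "
    r"(?P<cur_loc>[A-Za-z]:\\.*?\\|Deleted|Quarantined) "
    r"(?P<primary>Clean virus from file|Quarantine infected file|Leave alone) "
    r"(?P<secondary>Clean virus from file|Quarantine infected file|Leave alone) "
    r"(?P<scan_type>.+? scan) "
    r"(?P<description>.+)$"
)

# Five rows copied from the Norton log pasted in this thread (header line included
# to show that non-matching lines are skipped).
SAMPLE_LOG = r"""
Date Filename Threat Threat Type Action Taken Computer User Original Location Status Current Location Primary Action Secondary Action Scan Type Action Description
7/23/2010 1:26 A0005331.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP3\ Infected C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP3\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/23/2010 1:25 kbdhid.sys Backdoor.Tidserv!inf File Left alone USER-6CEBA5E1E4 user C:\Qoobox\32788R22FWJFW\ Infected C:\Qoobox\32788R22FWJFW\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
7/20/2010 13:36 nsap50.dll.vir Trojan.Zefarch!gen File Deleted USER-6CEBA5E1E4 user C:\Qoobox\Quarantine\C\WINDOWS\ Deleted Deleted Clean virus from file Quarantine infected file Auto-Protect scan The file was deleted successfully.
7/8/2010 22:14 hzGhTnnrxM.exe Trojan.FakeAV!gen27 File Deleted USER-6CEBA5E1E4 SYSTEM C:\WINDOWS\TEMP\ Deleted Deleted Clean virus from file Quarantine infected file Auto-Protect scan The file was deleted successfully.
7/8/2010 22:14 setup[1].exe Trojan.FakeAV!gen27 File Left alone USER-6CEBA5E1E4 SYSTEM C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F477XOLR\ Infected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F477XOLR\ Clean virus from file Quarantine infected file Auto-Protect scan The file was left unchanged.
"""


def parse_norton_line(line):
    """Return a dict of named columns, or None for header/blank/unparseable lines."""
    m = NORTON_LINE.match(line.strip())
    return m.groupdict() if m else None


def classify_location(path):
    """Sort a detection path into a triage bucket based on where the file sits."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point copy"          # System Restore snapshot of an old file
    if p.startswith("c:\\qoobox\\"):
        return "combofix backup (Qoobox)"    # ComboFix's own backup/quarantine tree
    return "live"                            # a real location on the running system


def triage(log_text):
    """Parse an export and summarise it: counts per (threat, bucket, action),
    the set of distinct files (the scanner re-reports the same file every time the
    folder is touched), and live files the scanner left in place."""
    records = [r for r in (parse_norton_line(l) for l in log_text.splitlines()) if r]
    summary = Counter()
    needs_attention = []
    for r in records:
        bucket = classify_location(r["orig_loc"])
        summary[(r["threat"], bucket, r["action"])] += 1
        if bucket == "live" and r["action"] == "Left alone":
            needs_attention.append((r["filename"], r["orig_loc"]))
    unique_files = {(r["filename"], r["orig_loc"]) for r in records}
    return {"records": records, "summary": summary,
            "unique_files": unique_files, "needs_attention": needs_attention}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['records'])} detections, {len(result['unique_files'])} distinct files")
    for (threat, bucket, action), n in sorted(result["summary"].items()):
        print(f"  {n:3d}  {threat:<22} {bucket:<26} {action}")
    print("Live files left in place (still need handling):")
    for name, path in result["needs_attention"]:
        print(f"  {name}  in  {path}")
```

Copies in restore points and in Qoobox are purged by flushing System Restore and uninstalling ComboFix; the rows worth acting on are the ones this script lists under "needs attention", and the "distinct files" count shows how few files the dozens of repeated alerts actually represent.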

Re: Still need help. Was waiting for Kaspersky to finish.

Post by MWR 3 day Mod » July 27th, 2010, 1:31 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Still need help. Was waiting for Kaspersky to finish.

Post by askey127 » July 29th, 2010, 3:07 pm

chefbd,
Sorry for the delay.
There are a few reasons this request has not been answered.
You have run ComboFix in the past and we have no way of knowing what changes it made.
You have signs of a TDSS rootkit.
With the audio problem, it is also likely you have a Master Boot Record infection in the hard drive. This can be difficult or impossible for us to fix online on an HP machine.
There is no Uninstall list.
These things and an HP brand machine mean this may not be fixable without reverting completely to the "as purchased" condition.
So, the chances of fixing this online are small.

We can do some analysis, but be aware that it is likely that any data passed through or stored on this machine has already been stolen.
Take whatever precautions you think best with credit cards, accounts, passwords, etc.

Do you have any installation disks for Windows? Did the machine come with Windows installed? What model is it?
-----------------------------------------------------------
Retrieve the List of Installed programs Using HJT
Open HijackThis, click Open The Misc Tools Section. Then scroll down the list if you need to, click Open Uninstall Manager and Save List...
The List of installed programs will automatically be saved as uninstall_list.txt in your HiJackThis folder.
In addition, the list opens in Notepad so you can also save as another name in another location if you wish.
Please paste the contents into your next reply.
------------------------------------------------
Download and Run Rkill
Please download Rkill from one of the following links and save to your Desktop:
One, Two, Three or Four
  • Double click on Rkill.
  • A command window will open, then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: If your security software warns about Rkill, please ignore and allow the download to continue. If you cannot get one of the downloads to work for you, try one of the other links.
If you cannot get Rkill to run without being stopped, don't proceed further, and post back to tell me about it.
--------------------------------------------
TDSSKiller
  • Please Download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller Folder on your desktop.
  • Right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Important!: Run this fix once and once only.
  • Double click the TDSSKiller icon on your desktop, then click Start scan.
  • A box will appear saying System scan completed.
  • If any Malicious objects are found click Cure > Continue > Reboot now.
  • A log file should be created on your C: drive named something like TDSSKiller.2.4.0.0 24.07.2010.
  • To find the log click Start > Computer > C:.
  • Please post the contents of that log in your next reply.
--------------------------------------------
Download Bootkit remover to your desktop
This is a rar file. If you do not have a program to open it, then download and install Peazip
Extract Remover.exe to your desktop
Double click Remover.exe
It will show a Black screen with some data on it.
Right click on the screen and select > Select All
Press Control+C
Open Notepad (Start, All Programs, Accessories) and press Control+V
Post the contents of the resulting Notepad file here, please.

So we are looking for the answers to the questions, the Uninstall list, The log from TDSSKiller, and the results file from BootkitRemover.
Use separate replies if you prefer.
askey127
Admin/Teacher
 
Posts: 13904
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Still need help. Was waiting for Kaspersky to finish.

Post by chefbd » July 29th, 2010, 11:39 pm

This is a used machine I bought from someone I know who does network installations. It was badly infected in the past and I had to cough up the money for him to wipe it clean and reinstall Windows from scratch. I have a Windows install disk he gave me a while back for a different machine, but no code to activate it. The machine is a Dell Precision 340 desktop.

7-Zip 4.65
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
ERUNT 1.1j
Game of Life
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp deskjet 3820 series
HP Image Zone 4.0
HP Software Update
InterActual Player
iTunes
Java(TM) 6 Update 16
LiveUpdate 2.0 (Symantec Corporation)
LizardTech DjVu Control
Malwarebytes' Anti-Malware
MasterCook Deluxe
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Monkey's Audio
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NETGEAR WG311v3 PCI Adapter
Photosmart 320,370,7400,8100,8400 Series
QuickTime
Respondus LockDown Browser
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB982381)
Spelling Dictionaries Support For Adobe Reader 9
Symantec AntiVirus
System Requirements Lab for Intel
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VLC media player 1.0.2
Windows Internet Explorer 7

No results for TDSSKiller.

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 4b041b0dfceed4a41d8496697184874d

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

That's it so far. Keeping fingers crossed. By the way, I was able to get my audio working by going into the Device Manager and updating the driver from the existing file, which gives me audio until I restart or some ad audio keeps playing.
Thanks again for your work!
chefbd
Regular Member
 
Posts: 25
Joined: July 10th, 2010, 1:19 am

Re: Still need help. Was waiting for Kaspersky to finish.

Post by askey127 » July 30th, 2010, 6:56 am

chefbd,
Did you run TDSSKiller?
Please go to My Computer, Double click the C: drive and look for a file named something like "TDSSKiller.2.4.0.0 29.07.2010".
If you double click it or right click it and open it with Notepad, please post the contents here.
-----------------------------------------------------------
Download and Run a Diagnostic Tool (MGADiag.exe) from here and save this to your desktop.
http://go.microsoft.com/fwlink/?linkid=56062
* Double-click on MGADiag.exe
* When the program has finished, click on the Validation tab and then click on Copy to Clipboard.
* Please post the results in your next reply.

askey127
Admin/Teacher
 
Posts: 13904
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Still need help. Was waiting for Kaspersky to finish.

Post by chefbd » July 30th, 2010, 11:30 pm

Sorry, when it ran and nothing came up in the results, I thought it hadn't logged anything at all.

2010/07/29 23:28:04.0250 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/29 23:28:04.0250 ================================================================================
2010/07/29 23:28:04.0250 SystemInfo:
2010/07/29 23:28:04.0250
2010/07/29 23:28:04.0250 OS Version: 5.1.2600 ServicePack: 3.0
2010/07/29 23:28:04.0250 Product type: Workstation
2010/07/29 23:28:04.0250 ComputerName: USER-6CEBA5E1E4
2010/07/29 23:28:04.0250 UserName: user
2010/07/29 23:28:04.0250 Windows directory: C:\WINDOWS
2010/07/29 23:28:04.0250 System windows directory: C:\WINDOWS
2010/07/29 23:28:04.0250 Processor architecture: Intel x86
2010/07/29 23:28:04.0250 Number of processors: 1
2010/07/29 23:28:04.0250 Page size: 0x1000
2010/07/29 23:28:04.0250 Boot type: Normal boot
2010/07/29 23:28:04.0250 ================================================================================
2010/07/29 23:28:04.0625 Initialize success
2010/07/29 23:28:26.0203 ================================================================================
2010/07/29 23:28:26.0203 Scan started
2010/07/29 23:28:26.0203 Mode: Manual;
2010/07/29 23:28:26.0203 ================================================================================
2010/07/29 23:28:26.0500 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2010/07/29 23:28:26.0546 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/07/29 23:28:26.0593 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/07/29 23:28:26.0656 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/07/29 23:28:26.0687 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/07/29 23:28:26.0718 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/07/29 23:28:26.0890 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/07/29 23:28:26.0921 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/07/29 23:28:26.0984 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/07/29 23:28:27.0000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/07/29 23:28:27.0046 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/07/29 23:28:27.0203 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/07/29 23:28:27.0281 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/07/29 23:28:27.0312 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/07/29 23:28:27.0343 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/07/29 23:28:27.0484 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
2010/07/29 23:28:27.0593 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/07/29 23:28:27.0671 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/07/29 23:28:27.0765 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/07/29 23:28:27.0828 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/07/29 23:28:27.0875 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/07/29 23:28:27.0921 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/07/29 23:28:27.0968 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2010/07/29 23:28:28.0062 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/07/29 23:28:28.0125 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/07/29 23:28:28.0156 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/07/29 23:28:28.0187 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/07/29 23:28:28.0218 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/07/29 23:28:28.0296 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/07/29 23:28:28.0375 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/07/29 23:28:28.0421 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/07/29 23:28:28.0453 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/07/29 23:28:28.0515 HCF_MSFT (4236e014632f4163f53ebb717f41594c) C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys
2010/07/29 23:28:28.0609 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/07/29 23:28:28.0671 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/07/29 23:28:28.0734 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/07/29 23:28:28.0796 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/07/29 23:28:28.0843 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/07/29 23:28:28.0921 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/07/29 23:28:29.0000 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/07/29 23:28:29.0078 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/07/29 23:28:29.0109 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/07/29 23:28:29.0171 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/07/29 23:28:29.0234 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/07/29 23:28:29.0265 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/07/29 23:28:29.0312 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/07/29 23:28:29.0328 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/07/29 23:28:29.0390 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/07/29 23:28:29.0437 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/07/29 23:28:29.0453 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/07/29 23:28:29.0515 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/07/29 23:28:29.0562 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/07/29 23:28:29.0609 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/07/29 23:28:29.0656 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/07/29 23:28:29.0718 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/07/29 23:28:29.0765 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/07/29 23:28:29.0796 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/07/29 23:28:29.0843 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/07/29 23:28:29.0859 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/07/29 23:28:29.0921 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/07/29 23:28:29.0984 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/07/29 23:28:30.0015 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/07/29 23:28:30.0062 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/07/29 23:28:30.0109 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/07/29 23:28:30.0156 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/07/29 23:28:30.0203 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/07/29 23:28:30.0234 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/07/29 23:28:30.0375 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100723.024\naveng.sys
2010/07/29 23:28:30.0453 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100723.024\navex15.sys
2010/07/29 23:28:30.0546 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/07/29 23:28:30.0640 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/07/29 23:28:30.0703 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/07/29 23:28:30.0750 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/07/29 23:28:30.0812 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/07/29 23:28:30.0843 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/07/29 23:28:30.0890 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/07/29 23:28:30.0937 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/07/29 23:28:31.0015 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/07/29 23:28:31.0140 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/07/29 23:28:31.0250 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/07/29 23:28:31.0359 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/07/29 23:28:31.0390 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/07/29 23:28:31.0453 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/07/29 23:28:31.0484 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/07/29 23:28:31.0546 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/07/29 23:28:31.0609 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/07/29 23:28:31.0671 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/07/29 23:28:31.0843 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/07/29 23:28:31.0875 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/07/29 23:28:31.0968 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/07/29 23:28:32.0093 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/07/29 23:28:32.0156 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/07/29 23:28:32.0171 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/07/29 23:28:32.0203 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/07/29 23:28:32.0265 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/07/29 23:28:32.0328 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/07/29 23:28:32.0375 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/07/29 23:28:32.0468 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/07/29 23:28:32.0531 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/07/29 23:28:32.0640 SAVRT (c8023be4dda22a52cd2f60d9cb9b3985) C:\Program Files\Symantec AntiVirus\savrt.sys
2010/07/29 23:28:32.0703 SAVRTPEL (30547fd7692dc799a0b397b2b918a158) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2010/07/29 23:28:32.0781 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/07/29 23:28:32.0859 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/07/29 23:28:32.0921 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/07/29 23:28:32.0953 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/07/29 23:28:33.0031 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/07/29 23:28:33.0078 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/07/29 23:28:33.0171 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/07/29 23:28:33.0250 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/07/29 23:28:33.0312 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/07/29 23:28:33.0375 SymEvent (42123611a49c33536ab29bdd852a9f5e) C:\Program Files\Symantec\SYMEVENT.SYS
2010/07/29 23:28:33.0421 SYMREDRV (145eaae477f5b56f2621956150a143b0) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2010/07/29 23:28:33.0453 SYMTDI (926efafc087d356bba50bdf6e640bc13) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2010/07/29 23:28:33.0562 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/07/29 23:28:33.0593 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/07/29 23:28:33.0656 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/07/29 23:28:33.0703 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/07/29 23:28:33.0750 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/07/29 23:28:33.0812 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/07/29 23:28:33.0921 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/07/29 23:28:34.0000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/07/29 23:28:34.0046 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/07/29 23:28:34.0093 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/07/29 23:28:34.0156 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/07/29 23:28:34.0187 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/07/29 23:28:34.0250 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/07/29 23:28:34.0328 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/07/29 23:28:34.0421 W8335XP (f0bdc2b474e26117ee77bfdba051fb3c) C:\WINDOWS\system32\DRIVERS\WG311v3XP.sys
2010/07/29 23:28:34.0437 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/07/29 23:28:34.0515 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/07/29 23:28:34.0546 ================================================================================
2010/07/29 23:28:34.0546 Scan finished
2010/07/29 23:28:34.0546 ================================================================================
2010/07/29 23:29:37.0484 Deinitialize success



Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****-T6DFB-Y934T-YD4YT
Windows Product Key Hash: 3g4CZGFEDgbKmn/oB4pa2FZsssU=
Windows Product ID: 76487-OEM-2211906-00102
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {CE52A7CB-2706-4407-81B2-78A9748806C7}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.42.0
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Office Home and Student 2007 - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 7.0; Win32)
Default Browser: C:\Program Files\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{CE52A7CB-2706-4407-81B2-78A9748806C7}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-YD4YT</PKey><PID>76487-OEM-2211906-00102</PID><PIDType>2</PIDType><SID>S-1-5-21-1547161642-515967899-1417001333</SID><SYSTEM><Manufacturer>Dell Computer Corporation</Manufacturer><Model>Precision WorkStation 340 </Model></SYSTEM><BIOS><Manufacturer>Dell Computer Corporation</Manufacturer><Version>A03</Version><SMBIOSVersion major="2" minor="3"/><Date>20020418000000.000000+000</Date><SLPBIOS>Dell System,Dell Computer,Dell System,Dell System</SLPBIOS></BIOS><HWID>C488349F0184C052</HWID><UserLCID>0409</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>Eastern Standard Time(GMT-05:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{91120000-002F-0000-0000-0000000FF1CE}"><LegitResult>100</LegitResult><Name>Microsoft Office Home and Student 2007</Name><Ver>12</Ver><Val>959ABA34FE8E736</Val><Hash>tkeTx4aEQr8AvSacEM+Whn3EkF0=</Hash><Pid>81602-923-3566017-68189</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="12" Result="100"/><App Id="18" Version="12" Result="100"/><App Id="1B" Version="12" Result="100"/><App Id="A1" Version="12" Result="100"/></Applications></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 8000:Dell Inc|8000:Microsoft Corporation
Marker string from OEMBIOS.DAT: Dell System,Dell Computer,Dell System,Dell System

OEM Activation 2.0 Data-->
N/A
chefbd
Regular Member
 
Posts: 25
Joined: July 10th, 2010, 1:19 am
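
The two TDSSKiller runs in this thread list every loaded driver with its MD5 and image path. What a responder wants from such logs is a diff between runs (a driver whose hash changed while its path stayed the same is the classic sign of a Tidserv/TDSS variant that patches a system driver in place) and a flag for any driver loaded from outside the system driver directory. The script below is an added example written for this page, not part of the thread or of TDSSKiller; its sample logs embed a few real lines from the posts above plus one constructed `atapi` line with an all-zero MD5 so that a changed driver shows up in the diff.

```python
import re
from typing import Dict, List, NamedTuple

# One TDSSKiller 2.4 driver line, as in the logs posted above:
#   2010/07/29 23:28:26.0546 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
DRIVER_LINE = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)

# Where Windows XP keeps its kernel drivers. A third-party driver under Program Files is often
# legitimate, but it is the first thing to review once the system drivers all hash as expected.
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


class Driver(NamedTuple):
    md5: str
    path: str


def parse_tdsskiller(log: str) -> Dict[str, Driver]:
    """Map service name -> (md5, path) for every driver line; banner and summary lines are skipped."""
    drivers: Dict[str, Driver] = {}
    for line in log.splitlines():
        m = DRIVER_LINE.match(line)
        if m:
            drivers[m["name"]] = Driver(m["md5"].lower(), m["path"])
    return drivers


def diff_runs(old: Dict[str, Driver], new: Dict[str, Driver]) -> Dict[str, List[str]]:
    """Drivers that appeared, disappeared, or changed hash or path between two scans."""
    report: Dict[str, List[str]] = {"added": [], "removed": [], "changed": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        elif old[name].md5 != new[name].md5 or old[name].path.lower() != new[name].path.lower():
            report["changed"].append(name)
    return report


def outside_system_dir(drivers: Dict[str, Driver]) -> List[str]:
    """Drivers whose image is not under %SystemRoot%\\system32\\drivers."""
    return sorted(name for name, d in drivers.items()
                  if not d.path.lower().startswith(SYSTEM_DRIVER_DIR))


# Sample input: real lines copied from the two TDSSKiller runs posted in this thread, plus one
# CONSTRUCTED line (atapi with an all-zero MD5) so that a changed driver appears in the diff.
RUN_2010_07_29 = r"""2010/07/29 23:28:26.0546 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/07/29 23:28:26.0921 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/07/29 23:28:27.0484 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
2010/07/29 23:28:34.0546 ================================================================================
2010/07/29 23:28:34.0546 Scan finished
"""
RUN_2010_08_03 = r"""2010/08/03 12:52:22.0562 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2010/08/03 12:52:22.0609 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/03 12:52:23.0125 atapi (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/03 12:52:24.0171 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
"""

if __name__ == "__main__":
    old, new = parse_tdsskiller(RUN_2010_07_29), parse_tdsskiller(RUN_2010_08_03)
    print(diff_runs(old, new))
    print("loaded from outside system32\\drivers:", outside_system_dir(new))
```

A hash that changes between runs is only meaningful if the file was not legitimately updated in between (Windows Update, a driver install), so the diff is a pointer for manual review, not a verdict; the MD5s TDSSKiller prints can then be checked against a known-good copy of the same driver version.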

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby askey127 » July 31st, 2010, 7:06 am

chefbd,
-----------------------------------------------------------
Reset System Restore Points
  • Click Start > Help and Support
  • Click on ->Undo changes to your computer with System Restore.
  • Click Create A Restore Point then click Next. Give it a name and then click Create, then Close.
  • Close Help and Support Center.
  • Click Start > Run and type Cleanmgr
  • Select (C: ) then click OK.
  • Click the More Options tab.
  • Click Clean Up in the System Restore Section.
This will remove all previous restore points except the newly created one.
This System Restore sequence is not to be done regularly, but only as a Special Case after the removal of malware.
-----------------------------------------------------------
Folder Deletion
The \Qoobox\ folder is the quarantine location where ComboFix stores infected files.
In Windows Explorer (My Computer), navigate to the folder shown below (in red), highlight it if found, and press Delete.

C:\Qoobox\ <== this folder only

You may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
Make absolutely certain that you do not double click or otherwise activate any of the files inside that folder. They are all infected.
----------------------------------------------
Run Temp File Cleaner
Download Temp File Cleaner and save it to your desktop.
Double click to run it. (Right click and Run as Administrator in Vista)
If you have a lot of junk files to remove, it could take a while, so please be patient and let it finish.
When it's done, if it asks to Reboot, choose to do so. This will remove files that could not be removed while Windows was running.
After Restart, log back in to your usual account.
-----------------------------------------------
Run Eset NOD32 Online AntiVirus
Note: You can use either Internet Explorer or Mozilla FireFox for this scan.

  • Please go Here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

askey127
askey127
Admin/Teacher
 
Posts: 13904
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby chefbd » August 1st, 2010, 5:32 am

Here's the log. If it's important for you to know: while this was running, Symantec Antivirus caught several viruses, just like when Kaspersky was running before. I was just looking at the advanced settings and saw that it's set to re-enable after 30 min. Is this something I should change? Here's what it caught though.

8/1/2010 2:25:13 AM,A0012628.sys,Backdoor.Tidserv!inf,File,Left alone,USER-6CEBA5E1E4,user,C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP6\,Infected,C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP6\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.

And the log you requested...

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=26c49f0a88c3fe4e934e45d56bc6158e
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-01 03:55:18
# local_time=2010-07-31 11:55:18 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=3416
# found=0
# cleaned=0
# scan_time=941
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=26c49f0a88c3fe4e934e45d56bc6158e
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-08-01 06:39:19
# local_time=2010-08-01 02:39:19 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=32246
# found=0
# cleaned=0
# scan_time=9707
chefbd
Regular Member
 
Posts: 25
Joined: July 10th, 2010, 1:19 am
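
The Symantec line above records a Tidserv driver copy inside a System Restore point (RP6) that was `Left alone`: System Restore snapshots files into `\System Volume Information\_restore{GUID}\RP<n>\`, so a detection there is an inert copy that resurfaces at every scan until the restore points are purged, which is what the helper's "Reset System Restore Points" step earlier in the thread does. The triage script below is an added example (not from the thread or from Symantec) that parses such risk-log lines, classifies each detection by whether its path is a restore-point snapshot or a live location, and reports which restore points are affected. The column names are this example's own assumption about the 14-field export format; the second sample line is constructed to show what a live detection looks like.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Assumed column order of the 14-field Symantec AntiVirus risk-history export; the labels are
# this example's own, chosen to match the line posted above field for field.
FIELDS = ["date", "filename", "threat", "threat_type", "action_taken", "computer", "user",
          "original_location", "status", "current_location", "primary_action",
          "secondary_action", "scan_type", "description"]

# Windows XP System Restore stores changed files under
# \System Volume Information\_restore{<GUID>}\RP<n>\ ; a hit there is a snapshot copy, not a loaded driver.
RESTORE_POINT = re.compile(
    r"\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]{36})\}\\(?P<rp>RP\d+)\\",
    re.IGNORECASE,
)


def parse_risk_log(text: str) -> List[Dict[str, str]]:
    """Parse comma-separated risk-log lines; rows with the wrong field count are skipped."""
    rows: List[Dict[str, str]] = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, (f.strip() for f in rec))))
    return rows


def classify(row: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Decide whether a detection sits in a restore-point snapshot or in a live location."""
    m = RESTORE_POINT.search(row["original_location"])
    if m:
        return {"where": "restore_point", "rp": m["rp"].upper(), "guid": m["guid"].upper()}
    return {"where": "live", "rp": None, "guid": None}


def triage(text: str) -> Dict[str, object]:
    """Group detections into restore-point copies vs live hits and list the restore points involved."""
    summary: Dict[str, object] = {"restore_point": [], "live": [], "restore_points_hit": set()}
    for row in parse_risk_log(text):
        c = classify(row)
        entry = {
            "file": row["filename"],
            "threat": row["threat"],
            # "Left alone" means the scanner neither cleaned nor quarantined the file; it is still there.
            "still_present": row["action_taken"].lower() == "left alone",
            **c,
        }
        summary[c["where"]].append(entry)           # type: ignore[union-attr]
        if c["rp"]:
            summary["restore_points_hit"].add(c["rp"])  # type: ignore[union-attr]
    return summary


# Sample input: the first line is the real entry posted above; the second is CONSTRUCTED to show a
# detection at a live path (the filename is made up for the example).
SAMPLE = r"""8/1/2010 2:25:13 AM,A0012628.sys,Backdoor.Tidserv!inf,File,Left alone,USER-6CEBA5E1E4,user,C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP6\,Infected,C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP6\,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was left unchanged.
8/1/2010 2:40:00 AM,example_live.sys,Backdoor.Tidserv!inf,File,Quarantined,USER-6CEBA5E1E4,user,C:\WINDOWS\system32\drivers\,Quarantined,Quarantine,Clean virus from file,Quarantine infected file,Auto-Protect scan,The file was quarantined successfully.
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("restore-point copies:", result["restore_point"])
    print("live detections:     ", result["live"])
    print("restore points to purge:", sorted(result["restore_points_hit"]))
```

If every detection lands in the `restore_point` bucket, purging restore points (keeping one fresh, clean one) is the fix; any entry in the `live` bucket means an active component that still needs removal.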

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby askey127 » August 1st, 2010, 8:26 am

chefbd,
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox (not the word "Code") into the main textfield:
    Code:
    :filefind
    A0012628.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
----------------------------------------------------------------------------------
Double Click RKill again to run it.
----------------------------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except those in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt

So we are looking for the SystemLook results, and the log from Malwarebytes' AntiMalware.
askey127
askey127
Admin/Teacher
 
Posts: 13904
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby chefbd » August 1st, 2010, 9:51 pm

Here ya go. Still getting pop ups like crazy from IE even though I don't use it. It's locked into the boot system or something. I try to end the process in my task manager but it just starts up again.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:27 on 01/08/2010 by user (Administrator - Elevation successful)

========== filefind ==========

Searching for "A0012628.sys"
C:\System Volume Information\_restore{E4613FD2-0163-4BBB-BFCA-53DDD7ABC36C}\RP6\A0012628.sys --a--- 14592 bytes [02:51 10/09/2009] [04:09 14/04/2008] (Unable to calculate MD5)

-=End Of File=-

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as user on 08/01/2010 at 21:29:03.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\user\Desktop\rkill.exe


Rkill completed on 08/01/2010 at 21:29:07.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4378

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/1/2010 9:47:54 PM
mbam-log-2010-08-01 (21-47-54).txt

Scan type: Quick scan
Objects scanned: 133321
Time elapsed: 12 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
chefbd
Regular Member
 
Posts: 25
Joined: July 10th, 2010, 1:19 am

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby askey127 » August 3rd, 2010, 6:20 am

chefbd,
Please erase both the TDSSKiller file and folder from your desktop.
We need to run a new one.
--------------------------------------------
TDSSKiller
  • Please Download TDSSKiller.zip and save it on your desktop.
  • Extract (unzip) its contents to your Desktop.
  • Double-click the TDSSKiller Folder on your desktop.
  • Right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Important!: Run this fix once and once only.
  • Double click the TDSSKiller icon on your desktop then click Start scan.
  • A box will appear saying System scan completed.
  • If any Malicious objects are found click Cure > Continue > Reboot now.
  • A log file should be created on your C: drive named something like TDSSKiller.2.4.0.0 24.07.2010.
  • To find the log click Start > Computer > C:.
  • Please post the contents of that log in your next reply.

---------------------------------------------------
MBR Rootkit Detector:

Please download The MBR Rootkit Detector by GMER
Be sure to download it to the root of your drive, e.g. directly to C:\mbr.exe


Once the download has finished, click Start > Run. Copy and paste the following into the run box, then click OK:
Code:
cmd /c  mbr.exe -t >> "%Userprofile%\desktop\mbrlog.txt"

A log will be generated on your desktop named mbrlog.txt.
Please open it with Notepad and post the contents in your next reply.

askey127
askey127
Admin/Teacher
 
Posts: 13904
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
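
The helper asks for an MBR dump on top of the driver scan because an MBR bootkit (the direction the TDSS family took with TDL4) replaces the 440 bytes of boot code in sector 0 while leaving the partition table intact, so a clean driver list does not by itself rule it out. The example below is added for this page; it is not from the thread, not GMER's tool, and not a parser for `mbr.exe -t` output. It decodes a raw 512-byte MBR (as you would get from a sector dump), hashes the boot code against a known-good baseline and sanity-checks the partition table. Both MBR images are constructed inside the block, and the baseline hash is taken from the constructed clean image; in practice it would be the hash of a trusted MBR for the same OS and disk layout.

```python
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOTSTRAP_LEN = 440           # x86 boot code; bytes 440-443 hold the NT disk signature, 444-445 are reserved
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries, followed by the 0x55AA signature at 510-511
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> Dict:
    """Decode a raw MBR into its boot-code hash, disk signature and non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions: List[Dict] = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> List[str]:
    """Findings a responder should look at; an empty list means nothing unusual was seen."""
    info = parse_mbr(sector)
    findings: List[str] = []
    if info["bootstrap_sha256"] != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from the known-good baseline")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (s1, e1), (s2, e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partition overlap: [{s1},{e1}) and [{s2},{e2})")
    return findings


def _partition_entry(active: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """One 16-byte partition-table entry (CHS fields zeroed; modern tooling relies on the LBA fields)."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\x00\x00\x00", ptype, b"\x00\x00\x00",
                       lba_start, sectors)


def build_mbr(bootstrap: bytes, disk_signature: int, entries: List[bytes]) -> bytes:
    """Assemble a 512-byte MBR from its parts (used here only to build CONSTRUCTED test data)."""
    if len(bootstrap) != BOOTSTRAP_LEN or len(entries) != 4:
        raise ValueError("need 440 bytes of boot code and exactly 4 partition entries")
    return bootstrap + struct.pack("<IH", disk_signature, 0) + b"".join(entries) + BOOT_SIGNATURE


# CONSTRUCTED samples: a clean MBR with one active NTFS partition (type 0x07) and a copy whose
# first boot-code bytes were overwritten with a short jump, the shape of a bootkit's MBR hook.
CLEAN_BOOTSTRAP = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOTSTRAP_LEN - 7)
PARTITIONS = [_partition_entry(True, 0x07, 63, 156_296_322), _partition_entry(False, 0, 0, 0),
              _partition_entry(False, 0, 0, 0), _partition_entry(False, 0, 0, 0)]
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, 0x1234ABCD, PARTITIONS)
TAMPERED_MBR = build_mbr(b"\xeb\x3c" + CLEAN_BOOTSTRAP[2:], 0x1234ABCD, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["bootstrap_sha256"]  # in practice: hash of a trusted MBR for this OS

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, parse_mbr(mbr)["partitions"], check_mbr(mbr, BASELINE) or "no findings")
```

The tampered image keeps an identical, valid partition table and boot signature, so a check that only validates structure passes it; comparing the boot code against a baseline is what catches the swap. A bootkit that hooks disk reads can also hand a scanner the original sector, which is why such dumps are most trustworthy when taken from outside the running system.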

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby chefbd » August 3rd, 2010, 12:58 pm

2010/08/03 12:52:19.0187 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/08/03 12:52:19.0187 ================================================================================
2010/08/03 12:52:19.0187 SystemInfo:
2010/08/03 12:52:19.0187
2010/08/03 12:52:19.0187 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/03 12:52:19.0187 Product type: Workstation
2010/08/03 12:52:19.0187 ComputerName: USER-6CEBA5E1E4
2010/08/03 12:52:19.0187 UserName: user
2010/08/03 12:52:19.0187 Windows directory: C:\WINDOWS
2010/08/03 12:52:19.0187 System windows directory: C:\WINDOWS
2010/08/03 12:52:19.0187 Processor architecture: Intel x86
2010/08/03 12:52:19.0187 Number of processors: 1
2010/08/03 12:52:19.0187 Page size: 0x1000
2010/08/03 12:52:19.0187 Boot type: Normal boot
2010/08/03 12:52:19.0187 ================================================================================
2010/08/03 12:52:19.0453 Initialize success
2010/08/03 12:52:21.0156 ================================================================================
2010/08/03 12:52:21.0156 Scan started
2010/08/03 12:52:21.0156 Mode: Manual;
2010/08/03 12:52:21.0156 ================================================================================
2010/08/03 12:52:22.0562 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2010/08/03 12:52:22.0609 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/03 12:52:22.0656 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/03 12:52:22.0734 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/03 12:52:22.0812 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/03 12:52:22.0843 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/08/03 12:52:23.0046 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/03 12:52:23.0125 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/03 12:52:23.0171 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/03 12:52:23.0328 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/03 12:52:23.0421 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/03 12:52:23.0609 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/03 12:52:23.0734 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/03 12:52:23.0812 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/03 12:52:23.0968 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/03 12:52:24.0171 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
2010/08/03 12:52:24.0484 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/03 12:52:24.0593 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/03 12:52:24.0828 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/03 12:52:24.0937 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/03 12:52:25.0046 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/03 12:52:25.0109 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/03 12:52:25.0171 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2010/08/03 12:52:25.0343 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/03 12:52:25.0453 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/08/03 12:52:25.0531 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/03 12:52:25.0625 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/08/03 12:52:25.0750 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/08/03 12:52:25.0828 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/03 12:52:25.0937 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/03 12:52:26.0000 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/08/03 12:52:26.0078 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/03 12:52:26.0234 HCF_MSFT (4236e014632f4163f53ebb717f41594c) C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys
2010/08/03 12:52:26.0343 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/03 12:52:26.0515 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/08/03 12:52:26.0593 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/08/03 12:52:26.0671 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/08/03 12:52:26.0765 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/03 12:52:26.0843 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/03 12:52:26.0921 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/03 12:52:27.0000 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/08/03 12:52:27.0062 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/03 12:52:27.0171 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/08/03 12:52:27.0281 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/03 12:52:27.0359 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/03 12:52:27.0453 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/03 12:52:27.0484 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/03 12:52:27.0578 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/03 12:52:27.0671 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/03 12:52:27.0718 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/03 12:52:27.0828 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/03 12:52:27.0921 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/08/03 12:52:27.0953 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/03 12:52:28.0000 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/03 12:52:28.0078 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/03 12:52:28.0156 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/03 12:52:28.0171 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/03 12:52:28.0281 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/03 12:52:28.0359 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/03 12:52:28.0453 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/03 12:52:28.0578 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/03 12:52:28.0656 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/03 12:52:28.0703 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/03 12:52:28.0765 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/03 12:52:28.0828 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/03 12:52:28.0921 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/03 12:52:28.0937 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/03 12:52:29.0093 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100730.002\naveng.sys
2010/08/03 12:52:29.0250 NAVEX15 (3ddb0bef60b65df6b110c23e17cd67dc) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100730.002\navex15.sys
2010/08/03 12:52:29.0484 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/03 12:52:29.0562 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/03 12:52:29.0640 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/03 12:52:29.0703 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/03 12:52:29.0781 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/03 12:52:29.0875 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/03 12:52:29.0937 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/03 12:52:30.0046 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/03 12:52:30.0109 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/03 12:52:30.0218 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/03 12:52:30.0343 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/03 12:52:30.0515 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/03 12:52:30.0609 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/03 12:52:30.0734 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/03 12:52:30.0843 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/03 12:52:30.0937 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/03 12:52:31.0031 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/03 12:52:31.0140 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/03 12:52:31.0359 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/03 12:52:31.0453 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/03 12:52:31.0546 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/03 12:52:31.0687 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/03 12:52:31.0781 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/03 12:52:31.0812 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/03 12:52:31.0875 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/03 12:52:31.0953 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/03 12:52:32.0109 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/03 12:52:32.0203 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/03 12:52:32.0296 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/03 12:52:32.0375 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/03 12:52:32.0531 SAVRT (c8023be4dda22a52cd2f60d9cb9b3985) C:\Program Files\Symantec AntiVirus\savrt.sys
2010/08/03 12:52:32.0625 SAVRTPEL (30547fd7692dc799a0b397b2b918a158) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2010/08/03 12:52:32.0765 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/03 12:52:32.0859 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/03 12:52:32.0890 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/03 12:52:32.0984 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/03 12:52:33.0062 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/03 12:52:33.0140 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/03 12:52:33.0250 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/03 12:52:33.0296 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/03 12:52:33.0390 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/03 12:52:33.0531 SymEvent (42123611a49c33536ab29bdd852a9f5e) C:\Program Files\Symantec\SYMEVENT.SYS
2010/08/03 12:52:33.0593 SYMREDRV (145eaae477f5b56f2621956150a143b0) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2010/08/03 12:52:33.0656 SYMTDI (926efafc087d356bba50bdf6e640bc13) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2010/08/03 12:52:33.0750 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/03 12:52:33.0828 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/03 12:52:33.0875 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/03 12:52:33.0937 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/03 12:52:34.0046 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/03 12:52:34.0125 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/03 12:52:34.0234 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/03 12:52:34.0296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/03 12:52:34.0390 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/03 12:52:34.0468 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/03 12:52:34.0546 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/03 12:52:34.0609 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/03 12:52:34.0750 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/03 12:52:34.0843 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/03 12:52:34.0937 W8335XP (f0bdc2b474e26117ee77bfdba051fb3c) C:\WINDOWS\system32\DRIVERS\WG311v3XP.sys
2010/08/03 12:52:34.0968 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/03 12:52:35.0046 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/03 12:52:35.0125 ================================================================================
2010/08/03 12:52:35.0125 Scan finished
2010/08/03 12:52:35.0125 ================================================================================

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: error reading MBR
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
chefbd
Regular Member
 
Posts: 25
Joined: July 10th, 2010, 1:19 am
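Added example (not part of chefbd's post, and not the scanner's own code): a short Python script that parses driver inventory lines of the shape shown in the log above into service name, MD5 and image path, and lists the drivers that load from somewhere other than the standard Windows driver directory, which is where a reviewer of a log like this starts a manual check. The expected-directory set, the helper names and the sample lines (copied from the log above) are assumptions of the example.

```python
import re
from collections import defaultdict

# One driver line as the rootkit scanner prints it:
#   YYYY/MM/DD HH:MM:SS.ffff <service name> (<md5>) <image path>
DRIVER_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$"
)

# Directory a kernel driver on Windows XP is expected to load from. This is an
# assumption for the triage, compared case-insensitively because the log mixes
# DRIVERS / drivers / Drivers in its paths.
EXPECTED_DIRS = {r"c:\windows\system32\drivers"}

# Constructed sample input: five driver lines copied from the log above plus the
# scanner's separator and "Scan finished" lines, which the parser must skip.
SAMPLE_LOG = r"""
2010/08/03 12:52:23.0968 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/03 12:52:24.0171 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
2010/08/03 12:52:26.0765 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/03 12:52:29.0093 NAVENG (0953bb24c1e70a99c315f44f15993c17) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100730.002\naveng.sys
2010/08/03 12:52:32.0531 SAVRT (c8023be4dda22a52cd2f60d9cb9b3985) C:\Program Files\Symantec AntiVirus\savrt.sys
2010/08/03 12:52:35.0125 ================================================================================
2010/08/03 12:52:35.0125 Scan finished
"""


def parse_driver_log(text):
    """Return one dict per driver line; separator and status lines are skipped."""
    drivers = []
    for raw in text.splitlines():
        m = DRIVER_LINE.match(raw.strip())
        if m:
            drivers.append({"ts": m["ts"], "name": m["name"],
                            "md5": m["md5"], "path": m["path"]})
    return drivers


def directory_of(path):
    """Lower-cased directory part of a Windows path (the log uses backslashes only)."""
    return path.lower().rsplit("\\", 1)[0]


def outside_expected_dirs(drivers):
    """Service names whose image lives somewhere other than EXPECTED_DIRS."""
    return [d["name"] for d in drivers
            if directory_of(d["path"]) not in EXPECTED_DIRS]


def group_by_directory(drivers):
    """Directory -> service names, so the reviewer sees each odd location once."""
    groups = defaultdict(list)
    for d in drivers:
        groups[directory_of(d["path"])].append(d["name"])
    return dict(groups)


def hash_index(drivers):
    """md5 -> service names; used to look hashes up against a known-good list."""
    idx = defaultdict(list)
    for d in drivers:
        idx[d["md5"]].append(d["name"])
    return dict(idx)


if __name__ == "__main__":
    parsed = parse_driver_log(SAMPLE_LOG)
    print(f"{len(parsed)} drivers parsed")
    for directory, names in group_by_directory(parsed).items():
        if directory not in EXPECTED_DIRS:
            print(f"review {directory}: {', '.join(names)}")
```

A driver outside system32\drivers is a review queue entry, not a verdict: antivirus engines and hardware utilities legitimately install drivers under Program Files, so the point of the listing is to shorten the manual pass and to give the reviewer the MD5 to compare against the vendor's known-good hashes.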

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby askey127 » August 3rd, 2010, 6:43 pm

chefbd,
If you still have ComboFix on your desktop, please delete it.
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE NORTON ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for the Norton Antivirus icon.
    • right-click it -> choose "Disable Auto-Protect."
    • select a duration of 5 hours (this assures no interference with the cleanup of your pc)
    • click "Ok."
    • a popup will warn that protection will now be disabled.
    Norton Antivirus Guard is now disabled.
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Re-enable your protection software and post the log in your next reply.
A copy of the log will be located here -> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.
askey127
Admin/Teacher
 
Posts: 13904
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby chefbd » August 4th, 2010, 10:56 pm

ComboFix 10-08-03.04 - user 08/04/2010 12:45:41.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.180 [GMT -4:00]
Running from: C:\Documents and Settings\user\Desktop\zzz.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.

2010-08-03 16:55:17 . 2010-08-03 16:55:18 77312 ----a-w- C:\mbr.exe
2010-08-02 01:56:34 . 2010-08-02 01:56:34 503808 ----a-w- C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-16ff4a8a-n\msvcp71.dll
2010-08-02 01:56:34 . 2010-08-02 01:56:34 499712 ----a-w- C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-16ff4a8a-n\jmc.dll
2010-08-02 01:56:34 . 2010-08-02 01:56:34 348160 ----a-w- C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-16ff4a8a-n\msvcr71.dll
2010-08-01 03:33:53 . 2010-08-01 03:33:53 -------- d-----w- C:\Program Files\ESET
2010-07-31 03:16:10 . 2010-07-31 03:16:10 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2010-07-30 03:31:54 . 2010-07-30 03:41:08 -------- d-----w- C:\Documents and Settings\user\Application Data\PeaZip
2010-07-30 03:31:33 . 2010-07-30 03:31:48 -------- d-----w- C:\Program Files\PeaZip
2010-07-27 17:40:45 . 2010-07-27 17:40:45 -------- d-----w- C:\Program Files\SystemRequirementsLab
2010-07-27 17:40:07 . 2010-07-27 17:40:07 84480 ----a-w- C:\Documents and Settings\user\Application Data\SystemRequirementsLab\srlproxy_intel_4.1.66.0A.dll
2010-07-27 17:40:07 . 2010-07-27 17:40:07 -------- d-----w- C:\Documents and Settings\user\Application Data\SystemRequirementsLab
2010-07-19 15:26:46 . 2010-07-19 15:26:54 -------- d-----w- C:\Program Files\ERUNT
2010-07-15 03:35:19 . 2010-07-25 03:16:07 -------- d-----w- C:\rsit
2010-07-14 13:29:18 . 2010-07-14 13:29:18 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-14 13:29:14 . 2010-07-14 13:29:14 664 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2010-07-10 05:09:46 . 2010-07-10 05:09:46 -------- d-sh--w- C:\WINDOWS\system32\config\systemprofile\UserData
2010-07-10 03:27:08 . 2010-07-10 17:41:45 -------- d-----w- C:\Program Files\Spybot - Search & Destroy
2010-07-10 03:27:08 . 2010-07-10 17:25:30 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-10 03:24:09 . 2010-07-10 03:24:09 -------- d-sh--w- C:\Documents and Settings\NetworkService\UserData
2010-07-08 06:11:40 . 2010-05-04 17:20:37 52224 -c----w- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2010-07-08 06:11:40 . 2010-05-04 17:20:37 459264 -c----w- C:\WINDOWS\system32\dllcache\msfeeds.dll
2010-07-08 06:11:40 . 2010-05-04 17:20:36 268288 -c----w- C:\WINDOWS\system32\dllcache\iertutil.dll
2010-07-08 06:11:40 . 2010-04-16 13:24:05 13824 -c----w- C:\WINDOWS\system32\dllcache\ieudinit.exe
2010-07-08 06:11:39 . 2010-05-04 17:20:35 6067200 -c----w- C:\WINDOWS\system32\dllcache\ieframe.dll
2010-07-08 06:11:39 . 2010-05-04 17:20:34 380928 -c----w- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2010-07-08 06:11:39 . 2010-05-04 17:20:33 63488 -c----w- C:\WINDOWS\system32\dllcache\icardie.dll
2010-07-08 06:11:39 . 2010-02-22 22:04:28 2452872 -c----w- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2010-07-08 05:40:18 . 2010-07-25 03:13:04 -------- d-----w- C:\Program Files\Trend Micro
2010-07-08 02:33:22 . 2010-07-08 02:33:22 -------- d-s---w- C:\Documents and Settings\LocalService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-04 16:45:21 . 2009-09-09 00:00:31 -------- d-----w- C:\Program Files\Symantec AntiVirus
2010-07-23 03:16:46 . 2009-10-06 18:29:43 -------- d-----w- C:\Documents and Settings\user\Application Data\vlc
2010-07-19 03:38:07 . 2009-09-14 03:21:23 -------- d-----w- C:\Documents and Settings\user\Application Data\Apple Computer
2010-07-10 16:45:16 . 2009-10-06 17:36:27 -------- d-----w- C:\Documents and Settings\user\Application Data\uTorrent
2010-07-04 02:52:34 . 2009-09-13 04:20:53 -------- d-----w- C:\Program Files\Microsoft Silverlight
2010-06-18 04:11:09 . 2010-06-18 04:10:06 -------- d-----w- C:\Program Files\iTunes
2010-06-18 04:10:36 . 2010-06-18 04:10:36 -------- d-----w- C:\Program Files\iPod
2010-06-18 04:10:31 . 2009-09-14 03:18:59 -------- d-----w- C:\Program Files\Common Files\Apple
2010-06-18 04:06:18 . 2010-06-18 04:06:17 -------- d-----w- C:\Program Files\Bonjour
2010-06-18 04:03:17 . 2010-06-18 04:03:17 72504 ----a-w- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-15 17:32:08 . 2010-06-15 17:32:08 -------- d-----w- C:\Program Files\MSXML 4.0
2010-06-15 03:37:44 . 2010-06-15 03:31:53 93418 ----a-w- C:\WINDOWS\HPHins03.dat
2010-06-15 03:37:01 . 2010-06-15 03:32:55 -------- d-----w- C:\Program Files\HP
2010-06-15 03:36:57 . 2010-06-15 03:36:57 45056 ----a-r- C:\Documents and Settings\user\Application Data\Microsoft\Installer\{457791C5-D702-4143-A7B2-2744BE9573F2}\NewShortcut1_5B69D3033CA54B39B5ECE7D051297E77.exe
2010-06-14 14:31:20 . 2009-09-08 23:45:17 744448 ----a-w- C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe
2010-05-18 20:35:16 . 2010-05-18 20:35:16 91424 ----a-w- C:\WINDOWS\system32\dnssd.dll
2010-05-18 20:35:16 . 2010-05-18 20:35:16 107808 ----a-w- C:\WINDOWS\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 20:44:46 66680]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 19:18:32 124128]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-09-18 03:55:00 149280]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 04:54:42 172032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 05:42:51 36272]
"Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 08:06:33 976832]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2010-03-18 01:53:36 421888]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 04:54:59 49152]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 17:38:56 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 19:18:56 241664]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2006-01-07 04:54:41 659456]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-06-15 20:33:44 141624]

C:\Documents and Settings\user\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [2004-5-28 241664]
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe [2007-11-21 1507328]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

S0 cerc6;cerc6; [x]
S3 cpudrv;cpudrv;C:\Program Files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58:52 AM 11336]
S3 SavRoam;SAVRoam;C:\Program Files\Symantec AntiVirus\SavRoam.exe [3/12/2004 3:18:06 PM 169192]
.
Contents of the 'Scheduled Tasks' folder

2010-07-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34:12 . 2008-07-30 16:34:12]

2010-08-02 C:\WINDOWS\Tasks\HP Usg Daily FY04.job
- C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2010-06-15 03:31:27 . 2006-01-07 04:54:59]

2010-08-04 C:\WINDOWS\Tasks\WGASetup.job
- C:\WINDOWS\system32\KB905474\wgasetup.exe [2009-09-21 05:57:47 . 2009-03-11 02:18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://myportal.hcc.mass.edu/site/index_page.html
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\8bmldoh0.default\
FF - prefs.js: browser.startup.homepage - hxxp://myportal.hcc.mass.edu/site/index_page.html
FF - plugin: C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
chefbd
Regular Member
 
Posts: 25
Joined: July 10th, 2010, 1:19 am
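Added example (not part of chefbd's post, and not ComboFix's own code): a Python parser for the "Files Created" and "Find3M" lines in the report above, which have the shape created-time, a dot, modified-time, size (or dashes for a directory), an eight-character attribute string and the path. It pulls out the entries whose attribute string carries the hidden (h) or system (s) flag, since those are the ones a reviewer wants to see separately from the ordinary program and update files. The reading of the attribute letters, the helper names and the constructed sample (lines copied from the report above) are assumptions of the example.

```python
import re
from datetime import datetime

# One report line:
#   <created> . <modified> <size or --------> <attr flags> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)

# Constructed sample input: five lines copied from the ComboFix report above.
SAMPLE_REPORT = r"""
2010-08-03 16:55:17 . 2010-08-03 16:55:18 77312 ----a-w- C:\mbr.exe
2010-07-10 05:09:46 . 2010-07-10 05:09:46 -------- d-sh--w- C:\WINDOWS\system32\config\systemprofile\UserData
2010-07-10 03:24:09 . 2010-07-10 03:24:09 -------- d-sh--w- C:\Documents and Settings\NetworkService\UserData
2010-07-08 06:11:40 . 2010-05-04 17:20:37 52224 -c----w- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2010-07-08 02:33:22 . 2010-07-08 02:33:22 -------- d-s---w- C:\Documents and Settings\LocalService\UserData
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_combofix_files(text):
    """Return one dict per file line; headers, dots and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if not m:
            continue
        attrs = m["attrs"]
        entries.append({
            "created": datetime.strptime(m["created"], TS_FORMAT),
            "modified": datetime.strptime(m["modified"], TS_FORMAT),
            # ComboFix prints eight dashes instead of a size for directories.
            "size": None if m["size"].startswith("-") else int(m["size"]),
            "attrs": attrs,
            # Attribute letters as read for this example: d directory, s system,
            # h hidden, a archive, c compressed (an assumption, see the lead-in).
            "is_dir": attrs[0] == "d",
            "hidden": "h" in attrs,
            "system": "s" in attrs,
            "path": m["path"],
        })
    return entries


def hidden_or_system(entries):
    """Paths flagged hidden or system; the reviewer looks at these first."""
    return [e["path"] for e in entries if e["hidden"] or e["system"]]


def created_per_day(entries):
    """Date -> number of entries, to spot a burst of activity on one day."""
    counts = {}
    for e in entries:
        day = e["created"].date().isoformat()
        counts[day] = counts.get(day, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_combofix_files(SAMPLE_REPORT)
    print(f"{len(parsed)} entries parsed")
    for path in hidden_or_system(parsed):
        print("hidden/system:", path)
```

Hidden or system directories are created by Windows itself as well (the UserData folders under service-account profiles are a common sight), so the list is a place to start reading, and the per-day counts help line the report up with the dates in the rest of the thread.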

Re: Still need help. Was waiting for Kaspersky to finish.

Unread postby askey127 » August 5th, 2010, 7:18 am

chefbd,

----------------------------------------------------------------------------------
Run MalwareBytes' Anti-Malware
  • Start Malwarebytes' Anti-Malware.
  • Click on The Update tab. Choose Check for Updates.
  • If an update is found, it will download and install the latest version.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program is running, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any log listed to open its contents.
  • Recent logs are named by time/date stamp in this format : mbam-log-2010-mm-dd(hour-min-sec).txt

Tell me how it's running.
Please also post a fresh HiJackThis log.
askey127
Admin/Teacher
 
Posts: 13904
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA