help kill this; rootkit.win32.bubnix.auf

Re: help kill this; rootkit.win32.bubnix.auf

by mike busch » October 18th, 2010, 5:21 pm

I am always trying to learn as life goes by; could you please share with me why you think I might have a corrupted MBR? I am not doubting your expertise, just curious what causes you to suggest it... was it something in the reports? Thanks
mike busch
Regular Member
Posts: 27
Joined: October 15th, 2010, 11:45 am

Re: help kill this; rootkit.win32.bubnix.auf

by melboy » October 18th, 2010, 5:38 pm

Yes, entries in your logs plus the symptoms you are experiencing point to a known rootkit that has a couple of variants - one of which is currently very hard to detect. The first TDSSKiller run ruled out one of the variants - I expect the second run to fix it. It also looks as though you have a second rootkit as well, but we'll deal with the first one and then take it from there.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: help kill this; rootkit.win32.bubnix.auf

by mike busch » October 18th, 2010, 9:11 pm

TDSSKiller found 2 items: 1 was cured and the other skipped; the computer needed a reboot. The computer is working better. Should I scan with Anti-Virus Plus to see if it finds the rootkit?

2010/10/18 19:56:11.0078 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/18 19:56:11.0078 ================================================================================
2010/10/18 19:56:11.0078 SystemInfo:
2010/10/18 19:56:11.0078
2010/10/18 19:56:11.0078 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/18 19:56:11.0109 Product type: Workstation
2010/10/18 19:56:11.0109 ComputerName: MIKESNOTEBOOK
2010/10/18 19:56:11.0109 UserName: mike busch
2010/10/18 19:56:11.0109 Windows directory: C:\WINDOWS
2010/10/18 19:56:11.0109 System windows directory: C:\WINDOWS
2010/10/18 19:56:11.0109 Processor architecture: Intel x86
2010/10/18 19:56:11.0109 Number of processors: 1
2010/10/18 19:56:11.0109 Page size: 0x1000
2010/10/18 19:56:11.0109 Boot type: Normal boot
2010/10/18 19:56:11.0109 ================================================================================
2010/10/18 19:56:12.0281 Initialize success
2010/10/18 19:56:37.0671 ================================================================================
2010/10/18 19:56:37.0671 Scan started
2010/10/18 19:56:37.0671 Mode: Manual;
2010/10/18 19:56:37.0671 ================================================================================
2010/10/18 19:56:44.0593 Suspicious service (NoAccess): cdfsqdbh
2010/10/18 19:56:44.0671 cdfsqdbh - detected Locked service (1)
2010/10/18 19:57:03.0156 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/18 19:57:03.0171 ================================================================================
2010/10/18 19:57:03.0171 Scan finished
2010/10/18 19:57:03.0171 ================================================================================
2010/10/18 19:57:03.0187 Detected object count: 2
2010/10/18 19:57:46.0062 Locked service(cdfsqdbh) - User select action: Skip
2010/10/18 19:57:46.0078 \HardDisk0\MBR - will be cured after reboot
2010/10/18 19:57:46.0078 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/18 19:57:51.0109 Deinitialize success
mike busch
Regular Member
Posts: 27
Joined: October 15th, 2010, 11:45 am
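As an added example (not part of the thread, and not code from TDSSKiller's authors), a small Python triage helper for a TDSSKiller log in the format posted above: it separates the clean driver enumeration from the "Suspicious service" and "detected" lines, matches each detection to the action the user chose at the end of the run, and lists anything that was skipped so a helper can see what still needs a follow-up tool. The regexes are assumptions derived only from the log above, and the sample log is a constructed excerpt of its lines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Format assumptions taken from the log posted above, not from TDSSKiller documentation:
# every line is "YYYY/MM/DD HH:MM:SS.mmmm <message>".
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+ (.*)$")
# Clean driver enumeration: "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-fA-F]{32})\) (\S.*)$")
# Early warning that precedes a locked-service detection: "Suspicious service (<reason>): <service>"
SUSPICIOUS_RE = re.compile(r"^Suspicious service \(([^)]+)\): (\S+)$")
# Detection: "<object> - detected <name> (<n>)"
DETECTED_RE = re.compile(r"^(.+?) - detected (.+?) \((\d+)\)$")
# Epilogue: "<name>(<object>) - User select action: <Cure|Skip|...>"
ACTION_RE = re.compile(r"^(.+?)\((.+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")
REBOOT_SUFFIX = " - will be cured after reboot"


@dataclass
class Detection:
    obj: str
    name: str
    action: Optional[str] = None   # Cure / Skip / ... or None if no action was recorded
    reboot_pending: bool = False   # the tool deferred the cure to the next reboot


@dataclass
class Triage:
    drivers: int = 0
    suspicious: Dict[str, str] = field(default_factory=dict)   # service -> reason
    detections: List[Detection] = field(default_factory=list)
    reported_count: Optional[int] = None

    def by_obj(self, obj: str) -> Optional[Detection]:
        return next((d for d in self.detections if d.obj == obj), None)

    @property
    def unresolved(self) -> List[Detection]:
        """Detections the user did not cure; these need a follow-up (the thread uses a ComboFix script)."""
        return [d for d in self.detections if d.action != "Cure"]

    @property
    def count_consistent(self) -> bool:
        """Cross-check the tool's own count against the detection lines we parsed."""
        return self.reported_count is None or self.reported_count == len(self.detections)


def triage(log_text: str) -> Triage:
    t = Triage()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # banners and blank lines carry no message
        msg = m.group(1)
        if DRIVER_RE.match(msg):
            t.drivers += 1
        elif (m2 := SUSPICIOUS_RE.match(msg)):
            t.suspicious[m2.group(2)] = m2.group(1)
        elif (m2 := DETECTED_RE.match(msg)):
            t.detections.append(Detection(obj=m2.group(1), name=m2.group(2)))
        elif msg.endswith(REBOOT_SUFFIX):
            d = t.by_obj(msg[: -len(REBOOT_SUFFIX)])
            if d:
                d.reboot_pending = True
        elif (m2 := ACTION_RE.match(msg)):
            d = t.by_obj(m2.group(2))
            if d:
                d.action = m2.group(3)
        elif (m2 := COUNT_RE.match(msg)):
            t.reported_count = int(m2.group(1))
    return t


def report(t: Triage) -> List[str]:
    lines = [f"{t.drivers} driver(s) enumerated, {len(t.detections)} detection(s)"]
    if not t.count_consistent:
        lines.append(f"WARNING: tool reported {t.reported_count} objects, parsed {len(t.detections)}")
    for d in t.detections:
        status = d.action or "no action recorded"
        if d.reboot_pending:
            status += " (completes after reboot)"
        lines.append(f"{d.obj}: {d.name} -> {status}")
    for d in t.unresolved:
        hint = t.suspicious.get(d.obj)
        lines.append(f"FOLLOW-UP: {d.obj} was not cured"
                     + (f" (flagged {hint} earlier in the scan)" if hint else ""))
    return lines


# Constructed excerpt of the log posted above (clean driver lines abridged to two).
SAMPLE_LOG = r"""2010/10/18 19:56:37.0671 Scan started
2010/10/18 19:56:37.0671 Mode: Manual;
2010/10/18 19:56:41.0203 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/18 19:56:44.0593 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/18 19:56:44.0593 Suspicious service (NoAccess): cdfsqdbh
2010/10/18 19:56:44.0671 cdfsqdbh - detected Locked service (1)
2010/10/18 19:57:03.0156 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/18 19:57:03.0171 Scan finished
2010/10/18 19:57:03.0187 Detected object count: 2
2010/10/18 19:57:46.0062 Locked service(cdfsqdbh) - User select action: Skip
2010/10/18 19:57:46.0078 \HardDisk0\MBR - will be cured after reboot
2010/10/18 19:57:46.0078 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
"""

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

On the excerpt above the report lists the MBR cure as pending reboot and flags cdfsqdbh as the skipped object, which is the item the next post's ComboFix script targets.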

Re: help kill this; rootkit.win32.bubnix.auf

by melboy » October 19th, 2010, 2:49 am

Hi

Firstly, delete the copy of ComboFix you should have on your desktop, and download a new copy from >> here << and save it to your Desktop.

Then follow these instructions:


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    File::
    C:\WINDOWS\system32\drivers\cdfsqdbh.sys
    c:\windows\Bcune.bin

    Driver::
    cdfsqdbh


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
melboy
MRU Expert
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: help kill this; rootkit.win32.bubnix.auf

by mike busch » October 20th, 2010, 9:06 am

Here is the ComboFix log:

ComboFix 10-10-19.03 - mike busch 10/20/2010 7:18.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.295 [GMT -5:00]
Running from: c:\documents and settings\mike busch\Desktop\mikebusch.exe
Command switches used :: c:\documents and settings\mike busch\Desktop\cfscript.txt

FILE ::
"c:\windows\Bcune.bin"
"c:\windows\system32\drivers\cdfsqdbh.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Bcune.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDFSQDBH


((((((((((((((((((((((((( Files Created from 2010-09-20 to 2010-10-20 )))))))))))))))))))))))))))))))
.

2010-10-19 02:19 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 02:19 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 02:19 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 02:19 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-17 16:09 . 2010-10-17 16:09 -------- d-----w- c:\program files\Seagate
2010-10-17 16:09 . 2010-10-17 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-10-17 16:07 . 2010-10-17 16:07 -------- d-----w- c:\documents and settings\mike busch\Local Settings\Application Data\Downloaded Installations
2010-10-17 16:06 . 2010-10-17 16:06 -------- d-----w- c:\program files\Carbonite
2010-10-17 16:06 . 2010-10-17 16:06 -------- d-sh--w- c:\windows\ftpcache
2010-10-17 16:05 . 2010-10-17 16:05 -------- d-----w- c:\documents and settings\mike busch\Application Data\Leadertech
2010-10-17 12:45 . 2010-10-17 13:09 -------- d-----w- C:\MikeB
2010-10-10 23:52 . 2010-10-10 23:53 -------- d-----w- c:\program files\Linksys
2010-10-08 12:50 . 2010-10-08 12:50 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-05 07:26 . 2010-10-05 07:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-09-22 00:52 . 2010-09-22 00:52 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-09-22 00:52 . 2010-09-22 00:52 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-09-22 00:47 . 2010-09-22 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PLAV
2010-09-22 00:46 . 2010-08-09 17:57 132184 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-09-22 00:46 . 2010-09-22 00:46 -------- d-----w- c:\program files\Common Files\PLAV
2010-09-22 00:46 . 2010-09-22 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2010-09-22 00:46 . 2010-09-22 00:46 -------- d-----w- c:\program files\ParetoLogic
2010-09-21 04:18 . 2010-09-21 04:18 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-21 01:59 . 2010-09-21 01:59 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-09-21 00:32 . 2010-06-08 09:04 7168 ----a-w- c:\documents and settings\All Users\Application Data\Z@!-650e035b-f528-4366-9791-a41f4c3395a7.tmp
2010-09-20 12:44 . 2010-09-21 02:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\PLAV\Pareto_AV.exe" [2010-09-08 4547864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-05 155648]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe" [2010-08-28 232912]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
nayvp.exe [2010-10-10 139264]

c:\documents and settings\mike busch\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\mike busch\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2010-10-17 1731736]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
emuhk.exe [2010-10-10 139264]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56092:TCP"= 56092:TCP:Pando
"56092:UDP"= 56092:UDP:Pando
"22778:TCP"= 22778:TCP:spport
"22549:TCP"= 22549:TCP:spport
"29215:TCP"= 29215:TCP:spport
"16980:TCP"= 16980:TCP:spport
"18849:TCP"= 18849:TCP:spport
"8955:TCP"= 8955:TCP:spport
"18405:TCP"= 18405:TCP:spport
"29937:TCP"= 29937:TCP:spport
"7953:TCP"= 7953:TCP:spport
"6578:TCP"= 6578:TCP:spport
"15619:TCP"= 15619:TCP:spport

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [8/9/2010 12:57 PM 32272]
R3 PLAVService;PLAVService;c:\program files\Common Files\PLAV\plavservice.exe [9/8/2010 12:32 PM 599384]
S2 gupdate1c9cab57a5a0ae4;Google Update Service (gupdate1c9cab57a5a0ae4);c:\program files\Google\Update\GoogleUpdate.exe [5/1/2009 6:35 PM 133104]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\DRIVERS\w600bus.sys --> c:\windows\system32\DRIVERS\w600bus.sys [?]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w600mdfl.sys --> c:\windows\system32\DRIVERS\w600mdfl.sys [?]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\DRIVERS\w600mdm.sys --> c:\windows\system32\DRIVERS\w600mdm.sys [?]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\w600mgmt.sys --> c:\windows\system32\DRIVERS\w600mgmt.sys [?]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w600obex.sys --> c:\windows\system32\DRIVERS\w600obex.sys [?]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [10/23/2009 4:58 PM 582424]
.
Contents of the 'Scheduled Tasks' folder

2010-10-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-08 23:34]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:35]

2010-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:35]

2010-10-05 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]

2010-10-04 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]

2010-10-04 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-23 21:58]

2010-10-07 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-23 21:58]

2006-07-19 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]

2010-09-19 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2009-10-23 21:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2116)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2010-10-20 07:37:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-20 12:37
ComboFix2.txt 2010-10-17 13:09
ComboFix3.txt 2010-10-15 15:14
ComboFix4.txt 2010-10-15 12:45
ComboFix5.txt 2010-10-20 12:16

Pre-Run: 53,521,301,504 bytes free
Post-Run: 53,850,603,520 bytes free

- - End Of File - - E527A762B88BC986D7D1826B4BDDA2A3
mike busch
Regular Member
 
Posts: 27
Joined: October 15th, 2010, 11:45 am
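As an added illustration, not code from the thread or from ComboFix, here is a small Python triage of the two ComboFix sections an analyst reads first in a log like the one above: the firewall GloballyOpenPorts list (grouped by program, flagging any program that holds an unusual number of exceptions) and the service lines, picking out entries whose binary ComboFix marked [x] or [?]. The sample log is a constructed excerpt of the log above, and the reading of the bracket suffixes is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the ComboFix sections quoted in this thread.
SAMPLE_LOG = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56092:TCP"= 56092:TCP:Pando
"56092:UDP"= 56092:UDP:Pando
"22778:TCP"= 22778:TCP:spport
"22549:TCP"= 22549:TCP:spport
"29215:TCP"= 29215:TCP:spport
"16980:TCP"= 16980:TCP:spport
"18849:TCP"= 18849:TCP:spport

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\DRIVERS\w600bus.sys --> c:\windows\system32\DRIVERS\w600bus.sys [?]
"""

PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+)$')
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]$')


def parse_open_ports(text):
    """Return (port, protocol, program) tuples from the GloballyOpenPorts list."""
    entries = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return entries


def ports_by_program(entries):
    grouped = defaultdict(set)
    for port, proto, program in entries:
        grouped[program].add(f"{port}/{proto}")
    return grouped


def flag_port_exceptions(entries, max_ports=2):
    """Programs holding more firewall exceptions than max_ports, for manual review.

    A P2P client normally opens one port per protocol; a long list of unrelated
    high ports under one name is worth a second look, not proof of anything.
    """
    return sorted(name for name, ports in ports_by_program(entries).items()
                  if len(ports) > max_ports)


def parse_services(text):
    """Parse ComboFix 'R2/S3 name;display;path [info]' lines.

    The bracket suffix is read as: '[x]' -> binary not found, '[?]' -> file
    details unavailable, anything else -> timestamp and size present. That
    reading is an assumption based on the entries in this thread.
    """
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, path, info = m.groups()
        status = {"x": "missing", "?": "unverified"}.get(info, "ok")
        services.append({"start": start, "name": name, "display": display,
                         "path": path.split(" --> ")[0], "status": status})
    return services


def triage(text):
    """Summarise the points an analyst would want to check by hand."""
    entries = parse_open_ports(text)
    services = parse_services(text)
    return {
        "open_port_count": len(entries),
        "review_programs": flag_port_exceptions(entries),
        "missing_binaries": [s["name"] for s in services if s["status"] == "missing"],
        "unverified_binaries": [s["name"] for s in services if s["status"] == "unverified"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```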

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby melboy » October 20th, 2010, 5:15 pm

Hi Mike.

That's good - progress.

You've a couple of files that I don't like the look of. I'd like you to get them checked out at VirusTotal.

Check a file

  • Go to VirusTotal
  • In the Upload a file box, click Browse
  • When the Choose a file to upload box opens Copy/Paste the file below and click Open.
    c:\documents and settings\Default User\Start Menu\Programs\Startup\emuhk.exe
  • Click Send File, and the file will upload to VirusTotal where it will be scanned by several anti-virus programmes.
    NOTE: if you receive a message stating:
    • File already submitted, click Reanalyze.
  • After a while, a window will open, with details of what the scans found.
  • Copy and paste the results into your next reply.

Repeat the above for:
c:\documents and settings\Administrator\Start Menu\Programs\Startup\nayvp.exe



TFC

  • Please download TFC by Old Timer to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Malwarebytes' Anti-Malware (MBAM)

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click on Scan
  • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
  • Check all items then click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply.

    The log can also be found here:
    1. C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    2. Or via the Logs tab when the application is started.

Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately.
Failure to reboot will prevent MBAM from removing all the malware.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby mike busch » October 20th, 2010, 8:13 pm

first scan results for c:\documents and settings\Default User\Start Menu\Programs\Startup\emuhk.exe

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: emuhk.exe
Submission date: 2010-10-21 00:11:35 (UTC)
Current status: queued (#7) queued analysing finished


Result: 5/ 6 (83.3%)
VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
Fortinet 4.2.249.0 2010.10.20 W32/ZBOT.SMEQ!tr
NOD32 5549 2010.10.20 Win32/Spy.Zbot.ZR
Norman 6.06.10 2010.10.20 -
TrendMicro 9.120.0.1004 2010.10.20 TSPY_ZBOT.SMEQ
TrendMicro-HouseCall 9.120.0.1004 2010.10.21 TSPY_ZBOT.SMEQ
VBA32 3.12.14.1 2010.10.20 TrojanSpy.Zbot.zr
Additional information
MD5 : 5ed23dddf616b8c79bc0077c3492b613
SHA1 : 581a61da1045624d57fb4bc5ac1d609666de1dd3
SHA256: 0b3ccb0e6bde90ac4fb398e9c67cd5f40b3356f6799bd6c08c5e4d911a907a61
ssdeep: 3072:plChaSX2zBtzmxaQ9xeVcGGzCGb61JHhb2/T4pdt99iovNfX:plGfmPsN9xnLW13Kb4pBNfX
File size : 139264 bytes
First seen: 2010-10-09 01:14:55
Last seen : 2010-10-21 00:11:35
TrID:
Win32 Executable MS Visual C++ (generic) (51.6%)
Windows Screen Saver (17.9%)
Win32 Executable Generic (11.6%)
Win32 Dynamic Link Library (generic) (10.3%)
Clipper DOS Executable (2.7%)


mike busch
Regular Member
 
Posts: 27
Joined: October 15th, 2010, 11:45 am

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby mike busch » October 20th, 2010, 8:22 pm

second scan result for c:\documents and settings\Administrator\Start Menu\Programs\Startup\nayvp.exe

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: nayvp.exe
Submission date: 2010-10-21 00:16:12 (UTC)
Current status: queued (#2) queued (#2) analysing finished


Result: 32/ 43 (74.4%)
VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2010.10.20.02 2010.10.20 Win-Trojan/Zbot.139264.P
AntiVir 7.10.13.9 2010.10.20 TR/Kazy.613
Antiy-AVL 2.0.3.7 2010.10.20 Packed/Win32.Krap.gen
Authentium 5.2.0.5 2010.10.20 -
Avast 4.8.1351.0 2010.10.20 Win32:Redosdru-R
Avast5 5.0.594.0 2010.10.20 Win32:Redosdru-R
AVG 9.0.0.851 2010.10.21 PSW.Generic8.ZEE
BitDefender 7.2 2010.10.21 Gen:Variant.Kazy.613
CAT-QuickHeal 11.00 2010.10.20 -
ClamAV 0.96.2.0-git 2010.10.20 -
Comodo 6454 2010.10.20 -
DrWeb 5.0.2.03300 2010.10.21 Trojan.PWS.Panda.387
Emsisoft 5.0.0.50 2010.10.20 PWS.Win32!IK
eSafe 7.0.17.0 2010.10.20 -
eTrust-Vet 36.1.7923 2010.10.20 -
F-Prot 4.6.2.117 2010.10.20 -
F-Secure 9.0.16160.0 2010.10.21 Gen:Variant.Kazy.613
Fortinet 4.2.249.0 2010.10.20 W32/ZBOT.SMEQ!tr
GData 21 2010.10.21 Gen:Variant.Kazy.613
Ikarus T3.1.1.90.0 2010.10.20 PWS.Win32
Jiangmin 13.0.900 2010.10.20 Packed.Krap.dkbk
K7AntiVirus 9.66.2798 2010.10.20 Riskware
Kaspersky 7.0.0.125 2010.10.20 Packed.Win32.Krap.hx
McAfee 5.400.0.1158 2010.10.21 PWS-Zbot.gen.bx
McAfee-GW-Edition 2010.1C 2010.10.20 -
Microsoft 1.6301 2010.10.20 PWS:Win32/Zbot
NOD32 5549 2010.10.20 Win32/Spy.Zbot.ZR
Norman 6.06.10 2010.10.20 -
nProtect 2010-10-20.01 2010.10.20 Trojan/W32.Krap.139264.AH
Panda 10.0.2.7 2010.10.20 Generic Malware
PCTools 7.0.3.5 2010.10.21 Trojan.Zbot
Prevx 3.0 2010.10.21 High Risk Cloaked Malware
Rising 22.70.01.08 2010.10.20 Trojan.Win32.Generic.5239EEE8
Sophos 4.58.0 2010.10.20 Mal/FakeAV-BW
Sunbelt 7103 2010.10.20 Trojan.Win32.Generic!BT
SUPERAntiSpyware 4.40.0.1006 2010.10.21 -
Symantec 20101.2.0.161 2010.10.21 Trojan.Zbot
TheHacker 6.7.0.1.063 2010.10.20 Trojan/Spy.Zbot.zr
TrendMicro 9.120.0.1004 2010.10.20 TSPY_ZBOT.SMEQ
TrendMicro-HouseCall 9.120.0.1004 2010.10.21 TSPY_ZBOT.SMEQ
VBA32 3.12.14.1 2010.10.20 TrojanSpy.Zbot.zr
ViRobot 2010.10.20.4103 2010.10.20 -
VirusBuster 12.69.9.0 2010.10.20 TrojanSpy.Zbot.AOIJ
Additional information
MD5 : 5ed23dddf616b8c79bc0077c3492b613
SHA1 : 581a61da1045624d57fb4bc5ac1d609666de1dd3
SHA256: 0b3ccb0e6bde90ac4fb398e9c67cd5f40b3356f6799bd6c08c5e4d911a907a61
ssdeep: 3072:plChaSX2zBtzmxaQ9xeVcGGzCGb61JHhb2/T4pdt99iovNfX:plGfmPsN9xnLW13Kb4pBNfX
File size : 139264 bytes
First seen: 2010-10-09 01:14:55
Last seen : 2010-10-21 00:16:12
TrID:
Win32 Executable MS Visual C++ (generic) (51.6%)
Windows Screen Saver (17.9%)
Win32 Executable Generic (11.6%)
Win32 Dynamic Link Library (generic) (10.3%)
Clipper DOS Executable (2.7%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x3B00
timedatestamp....: 0x48B8B081 (Sat Aug 30 02:29:21 2008)
machinetype......: 0x14c (I386)

[[ 5 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
DATA, 0x1000, 0xDE4, 0xE00, 0.00, b4202f7fe985b9648b4676e6f70832bd
.text, 0x2000, 0x201E7, 0x20200, 6.61, 1d5771d26316cee677679fba90a4fcee
.textbss, 0x23000, 0x17F69, 0x400, 7.27, 2bc507e7b0cd587079457a26468b2f24
DATA, 0x3B000, 0x3E1, 0x400, 6.63, 8e19235b7060082c482bd5551fea4bb1
.rsrc, 0x3C000, 0x1EC, 0x200, 5.08, 48786ca694fc7aad0e100bec22bf13cd

[[ 13 import(s) ]]
USER32.dll: CharUpperA, CheckRadioButton, RedrawWindow, SetMenu, GetMessagePos, PtInRect, IsIconic, CharLowerW, GetWindowPlacement, wsprintfA, SetWindowTextA, DestroyIcon, GetWindowTextLengthW, GetAsyncKeyState, MessageBeep, SetDlgItemTextA, SetWindowTextW, ShowWindow, FindWindowA
ole32.dll: StgCreateDocfileOnILockBytes, CLSIDFromString, CLSIDFromProgID, CoUnmarshalInterface, CoTaskMemRealloc, CoGetClassObject, CoSetProxyBlanket, CoRegisterClassObject, CreateStreamOnHGlobal, CoCreateInstanceEx, OleRegEnumVerbs, CoDisconnectObject, CoImpersonateClient, StgOpenStorage, CoReleaseMarshalData, CoTaskMemFree, CoGetInterfaceAndReleaseStream, StgIsStorageFile, IIDFromString
ADVAPI32.dll: RegQueryValueW, CheckTokenMembership, GetTokenInformation, UnlockServiceDatabase, CryptAcquireContextA, GetSecurityDescriptorControl, CopySid, ConvertSidToStringSidW, CryptAcquireContextW, FreeSid, ReportEventW, ConvertStringSidToSidW, RegEnumKeyExW, RegCloseKey, RegCreateKeyExW, LookupAccountNameW, OpenSCManagerA, EqualSid, CryptCreateHash, CryptDestroyHash, LsaQueryInformationPolicy, RegSetValueA, GetUserNameW, GetSidIdentifierAuthority, RegEnumValueW, RegCreateKeyW, RegOpenKeyW, ImpersonateLoggedOnUser, GetTraceEnableFlags, AddAccessAllowedAce, CryptHashData, OpenThreadToken
GDI32.dll: GetMapMode, CreateDCW, GetTextExtentPointW, TextOutA, RectVisible, PlayMetaFile, TextOutW, EndDoc, GetTextExtentPointA, SetROP2, SetBkColor, UnrealizeObject, RestoreDC, CreateFontIndirectA, DeleteObject, CreateMetaFileW
shlwapi.dll: StrChrIW, StrCmpNIW, PathRemoveFileSpecW, PathFileExistsW, PathStripToRootW, PathFindExtensionW, StrStrW, PathIsRelativeW, StrCmpW, PathCombineW, PathAddBackslashW, StrChrW, PathFindFileNameA, wnsprintfA, PathFindFileNameW, SHSetValueW, StrRChrW, SHStrDupW, PathIsURLW, StrStrIW, PathAppendA, PathRemoveBackslashW, AssocQueryStringW, SHRegGetBoolUSValueW, StrToIntW, StrCpyW, PathGetDriveNumberW, PathCreateFromUrlW, SHDeleteValueA, UrlUnescapeW, UrlIsW, PathRemoveBlanksW
comdlg32.dll: ChooseColorW, GetSaveFileNameW, FindTextA, GetFileTitleA, PrintDlgW, PrintDlgExW, GetSaveFileNameA, PageSetupDlgW, GetFileTitleW, ChooseFontA, PageSetupDlgA, GetOpenFileNameW, FindTextW, CommDlgExtendedError, GetOpenFileNameA, PrintDlgA, ChooseColorA, ChooseFontW
oleaut32.dll: VariantCopy, SysFreeString, VariantInit, GetActiveObject, VariantChangeType, SysStringByteLen, VariantClear, SafeArrayAccessData, SafeArrayUnaccessData, CreateErrorInfo, SysAllocStringByteLen, OleLoadPicture, RegisterTypeLib, VariantCopyInd, SysStringLen
msvcrt.dll: _adjust_fdiv, __wgetmainargs, malloc, __badioinfo, strstr, fread, fflush, _wcsnicmp, strrchr, ctime, isleadbyte, _itow, floor, _rotr, _snprintf, _wfopen, _stat, srand, _amsg_exit, setlocale, memmove, wcscpy, wcsrchr, _XcptFilter, _onexit, _wcsdup, memcpy, mbstowcs, _exit, _fileno, _access, _except_handler3, _beginthreadex, strtoul, iswctype, __set_app_type, _purecall, _wsplitpath, _finite, isdigit, _CxxThrowException, __setusermatherr, _ftol, wcspbrk, atoi, wcsncpy, towupper, __p__osver, wcscmp, __2@YAPAXI@Z, _rotl, _controlfp, _vsnprintf, rand, __0exception@@QAE@ABV0@@Z, _itoa
VERSION.dll: VerLanguageNameA, VerQueryValueW, GetFileVersionInfoSizeA, VerFindFileW, GetFileVersionInfoSizeW, VerQueryValueA, GetFileVersionInfoA, GetFileVersionInfoW
ntdll.dll: RtlxAnsiStringToUnicodeSize, RtlAllocateHeap, DbgPrint, _vsnprintf, NtWaitForSingleObject, RtlEnterCriticalSection, RtlLengthSecurityDescriptor, RtlImageNtHeader, RtlReAllocateHeap, NtOpenProcessToken, RtlLengthSid, RtlExpandEnvironmentStrings_U, NtDeviceIoControlFile, RtlMultiByteToUnicodeN, RtlDeleteResource, NtSetValueKey, RtlSubAuthorityCountSid, RtlCompareUnicodeString, RtlSetGroupSecurityDescriptor, RtlCreateHeap, RtlGetVersion, wcsrchr, NtAllocateVirtualMemory, NtWaitForMultipleObjects, RtlDestroyHeap, NtQueryVirtualMemory, swprintf, NtSetInformationProcess, wcschr, RtlDeleteElementGenericTable, strrchr, _wcsicmp, RtlGetSaclSecurityDescriptor, RtlDestroyEnvironment, RtlFreeSid, NtQueryInformationFile, NtQueryKey, RtlLengthRequiredSid, RtlConvertSidToUnicodeString, RtlOemStringToUnicodeString, RtlQueryEnvironmentVariable_U, NtWriteFile, RtlIntegerToUnicodeString, RtlInitUnicodeString, RtlCreateUnicodeStringFromAsciiz, RtlInitializeSid, RtlCreateTimer
SHELL32.dll: ShellExecuteW, SHFileOperationW, SHGetMalloc, SHGetDesktopFolder, ShellExecuteA, SHBrowseForFolderW, SHGetPathFromIDListW, DragQueryFileA, SHChangeNotify, DragQueryFileW, SHGetSpecialFolderPathW, SHGetPathFromIDListA, SHGetFileInfoW, CommandLineToArgvW, ShellExecuteExW, SHBindToParent, SHGetSpecialFolderLocation, SHBrowseForFolderA
COMCTL32.dll: ImageList_Create, PropertySheetW, ImageList_Destroy, InitCommonControlsEx, PropertySheetA, CreatePropertySheetPageW, ImageList_Draw, InitCommonControls, ImageList_ReplaceIcon
KERNEL32.dll: GetComputerNameW, LCMapStringW, OpenEventW, GetCurrentProcess, GetVersion, LeaveCriticalSection, MapViewOfFile, SetLastError, GetFileAttributesA, GetCurrentThreadId, Thread32Next, QueryPerformanceCounter, InitializeCriticalSection, OpenEventA, GetDriveTypeW, GetCommandLineW, lstrlenA, FindResourceA, GetCurrentThread, GetFileSize, InterlockedExchange, VirtualAlloc, ExitProcess, lstrcpynW, SetEndOfFile, GetModuleHandleA, WriteConsoleW, GetTempPathA, Sleep, GetCommandLineA, GetStdHandle, GetOEMCP, CreateFileW, GlobalAlloc, FormatMessageW, InterlockedCompareExchange, GetExitCodeThread, CreateEventW, GetFileAttributesW, GetLastError, GetTickCount, GetModuleFileNameW

Prevx Info:
http://info.prevx.com/aboutprogramtext. ... 00ACA98C05
ExifTool:
file metadata
CodeSize: 3584
EntryPoint: 0x3b00
FileSize: 136 kB
FileType: Win32 EXE
ImageVersion: 0.0
InitializedDataSize: 231424
LinkerVersion: 9.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 5.1
PEType: PE32
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2008:08:30 04:29:21+02:00
UninitializedDataSize: 0



mike busch
Regular Member
 
Posts: 27
Joined: October 15th, 2010, 11:45 am
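Both reports above carry the same MD5, SHA1 and SHA256, so the two startup entries are one file under two profiles. As an added example, not the thread's or VirusTotal's own code, this Python parses a constructed excerpt of those reports (values copied from the thread, selection of lines mine) to compute the detection ratio, tally which family names the engines agree on, confirm the two submissions are the same sample, and read the PE section table for packing indicators such as the high-entropy .textbss section.

```python
import re

# Constructed excerpt of the VirusTotal reports pasted above (six of the 43
# engines, the hashes and the PE section table); values copied from the thread.
VT_REPORT = """\
File name: nayvp.exe
AhnLab-V3 2010.10.20.02 2010.10.20 Win-Trojan/Zbot.139264.P
Authentium 5.2.0.5 2010.10.20 -
Kaspersky 7.0.0.125 2010.10.20 Packed.Win32.Krap.hx
Microsoft 1.6301 2010.10.20 PWS:Win32/Zbot
Norman 6.06.10 2010.10.20 -
Symantec 20101.2.0.161 2010.10.21 Trojan.Zbot
MD5 : 5ed23dddf616b8c79bc0077c3492b613
SHA256: 0b3ccb0e6bde90ac4fb398e9c67cd5f40b3356f6799bd6c08c5e4d911a907a61
name, viradd, virsiz, rawdsiz, ntropy, md5
DATA, 0x1000, 0xDE4, 0xE00, 0.00, b4202f7fe985b9648b4676e6f70832bd
.text, 0x2000, 0x201E7, 0x20200, 6.61, 1d5771d26316cee677679fba90a4fcee
.textbss, 0x23000, 0x17F69, 0x400, 7.27, 2bc507e7b0cd587079457a26468b2f24
DATA, 0x3B000, 0x3E1, 0x400, 6.63, 8e19235b7060082c482bd5551fea4bb1
.rsrc, 0x3C000, 0x1EC, 0x200, 5.08, 48786ca694fc7aad0e100bec22bf13cd
"""

VT_REPORT_EMUHK = """\
File name: emuhk.exe
MD5 : 5ed23dddf616b8c79bc0077c3492b613
SHA256: 0b3ccb0e6bde90ac4fb398e9c67cd5f40b3356f6799bd6c08c5e4d911a907a61
"""

ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256)\s*:\s*([0-9a-f]+)$")
SECTION_RE = re.compile(r"^(\S+), (0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+), "
                        r"(0x[0-9A-Fa-f]+), ([\d.]+), ([0-9a-f]{32})$")


def parse_engine_results(text):
    """Map engine name -> detection label, or None where the engine said '-'."""
    results = {}
    for line in text.splitlines():
        m = ENGINE_RE.match(line.strip())
        if m:
            label = m.group(4).strip()
            results[m.group(1)] = None if label == "-" else label
    return results


def detection_ratio(results):
    hits = sum(1 for label in results.values() if label is not None)
    return hits, len(results)


def family_votes(results, families=("zbot", "krap")):
    """How many engines mention each family name, case-insensitively."""
    labels = [label.lower() for label in results.values() if label]
    return {f: sum(1 for label in labels if f in label) for f in families}


def parse_hashes(text):
    matches = (HASH_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in matches if m}


def same_sample(report_a, report_b):
    """True when both reports carry the same SHA256: one file under two paths."""
    a = parse_hashes(report_a).get("sha256")
    return a is not None and a == parse_hashes(report_b).get("sha256")


def parse_sections(text):
    sections = []
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            name, _va, vsize, rsize, entropy, _md5 = m.groups()
            sections.append({"name": name, "virtual_size": int(vsize, 16),
                             "raw_size": int(rsize, 16), "entropy": float(entropy)})
    return sections


def packing_indicators(sections, entropy_threshold=7.0, ratio_threshold=4.0):
    """Review flags: near-random on-disk bytes, sections far larger in memory
    than on disk, duplicate names. A big virtual/raw ratio is normal for a
    real .bss section; paired with high entropy it is what packer stubs look like."""
    findings = []
    for s in sections:
        if s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}")
        if s["raw_size"] and s["virtual_size"] / s["raw_size"] >= ratio_threshold:
            findings.append(f"{s['name']}: virtual {s['virtual_size']:#x} "
                            f"vs raw {s['raw_size']:#x}")
    names = [s["name"] for s in sections]
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"{name}: section name used {names.count(name)} times")
    return findings


if __name__ == "__main__":
    res = parse_engine_results(VT_REPORT)
    print(detection_ratio(res), family_votes(res), same_sample(VT_REPORT, VT_REPORT_EMUHK))
    print(packing_indicators(parse_sections(VT_REPORT)))
```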

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby mike busch » October 20th, 2010, 8:57 pm

malwarebytes log;

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4896

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/20/2010 7:56:00 PM
mbam-log-2010-10-20 (19-56-00).txt

Scan type: Quick scan
Objects scanned: 152770
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\mike busch\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSVolume.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
mike busch
Regular Member
 
Posts: 27
Joined: October 15th, 2010, 11:45 am

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby melboy » October 21st, 2010, 1:57 pm

Hi Mike

I am sorry to be the bearer of bad news, but it is best that you know the full impact of your infections.

The files you uploaded to VirusTotal are an infection that is a Password Stealer. PWS:Win32/Zbot (Microsoft) is a password stealing trojan that also contains backdoor functionality that allows unauthorized access and control of an affected machine. This allows an attacker to remotely control your computer, steal critical system information and download and execute files. Any stolen data is uploaded to a remote server for use by criminals.

Trojan.Zbot (Symantec)

----------------------------

Further to that your computer was infected with two ROOTKITS. One, the TDL4 rootkit, also known as Win32/Alureon. Two, Win32/bubnix
A rootkit is a set of software tools intended for concealing running processes, files or system data from the operating system.

Due to its rootkit functionality, it's impossible to tell what may have been done when the system was compromised.

---------------------------

    If the Computer has been used for any important data, you are strongly advised to do the following, immediately:

  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being: Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.


Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

I can attempt to carry on cleaning this machine but I can't guarantee that it will be at all secure afterwards.

Should you have any questions, please feel free to ask.

Please let me know what you have decided to do in your next post.
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby mike busch » October 21st, 2010, 9:49 pm

Thanks for your help and I appreciate you letting me know the severity.

Well the good news is; I do not do any banking online and I have purchased stuff with my credit card, but my numbers have been stolen in the past (several times) and I have never had to pay for any of those charges.

When I noticed the virus I shut the internet access off, that might have messed up some of the info they got. (?)

I think the trojan has been removed as I did a scan and no more rootkit.win32.bubnix.auf and the computer is moving along better than it has in years.

If you think I need to do more cleaning I am up to that. I would be disappointed to clean off the hard drive as I have had the computer for a number of years and have lost all the hard copies of the software I have on it (it would be expensive to buy it all again).
mike busch
Regular Member
 
Posts: 27
Joined: October 15th, 2010, 11:45 am

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby mike busch » October 22nd, 2010, 8:19 am

rootkit.win32.bubnix.auf is still on the computer. I got a couple "successfully prevented trojan" windows from antivirus plus. I did a scan and it is there again.
mike busch
Regular Member
 
Posts: 27
Joined: October 15th, 2010, 11:45 am

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby melboy » October 22nd, 2010, 1:08 pm

Hi

Ok, run this Combofix script then we'll see what's going on. IF Combofix informs you at any time an update is available, please allow it to update.


COMBOFIX-Script

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    http://www.malwareremoval.com/forum/viewtopic.php?p=550558#p550558
    
    Collect:: 
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\nayvp.exe
    c:\documents and settings\Default User\Start Menu\Programs\Startup\emuhk.exe
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

===========
melboy
MRU Expert
 
Posts: 3670
Joined: July 25th, 2008, 4:25 pm
Location: UK

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby mike busch » October 23rd, 2010, 12:04 am

ComboFix 10-10-22.04 - mike busch 10/22/2010 22:53:21.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.320 [GMT -5:00]
Running from: c:\documents and settings\mike busch\Desktop\mikebusch.exe
Command switches used :: c:\documents and settings\mike busch\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-09-23 to 2010-10-23 )))))))))))))))))))))))))))))))
.

2010-10-21 00:41 . 2010-10-21 00:41 -------- d-----w- c:\documents and settings\mike busch\Application Data\Malwarebytes
2010-10-21 00:40 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-21 00:40 . 2010-10-21 00:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-21 00:40 . 2010-10-21 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-21 00:40 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-19 02:19 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2010-10-19 02:19 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-19 02:19 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-19 02:19 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-17 16:09 . 2010-10-17 16:09 -------- d-----w- c:\program files\Seagate
2010-10-17 16:09 . 2010-10-17 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Seagate
2010-10-17 16:07 . 2010-10-17 16:07 -------- d-----w- c:\documents and settings\mike busch\Local Settings\Application Data\Downloaded Installations
2010-10-17 16:06 . 2010-10-17 16:06 -------- d-----w- c:\program files\Carbonite
2010-10-17 16:06 . 2010-10-17 16:06 -------- d-sh--w- c:\windows\ftpcache
2010-10-17 16:05 . 2010-10-17 16:05 -------- d-----w- c:\documents and settings\mike busch\Application Data\Leadertech
2010-10-17 12:45 . 2010-10-17 13:09 -------- d-----w- C:\MikeB
2010-10-10 23:52 . 2010-10-10 23:53 -------- d-----w- c:\program files\Linksys
2010-10-08 12:50 . 2010-10-08 12:50 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-10-05 07:26 . 2010-10-05 07:26 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 17:23 . 2006-02-15 14:03 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2006-02-15 14:03 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2006-02-15 14:03 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2006-02-15 14:03 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2006-02-15 14:04 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2006-02-15 14:02 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2006-02-15 14:02 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2006-02-15 14:02 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2006-02-15 14:04 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2006-02-15 14:04 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2006-02-15 14:04 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2006-02-15 14:04 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-15 05:18 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2006-02-15 14:02 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2006-02-15 14:04 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2006-02-15 14:03 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-09 17:57 . 2010-09-22 00:46 132184 ----a-w- c:\windows\system32\drivers\kl1.sys
2010-08-09 17:57 . 2010-08-09 17:57 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-21_03.02.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-02 05:46 . 2006-12-02 05:46 65536 c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6c18549a\vcomp.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 05:08 . 2006-12-02 05:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 05:26 . 2006-12-02 05:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2009-07-12 00:41 . 2009-07-12 00:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2007-01-29 08:58 . 2010-06-21 14:46 46080 c:\windows\system32\tzchange.exe
- 2007-01-29 08:58 . 2010-04-21 13:28 46080 c:\windows\system32\tzchange.exe
+ 2006-02-15 14:03 . 2010-09-10 05:58 66560 c:\windows\system32\mshtmled.dll
- 2006-02-15 14:03 . 2009-03-08 09:31 66560 c:\windows\system32\mshtmled.dll
- 2007-08-14 00:54 . 2010-06-24 12:21 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-08-14 00:54 . 2010-09-10 05:58 55296 c:\windows\system32\msfeedsbs.dll
+ 2006-02-15 14:02 . 2010-09-10 05:58 25600 c:\windows\system32\jsproxy.dll
- 2006-02-15 14:02 . 2010-06-24 12:21 25600 c:\windows\system32\jsproxy.dll
+ 2010-09-22 00:52 . 2010-09-22 00:52 97549 c:\windows\system32\drivers\klick.dat
- 2009-07-04 15:10 . 2010-06-24 12:22 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2009-07-04 15:10 . 2010-09-10 05:58 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2010-08-27 05:57 . 2010-08-27 05:57 99840 c:\windows\system32\dllcache\srvsvc.dll
+ 2006-05-10 05:25 . 2010-09-10 05:58 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2006-05-10 05:25 . 2009-03-08 09:31 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-12-07 12:52 . 2010-09-10 05:58 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-12-07 12:52 . 2010-06-24 12:21 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-08-14 00:44 . 2010-09-10 05:58 43520 c:\windows\system32\dllcache\licmgr10.dll
- 2006-05-10 05:25 . 2010-06-24 12:21 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-10 05:25 . 2010-09-10 05:58 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2004-08-03 22:59 . 2008-04-13 18:31 36352 c:\windows\system32\dllcache\intelppm.sys
- 2010-04-01 16:42 . 2010-04-01 16:42 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2010-09-23 20:55 . 2010-09-23 20:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2010-03-31 19:51 . 2010-03-31 19:51 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2010-03-31 19:51 . 2010-03-31 19:51 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2010-03-31 19:51 . 2010-03-31 19:51 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2010-09-23 08:17 . 2010-09-23 08:17 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2010-03-31 20:32 . 2010-03-31 20:32 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2010-09-23 08:17 . 2010-09-23 08:17 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
- 2010-03-31 20:32 . 2010-03-31 20:32 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
+ 2010-10-14 11:54 . 2010-10-14 11:54 21504 c:\windows\Installer\12a9b9.msi
- 2006-02-16 10:41 . 2010-09-15 08:08 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-02-16 10:41 . 2010-10-19 02:41 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2006-02-16 10:41 . 2010-10-19 02:41 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-02-16 10:41 . 2010-09-15 08:08 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-02-16 10:41 . 2010-09-15 08:08 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-02-16 10:41 . 2010-10-19 02:41 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-02-16 10:41 . 2010-10-19 02:41 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-02-16 10:41 . 2010-09-15 08:08 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2010-10-17 16:10 . 2010-10-17 16:10 87376 c:\windows\Installer\{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}\NewShortcut3_3AA20A2C6BEF43A6A3B4F09C5D78D1D4.exe
+ 2010-10-17 16:10 . 2010-10-17 16:10 87376 c:\windows\Installer\{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}\NewShortcut2_B7AA0888E8864144BA725EAA61DC15D5.exe
+ 2010-10-17 16:10 . 2010-10-17 16:10 50512 c:\windows\Installer\{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}\NewShortcut1_68F918D3F91F411B8936985CC2BD4192.exe
+ 2010-10-17 16:10 . 2010-10-17 16:10 87376 c:\windows\Installer\{3F5CFC1C-653B-4B22-9153-2BDDF2E03C0E}\ARPPRODUCTICON.exe
+ 2010-10-19 02:40 . 2010-06-24 12:22 12800 c:\windows\ie8updates\KB2360131-IE8\xpshims.dll
+ 2010-10-19 02:40 . 2009-03-08 09:31 66560 c:\windows\ie8updates\KB2360131-IE8\mshtmled.dll
+ 2010-10-19 02:40 . 2010-06-24 12:21 55296 c:\windows\ie8updates\KB2360131-IE8\msfeedsbs.dll
+ 2010-10-19 02:40 . 2009-03-08 09:34 43008 c:\windows\ie8updates\KB2360131-IE8\licmgr10.dll
+ 2010-10-19 02:40 . 2010-06-24 12:21 25600 c:\windows\ie8updates\KB2360131-IE8\jsproxy.dll
+ 2010-10-19 02:33 . 2010-10-19 02:33 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_c3fdc88e\System.Drawing.Design.dll
+ 2010-10-19 02:33 . 2010-10-19 02:33 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_c3626064\CustomMarshalers.dll
- 2010-06-11 08:09 . 2010-06-11 08:09 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
+ 2010-10-19 02:33 . 2010-10-19 02:33 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
- 2006-02-16 10:41 . 2010-09-15 08:08 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-02-16 10:41 . 2010-10-19 02:41 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2006-02-15 14:03 . 2010-06-24 12:22 206848 c:\windows\system32\occache.dll
+ 2006-02-15 14:03 . 2010-09-10 05:58 206848 c:\windows\system32\occache.dll
+ 2006-02-15 14:03 . 2010-09-10 05:58 611840 c:\windows\system32\mstime.dll
- 2006-02-15 14:03 . 2010-06-24 12:22 611840 c:\windows\system32\mstime.dll
+ 2007-08-14 00:54 . 2010-09-10 05:58 602112 c:\windows\system32\msfeeds.dll
+ 2009-11-06 03:17 . 2009-11-06 03:17 297808 c:\windows\system32\mscoree.dll
- 2006-02-15 14:02 . 2010-06-24 12:21 184320 c:\windows\system32\iepeers.dll
+ 2006-02-15 14:02 . 2010-09-10 05:58 184320 c:\windows\system32\iepeers.dll
+ 2006-02-15 14:02 . 2010-09-10 05:58 387584 c:\windows\system32\iedkcs32.dll
- 2006-02-15 14:02 . 2010-06-24 12:21 387584 c:\windows\system32\iedkcs32.dll
+ 2006-02-15 14:02 . 2010-08-26 12:22 173056 c:\windows\system32\ie4uinit.exe
- 2006-02-15 14:02 . 2010-06-23 12:08 173056 c:\windows\system32\ie4uinit.exe
+ 2006-02-15 07:29 . 2010-10-20 11:52 180240 c:\windows\system32\FNTCACHE.DAT
- 2006-02-15 07:29 . 2010-08-11 08:28 180240 c:\windows\system32\FNTCACHE.DAT
+ 2010-09-22 00:52 . 2010-09-22 00:52 113933 c:\windows\system32\drivers\klin.dat
+ 2010-05-28 14:55 . 2010-05-28 14:55 321552 c:\windows\system32\drivers\klif.sys
+ 2009-04-15 05:18 . 2010-07-12 12:55 218112 c:\windows\system32\dllcache\wordpad.exe
- 2006-02-15 14:04 . 2010-06-24 12:22 916480 c:\windows\system32\dllcache\wininet.dll
+ 2006-02-15 14:04 . 2010-09-10 05:58 916480 c:\windows\system32\dllcache\wininet.dll
- 2009-06-16 14:36 . 2009-10-15 16:28 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-06-16 14:36 . 2010-08-27 08:02 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2008-10-14 23:36 . 2010-08-26 13:39 357248 c:\windows\system32\dllcache\srv.sys
- 2009-04-15 14:51 . 2010-07-22 15:49 590848 c:\windows\system32\dllcache\rpcrt4.dll
+ 2009-04-15 14:51 . 2010-08-16 08:45 590848 c:\windows\system32\dllcache\rpcrt4.dll
+ 2007-08-14 00:44 . 2010-09-10 05:58 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-14 00:44 . 2010-06-24 12:22 206848 c:\windows\system32\dllcache\occache.dll
- 2006-05-10 05:25 . 2010-06-24 12:22 611840 c:\windows\system32\dllcache\mstime.dll
+ 2006-05-10 05:25 . 2010-09-10 05:58 611840 c:\windows\system32\dllcache\mstime.dll
+ 2007-12-07 12:52 . 2010-09-10 05:58 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2006-10-14 08:13 . 2010-09-18 17:23 974848 c:\windows\system32\dllcache\mfc42u.dll
- 2009-07-04 15:10 . 2010-06-24 12:21 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-07-04 15:10 . 2010-09-10 05:58 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2006-05-10 05:25 . 2010-09-10 05:58 184320 c:\windows\system32\dllcache\iepeers.dll
- 2006-05-10 05:25 . 2010-06-24 12:21 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2010-06-11 00:09 . 2010-09-10 05:58 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2010-06-11 00:09 . 2010-06-24 12:21 743424 c:\windows\system32\dllcache\iedvtool.dll
- 2007-08-14 00:39 . 2010-06-24 12:21 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-14 00:39 . 2010-09-10 05:58 387584 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-08-14 00:39 . 2010-08-26 12:22 173056 c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-14 00:39 . 2010-06-23 12:08 173056 c:\windows\system32\dllcache\ie4uinit.exe
+ 2010-04-20 05:30 . 2010-09-01 11:51 285824 c:\windows\system32\dllcache\atmfd.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2010-03-31 19:51 . 2010-03-31 19:51 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2010-03-31 19:49 . 2010-03-31 19:49 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2010-09-23 07:25 . 2010-09-23 07:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2010-09-23 08:17 . 2010-09-23 08:17 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2010-03-31 20:32 . 2010-03-31 20:32 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2010-10-17 16:07 . 2010-10-17 16:07 331264 c:\windows\Installer\7cb61.msi
+ 2010-10-19 02:30 . 2010-10-19 02:30 248832 c:\windows\Installer\110418.msi
+ 2006-02-16 10:41 . 2010-10-19 02:41 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-02-16 10:41 . 2010-09-15 08:08 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2006-02-16 10:41 . 2010-09-15 08:08 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-02-16 10:41 . 2010-10-19 02:41 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-02-16 10:41 . 2010-09-15 08:08 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-02-16 10:41 . 2010-10-19 02:41 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-02-16 10:41 . 2010-10-19 02:41 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-02-16 10:41 . 2010-09-15 08:08 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-02-16 10:41 . 2010-10-19 02:41 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-02-16 10:41 . 2010-09-15 08:08 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2010-10-19 02:40 . 2010-06-24 12:22 916480 c:\windows\ie8updates\KB2360131-IE8\wininet.dll
+ 2010-10-19 02:40 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2360131-IE8\spuninst\updspapi.dll
+ 2010-10-19 02:40 . 2009-05-26 09:01 231288 c:\windows\ie8updates\KB2360131-IE8\spuninst\spuninst.exe
+ 2010-10-19 02:40 . 2010-06-24 12:22 206848 c:\windows\ie8updates\KB2360131-IE8\occache.dll
+ 2010-10-19 02:40 . 2010-06-24 12:22 611840 c:\windows\ie8updates\KB2360131-IE8\mstime.dll
+ 2010-10-19 02:40 . 2010-06-24 12:21 599040 c:\windows\ie8updates\KB2360131-IE8\msfeeds.dll
+ 2010-10-19 02:40 . 2010-06-24 12:21 247808 c:\windows\ie8updates\KB2360131-IE8\ieproxy.dll
+ 2010-10-19 02:40 . 2010-06-24 12:21 184320 c:\windows\ie8updates\KB2360131-IE8\iepeers.dll
+ 2010-10-19 02:40 . 2010-06-24 12:21 743424 c:\windows\ie8updates\KB2360131-IE8\iedvtool.dll
+ 2010-10-19 02:40 . 2010-06-24 12:21 387584 c:\windows\ie8updates\KB2360131-IE8\iedkcs32.dll
+ 2010-10-19 02:40 . 2010-06-23 12:08 173056 c:\windows\ie8updates\KB2360131-IE8\ie4uinit.exe
+ 2010-10-19 02:34 . 2010-10-19 02:34 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_dca40a68\System.Drawing.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 192512 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_f36c1da8\System.Drawing.Design.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 118784 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_6fbade09\CustomMarshalers.dll
+ 2010-10-19 02:19 . 2010-08-23 16:12 1054208 c:\windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 1093120 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
+ 2006-12-02 05:25 . 2006-12-02 05:25 1101824 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
+ 2006-02-15 14:04 . 2010-09-10 05:58 1210880 c:\windows\system32\urlmon.dll
+ 2006-02-15 14:03 . 2010-07-16 12:05 1288192 c:\windows\system32\ole32.dll
+ 2006-02-15 14:03 . 2010-09-10 05:58 5957120 c:\windows\system32\mshtml.dll
+ 2007-08-14 00:34 . 2010-09-10 05:58 1986560 c:\windows\system32\iertutil.dll
- 2007-08-14 00:34 . 2010-06-24 12:21 1986560 c:\windows\system32\iertutil.dll
+ 2008-10-14 23:35 . 2010-08-31 13:42 1852800 c:\windows\system32\dllcache\win32k.sys
+ 2006-05-10 05:25 . 2010-09-10 05:58 1210880 c:\windows\system32\dllcache\urlmon.dll
+ 2010-07-16 12:05 . 2010-07-16 12:05 1288192 c:\windows\system32\dllcache\ole32.dll
+ 2006-05-19 15:06 . 2010-09-10 05:58 5957120 c:\windows\system32\dllcache\mshtml.dll
+ 2007-12-07 12:52 . 2010-09-10 05:58 1986560 c:\windows\system32\dllcache\iertutil.dll
- 2007-12-07 12:52 . 2010-06-24 12:21 1986560 c:\windows\system32\dllcache\iertutil.dll
- 2010-04-01 16:42 . 2010-04-01 16:42 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2010-09-23 20:55 . 2010-09-23 20:55 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2010-04-01 16:42 . 2010-04-01 16:42 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2010-09-23 20:55 . 2010-09-23 20:55 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2010-09-23 07:26 . 2010-09-23 07:26 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2010-03-31 19:50 . 2010-03-31 19:50 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2010-09-23 07:25 . 2010-09-23 07:25 2523136 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2010-04-01 16:42 . 2010-04-01 16:42 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-09-23 20:55 . 2010-09-23 20:55 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2010-10-17 16:10 . 2010-10-17 16:10 3668992 c:\windows\Installer\7cb66.msi
+ 2010-08-23 22:09 . 2010-08-23 22:09 7673344 c:\windows\Installer\110464.msp
+ 2010-10-04 21:32 . 2010-10-04 21:32 5517824 c:\windows\Installer\110452.msp
+ 2010-08-24 14:49 . 2010-08-24 14:49 6825472 c:\windows\Installer\110429.msp
+ 2010-10-19 02:40 . 2010-06-24 12:22 1210368 c:\windows\ie8updates\KB2360131-IE8\urlmon.dll
+ 2010-10-19 02:40 . 2010-06-24 12:22 5951488 c:\windows\ie8updates\KB2360131-IE8\mshtml.dll
+ 2010-10-19 02:40 . 2010-06-24 12:21 1986560 c:\windows\ie8updates\KB2360131-IE8\iertutil.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 4792320 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_91e2d7f2\System.dll
+ 2010-10-19 02:33 . 2010-10-19 02:33 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_3d149c19\System.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 5513216 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_ceb9c03b\System.Xml.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_bf52a4c2\System.Xml.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 7884800 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_4ecc7bf9\System.Windows.Forms.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_494d9cf3\System.Windows.Forms.dll
+ 2010-10-19 02:35 . 2010-10-19 02:35 2244608 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_0f90a563\System.Drawing.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 3395584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_f7abd516\System.Design.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_bf0ca42a\System.Design.dll
+ 2010-10-19 02:35 . 2010-10-19 02:35 8908800 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_bd88e1dd\mscorlib.dll
+ 2010-10-19 02:34 . 2010-10-19 02:34 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_43a4040e\mscorlib.dll
- 2010-06-11 08:09 . 2010-06-11 08:09 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2010-10-19 02:33 . 2010-10-19 02:33 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2010-10-19 02:33 . 2010-10-19 02:33 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2010-06-11 08:09 . 2010-06-11 08:09 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2006-02-15 14:05 . 2009-07-14 04:43 10841088 c:\windows\system32\wmp.dll
+ 2006-02-15 14:05 . 2010-08-26 04:36 10841088 c:\windows\system32\wmp.dll
+ 2006-07-24 11:27 . 2010-10-19 02:35 35385288 c:\windows\system32\MRT.exe
+ 2007-08-14 00:54 . 2010-09-10 05:58 11080192 c:\windows\system32\ieframe.dll
- 2009-07-14 04:43 . 2009-07-14 04:43 10841088 c:\windows\system32\dllcache\wmp.dll
+ 2009-07-14 04:43 . 2010-08-26 04:36 10841088 c:\windows\system32\dllcache\wmp.dll
+ 2007-12-07 12:52 . 2010-09-10 05:58 11080192 c:\windows\system32\dllcache\ieframe.dll
+ 2010-09-24 19:08 . 2010-09-24 19:08 11430400 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2416447\M2416447Uninstall.msp
+ 2010-09-24 12:08 . 2010-09-24 12:08 17518080 c:\windows\Installer\110441.msp
+ 2010-10-19 02:40 . 2010-06-24 22:51 11077120 c:\windows\ie8updates\KB2360131-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\PLAV\Pareto_AV.exe" [2010-09-08 4547864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-05 155648]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-12-18 197928]
"XoftSpySE"="c:\program files\XoftSpySE6\XoftSpySE.exe" [2010-09-29 4861720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe" [2010-08-28 232912]

c:\documents and settings\mike busch\Start Menu\Programs\Startup\
Seagate Product Registration.lnk - c:\documents and settings\mike busch\Application Data\Leadertech\PowerRegister\Seagate Product Registration.exe [2010-10-17 1731736]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\America Online 9.0a\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\aolsoftware.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56092:TCP"= 56092:TCP:Pando
"56092:UDP"= 56092:UDP:Pando
"22778:TCP"= 22778:TCP:spport
"22549:TCP"= 22549:TCP:spport
"29215:TCP"= 29215:TCP:spport
"16980:TCP"= 16980:TCP:spport
"18849:TCP"= 18849:TCP:spport
"8955:TCP"= 8955:TCP:spport
"18405:TCP"= 18405:TCP:spport
"29937:TCP"= 29937:TCP:spport
"7953:TCP"= 7953:TCP:spport
"6578:TCP"= 6578:TCP:spport
"15619:TCP"= 15619:TCP:spport

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [8/9/2010 12:57 PM 32272]
S2 gupdate1c9cab57a5a0ae4;Google Update Service (gupdate1c9cab57a5a0ae4);c:\program files\Google\Update\GoogleUpdate.exe [5/1/2009 6:35 PM 133104]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 PLAVService;PLAVService;c:\program files\Common Files\PLAV\plavservice.exe [9/8/2010 12:32 PM 599384]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\DRIVERS\w600bus.sys --> c:\windows\system32\DRIVERS\w600bus.sys [?]
S3 w600mdfl;Sony Ericsson W600 USB WMC Modem Filter;c:\windows\system32\DRIVERS\w600mdfl.sys --> c:\windows\system32\DRIVERS\w600mdfl.sys [?]
S3 w600mdm;Sony Ericsson W600 USB WMC Modem Drivers;c:\windows\system32\DRIVERS\w600mdm.sys --> c:\windows\system32\DRIVERS\w600mdm.sys [?]
S3 w600mgmt;Sony Ericsson W600 USB WMC Device Management Drivers;c:\windows\system32\DRIVERS\w600mgmt.sys --> c:\windows\system32\DRIVERS\w600mgmt.sys [?]
S3 w600obex;Sony Ericsson W600 USB WMC OBEX Interface Drivers;c:\windows\system32\DRIVERS\w600obex.sys --> c:\windows\system32\DRIVERS\w600obex.sys [?]
S3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [9/29/2010 1:43 PM 582424]
.
Contents of the 'Scheduled Tasks' folder

2010-10-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-08 23:34]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:35]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-01 23:35]

2010-10-05 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]

2010-10-04 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\PLAV\pareto_av.exe [2010-09-08 17:31]

2010-10-04 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-23 21:58]

2010-10-07 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-23 21:58]

2006-07-19 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]

2010-09-19 c:\windows\Tasks\XoftSpySE.job
- c:\program files\XoftSpySE6\XoftSpySELauncher.exe [2010-09-29 18:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstart
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-22 23:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-10-22 23:02:56
ComboFix-quarantined-files.txt 2010-10-23 04:02
ComboFix2.txt 2010-10-20 12:37
ComboFix3.txt 2010-10-17 13:09
ComboFix4.txt 2010-10-15 15:14
ComboFix5.txt 2010-10-23 03:49

Pre-Run: 53,831,028,736 bytes free
Post-Run: 53,932,752,896 bytes free

- - End Of File - - 84E2B897E52A8A775DA3CDD79157E563
mike busch
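The ComboFix log above lists autostart points, firewall exceptions and services in a fixed text layout. What follows is an added example, written for this page rather than taken from the thread or from ComboFix, that pulls those sections into structured data and prints the items a helper would eyeball first: the Security Center override, any single program that has opened several inbound ports, and services whose binaries are missing or could not be verified. The regular expressions and the MANY_PORTS threshold are my assumptions about ComboFix's layout, and SAMPLE is a constructed excerpt modelled on the posted log.

```python
"""Pull the security-relevant sections out of a ComboFix log.

Added example for this thread; not code from ComboFix or from the forum.
The regexes are assumptions about ComboFix's layout for registry values,
firewall rules and service lines. SAMPLE is a constructed excerpt modelled
on the log posted above.
"""
import re
from collections import defaultdict

SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Pando\\Pando.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56092:TCP"= 56092:TCP:Pando
"56092:UDP"= 56092:UDP:Pando
"22778:TCP"= 22778:TCP:spport
"22549:TCP"= 22549:TCP:spport
"29215:TCP"= 29215:TCP:spport
"16980:TCP"= 16980:TCP:spport

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [12/18/2009 11:25 AM 189736]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 w600bus;Sony Ericsson W600 driver (WDM);c:\windows\system32\DRIVERS\w600bus.sys --> c:\windows\system32\DRIVERS\w600bus.sys [?]
"""

# Assumed layouts: "[hive\path]" headers, "name"=data values, N:PROTO:label
# firewall rules, and "R2 name;display;image [stamp]" service lines.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
PORT_RE = re.compile(r"^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<label>.+)$")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

MANY_PORTS = 3  # assumed threshold: one program opening this many inbound ports deserves a look


def parse_log(text):
    """Return registry values keyed by hive path, open firewall ports and services."""
    parsed = {"values": defaultdict(dict), "open_ports": [], "services": []}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest").strip()
            parsed["services"].append({
                "state": m.group("state"),          # R = running, S = stopped
                "name": m.group("name"),
                "display": m.group("display"),
                "image": rest,
                "missing": rest.startswith("[x]"),  # registered, but no binary on disk
                "unverified": rest.endswith("[?]"), # ComboFix could not read the file
            })
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.group("name"), m.group("data").strip()
            parsed["values"][key][name] = data
            pm = PORT_RE.match(data)
            if key.endswith(r"GloballyOpenPorts\List") and pm:
                parsed["open_ports"].append(
                    (int(pm.group("port")), pm.group("proto"), pm.group("label")))
    return parsed


def review(parsed):
    """Return human-readable findings a helper would want to check by hand."""
    findings = []
    sec = parsed["values"].get(r"HKEY_LOCAL_MACHINE\software\microsoft\security center", {})
    if sec.get("AntiVirusOverride") == "dword:00000001":
        findings.append("Security Center antivirus warnings are suppressed (AntiVirusOverride=1)")
    by_label = defaultdict(list)
    for port, proto, label in parsed["open_ports"]:
        by_label[label].append(f"{port}/{proto}")
    for label, ports in sorted(by_label.items()):
        if len(ports) >= MANY_PORTS:
            findings.append(f"'{label}' opens {len(ports)} inbound ports: {', '.join(ports)}")
    for svc in parsed["services"]:
        if svc["missing"]:
            findings.append(f"service '{svc['name']}' is registered but its binary is gone")
        elif svc["unverified"]:
            findings.append(f"service '{svc['name']}' points at a file ComboFix could not verify: {svc['image']}")
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE)):
        print("-", finding)
```

Run it against a saved ComboFix.txt by replacing SAMPLE with the file contents; the findings are only pointers for a human to check, not verdicts, since a legitimate program can open many ports and a stopped driver for an unplugged phone will show as unverified.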

Re: help kill this; rootkit.win32.bubnix.auf

Unread postby melboy » October 23rd, 2010, 4:18 am

Hi Mike

That looks good. There's no sign of Bubnix in the combofix log.
Tell me, what and where is ParetoLogic detecting it (the filename and path)? Is it in System Volume Information by any chance?



Update Adobe Reader

Your Adobe Reader is out of date.
Older versions may have vulnerabilities that malware can use to infect your system.
Please download Adobe Reader 9.4 to your PC's desktop.
  • Uninstall via Start > Control Panel > Add/Remove Programs:
    Adobe Reader 7.1.0
  • Install the new downloaded updated software.



Update Java Runtime
You are using an old version of Java. Oracle Java (was Sun Java) is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Oracle Java is: Java Runtime Environment Version 6 Update 22.

  • Go to Oracle Java
  • Scroll down to where it says "Java Platform, Standard Edition JDK 6 Update 22 (JDK or JRE)"
  • Click the Download JRE button to the right
  • In the Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u22-windows-i586.exe" and save the downloaded file to your desktop.
  • Uninstall all old versions of Java via Start > Control Panel > Add/Remove Programs:
    J2SE Runtime Environment 5.0 Update 4
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer



Security Check

Please download and save SecurityCheck.exe to your Desktop from one of the links below.

Link 1
Link 2

  • Double click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • When finished, a Notepad document should open automatically called checkup.txt
  • Please post the contents of that document in your next reply.



TFC

You should still have this on your desktop.

  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • Click the Start button in the bottom left of TFC
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It should not take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

  • Please go here then click on: [image]
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/ActiveX to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan otherwise it may stall.
  • When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic.
  • Now click on: [image] (Selecting Uninstall application on close if you so wish)
  • Re-enable your anti-virus software.
melboy
