Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Windows Updates disabled - Unable to remove malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Windows Updates disabled - Unable to remove malware

Unread postby Jon22 » April 11th, 2011, 7:31 pm

This is a computer that was given to me to clean. I have been unsuccessful in my attemps to remove the malware. It has diabled windows updates and mozilla firefox from running. Navigation to the wiondows update page by any means is disabled. Sometimes directed to false web sites. Emsisoft, Malwarebytes and Mcafee Anitivius plus (installed post infection) have removed many infections, but I feel to no avail since registry values have already been compromised.

Just looking for some advice and direction on where to go from here without doing a reinstall. If this is necessary than so be it. Would rather see if I can salvage the current instance of windows.

Thanks for any advice or tips in advance, I know that you guys have a keen eye as to what stands out. I can also produce a hijack this report if needed.

Thanks,

Jonathan
_________________________________________________________________
DDS Text Below:
DDS (Ver_11-03-05.01) - NTFSx86
Run by Jamie Miller at 17:12:56.84 on Mon 04/11/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1020 [GMT -5:00]
.
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\WINDOWS\UMStor\Res.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Emsisoft Anti-Malware\a2start.exe
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google\Update\GoogleUpdateBeta.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\dds.scr
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/ ... nel=us-smb
uDefault_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080619
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/ ... nel=us-smb
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/ ... nel=us-smb
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol search\AOLSearch.dll
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol search\AOLSearch.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110410204153.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USB Storage Toolbox] c:\windows\umstor\Res.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: itlnfw32 - itlnfw32.dll
Notify: itlntfy - itlnfw32.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-4-10 386840]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-4-10 84072]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2011-4-10 2860800]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2006-12-19 79432]
R2 GoogleUpdateBeta;Google Update Service;c:\documents and settings\networkservice\local settings\application data\google\update\GoogleUpdateBeta.exe [2011-4-11 19968]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-10 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-10 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2011-4-10 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-4-10 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-4-10 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-4-10 141792]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2004-8-11 5120]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-4-10 55840]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [2006-11-2 97536]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-4-10 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-4-10 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-4-10 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-4-10 88544]
R4 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-4-9 38224]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-9 135664]
S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2004-8-11 14336]
S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2011-4-10 73728]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-6-19 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-4-10 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-4-10 84264]
.
=============== Created Last 30 ================
.
2011-04-11 02:39:46 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-04-11 01:41:53 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2011-04-11 01:41:52 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-11 01:41:46 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-11 01:41:44 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-11 01:41:43 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-11 01:41:43 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-11 01:41:43 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-11 01:41:43 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-11 01:41:43 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-11 01:41:43 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-11 01:41:43 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-11 01:41:43 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-10 19:43:36 -------- d-----w- c:\program files\common files\McAfee
2011-04-10 19:43:34 -------- d-----w- c:\program files\McAfee.com
2011-04-10 19:43:25 -------- d-----w- c:\program files\McAfee
2011-04-10 02:31:39 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-09 23:55:32 -------- d-----w- c:\program files\CCleaner
2011-04-09 23:11:29 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 23:11:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 23:11:25 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 23:03:57 -------- d-----w- c:\docume~1\jamiem~1\applic~1\Malwarebytes
2011-04-09 23:03:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-09 22:04:29 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-09 21:07:55 -------- d-----w- c:\windows\pss
2011-04-04 19:34:01 -------- d-----w- c:\docume~1\jamiem~1\locals~1\applic~1\{88656822-8524-4662-AEBB-5C60B542ECC5}
2011-04-04 19:33:04 217 ----a-w- c:\documents and settings\jamie miller\delme.bat
2011-04-04 19:31:47 -------- d-----w- c:\docume~1\jamiem~1\applic~1\95DF6A5DCFF7D93FFA67CDE5A7AC3F1F
2011-04-04 19:31:27 114688 --sha-r- c:\windows\system32\snmpapiq.dll
2011-04-04 19:31:27 114688 --sha-r- c:\windows\system32\slbiopb.dll
2011-04-04 01:01:20 -------- d-----w- c:\docume~1\jamiem~1\locals~1\applic~1\AskToolbar
2011-03-13 00:54:52 -------- d-----w- c:\program files\iPod
2011-03-13 00:54:46 -------- d-----w- c:\program files\iTunes
2011-03-12 23:42:49 -------- d-----w- c:\docume~1\jamiem~1\applic~1\FrostWire
2011-03-12 23:41:49 -------- d-----w- c:\program files\Ask.com
2011-03-12 23:41:31 -------- d-----w- c:\program files\FrostWire
.
==================== Find3M ====================
.
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8051GSY rev.LD201D -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A7C2439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a7c87d0]; MOV EAX, [0x8a7c884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A7FCAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A7F0628]
\Driver\atapi[0x8A85A828] -> IRP_MJ_CREATE -> 0x8A7C2439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskTOSHIBA_MK8051GSY_______________________LD201D__#5&16482f9&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A7C227F
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:15:27.10 ===============
Attach.txt below:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/9/2010 3:47:40 PM
System Uptime: 4/11/2011 4:11:42 PM (1 hours ago)
.
Motherboard: Dell Inc. | | 0HN338
Processor: Intel Pentium III Xeon processor | Microprocessor | 2394/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 19.847 GiB free.
D: is CDROM ()
E: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetXtreme 57xx Gigabit Controller
Device ID: PCI\VEN_14E4&DEV_1673&SUBSYS_01FE1028&REV_02\4&1E93A591&0&00E5
Manufacturer: Broadcom
Name: Broadcom NetXtreme 57xx Gigabit Controller
PNP Device ID: PCI\VEN_14E4&DEV_1673&SUBSYS_01FE1028&REV_02\4&1E93A591&0&00E5
Service: b57w2k
.
==== System Restore Points ===================
.
RP1: 4/10/2011 8:12:35 AM - System Checkpoint
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
3600_Help
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.0
AIM 7
AIM Toolbar
AOL Search
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATT-RC Self Support Tool
AuthenTec Fingerprint Sensor Minimum Install
Bing Bar
biolsp patch
BlackBerry App World Browser Plugin
BlackBerry Desktop Software 6.0
BlackBerry Device Software Updater
Bluetooth Stack for Windows by Toshiba
Bonjour
BPD_Scan
BPDSoftware_Ini
Broadcom ASF Management Applications
Broadcom Management Programs
Browser Address Error Redirector
BufferChm
Canon MP250 series MP Drivers
CCleaner
Conexant HDA D330 MDC V.92 Modem
Coupon Printer for Windows
Dell Drivers MSI
Dell Embassy Trust Suite by Wave Systems
Dell Touchpad
Digital Line Detect
Document Manager Lite
Download Updater (AOL LLC)
EMBASSY Security Center
EMBASSY Security Setup
EMBASSY Trust Suite by Wave Systems
Emsisoft Anti-Malware 5.1
ESC Home Page Plugin
FrostWire 4.21.3
Gemalto
GemSafe Standard Edition 5.1
Google Desktop
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP OfficeJet J3600
Inkscape 0.48.0
Intel(R) PROSet/Wireless Software
IntelliSonic Speech Enhancement
iTunes
J3600_Basic
Java(TM) 6 Update 15
Java(TM) 6 Update 5
Malwarebytes' Anti-Malware
McAfee AntiVirus Plus
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Default Manager
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Communicator 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
mIWA
mLogView
mMHouse
MobileMe Control Panel
Modem Diagnostic Tool
mPfMgr
mPfWiz
mProSafe
mSCfg
mSSO
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
mWlsSafe
mWMI
mZConfig
Napster Download Manager
NetWaiting
NTRU TCG Software Stack
NVIDIA Drivers
OGA Notifier 2.0.0048.0
PowerDVD
Preboot Manager
Private Information Manager
QuickSet
QuickTime
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler 3
Roxio Update Manager
Safari
Scan
SearchAssist
Secure Update
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2289158)
Security Update for 2007 Microsoft Office System (KB2344875)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB2345035)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office PowerPoint Viewer (KB2413381)
Security Update for Microsoft Office Publisher 2007 (KB2284697)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Security Wizards
Sonic CinePlayer Decoder Pack
Sure Cuts A Lot 2.030
Toolbox
Trusted Drive Manager
tsp patch
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB2412171)
Update for Outlook 2007 Junk Email Filter (KB2508979)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
upekmsi
USB Disk Win98 Driver
Wave Infrastructure Installer
Wave Support Software
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
4/9/2011 9:41:41 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/9/2011 9:35:02 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/9/2011 6:47:37 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: APPDRV BHDrvx86 ccHP eeCtrl Fips intelppm SRTSPX SymIRON Tosrfcom
4/9/2011 6:35:24 PM, error: Service Control Manager [7000] - The tmcomm service failed to start due to the following error: The system cannot find the file specified.
4/9/2011 6:29:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
4/9/2011 6:29:36 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/9/2011 6:11:05 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/9/2011 5:54:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV BHDrvx86 ccHP eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SRTSPX SymIRON Tcpip Tosrfcom
4/9/2011 5:54:28 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
4/9/2011 5:54:28 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/9/2011 5:54:28 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/9/2011 5:54:28 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
4/9/2011 5:54:28 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/9/2011 5:54:28 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/9/2011 4:05:18 PM, error: Service Control Manager [7024] - The Norton AntiVirus service terminated with service-specific error 4294967295 (0xFFFFFFFF).
4/11/2011 4:06:22 PM, error: Service Control Manager [7023] - The Intel CPU service terminated with the following error: The specified module could not be found.
4/10/2011 9:52:30 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
4/10/2011 9:51:09 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD APPDRV Fips intelppm IPSec mfehidk mfetdi2k MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip Tosrfcom
4/10/2011 9:51:09 PM, error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
4/10/2011 9:51:09 PM, error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
4/10/2011 9:51:09 PM, error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
4/10/2011 9:51:09 PM, error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
4/10/2011 9:51:09 PM, error: Service Control Manager [7001] - The McAfee Network Agent service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
4/10/2011 9:51:09 PM, error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
4/10/2011 9:36:37 PM, error: Service Control Manager [7023] - The Network Security service terminated with the following error: The specified module could not be found.
4/10/2011 9:16:59 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
4/10/2011 8:49:17 PM, error: Service Control Manager [7023] - The 6to4 service terminated with the following error: The specified module could not be found.
4/10/2011 8:25:57 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
4/10/2011 7:44:32 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/10/2011 3:29:36 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
4/10/2011 3:29:02 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
.
==== End Of File ===========================

This is a computer that was given to me to clean. I have been unsuccessful in my attemps to remove the malware. It has diabled windows updates and mozilla firefox from running. Navigation to the wiondows update page by any means is disabled. Sometimes directed to false web sites. Emsisoft, Malwarebytes and Mcafee Anitivius plus (installed post infection) have removed many infections, but I feel to no avail since registry values have already been compromised.

Just looking for some advice and direction on where to go from here without doing a reinstall. If this is necessary than so be it. Would rather see if I can salvage the current instance of windows.

Thanks for any advice or tips in advance, I know that you guys have a keen eye as to what stands out. I can also produce a hijack this report if needed.

Thanks,

Jonathan
Jon22
Active Member
 
Posts: 10
Joined: April 11th, 2011, 6:22 pm
Advertisement
Register to Remove

Re: Windows Updates disabled - Unable to remove malware

Unread postby askey127 » April 13th, 2011, 1:46 pm

Hi jon22,
-----------------------------------------------
Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs
It is posted here: http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394
As a condition of receiving our help, I have included the P2P program Frostwire in the removal instructions below, so we are not wasting our time.
If you have used this, and your computer is infected, you can be fairly confident this is a principal reason.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Frostwire, Vuze, Shareaza, Bitlord.
(Limewire has just been shut down by the courts).
Criminals have "planted" thousands upon thousands of infections in the "free" shared files.
Virtually all of these recent infections will compromise your Security, and some can turn your machine into a useless "doorstop".

-----------------------------------------------------------
Among other things, we are removing obsolete Java and Adobe Reader. We will replace them later.
Remove Programs Using Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

Adobe Reader 9.4.0
Ask Toolbar
Emsisoft Anti-Malware 5.1
FrostWire 4.21.3
Java(TM) 6 Update 15
Java(TM) 6 Update 5
SearchAssist

Take extra care in answering questions posed by any Uninstaller.
------------------------------------------------
Download and Run Rkill
Please download and run the tool named Rkill, which may help in allowing other programs to run.
There are 4 different versions. If one of them won't run then download and try to run one of the other ones.
Vista and Win7 users need to right click Rkill and choose Run as Administrator
You only need to get ONE of these to run, not all of them. You may get warnings from your antivirus about any of these tools, ignore them or shutdown your antivirus.
Please download Rkill from one of the following links and save to your Desktop:
Rkill.exe
RKill.com
RKill.scr
Rkill.pif
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If ir does not, delete the desktop entry. Then download and use the one provided in the next link.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the main directory of C:
    (the dd.mm.yyyy_hh.mm.ss numbers in the filename represent the time/date stamp)
  6. Copy and paste the contents of that file in your next reply.
If, for some reason,you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

Looking for the TDSSKiller log from its first run. Let me know how it goes.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Windows Updates disabled - Unable to remove malware

Unread postby Jon22 » April 13th, 2011, 2:25 pm

Thanks askey127. I totally agree with you about the P2P software and I never run that stuff on my personal computer! I plan on running the scans tonight and I will post my results asap. Thanks for your help.

Jonathan
Jon22
Active Member
 
Posts: 10
Joined: April 11th, 2011, 6:22 pm

Re: Windows Updates disabled - Unable to remove malware

Unread postby Jon22 » April 14th, 2011, 2:21 pm

Askey127, here is the results from the Kaspersky TDSSKILLER scan. It didn't seem to find anything. All software recommended has been removed.

Thanks again,

Jonathan


2011/04/13 20:43:13.0328 4652 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/13 20:43:13.0343 4652 ================================================================================
2011/04/13 20:43:13.0343 4652 SystemInfo:
2011/04/13 20:43:13.0343 4652
2011/04/13 20:43:13.0343 4652 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/13 20:43:13.0343 4652 Product type: Workstation
2011/04/13 20:43:13.0343 4652 ComputerName: JAMIE
2011/04/13 20:43:13.0343 4652 UserName: Jamie Miller
2011/04/13 20:43:13.0343 4652 Windows directory: C:\WINDOWS
2011/04/13 20:43:13.0343 4652 System windows directory: C:\WINDOWS
2011/04/13 20:43:13.0343 4652 Processor architecture: Intel x86
2011/04/13 20:43:13.0343 4652 Number of processors: 2
2011/04/13 20:43:13.0343 4652 Page size: 0x1000
2011/04/13 20:43:13.0343 4652 Boot type: Normal boot
2011/04/13 20:43:13.0343 4652 ================================================================================
2011/04/13 20:43:13.0500 4652 Initialize success
2011/04/13 20:43:37.0656 5652 ================================================================================
2011/04/13 20:43:37.0656 5652 Scan started
2011/04/13 20:43:37.0656 5652 Mode: Manual;
2011/04/13 20:43:37.0656 5652 ================================================================================
2011/04/13 20:43:38.0375 5652 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/04/13 20:43:38.0406 5652 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/13 20:43:38.0453 5652 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/04/13 20:43:38.0484 5652 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/04/13 20:43:38.0531 5652 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/13 20:43:38.0562 5652 AegisP (a1ad1a4a9f18d900ca9c93fa3efdcb56) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/04/13 20:43:38.0609 5652 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/13 20:43:38.0640 5652 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/04/13 20:43:38.0687 5652 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/04/13 20:43:38.0718 5652 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/04/13 20:43:38.0765 5652 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/04/13 20:43:38.0781 5652 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/04/13 20:43:38.0828 5652 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/04/13 20:43:38.0859 5652 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/04/13 20:43:38.0890 5652 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/04/13 20:43:38.0921 5652 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/04/13 20:43:38.0937 5652 ApfiltrService (b8d65da679a4a8d048783ede2691b5d4) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/04/13 20:43:38.0968 5652 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2011/04/13 20:43:39.0000 5652 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/04/13 20:43:39.0046 5652 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/04/13 20:43:39.0078 5652 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/04/13 20:43:39.0109 5652 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/04/13 20:43:39.0156 5652 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/13 20:43:39.0171 5652 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/13 20:43:39.0218 5652 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/13 20:43:39.0234 5652 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/13 20:43:39.0265 5652 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/04/13 20:43:39.0312 5652 BASFND (5c68ac6f3e5b3e6d6a78e97d05e42c3a) C:\Program Files\Broadcom\ASFIPMon\BASFND.sys
2011/04/13 20:43:39.0328 5652 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/13 20:43:39.0343 5652 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/04/13 20:43:39.0359 5652 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/13 20:43:39.0390 5652 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/04/13 20:43:39.0406 5652 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/13 20:43:39.0421 5652 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/13 20:43:39.0453 5652 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/13 20:43:39.0500 5652 cfwids (7e6f7da1c4de5680820f964562548949) C:\WINDOWS\system32\drivers\cfwids.sys
2011/04/13 20:43:39.0562 5652 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/13 20:43:39.0578 5652 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/04/13 20:43:39.0609 5652 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/13 20:43:39.0640 5652 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/04/13 20:43:39.0656 5652 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/04/13 20:43:39.0687 5652 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/04/13 20:43:39.0703 5652 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/13 20:43:39.0718 5652 DLABMFSM (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
2011/04/13 20:43:39.0734 5652 DLABOIOM (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS
2011/04/13 20:43:39.0750 5652 DLACDBHM (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/04/13 20:43:39.0765 5652 DLADResM (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS
2011/04/13 20:43:39.0781 5652 DLAIFS_M (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS
2011/04/13 20:43:39.0796 5652 DLAOPIOM (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS
2011/04/13 20:43:39.0796 5652 DLAPoolM (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS
2011/04/13 20:43:39.0812 5652 DLARTL_M (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2011/04/13 20:43:39.0843 5652 DLAUDFAM (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS
2011/04/13 20:43:39.0859 5652 DLAUDF_M (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS
2011/04/13 20:43:39.0921 5652 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/13 20:43:39.0968 5652 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/13 20:43:39.0984 5652 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/13 20:43:40.0031 5652 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/13 20:43:40.0062 5652 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/04/13 20:43:40.0093 5652 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/13 20:43:40.0109 5652 DRVMCDB (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/04/13 20:43:40.0140 5652 DRVNDDM (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/04/13 20:43:40.0171 5652 DXEC01 (549734664886d91222969845e4311d1b) C:\WINDOWS\system32\drivers\dxec01.sys
2011/04/13 20:43:40.0203 5652 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/04/13 20:43:40.0250 5652 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/13 20:43:40.0281 5652 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/04/13 20:43:40.0312 5652 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/13 20:43:40.0359 5652 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/04/13 20:43:40.0406 5652 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/04/13 20:43:40.0437 5652 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/13 20:43:40.0484 5652 FTDIBUS (8142d5d886829b9876cb93af59475c09) C:\WINDOWS\system32\drivers\ftdibus.sys
2011/04/13 20:43:40.0515 5652 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/13 20:43:40.0562 5652 FTSER2K (63d72a4cf9f163b59db0ceed940a7d76) C:\WINDOWS\system32\drivers\ftser2k.sys
2011/04/13 20:43:40.0609 5652 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/13 20:43:40.0656 5652 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/13 20:43:40.0687 5652 guardian2 (7031a936832967a93b0e5d5f1c76745a) C:\WINDOWS\system32\Drivers\oz776.sys
2011/04/13 20:43:40.0718 5652 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/13 20:43:40.0765 5652 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/04/13 20:43:40.0812 5652 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/04/13 20:43:40.0859 5652 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/04/13 20:43:40.0921 5652 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/04/13 20:43:40.0968 5652 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/04/13 20:43:41.0031 5652 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/04/13 20:43:41.0093 5652 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/13 20:43:41.0156 5652 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/04/13 20:43:41.0203 5652 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/04/13 20:43:41.0234 5652 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/13 20:43:41.0281 5652 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/13 20:43:41.0312 5652 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/04/13 20:43:41.0343 5652 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/04/13 20:43:41.0390 5652 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/13 20:43:41.0421 5652 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/04/13 20:43:41.0453 5652 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/13 20:43:41.0484 5652 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/13 20:43:41.0515 5652 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/13 20:43:41.0562 5652 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/13 20:43:41.0593 5652 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/13 20:43:41.0640 5652 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/13 20:43:41.0671 5652 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/13 20:43:41.0718 5652 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/13 20:43:41.0750 5652 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/13 20:43:41.0890 5652 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/04/13 20:43:41.0937 5652 mfeapfk (84d59a3eddfb9438fb94f7f80d37859d) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/04/13 20:43:41.0968 5652 mfeavfk (67e961988312b1a28d6f93357b0bf998) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/04/13 20:43:42.0015 5652 mfebopk (19161b1796cf74a6a326abde309062ba) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/04/13 20:43:42.0062 5652 mfefirek (d5f89b4934960c70882924d992c6abfc) C:\WINDOWS\system32\drivers\mfefirek.sys
2011/04/13 20:43:42.0109 5652 mfehidk (0efab2b91b27543fe589de700de07136) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/04/13 20:43:42.0140 5652 mfendisk (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/04/13 20:43:42.0156 5652 mfendiskmp (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/04/13 20:43:42.0187 5652 mferkdet (c9eda1eada2ab6e34cd1a10c3a24ab25) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/04/13 20:43:42.0250 5652 mfetdi2k (e6c5f7aade5a31c057d73201acfe8adf) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2011/04/13 20:43:42.0296 5652 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/13 20:43:42.0328 5652 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/13 20:43:42.0375 5652 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/13 20:43:42.0390 5652 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/13 20:43:42.0437 5652 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/04/13 20:43:42.0453 5652 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/13 20:43:42.0515 5652 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/13 20:43:42.0546 5652 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/13 20:43:42.0578 5652 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/13 20:43:42.0609 5652 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/13 20:43:42.0640 5652 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/13 20:43:42.0671 5652 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/13 20:43:42.0687 5652 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/13 20:43:42.0718 5652 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/13 20:43:42.0734 5652 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/13 20:43:42.0765 5652 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/13 20:43:42.0796 5652 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/13 20:43:42.0828 5652 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/13 20:43:42.0843 5652 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/13 20:43:42.0859 5652 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/13 20:43:42.0937 5652 NETw4x32 (b5ab1108b377b5f3d37409fabda01453) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
2011/04/13 20:43:42.0984 5652 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/04/13 20:43:43.0031 5652 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/13 20:43:43.0046 5652 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/13 20:43:43.0078 5652 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/13 20:43:43.0265 5652 nv (8129d762cc3e3c5ab9cf2eabc377fb73) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/04/13 20:43:43.0453 5652 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/13 20:43:43.0468 5652 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/13 20:43:43.0500 5652 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/04/13 20:43:43.0531 5652 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/04/13 20:43:43.0546 5652 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/13 20:43:43.0578 5652 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/13 20:43:43.0593 5652 PBADRV (9ec004140e1b675acdeb07f66ee797a4) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
2011/04/13 20:43:43.0625 5652 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/13 20:43:43.0656 5652 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/13 20:43:43.0687 5652 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/04/13 20:43:43.0796 5652 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/04/13 20:43:43.0812 5652 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/04/13 20:43:43.0843 5652 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/13 20:43:43.0859 5652 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/13 20:43:43.0875 5652 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/13 20:43:43.0906 5652 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/04/13 20:43:43.0937 5652 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/04/13 20:43:43.0953 5652 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/04/13 20:43:43.0984 5652 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/04/13 20:43:44.0000 5652 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/04/13 20:43:44.0031 5652 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/04/13 20:43:44.0046 5652 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/13 20:43:44.0078 5652 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/13 20:43:44.0093 5652 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/13 20:43:44.0109 5652 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/13 20:43:44.0125 5652 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/13 20:43:44.0140 5652 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/13 20:43:44.0171 5652 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/04/13 20:43:44.0203 5652 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/13 20:43:44.0218 5652 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/13 20:43:44.0265 5652 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/04/13 20:43:44.0296 5652 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/04/13 20:43:44.0359 5652 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/04/13 20:43:44.0406 5652 s24trans (eadfb87f911a7a75d1b80617f92901e8) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/04/13 20:43:44.0453 5652 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/13 20:43:44.0484 5652 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/13 20:43:44.0515 5652 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/04/13 20:43:44.0531 5652 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/13 20:43:44.0593 5652 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/04/13 20:43:44.0609 5652 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/04/13 20:43:44.0640 5652 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/13 20:43:44.0656 5652 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/13 20:43:44.0703 5652 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/13 20:43:44.0796 5652 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2011/04/13 20:43:44.0828 5652 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/13 20:43:44.0859 5652 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/13 20:43:44.0906 5652 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/04/13 20:43:44.0921 5652 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/04/13 20:43:44.0953 5652 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/04/13 20:43:44.0968 5652 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/04/13 20:43:45.0000 5652 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/13 20:43:45.0046 5652 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/13 20:43:45.0093 5652 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/13 20:43:45.0125 5652 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/13 20:43:45.0140 5652 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/13 20:43:45.0156 5652 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/04/13 20:43:45.0187 5652 tosporte (8d624d3bd1f2d78bd1c01a2d4e954b4e) C:\WINDOWS\system32\DRIVERS\tosporte.sys
2011/04/13 20:43:45.0234 5652 tosrfbd (435ac6cc2abed508ac5a495658cbaf0f) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
2011/04/13 20:43:45.0250 5652 tosrfbnp (90c8525bc578aaffe87c2d0ed4379e9e) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
2011/04/13 20:43:45.0281 5652 Tosrfcom (5ba1ca3b3cddb1ddc67df473f05d1ec2) C:\WINDOWS\system32\Drivers\tosrfcom.sys
2011/04/13 20:43:45.0296 5652 Tosrfhid (28099a4e52148319afa685d93a2244d0) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
2011/04/13 20:43:45.0312 5652 tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
2011/04/13 20:43:45.0328 5652 Tosrfusb (6bc529c5eca0c7654943fd6fab21c5fa) C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
2011/04/13 20:43:45.0375 5652 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/13 20:43:45.0421 5652 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/04/13 20:43:45.0468 5652 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/13 20:43:45.0515 5652 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/04/13 20:43:45.0531 5652 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/13 20:43:45.0546 5652 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/13 20:43:45.0562 5652 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/13 20:43:45.0578 5652 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/13 20:43:45.0640 5652 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/13 20:43:45.0656 5652 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/13 20:43:45.0671 5652 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/13 20:43:45.0687 5652 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/13 20:43:45.0718 5652 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/04/13 20:43:45.0750 5652 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/04/13 20:43:45.0765 5652 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/13 20:43:45.0796 5652 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/13 20:43:45.0843 5652 WaveFDE (db626c46997c2430d4958da5c7ffb969) C:\WINDOWS\system32\DRIVERS\WaveFDE.sys
2011/04/13 20:43:45.0875 5652 WavxDMgr (51e756f2bfb5e3adcb15f966ad293231) C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys
2011/04/13 20:43:45.0906 5652 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/13 20:43:45.0953 5652 winachsf (a8596cf86d445269a42ecc08b7066a4c) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/04/13 20:43:46.0015 5652 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/04/13 20:43:46.0046 5652 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/04/13 20:43:46.0078 5652 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/13 20:43:46.0109 5652 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/13 20:43:46.0375 5652 ================================================================================
2011/04/13 20:43:46.0375 5652 Scan finished
2011/04/13 20:43:46.0375 5652 ================================================================================
2011/04/13 20:44:06.0156 1116 Deinitialize success
Jon22
Active Member
 
Posts: 10
Joined: April 11th, 2011, 6:22 pm

Re: Windows Updates disabled - Unable to remove malware

Unread postby askey127 » April 14th, 2011, 2:57 pm

Jon22,
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE MCAFEE ANTIVIRUS
    Please navigate to the system tray on the bottom right hand corner and look for a Imagesign.
    • right-click it -> choose "Exit."
    • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
    The McAfee Guard is now disabled.
  • Now start ComboFix (zzz.exe)
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts.
    When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • It will run through about 50 procedures, then take a while to assemble its output log.
  • Do not touch the computer AT ALL while ComboFix is running.
  • When finished, the report will open. Post the log in your next reply, and then Reenable your Antivirus protection software
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Windows Updates disabled - Unable to remove malware

Unread postby Jon22 » April 15th, 2011, 8:08 pm

Askey127, my internet was on the fritz during my first of run of combofix. This first scan log is first below. My second scan was with internet enabled and after the recovery console was able to install sucessfully. This second is also provided below.Thanks,

Jonathan

First combofix scan with no internet connection:

ComboFix 11-04-13.06 - Jamie Miller 04/14/2011 21:34:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1613 [GMT -5:00]
Running from: c:\documents and settings\Jamie Miller\Desktop\zzz.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jamie Miller\Application Data\Adobe\plugs
c:\documents and settings\Jamie Miller\Application Data\Adobe\shed
c:\documents and settings\Jamie Miller\delme.bat
C:\Install.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_ITLPERF
-------\Service_6to4
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-11 02:39 . 2011-04-14 01:28 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-04-11 01:41 . 2010-10-14 03:28 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2011-04-11 01:41 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-11 01:41 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-11 01:41 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-11 01:41 . 2010-10-14 03:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-11 01:41 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-11 01:41 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-11 01:41 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-11 01:41 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-11 01:41 . 2010-10-14 03:28 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-11 01:41 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-11 01:41 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-10 20:13 . 2011-04-10 20:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-10 19:43 . 2011-04-11 01:44 -------- d-----w- c:\program files\Common Files\McAfee
2011-04-10 19:43 . 2011-04-11 01:45 -------- d-----w- c:\program files\McAfee
2011-04-10 13:04 . 2011-04-10 13:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-10 13:01 . 2011-04-10 13:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-04-10 04:49 . 2011-04-10 04:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-10 02:31 . 2011-04-10 02:31 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-09 23:55 . 2011-04-09 23:55 -------- d-----w- c:\program files\CCleaner
2011-04-09 23:11 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 23:11 . 2011-04-09 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 23:11 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 23:03 . 2011-04-09 23:03 -------- d-----w- c:\documents and settings\Jamie Miller\Application Data\Malwarebytes
2011-04-09 23:03 . 2011-04-09 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-09 22:04 . 2011-04-10 01:20 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-04 19:34 . 2011-04-04 19:34 -------- d-----w- c:\documents and settings\Jamie Miller\Local Settings\Application Data\{88656822-8524-4662-AEBB-5C60B542ECC5}
2011-04-04 19:31 . 2011-04-11 20:53 -------- d-----w- c:\documents and settings\Jamie Miller\Application Data\95DF6A5DCFF7D93FFA67CDE5A7AC3F1F
2011-04-04 19:31 . 2011-04-04 19:31 114688 --sha-r- c:\windows\system32\snmpapiq.dll
2011-04-04 19:31 . 2011-04-04 19:31 114688 --sha-r- c:\windows\system32\slbiopb.dll
2011-04-04 01:01 . 2011-04-12 03:03 -------- d-----w- c:\documents and settings\Jamie Miller\Local Settings\Application Data\AskToolbar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-15 02:43 . 2010-08-09 20:47 0 ----a-w- c:\documents and settings\Jamie Miller\Local Settings\Application Data\WavXMapDrive.bat
2011-02-18 22:36 . 2011-02-09 18:51 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2011-02-09 18:51 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53 . 2004-08-11 22:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2010-08-20 01:50 . 2010-08-20 01:50 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-10-14 03:28 . 2011-04-11 01:41 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-15 65536]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-19 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ------w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-04-16 02:49 159744 ------w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-20 01:50 30192 ------w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ------w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ------w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/10/2011 8:41 PM 84072]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/10/2011 8:41 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/10/2011 8:41 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/10/2011 8:41 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/10/2011 8:41 PM 141792]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/10/2011 8:41 PM 55840]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/10/2011 8:41 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/10/2011 8:41 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2010 6:26 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/19/2008 4:28 PM 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/10/2011 8:41 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/10/2011 8:41 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 23:26]
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 23:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
Notify-itlntfy - itlnfw32.dll
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Adobe® PDF Plug-in Update Tool - c:\documents and settings\Jamie Miller\Application Data\Adobe\pdfupdate.exe
MSConfigStartUp-Axome - c:\windows\overuqazejowe.dll
MSConfigStartUp-AZ15NF7UKG - c:\docume~1\JAMIEM~1\LOCALS~1\Temp\Icp.exe
MSConfigStartUp-K8CE6CA1JO - c:\docume~1\JAMIEM~1\LOCALS~1\Temp\Ida.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-14 21:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2788)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\rundll32.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\StacSV.exe
c:\program files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-04-14 21:47:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-15 02:47
.
Pre-Run: 21,545,525,248 bytes free
Post-Run: 34,563,481,600 bytes free
.
- - End Of File - - 878A149978CFF3727025DEA865A4A8EA


SECOND SCAN WITH INTERNET:


ComboFix 11-04-14.03 - Jamie Miller 04/15/2011 18:50:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1440 [GMT -5:00]
Running from: c:\documents and settings\Jamie Miller\Desktop\zzz.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Norton AntiVirus *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-15 to 2011-04-15 )))))))))))))))))))))))))))))))
.
.
2011-04-11 02:39 . 2011-04-14 01:28 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-04-11 01:41 . 2010-10-14 03:28 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2011-04-11 01:41 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-11 01:41 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-11 01:41 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-11 01:41 . 2010-10-14 03:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-11 01:41 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-11 01:41 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-11 01:41 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-11 01:41 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-11 01:41 . 2010-10-14 03:28 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-11 01:41 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-11 01:41 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-10 20:13 . 2011-04-10 20:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-10 19:43 . 2011-04-11 01:44 -------- d-----w- c:\program files\Common Files\McAfee
2011-04-10 19:43 . 2011-04-11 01:45 -------- d-----w- c:\program files\McAfee
2011-04-10 13:04 . 2011-04-10 13:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-10 13:01 . 2011-04-10 13:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-04-10 04:49 . 2011-04-10 04:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-10 02:31 . 2011-04-10 02:31 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-09 23:55 . 2011-04-09 23:55 -------- d-----w- c:\program files\CCleaner
2011-04-09 23:11 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 23:11 . 2011-04-09 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 23:11 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 23:03 . 2011-04-09 23:03 -------- d-----w- c:\documents and settings\Jamie Miller\Application Data\Malwarebytes
2011-04-09 23:03 . 2011-04-09 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-09 22:04 . 2011-04-10 01:20 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-04 19:34 . 2011-04-04 19:34 -------- d-----w- c:\documents and settings\Jamie Miller\Local Settings\Application Data\{88656822-8524-4662-AEBB-5C60B542ECC5}
2011-04-04 19:31 . 2011-04-11 20:53 -------- d-----w- c:\documents and settings\Jamie Miller\Application Data\95DF6A5DCFF7D93FFA67CDE5A7AC3F1F
2011-04-04 19:31 . 2011-04-04 19:31 114688 --sha-r- c:\windows\system32\snmpapiq.dll
2011-04-04 19:31 . 2011-04-04 19:31 114688 --sha-r- c:\windows\system32\slbiopb.dll
2011-04-04 01:01 . 2011-04-12 03:03 -------- d-----w- c:\documents and settings\Jamie Miller\Local Settings\Application Data\AskToolbar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-15 23:40 . 2010-08-09 20:47 0 ----a-w- c:\documents and settings\Jamie Miller\Local Settings\Application Data\WavXMapDrive.bat
2011-02-18 22:36 . 2011-02-09 18:51 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2011-02-09 18:51 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53 . 2004-08-11 22:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2010-08-20 01:50 . 2010-08-20 01:50 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-10-14 03:28 . 2011-04-11 01:41 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-15_02.43.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-03 20:26 . 2011-04-15 23:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-08-03 20:26 . 2011-04-12 10:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2011-04-15 23:45 . 2011-04-15 23:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-08-03 20:26 . 2011-04-12 10:50 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-15 65536]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-19 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ------w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-04-16 02:49 159744 ------w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-20 01:50 30192 ------w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ------w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ------w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/10/2011 8:41 PM 84072]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/10/2011 8:41 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/10/2011 8:41 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/10/2011 8:41 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/10/2011 8:41 PM 141792]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/10/2011 8:41 PM 55840]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/10/2011 8:41 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/10/2011 8:41 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2010 6:26 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/19/2008 4:28 PM 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/10/2011 8:41 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/10/2011 8:41 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 23:26]
.
2011-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 23:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-15 18:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(772)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-15 18:54:52
ComboFix-quarantined-files.txt 2011-04-15 23:54
ComboFix2.txt 2011-04-15 02:47
.
Pre-Run: 34,501,500,928 bytes free
Post-Run: 34,532,052,992 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 77F5D84E100022863ABED991B9E4D19A
Jon22
Active Member
 
Posts: 10
Joined: April 11th, 2011, 6:22 pm

Re: Windows Updates disabled - Unable to remove malware

Unread postby askey127 » April 16th, 2011, 8:38 am

jon22,
---------------------------------------------
Symantec did not remove everything as it should. This is a common problem.
To completely remove Norton Antivirus, Download and Run the Norton Removal Tool for your version of Windows.
http://www.symantec.com/norton/support/kb/web_view.jsp?wv_type=public_web&docurl=20080710133834EN&ln=en_US
Perform the DownLoad for your version of Windows (download to your desktop as it says).
On your desktop, click on Norton Removal Tool and follow the instructions.
Please Be patient. This tool removes hundreds of files and settings. It will let you know when it's done.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    File::
    c:\windows\system32\snmpapiq.dll
    c:\windows\system32\slbiopb.dll
    
    Folder::
    c:\documents and settings\Jamie Miller\Local Settings\Application Data\AskToolbar
    c:\documents and settings\Jamie Miller\Local Settings\Application Data\{88656822-8524-4662-AEBB-5C60B542ECC5}
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Windows Updates disabled - Unable to remove malware

Unread postby Jon22 » April 17th, 2011, 10:54 pm

Askey127 please see below, thanks:


ComboFix 11-04-14.03 - Jamie Miller 04/17/2011 21:41:03.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1604 [GMT -5:00]
Running from: c:\documents and settings\Jamie Miller\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Jamie Miller\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\windows\system32\slbiopb.dll"
"c:\windows\system32\snmpapiq.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jamie Miller\Local Settings\Application Data\{88656822-8524-4662-AEBB-5C60B542ECC5}
c:\documents and settings\Jamie Miller\Local Settings\Application Data\{88656822-8524-4662-AEBB-5C60B542ECC5}\chrome.manifest
c:\documents and settings\Jamie Miller\Local Settings\Application Data\{88656822-8524-4662-AEBB-5C60B542ECC5}\chrome\content\_cfg.js
c:\documents and settings\Jamie Miller\Local Settings\Application Data\{88656822-8524-4662-AEBB-5C60B542ECC5}\install.rdf
c:\documents and settings\Jamie Miller\Local Settings\Application Data\AskToolbar
c:\documents and settings\Jamie Miller\Local Settings\Application Data\AskToolbar\cache.dat
c:\documents and settings\Jamie Miller\Local Settings\Application Data\AskToolbar\config.xml
c:\documents and settings\Jamie Miller\Local Settings\Application Data\AskToolbar\osearch.xml
c:\windows\system32\slbiopb.dll
c:\windows\system32\snmpapiq.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-03-18 to 2011-04-18 )))))))))))))))))))))))))))))))
.
.
2011-04-11 02:39 . 2011-04-14 01:28 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-04-11 01:41 . 2010-10-14 03:28 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2011-04-11 01:41 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-11 01:41 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-11 01:41 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-11 01:41 . 2010-10-14 03:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-11 01:41 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-11 01:41 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-11 01:41 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-11 01:41 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-11 01:41 . 2010-10-14 03:28 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-11 01:41 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-11 01:41 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-10 20:13 . 2011-04-10 20:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-10 19:43 . 2011-04-11 01:44 -------- d-----w- c:\program files\Common Files\McAfee
2011-04-10 19:43 . 2011-04-11 01:45 -------- d-----w- c:\program files\McAfee
2011-04-10 13:04 . 2011-04-10 13:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-10 13:01 . 2011-04-10 13:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-04-10 04:49 . 2011-04-10 04:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-10 02:31 . 2011-04-10 02:31 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-09 23:55 . 2011-04-09 23:55 -------- d-----w- c:\program files\CCleaner
2011-04-09 23:11 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 23:11 . 2011-04-09 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 23:11 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 23:03 . 2011-04-09 23:03 -------- d-----w- c:\documents and settings\Jamie Miller\Application Data\Malwarebytes
2011-04-09 23:03 . 2011-04-09 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-09 22:04 . 2011-04-10 01:20 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-04 19:31 . 2011-04-11 20:53 -------- d-----w- c:\documents and settings\Jamie Miller\Application Data\95DF6A5DCFF7D93FFA67CDE5A7AC3F1F
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-18 01:39 . 2010-08-09 20:47 0 ----a-w- c:\documents and settings\Jamie Miller\Local Settings\Application Data\WavXMapDrive.bat
2011-02-18 22:36 . 2011-02-09 18:51 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2011-02-09 18:51 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53 . 2004-08-11 22:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2010-08-20 01:50 . 2010-08-20 01:50 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-10-14 03:28 . 2011-04-11 01:41 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-15_02.43.58 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-03 20:26 . 2011-04-15 23:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-08-03 20:26 . 2011-04-12 10:50 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-15 65536]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-19 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ------w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-04-16 02:49 159744 ------w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-20 01:50 30192 ------w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ------w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ------w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/10/2011 8:41 PM 84072]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/10/2011 8:41 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/10/2011 8:41 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/10/2011 8:41 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/10/2011 8:41 PM 141792]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/10/2011 8:41 PM 55840]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/10/2011 8:41 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/10/2011 8:41 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2010 6:26 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/19/2008 4:28 PM 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/10/2011 8:41 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/10/2011 8:41 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 23:26]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 23:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-17 21:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-17 21:47:51
ComboFix-quarantined-files.txt 2011-04-18 02:47
ComboFix2.txt 2011-04-15 23:54
ComboFix3.txt 2011-04-15 02:47
.
Pre-Run: 34,502,184,960 bytes free
Post-Run: 34,497,400,832 bytes free
.
- - End Of File - - 563E2518FA29021FB0A9EE61C5565152
Jon22
Active Member
 
Posts: 10
Joined: April 11th, 2011, 6:22 pm

Re: Windows Updates disabled - Unable to remove malware

Unread postby askey127 » April 18th, 2011, 7:34 am

jon22,
Question: Did you run TDSSKiller more than once?
If you did, please go to the C: drive main directory and find the TDSSK log with the earliest time stamp.
File name will be: TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt
(the dd.mm.yyyy_hh.mm.ss numbers in the filename represent the time/date stamp)
--------------------------------------------------------
aswMBR
Download aswMBR and save it to your Desktop.

  • Double click aswMBR.exe to run it.
  • Click the Scan button.
  • After a short while when the scan reports "Scan finished successfully", click Save log & save the log to your desktop.
  • Click OK
  • Two files will be created, aswMBR.txt & a file named MBR.dat
  • Save MBR.dat to a USB flash drive. This is a backup of your MBR. Do not delete this file.
  • NOTE: Do not click to fix anything at this stage!
  • Click EXIT.
  • Copy & Paste the contents of aswMBR.txt into your next reply.

Tell me how it's running.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Windows Updates disabled - Unable to remove malware

Unread postby Jon22 » April 18th, 2011, 7:38 pm

Askey127, I am only able to find one TDSS scan log text file. I also only remember running it once. I have the log and can post it if you would like. The laptop seems to be running OK. Yet windows update's website tells me the following message when I visit the website:
The website has encountered a problem and cannot display the page you are trying to view. The options provided below might help you solve the problem.


aswMBR.txt is as follows:


aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-18 18:27:38
-----------------------------
18:27:38.649 OS Version: Windows 5.1.2600 Service Pack 3
18:27:38.649 Number of processors: 2 586 0x1706
18:27:38.649 ComputerName: JAMIE UserName:
18:27:39.055 Initialize success
18:27:50.743 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
18:27:50.758 Disk 0 Vendor: TOSHIBA_MK8051GSY LD201D Size: 76319MB BusType: 3
18:27:52.790 Disk 0 MBR read successfully
18:27:52.790 Disk 0 MBR scan
18:27:54.883 Disk 0 scanning sectors +156296385
18:27:54.915 Disk 0 scanning C:\WINDOWS\system32\drivers
18:28:09.321 Service scanning
18:28:11.149 Disk 0 trace - called modules:
18:28:11.180 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
18:28:11.196 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7ebab8]
18:28:11.196 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a859d98]
18:28:11.196 Scan finished successfully


Thanks, Jonathan.
Jon22
Active Member
 
Posts: 10
Joined: April 11th, 2011, 6:22 pm

Re: Windows Updates disabled - Unable to remove malware

Unread postby askey127 » April 19th, 2011, 7:41 am

jon22,
This machine may have a recent, difficult to detect rootkit infection.
-------------------------------------------------
Please download RogueKiller.exe and save it to your desktop.

Run RogueKiller
  • Now quit all running programs.
  • Double click RogueKiller.exe to run it.
  • When prompted, type 1 and hit Enter.
  • A RKreport.txt should appear on your desktop.
  • Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe .
  • Please post the contents of the RKreport.txt in your next Reply.
---------------------------------------------------
MBR Rootkit Detector:

Please download The MBR Rootkit Detector by GMER
Be sure to download it to the root of your drive, e.g. directly to C:\mbr.exe


Once the download has finished, click Start > Run. Copy and paste the following into the run box, then click OK:
Code: Select all
cmd /c  mbr.exe -t >> "%Userprofile%\desktop\mbrlog.txt"

A log will be generated on your desktop named mbrlog.txt.
Please open it with Notepad and post the contents in your next reply.
-----------------------------------------------
Please download MiniToolBox and run it.
Check ONLY the following in the list:
  • Flush DNS
  • Report IE Proxy Settings
  • List IP configuration
  • List content of Hosts
  • List last 10 Event Viewer Errors
  • Click GO and post the result (Result.txt).
---------------------------------------------
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :reg
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost /sub
    
    :service
    itlperf
    itlsvc
    
    :filefind
    itlnfw32.dll
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

askey127

Note: edited by askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Windows Updates disabled - Unable to remove malware

Unread postby Jon22 » April 19th, 2011, 10:30 pm

Askey127, this is surely a tricky one! Here are the log files generated from all four of the scans:

RougeKiller:
RogueKiller V4.3.9 [04/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion- ... ntees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Jamie Miller [Admin rights]
Mode: Scan -- Date : 04/19/2011 21:14:19

Bad processes: 0

Registry Entries: 1
[PROXY FF] 42w64u6p.default\ 127.0.0.1:59980 -> FOUND

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt

MBRRootkit Detector:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK8051GSY rev.LD201D -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A736AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Ide\IdeDeviceP1T0L0-e[0x8A81D308]
kernel: MBR read successfully
user & kernel MBR OK

MiniTollBox:
MiniToolBox by Farbar
Ran by Jamie Miller (administrator) at 2011-04-19 21:18:40
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


================= Flush DNS: ==============================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


================= End of Flush DNS ========================================

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Wireless Network Connection"

set address name="Wireless Network Connection" source=dhcp
set dns name="Wireless Network Connection" source=dhcp register=PRIMARY
set wins name="Wireless Network Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : Jamie

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Broadcast

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Wireless Network Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection

Physical Address. . . . . . . . . : 00-1F-3C-7D-00-D7

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1f 3c 7d 00 d7 ...... Intel(R) PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 2 1
===========================================================================
Persistent Routes:
None

================= End of IP Configuration =================================

========================= Event log errors: ===============================

Application errors:
==================
Error: (04/18/2011 05:38:18 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (04/18/2011 05:38:18 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (04/17/2011 08:39:34 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (04/17/2011 08:39:34 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (04/17/2011 08:39:34 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The server name or address could not be resolved

Error: (04/15/2011 04:06:13 PM) (Source: Broadcom ASF IP and SMBIOS Mailbox Monitor) (User: )
Description: !ERROR 53 Refreshing BMAPI data

Error: (04/14/2011 09:04:37 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (04/14/2011 09:04:37 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (04/14/2011 09:04:37 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Error: (04/14/2011 09:04:37 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.


System errors:
=============
Error: (04/17/2011 09:40:48 PM) (Source: Service Control Manager) (User: )
Description: The Smart Card service terminated unexpectedly. It has done this 1 time(s).

Error: (04/17/2011 09:40:48 PM) (Source: Service Control Manager) (User: )
Description: The NTRU TSS v1.2.1.25 TCS service terminated unexpectedly. It has done this 1 time(s).

Error: (04/15/2011 06:49:57 PM) (Source: Service Control Manager) (User: )
Description: The Smart Card service terminated unexpectedly. It has done this 1 time(s).

Error: (04/15/2011 06:49:57 PM) (Source: Service Control Manager) (User: )
Description: The NTRU TSS v1.2.1.25 TCS service terminated unexpectedly. It has done this 1 time(s).

Error: (04/15/2011 06:42:01 PM) (Source: DCOM) (User: Jamie Miller)
Description: The server {3A185DDE-E020-4985-A8F2-E27CDC4A0F3A} did not register with DCOM within the required timeout.

Error: (04/15/2011 06:41:06 PM) (Source: Dhcp) (User: )
Description: The IP address lease 172.16.0.10 for the Network Card with network address 001F3C7D00D7 has been
denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Error: (04/14/2011 09:34:17 PM) (Source: Service Control Manager) (User: )
Description: The NTRU TSS v1.2.1.25 TCS service terminated unexpectedly. It has done this 1 time(s).

Error: (04/14/2011 09:34:17 PM) (Source: Service Control Manager) (User: )
Description: The Smart Card service terminated unexpectedly. It has done this 1 time(s).

Error: (04/14/2011 09:07:48 PM) (Source: Service Control Manager) (User: )
Description: The Intel CPU service terminated with the following error:
%%126

Error: (04/14/2011 09:07:48 PM) (Source: Service Control Manager) (User: )
Description: The Network Security service terminated with the following error:
%%126


Microsoft Office Sessions:
=========================
Error: (03/16/2011 02:34:45 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1311 seconds with 120 seconds of active time. This session ended with a crash.

Error: (03/16/2011 02:11:40 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 2172 seconds with 180 seconds of active time. This session ended with a crash.

Error: (03/01/2011 05:52:42 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1569 seconds with 0 seconds of active time. This session ended with a crash.

Error: (02/08/2011 05:42:16 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 839 seconds with 0 seconds of active time. This session ended with a crash.

Error: (01/28/2011 07:52:26 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 289 seconds with 60 seconds of active time. This session ended with a crash.

Error: (01/24/2011 05:17:32 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 952 seconds with 120 seconds of active time. This session ended with a crash.

Error: (01/18/2011 05:46:00 PM) (Source: Microsoft Office 12 Sessions)(User: )
Description: ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 258 seconds with 0 seconds of active time. This session ended with a crash.


========================= End of Event log errors =========================

SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 21:19 on 19/04/2011 by Jamie Miller
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"HTTPFilter"="HTTPFilter"
"LocalService"="Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV"
"NetworkService"="DnsCache"
"netsvcs"="6to4 AppMgmt AudioSrv Browser CryptSvc DMServer DHCP ERSvc EventSystem FastUserSwitchingCompatibility HidServ Ias Iprip Irmon LanmanServer LanmanWorkstation Messenger Netman Nla Ntmssvc NWCWorkstation Nwsapagent Rasauto Rasman Remoteaccess Schedule Seclogon SENS Sharedaccess SRService Tapisrv Themes TrkWks W32Time WZCSVC Wmi WmdmPmSp winmgmt wscsvc xmlprov BITS wuauserv ShellHWDetection helpsvc WmdmPmSN napagent hkmsvc"
"DcomLaunch"="DcomLaunch TermService"
"rpcss"="RpcSs"
"imgsvc"="StiSvc"
"termsvcs"="TermService"
"HPZ12"="Pml Driver HPZ12 Net Driver HPZ12"
"eapsvcs"="eaphost"
"dot3svc"="dot3svc"
"WudfServiceGroup"="WUDFSvc"
"itlsvc"="itlperf"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\DComLaunch]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\dot3svc]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\eapsvcs]
"AuthenticationCapabilities"= 0x0000003020 (12320)
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\HTTPFilter]
"CoInitializeSecurityParam"= 0x0000000001 (1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\LocalService]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"AuthenticationCapabilities"= 0x0000002000 (8192)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\netsvcs]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"AuthenticationCapabilities"= 0x0000003020 (12320)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\PCHealth]
"CoInitializeSecurityParam"= 0x0000000002 (2)
"AuthenticationCapabilities"= 0x0000000040 (64)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost\termsvcs]
"CoInitializeSecurityParam"= 0x0000000001 (1)
"DefaultRpcStackSize"= 0x0000000008 (8)


========== service ==========

itlperf - Unable to open Service Handle.

itlsvc - Unable to open Service Handle.

========== filefind ==========

Searching for "itlnfw32.dll"
No files found.

-= EOF =-


Thanks, Jonathan
Jon22
Active Member
 
Posts: 10
Joined: April 11th, 2011, 6:22 pm

Re: Windows Updates disabled - Unable to remove malware

Unread postby askey127 » April 20th, 2011, 7:32 am

jon22,
The Windows update sites use ActiveX controls, and will only work if you use Internet Explorer and have ActiveX controls enabled. The site URLs have to also be placed in the Trusted Zone.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    "itlsvc"=-
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.
---------------------------------------------
We need to check on that proxy reported by RogueKiller:
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :reg
    HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox /sub
    
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Windows Updates disabled - Unable to remove malware

Unread postby Jon22 » April 20th, 2011, 5:37 pm

Askey127,

To enable active x control if it is somehow disabled, what would be the best way to go about this? I could do a internet explorer reset if you think that will work. I will not proceed until you provide further advice.


Here is the ComboFix results:

ComboFix 11-04-20.01 - Jamie Miller 04/20/2011 16:22:17.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1483 [GMT -5:00]
Running from: c:\documents and settings\Jamie Miller\Desktop\zzz.exe
Command switches used :: c:\documents and settings\Jamie Miller\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-20 to 2011-04-20 )))))))))))))))))))))))))))))))
.
.
2011-04-20 02:15 . 2011-04-20 01:28 89088 ----a-w- C:\mbr.exe
2011-04-11 02:39 . 2011-04-14 01:28 -------- d-----w- c:\program files\Emsisoft Anti-Malware
2011-04-11 01:41 . 2010-10-14 03:28 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
2011-04-11 01:41 . 2010-10-14 03:28 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-04-11 01:41 . 2010-10-14 03:28 141792 ----a-w- c:\windows\system32\mfevtps.exe
2011-04-11 01:41 . 2010-10-14 03:28 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-11 01:41 . 2010-10-14 03:28 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-11 01:41 . 2010-10-14 03:28 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2011-04-11 01:41 . 2010-10-14 03:28 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-04-11 01:41 . 2010-10-14 03:28 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-11 01:41 . 2010-10-14 03:28 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-04-11 01:41 . 2010-10-14 03:28 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-04-11 01:41 . 2010-10-14 03:28 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-04-11 01:41 . 2010-10-14 03:28 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-04-10 20:13 . 2011-04-10 20:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-04-10 19:43 . 2011-04-11 01:44 -------- d-----w- c:\program files\Common Files\McAfee
2011-04-10 19:43 . 2011-04-11 01:45 -------- d-----w- c:\program files\McAfee
2011-04-10 13:04 . 2011-04-10 13:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-10 13:01 . 2011-04-10 13:01 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-04-10 04:49 . 2011-04-10 04:49 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-10 02:31 . 2011-04-10 02:31 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-04-09 23:55 . 2011-04-09 23:55 -------- d-----w- c:\program files\CCleaner
2011-04-09 23:11 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-09 23:11 . 2011-04-09 23:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-09 23:11 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-09 23:03 . 2011-04-09 23:03 -------- d-----w- c:\documents and settings\Jamie Miller\Application Data\Malwarebytes
2011-04-09 23:03 . 2011-04-09 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-09 22:04 . 2011-04-10 01:20 102400 ----a-w- c:\windows\RegBootClean.exe
2011-04-04 19:31 . 2011-04-11 20:53 -------- d-----w- c:\documents and settings\Jamie Miller\Application Data\95DF6A5DCFF7D93FFA67CDE5A7AC3F1F
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-20 20:51 . 2010-08-09 20:47 0 ----a-w- c:\documents and settings\Jamie Miller\Local Settings\Application Data\WavXMapDrive.bat
2011-02-18 22:36 . 2011-02-09 18:51 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2011-02-09 18:51 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 13:53 . 2004-08-11 22:00 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-11 22:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2004-08-11 22:11 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2004-08-11 22:11 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44 . 2004-08-11 22:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2010-08-20 01:50 . 2010-08-20 01:50 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2010-10-14 03:28 . 2011-04-11 01:41 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-19 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 92160]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-15 65536]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"nwiz"="nwiz.exe" [2007-05-31 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-31 81920]
"NVHotkey"="nvHotkey.dll" [2007-05-31 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-31 8429568]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-11 288088]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-26 17920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-02-22 1245184]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-11 2150400]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-19 50688]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ------w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2007-04-16 02:49 159744 ------w- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-08-20 01:50 30192 ------w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 ------w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 15:17 5252408 ------w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/10/2011 8:41 PM 84072]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/10/2011 8:41 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/10/2011 8:41 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/10/2011 8:41 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/10/2011 8:41 PM 141792]
R2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [8/11/2004 5:00 PM 5120]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/10/2011 8:41 PM 55840]
R3 DXEC01;DXEC01;c:\windows\system32\drivers\dxec01.sys [11/2/2006 12:32 PM 97536]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/10/2011 8:41 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/10/2011 8:41 PM 88544]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/9/2010 6:26 PM 135664]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [6/19/2008 4:28 PM 30192]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/10/2011 8:41 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/10/2011 8:41 PM 84264]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 23:26]
.
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-09 23:26]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-20 16:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4144)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-04-20 16:26:00
ComboFix-quarantined-files.txt 2011-04-20 21:25
ComboFix2.txt 2011-04-20 21:19
ComboFix3.txt 2011-04-18 02:47
ComboFix4.txt 2011-04-15 23:54
ComboFix5.txt 2011-04-20 21:21
.
Pre-Run: 34,471,141,376 bytes free
Post-Run: 34,456,408,064 bytes free
.
- - End Of File - - 03E69F81F61C44C57DA6F2B60A4FFAC7


Below are the results from SystemLook:

SystemLook 04.09.10 by jpshortstuff
Log created at 16:31 on 20/04/2011 by Jamie Miller
Administrator - Elevation successful

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]
(No values found)

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
"{88656822-8524-4662-AEBB-5C60B542ECC5}"="C:\Documents and Settings\Jamie Miller\Local Settings\Application Data\{88656822-8524-4662-AEBB-5C60B542ECC5}\"


-= EOF =-
Jon22
Active Member
 
Posts: 10
Joined: April 11th, 2011, 6:22 pm

Re: Windows Updates disabled - Unable to remove malware

Unread postby askey127 » April 21st, 2011, 7:55 am

jon22,
Under Internet Explorer, Tools, Internet Options, on the Security tab, you can reset all zones to default level.
Also look in Trusted Sites and enter the URL for Microsoft Updates in the sites list.
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code: Select all
    Folder::
    C:\Documents and Settings\Jamie Miller\Local Settings\Application Data\{88656822-8524-4662-AEBB-5C60B542ECC5}
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
    "{88656822-8524-4662-AEBB-5C60B542ECC5}"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
  • Save it to your desktop as CFScript.txt

    Image
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

Tell me how it's running.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 13906
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 65 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware