Svchost.exe & generic host process errors - darn rats!! (Take 2)

Old 12-29-2010, 11:40 PM   #1
Registered Member
 
Join Date: Jul 2009
Posts: 11
OS: xp



Guys, sorry for messing up the first post by not having the right logs attached. I've been spanked and now I'm back. So here we go again:

About a month ago my computer (Windows XP Professional SP3) was attacked by some malware/virus/trojan (Security Suite 2011 or something like that) that locked all functions/programs and told me that any program I tried to open was infected with a virus. I thought I finally got rid of it by running MBAM (in safe mode). It found some trojans, etc., removed them and I thought that was that. Not exactly.

Since then, I've been getting the "Generic Host Process for Win32 Services has encountered a problem and needs to close" error with increased frequency. Now, the following happens within 15-20 minutes of a fresh reboot and connecting to the internet. I first get the error, then my system tray basically "blinks"; I then lose internet connection capability, then my system volume goes out, and finally the entire desktop and all programs lock up and I have to reboot. Sometimes I also get a svchost.exe error window that some memory can't be read. That svchost.exe error also posts in the error log of the Generic Host Process error. Additionally, I have no ability to download Windows updates (even when the computer is not in Generic Host Process error mode and whether through IE or Firefox) and programs like Adobe are acting all crazy. Incidentally, the DDS report below shows that I'm using some proxy server; I am NOT (or at least I'm not aware of any).

The above ONLY happens when I'm connected to the internet. When I reboot from scratch and don't connect to the internet, the computer is completely stable with none of the above problems - like the good old days.

I constantly scan with AVG, MBAM, Spybot, Superantispyware and Webroot and everything comes back clean every time. My only guess is that the malware wasn't completely cleaned or that in the cleaning process my registry got all screwed up. PLEASE HELP!

Thanks in advance for your time.


DDS (Ver_10-12-12.02) - NTFSx86
Run by gcoltea at 1:02:16.93 on Thu 12/30/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1410 [GMT -5:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\IntelliAdminRC3\Agent32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\gcoltea.BRPMANAGE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AVG8_TRAY] "c:\progra~1\avg\avg8\avgtray.exe"
mRun: [HPWWANGSAssistant] "c:\swsetup\hpqwwan\HPWWanGSAssistant.exe" /TrayMode
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [Synchronization Manager] "%SystemRoot%\system32\mobsync.exe" /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1248404384156
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248404372078
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gcolte~1.brp\applic~1\mozilla\firefox\profiles\0bi54c08.default\
FF - component: c:\documents and settings\gcoltea.brpmanage\application data\idm\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IDM CC: [email protected] - c:\documents and settings\gcoltea.brpmanage\application data\idm\idmmzcc3

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-23 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-23 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-23 108552]
R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [2010-12-23 96600]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-7-23 86552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-23 297752]
R2 IntelliAdminRC3;IntelliAdminRC3;c:\windows\intelliadminrc3\Agent32.exe [2009-8-4 2126304]
R2 SWIHPWMI;SWIHPWMI;c:\program files\hpq\shared\sierra wireless\win32\unicode\SWIHPWMI.exe [2006-12-4 292384]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-7-23 1464856]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-16 135664]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2009-7-23 24876]

=============== Created Last 30 ================

2010-12-30 04:43:24 -------- d-----w- c:\program files\CCleaner
2010-12-29 20:58:22 -------- d-----w- c:\program files\common files\Adobe Systems Shared
2010-12-29 06:20:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 06:20:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-29 06:20:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-28 22:26:37 -------- d-----w- c:\docume~1\gcolte~1.brp\applic~1\Registry Mechanic
2010-12-28 22:20:47 -------- d-----w- c:\program files\common files\PC Tools
2010-12-24 16:50:48 -------- d-----w- c:\docume~1\gcolte~1.brp\applic~1\Office Genuine Advantage
2010-12-24 05:10:56 -------- d-----w- c:\program files\MSSOAP
2010-12-24 05:09:55 -------- d-----w- c:\program files\Webroot
2010-12-24 04:48:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-12-23 19:00:32 96600 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2010-12-21 17:15:12 -------- d-----w- c:\docume~1\gcolte~1.brp\applic~1\Zeon

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, https://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHW2160BH_PL rev.891F -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-12

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A2E2555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a2e87b0]; MOV EAX, [0x8a2e882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A2FBAB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000009a[0x8A2A79E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A318940]
\Driver\atapi[0x8A2A9030] -> IRP_MJ_CREATE -> 0x8A2E2555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-12 -> \??\IDE#DiskFUJITSU_MHW2160BH_PL____________________891F____#314b4e3037543239345443362020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A2E239B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 1:04:29.35 ===============
Attached Files
File Type: zip Attach.zip (5.8 KB, 15 views)
File Type: zip ark.zip (1.6 KB, 13 views)
blue9 is offline  
Old 12-30-2010, 08:53 AM   #2
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - ComboFix will not run until AVG is uninstalled. This is because AVG falsely detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first. You may do this through Control Panel > Add/Remove Programs or you can use this tool for a more complete removal:

Download AppRemover from here saving it to your desktop.
  • Double click to run AppRemover
  • Follow the prompts to remove AVG
  • Reboot
Once you've removed AVG with this tool please continue with these instructions
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log
RPMcMurphy is offline  
Old 12-30-2010, 06:54 PM   #3
Registered Member
 
Join Date: Jul 2009
Posts: 11
OS: xp



RPMcMurphy, many thanks for taking me on. Combofix.txt log is attached (sorry if that's incorrect and I should have pasted it in the body of the reply, but your reply didn't specify which way you wanted it).

In any event, I don't know if this makes a difference, but thought you might want to know that during the ComboFix scan process, I got a "PEV.exe - Application Error" pop up window (right after "Completed Stage 5"). It prompted me to either terminate the program or debug it. I did neither and just let ComboFix run. The pop-up window disappeared on its own right after ComboFix finished deleting the files.

Thanks in advance for your help.
Attached Files
File Type: txt ComboFix.txt (18.3 KB, 14 views)
blue9 is offline  
Old 12-30-2010, 07:07 PM   #4
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



blue9:

You can just post the logs from now on, thanks. Please do this next:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.
Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad). Copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above DDS::

Code:
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:50370
Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.




This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log
RPMcMurphy is offline  
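The two findings the helper acts on in this thread are the loopback ProxyServer entry in the DDS pseudo-HJT section (post #1) and the "detected hooks" / TDL3 warning in the ARK section, and the fix in post #4 is a CFScript whose DDS:: section names the proxy line to remove. The triage helper below is an added example, not code from the thread or from the DDS/ComboFix tools; it parses log lines in the format shown above (sample lines are constructed from this thread) and emits the DDS:: section in the form the helper posted.

```python
"""Triage helper for DDS pseudo-HJT and GMER-style ARK output (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input, copied in the format seen in this thread.
SAMPLE_DDS = """\
uInternet Settings,ProxyServer = http=127.0.0.1:50370
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\\progra~1\\spybot~1\\SDHelper.dll
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
"""

SAMPLE_ARK = """\
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8A2E239B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# A proxy that points back at the local machine is the pattern to flag:
# the user did not configure one, so something running locally is relaying
# (and can tamper with) the browser's traffic, e.g. blocking Windows Update.
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)$", re.IGNORECASE)

# DDS prefixes the key with 'u' (HKCU) or 'm' (HKLM).
PROXY_LINE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")


def parse_proxy_setting(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (scheme, host, port) for a DDS ProxyServer line, else None.

    The registry value is either 'HOST:PORT' or 'scheme=HOST:PORT'; the
    thread shows the second form ('http=127.0.0.1:50370').
    """
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    value = m.group(1).strip()
    scheme = "any"
    if "=" in value:
        scheme, value = value.split("=", 1)
    host, sep, port = value.rpartition(":")
    if not sep:  # no port present
        host, port = value, ""
    return scheme, host, port


def loopback_proxy_findings(dds_text: str) -> List[str]:
    """Return the DDS lines whose ProxyServer host is the local machine."""
    findings = []
    for line in dds_text.splitlines():
        parsed = parse_proxy_setting(line)
        if parsed and LOOPBACK.match(parsed[1]):
            findings.append(line.strip())
    return findings


def ark_findings(ark_text: str) -> Dict[str, List[str]]:
    """Collect hook lines listed under 'detected hooks:' and any 'Warning:' lines.

    Hook lines have the form '\\Driver\\name Routine -> 0xADDRESS'; the block
    ends at the first line without '->'.
    """
    hooks: List[str] = []
    warnings: List[str] = []
    in_hooks = False
    for raw in ark_text.splitlines():
        line = raw.strip()
        if line.lower() == "detected hooks:":
            in_hooks = True
            continue
        if line.lower().startswith("warning:"):
            warnings.append(line)
            in_hooks = False
            continue
        if in_hooks:
            if "->" in line:
                hooks.append(line)
            else:
                in_hooks = False
    return {"hooks": hooks, "warnings": warnings}


def build_cfscript(proxy_lines: List[str]) -> str:
    """Build the DDS:: section of a CFScript that removes the flagged entries,
    in the form posted in this thread (directive line, then one entry per line)."""
    if not proxy_lines:
        return ""
    return "DDS::\n" + "\n".join(proxy_lines) + "\n"


if __name__ == "__main__":
    proxies = loopback_proxy_findings(SAMPLE_DDS)
    print("Loopback proxy entries:", proxies)
    print("ARK:", ark_findings(SAMPLE_ARK))
    print(build_cfscript(proxies), end="")
```

A corporate proxy such as proxy.example.test:8080 is not flagged; only a host on the local machine is, which is what distinguishes the hijacked setting in this thread from a legitimate one.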
Old 12-30-2010, 08:27 PM   #5
Registered Member
 
Join Date: Jul 2009
Posts: 11
OS: xp



Here are the 2 logs:

2010/12/30 22:54:57.0828 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/30 22:54:57.0828 ================================================================================
2010/12/30 22:54:57.0828 SystemInfo:
2010/12/30 22:54:57.0828
2010/12/30 22:54:57.0828 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/30 22:54:57.0828 Product type: Workstation
2010/12/30 22:54:57.0828 ComputerName: GCOLTEA-LT
2010/12/30 22:54:57.0828 UserName: gcoltea
2010/12/30 22:54:57.0828 Windows directory: C:\WINDOWS
2010/12/30 22:54:57.0828 System windows directory: C:\WINDOWS
2010/12/30 22:54:57.0828 Processor architecture: Intel x86
2010/12/30 22:54:57.0828 Number of processors: 2
2010/12/30 22:54:57.0828 Page size: 0x1000
2010/12/30 22:54:57.0828 Boot type: Normal boot
2010/12/30 22:54:57.0828 ================================================================================
2010/12/30 22:54:57.0953 Initialize success
2010/12/30 22:55:05.0328 ================================================================================
2010/12/30 22:55:05.0328 Scan started
2010/12/30 22:55:05.0328 Mode: Manual;
2010/12/30 22:55:05.0328 ================================================================================
2010/12/30 22:55:15.0812 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/30 22:55:15.0921 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/30 22:55:16.0031 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/30 22:55:16.0125 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\WINDOWS\system32\DRIVERS\smcirda.sys
2010/12/30 22:55:16.0187 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/30 22:55:16.0265 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/30 22:55:16.0328 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/30 22:55:16.0421 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/30 22:55:16.0453 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/30 22:55:16.0609 SynTP (5876072999220ef2fba1ddec86d2b97e) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/12/30 22:55:16.0640 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/30 22:55:16.0796 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/30 22:55:16.0875 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/30 22:55:16.0921 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/30 22:55:16.0953 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/30 22:55:17.0046 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/30 22:55:17.0125 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/30 22:55:17.0203 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/30 22:55:17.0250 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/30 22:55:17.0312 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/30 22:55:17.0359 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/30 22:55:17.0390 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/30 22:55:17.0453 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/30 22:55:17.0531 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/30 22:55:17.0593 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/30 22:55:17.0640 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/30 22:55:17.0750 winachsf (be3a842c2f2e87e7c840d36bcf13e8e0) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/12/30 22:55:17.0828 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/12/30 22:55:17.0937 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/30 22:55:18.0000 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/30 22:55:18.0062 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/30 22:55:18.0062 ================================================================================
2010/12/30 22:55:18.0062 Scan finished
2010/12/30 22:55:18.0062 ================================================================================
2010/12/30 22:55:18.0093 Detected object count: 1
2010/12/30 22:56:08.0562 \HardDisk0 - will be cured after reboot
2010/12/30 22:56:08.0562 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/30 22:56:37.0234 Deinitialize success







ComboFix 10-12-30.01 - gcoltea 12/30/2010 23:13:38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1589 [GMT -5:00]
Running from: c:\documents and settings\gcoltea.BRPMANAGE\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\gcoltea.BRPMANAGE\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-31 )))))))))))))))))))))))))))))))
.

2010-12-30 07:27 . 2010-12-30 07:28 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-12-30 04:43 . 2010-12-30 04:43 -------- d-----w- c:\program files\CCleaner
2010-12-29 20:58 . 2010-12-29 20:58 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-12-29 06:20 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-29 06:20 . 2010-12-29 06:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-29 06:20 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-28 22:26 . 2010-12-29 07:39 -------- d-----w- c:\documents and settings\gcoltea.BRPMANAGE\Application Data\Registry Mechanic
2010-12-24 16:50 . 2010-12-24 16:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-12-24 16:50 . 2010-12-24 16:50 -------- d-----w- c:\documents and settings\gcoltea.BRPMANAGE\Application Data\Office Genuine Advantage
2010-12-24 05:10 . 2010-12-24 05:10 -------- d-----w- c:\program files\MSSOAP
2010-12-24 05:09 . 2010-12-24 05:09 -------- d-----w- c:\program files\Webroot
2010-12-24 04:48 . 2010-12-24 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-12-23 19:00 . 2010-12-23 19:09 96600 ----a-w- c:\windows\system32\drivers\idmtdi.sys
2010-12-21 17:15 . 2010-12-21 17:15 -------- d-----w- c:\documents and settings\gcoltea.BRPMANAGE\Application Data\Zeon
2010-12-20 18:55 . 2010-12-20 18:55 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-12-10 12:17 . 2010-12-10 12:17 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-12-08 18:35 . 2010-12-24 01:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-12-07 02:50 . 2010-12-07 02:51 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-31 02:42 . 2010-12-31 02:42 5856 ----a-w- C:\ComboFix.zip
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( [email protected]_02.27.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-31 03:57 . 2010-12-31 03:57 16384 c:\windows\Temp\Perflib_Perfdata_3a0.dat
+ 2004-08-04 12:00 . 2010-12-31 04:01 68558 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-12-31 02:12 68558 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-12-31 04:01 435828 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-12-31 02:12 435828 c:\windows\system32\perfh009.dat
+ 2009-08-04 19:06 . 2010-12-31 03:56 2060020 c:\windows\IntelliAdminRC3\Log.dat
- 2009-08-04 19:06 . 2010-12-31 02:06 2060020 c:\windows\IntelliAdminRC3\Log.dat
+ 2009-08-04 19:06 . 2010-12-31 03:56 2060020 c:\windows\IntelliAdminRC3\DebugLog.dat
- 2009-08-04 19:06 . 2010-12-31 02:06 2060020 c:\windows\IntelliAdminRC3\DebugLog.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2010-12-23 19:09 67168 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-28 39408]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-12-23 3274136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPWWANGSAssistant"="c:\swsetup\HPQWWAN\HPWWanGSAssistant.exe" [2007-02-26 3946040]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-07-14 126976]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-12-29 25214]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk
backup=c:\windows\pss\HP LaserJet Director.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 07:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atchk]
2007-11-09 20:18 408088 ----a-w- c:\program files\Intel\AMT\atchk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Quick Search Box]
2010-07-14 14:52 126976 ----a-w- c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP AutoIndexer]
2002-04-22 16:57 90112 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP SchedIndexer]
2002-04-22 16:56 94208 ----a-w- c:\program files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPWWANGSAssistant]
2007-02-26 15:07 3946040 ----a-w- c:\swsetup\HPQWWAN\HPWWanGSAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2010-12-23 18:37 3274136 ----a-w- c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-12-20 20:51 1187840 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
2006-03-09 21:38 806912 ----a-w- c:\windows\CREATOR\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scheduler]
2006-10-09 15:23 697976 ----a-w- c:\windows\SMINST\Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2006-07-13 11:12 729088 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2007-01-05 20:36 872448 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 16:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-07-28 03:59 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
2008-04-14 00:12 143360 ----a-w- c:\windows\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-01-12 13:36 827392 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Workshare Compare Standalone]
2009-07-23 13:18 1769472 ----a-w- c:\program files\Workshare\Compare\WMConfigAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PCA"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Workshare Protect Service"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Internet Download Manager\\IDMan.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\AdvancedDVDPlayer\\AdvancedDVDPlayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys [12/23/2010 2:00 PM 96600]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [7/23/2009 10:02 PM 86552]
R2 IntelliAdminRC3;IntelliAdminRC3;c:\windows\IntelliAdminRC3\Agent32.exe [8/4/2009 2:06 PM 2126304]
R2 SWIHPWMI;SWIHPWMI;c:\program files\HPQ\Shared\Sierra Wireless\Win32\Unicode\SWIHPWMI.exe [12/4/2006 3:13 PM 292384]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [7/23/2009 9:31 PM 1464856]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/16/2009 6:45 PM 135664]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [7/23/2009 10:01 PM 24876]
.
Contents of the 'Scheduled Tasks' folder

2010-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 23:45]

2010-12-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-16 23:45]

2010-12-31 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-12-31 c:\windows\Tasks\User_Feed_Synchronization-{9F74489C-3A5F-45A8-AD33-E36C66BDF951}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab
FF - ProfilePath - c:\documents and settings\gcoltea.BRPMANAGE\Application Data\Mozilla\Firefox\Profiles\0bi54c08.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs[email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: IDM CC: [email protected] - c:\documents and settings\gcoltea.BRPMANAGE\Application Data\IDM\idmmzcc3
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-12-30 23:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):4a,e4,ff,73,ce,0e,df,07,9b,6a,27,1d,98,7b,59,47,46,5d,59,e0,15,
0b,f3,c8,42,e3,01,53,25,de,18,a8,f3,bb,26,7e,22,89,cf,81,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{ad340d81-b318-4ff9-b693-5340e4acfd3a}]
@Denied: (Full) (Everyone)
"Model"=dword:0000008c
"Therad"=dword:00000015
"MData"=hex(0):e2,1a,ab,93,7c,5d,cf,d6,77,63,0d,2d,32,49,53,fe,3a,87,f3,e4,44,
a4,cc,69,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1388)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3388)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Internet Download Manager\IDMShellExt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-12-30 23:20:27
ComboFix-quarantined-files.txt 2010-12-31 04:20
ComboFix2.txt 2010-12-31 02:31

Pre-Run: 18,537,459,712 bytes free
Post-Run: 18,550,276,096 bytes free

- - End Of File - - B14E9FD4D95758035314F8F857780BF5
blue9 is offline  
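The two logs above carry the facts a responder reads first: TDSSKiller found Rootkit.Win32.TDSS.tdl4 on \HardDisk0 (a boot-sector infection, not a file) and recorded the "Cure" action, and ComboFix's "Reg Loading Points" section lists the firewall exceptions the host is carrying, including a globally open 3389:TCP. The script below is an added example, not part of blue9's post and not code from TDSSKiller or ComboFix; it parses constructed excerpts of those two logs (copied from the lines above) and turns them into a short findings list. The regular expressions assume the line layouts shown in the thread, and the mapping of port 3389/TCP to Remote Desktop is the editor's own annotation, not something the logs state.

```python
"""Triage helper for the scanner logs pasted in this thread.

Added example; not part of the original post and not code from
TDSSKiller or ComboFix. It extracts what the rootkit scanner detected
(and what was done about it) and which firewall exceptions the host is
carrying. The sample logs below are constructed from lines visible in
the thread.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines excerpted from the TDSSKiller log above.
TDSSKILLER_LOG = r"""
2010/12/30 22:55:18.0000 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/30 22:55:18.0062 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/30 22:55:18.0093 Detected object count: 1
2010/12/30 22:56:08.0562 \HardDisk0 - will be cured after reboot
2010/12/30 22:56:08.0562 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""

# Constructed sample: the firewall-policy sections of the ComboFix log above.
COMBOFIX_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [7/23/2009 10:02 PM 86552]
"""

# TDSSKiller lines start with "<date> <time>"; the scanned object follows.
DETECT_RE = re.compile(r"^\S+ \S+ (?P<obj>.+?) - detected (?P<name>\S+)")
ACTION_RE = re.compile(r"^\S+ \S+ (?P<name>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)")
SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")

# Editor's annotation (assumed, not from the logs): ports whose presence in
# GloballyOpenPorts deserves a second look after a boot-sector rootkit.
NOTEWORTHY_PORTS = {3389: "Remote Desktop"}


def tdsskiller_detections(log: str) -> List[Dict[str, object]]:
    """Return one record per detected object, joined with the action taken."""
    records: Dict[str, Dict[str, object]] = {}
    for line in log.splitlines():
        m = DETECT_RE.match(line)
        if m:
            obj = m.group("obj")
            records[obj] = {
                "object": obj,
                "name": m.group("name"),
                # \HardDiskN is the drive's boot sector, not a file on disk
                "boot_sector": obj.startswith("\\HardDisk"),
                "action": None,
            }
            continue
        m = ACTION_RE.match(line)
        if m and m.group("obj") in records:
            records[m.group("obj")]["action"] = m.group("action")
    return list(records.values())


def combofix_firewall(log: str) -> Tuple[List[str], List[Tuple[int, str]]]:
    """Return (authorized applications, globally open ports) from the
    firewallpolicy sections of ComboFix's 'Reg Loading Points' output."""
    apps: List[str] = []
    ports: List[Tuple[int, str]] = []
    section = None
    for line in log.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group("key").lower()
            if key.endswith("firewallpolicy\\standardprofile\\authorizedapplications\\list"):
                section = "apps"
            elif key.endswith("firewallpolicy\\standardprofile\\globallyopenports\\list"):
                section = "ports"
            else:
                section = None
            continue
        if section is None or not line.startswith('"'):
            continue
        value = line[1:line.index('"', 1)]            # text inside the quoted value name
        if section == "apps":
            apps.append(value.replace("\\\\", "\\"))  # REGEDIT4 doubles backslashes
        else:
            port, proto = value.split(":", 1)
            ports.append((int(port), proto.upper()))
    return apps, ports


def triage(tdss_log: str, combofix_log: str) -> List[str]:
    """Human-readable findings for whoever is reading the thread."""
    findings: List[str] = []
    for rec in tdsskiller_detections(tdss_log):
        where = "boot sector" if rec["boot_sector"] else "file"
        findings.append(f"{rec['name']} on {rec['object']} ({where}); action: {rec['action'] or 'none'}")
        if rec["boot_sector"] and rec["action"] != "Cure":
            findings.append("boot-sector infection not cured: rescan after reboot")
    apps, ports = combofix_firewall(combofix_log)
    for app in apps:
        findings.append(f"firewall exception for application: {app}")
    for port, proto in ports:
        label = NOTEWORTHY_PORTS.get(port, "unrecognised service")
        findings.append(f"firewall exception for inbound {port}/{proto} ({label}); confirm it is still needed")
    return findings


if __name__ == "__main__":
    for finding in triage(TDSSKILLER_LOG, COMBOFIX_LOG):
        print("-", finding)
```

Running it prints the TDL4 detection with its "Cure" action and one line per firewall exception; the 3389/TCP entry is called out because an inbound Remote Desktop exception is worth re-checking on a machine that has just had its boot sector rewritten by malware, whether or not it was originally opened on purpose.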
Old 12-30-2010, 09:49 PM   #6
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



blue9:

How is it running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java(TM) 6 Update 17 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes click the Details tab.
  • Copy and paste the contents of the C:\ProgramFiles\EsetOnlineScanner\log.txt into your next reply.
Please include the following in your next post:
  • MBAM log
  • ESET log
RPMcMurphy is offline  
Old 12-31-2010, 07:29 AM   #7
Registered Member
 
Join Date: Jul 2009
Posts: 11
OS: xp



RPMcMurphy: running beautifully; night and day difference. Can now leave internet connection on for more than 10 minutes without everything crapping out. Wow!!

Will post requested logs in a bit.

Thanks a million!!!
blue9 is offline  
Old 12-31-2010, 10:19 AM   #8
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



Great! I'll be looking for those logs.
RPMcMurphy is offline  
Old 12-31-2010, 11:16 AM   #9
Registered Member
 
Join Date: Jul 2009
Posts: 11
OS: xp



RPMcMurphy:

My Java Control Panel does not have an Update Tab, nor do any of the Tabs (General, Java, Security or Advanced) have any subtabs or links for an update. I went to Java.com and it told me that I have Version 6 Update 18 and it asked me if I wanted to download Version 6 Update 23. Should I do it that way? Just wanna make sure that I follow your instructions to the "t".

thnx
blue9 is offline  
Old 12-31-2010, 11:43 AM   #10
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



Doing it that way will work just fine. Thanks for checking first though.
RPMcMurphy is offline  
Old 12-31-2010, 12:13 PM   #11
Registered Member
 
Join Date: Jul 2009
Posts: 11
OS: xp



OK, slowly getting there. Java taken care of, but next step is acting up.

Upon double-clicking the MBAM icon on desktop, I get the following pop-up window: "vbAccelerator SGrid II Control" and text says: Run Time error "0". Upon clicking OK, I get the following pop-up window: "Malwarebyte's Anti-Malware" and text says "Run time error "440". When I click OK, I get my desktop again. I also tried to launch MBAM directly from Program Files. No luck. Program just won't launch. All other main programs seem to be working fine.

Should I delete existing copy of MBAM and do a fresh reinstall of the program? And if so, should I remove it with the AppRemover program you had me remove AVG with or just normally through the control panel add/remove programs?

thnx
blue9 is offline  
Old 12-31-2010, 12:59 PM   #12
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



Hi,

Try this:

Uninstall Malwarebytes via Control Panel > Add/Remove Programs
  • Reboot
  • Download the Malwarebytes Removal Tool
  • Double click on the utility to run it
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here
RPMcMurphy is offline  
Old 01-01-2011, 05:51 AM   #13
Registered Member
 
Join Date: Jul 2009
Posts: 11
OS: xp



RPMcMurphy, first and foremost, Happy New Year!

Alright, I'm finally getting a chance to post the MBAM and ESET scan logs that ran last night. See below. Watcha think?



Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5429

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/31/2010 4:34:48 PM
mbam-log-2010-12-31 (16-34-48).txt

Scan type: Quick scan
Objects scanned: 164129
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




[email protected] as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6419
# api_version=3.0.2
# EOSSerial=778bf8356c027d438b7b73b3ddbd2515
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-31 10:43:34
# local_time=2010-12-31 05:43:34 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=106491
# found=0
# cleaned=0
# scan_time=3760
blue9 is offline  
Old 01-01-2011, 09:58 AM   #14
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



blue9:

Your logs look good! Now I have some very important cleanup for you to take care of:

Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and paste the following text into the run box that opens and press OK:
    Combofix /Uninstall


Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • TDSSKiller
Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
Re-install an anti-virus program. Choose one (but no more) reputable AV program. If you need help choosing one, this site has good information. Avast, Avira and Microsoft all offer free AV products.

Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application current and updated. Also, hang on to MBAM. Scan with them at least weekly.
  • Please visit our General Computer Security Forum and review https://www.techsupportforum.com/f112...ed-525915.html for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!
RPMcMurphy is offline  
Old 01-01-2011, 10:21 PM   #15
Registered Member
 
Join Date: Jul 2009
Posts: 11
OS: xp



RPMcMurphy:

All is (finally) good; can't tell you how happy I am that this thread can be marked as resolved. Thanks again for all your help. I know you guys are volunteers, so a donation is on its way to keep up the good work.

All the best
blue9 is offline  
Old 01-02-2011, 09:05 AM   #16
Security Team
Analyst
 
Join Date: Dec 2009
Location: Michigan
Posts: 2,045
OS: Windows Vista / Win 7



You're welcome, blue9. Take care and thank you for donating.
RPMcMurphy is offline  