Tech Support Forum banner
Cancel

computer has a virus!

1267 Views 5 Replies 2 Participants Last post by  sjpritch25
M
I have did what this sites asked...

my computer has apop ups, and some virus... that resets my computer, when I go online...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-18 00:28:08
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MIKESE~1\LOCALS~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647BFE]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\System32\svchost.exe[1516] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
.text C:\WINDOWS\System32\svchost.exe[1516] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E0000A
.text C:\WINDOWS\Explorer.EXE[2092] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\Explorer.EXE[2092] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[2092] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
.text C:\WINDOWS\system32\wuauclt.exe[2568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[2568] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\wuauclt.exe[2568] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

---- EOF - GMER 1.0.15 ----



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 6/23/2009 9:24:49 PM
System Uptime: 7/17/2010 9:59:05 PM (2 hours ago)

Motherboard: ASUSTeK Computer Inc. | | P4P800SE
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | CPU 1 | 3198/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 149.088 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP340: 7/10/2010 2:15:21 AM - System Checkpoint
RP341: 7/11/2010 3:54:58 AM - System Checkpoint
RP342: 7/11/2010 7:29:54 PM - Installed 1CLICK DVD COPY PRO
RP343: 7/12/2010 6:17:26 PM - Installed Trend Micro RUBotted
RP344: 7/13/2010 7:15:54 PM - System Checkpoint
RP345: 7/14/2010 9:40:40 PM - System Checkpoint
RP346: 7/15/2010 8:18:57 AM - Avg Update
RP347: 7/15/2010 8:20:47 AM - Avg Update
RP348: 7/16/2010 8:28:39 AM - System Checkpoint
RP349: 7/17/2010 9:54:02 PM - Restore Operation

==== Installed Programs ======================

1Click DVD Copy Pro 4.2.2.0
7-Zip 4.65
Ad-Aware
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 9.3.3
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
AnyDVD
ATI Display Driver
AVG Free 9.0
Clean Virus MSN
Connect
ConvertXtoDVD 4.0.9.322
Critical Update for Windows Media Player 11 (KB959772)
DVD Shrink 3.2
DVD Suite
Google Earth Pro
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Java(TM) 6 Update 11
kuler
LightScribe System Software 1.10.27.1
LimeWire PRO 5.3.6
Logitech Gaming Software
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Media Player Codec Pack 3.6.0
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MSConfig CleanUp 1.2
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nero 7 Essentials
neroxml
NVIDIA Drivers
PDF Settings CS4
Photoshop Camera Raw
PowerDVD
PowerISO
PowerProducer
RegCure
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB982135)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Segoe UI
Sid Meier's Civilization 4
SoundMAX
Spybot - Search & Destroy
Suite Shared Configuration CS4
Trend Micro RUBotted
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb983486)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vuze
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
YouTube Downloader 2.5.6

==== Event Viewer Messages From Past Week ========

7/17/2010 9:47:02 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The system cannot find the file specified.
7/17/2010 9:47:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
7/17/2010 9:46:28 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
7/17/2010 9:38:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service NMIndexingService with arguments "" in order to run the server: {C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}
7/17/2010 11:00:00 PM, error: Schedule [7901] - The At98.job command failed to start due to the following error: %%2147942402
7/17/2010 11:00:00 PM, error: Schedule [7901] - The At74.job command failed to start due to the following error: %%2147942402
7/17/2010 11:00:00 PM, error: Schedule [7901] - The At50.job command failed to start due to the following error: %%2147942402
7/17/2010 11:00:00 PM, error: Schedule [7901] - The At146.job command failed to start due to the following error: %%2147942402
7/17/2010 11:00:00 PM, error: Schedule [7901] - The At122.job command failed to start due to the following error: %%2147942402
7/17/2010 10:48:00 PM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402
7/17/2010 10:00:00 PM, error: Schedule [7901] - The At97.job command failed to start due to the following error: %%2147942402
7/17/2010 10:00:00 PM, error: Schedule [7901] - The At73.job command failed to start due to the following error: %%2147942402
7/17/2010 10:00:00 PM, error: Schedule [7901] - The At49.job command failed to start due to the following error: %%2147942402
7/17/2010 10:00:00 PM, error: Schedule [7901] - The At145.job command failed to start due to the following error: %%2147942402
7/17/2010 10:00:00 PM, error: Schedule [7901] - The At121.job command failed to start due to the following error: %%2147942402
7/16/2010 12:06:25 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the service.
7/16/2010 12:05:55 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Lavasoft Ad-Aware Service service.
7/15/2010 9:06:10 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/15/2010 9:06:10 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
7/14/2010 5:00:00 PM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
7/14/2010 5:00:00 PM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
7/13/2010 8:10:35 PM, error: Dhcp [1002] - The IP address lease 67.215.48.71 for the Network Card with network address 0015F27DAA98 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
7/12/2010 7:19:30 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
7/11/2010 12:02:16 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/10/2010 9:46:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/10/2010 9:46:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX ElbyCDIO Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SCDEmu Tcpip
7/10/2010 9:46:28 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/10/2010 9:46:28 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/10/2010 9:46:28 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/10/2010 9:46:28 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/10/2010 11:02:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

==== End Of File ===========================

Attachments

See less See more
Save
Like
Status
Not open for further replies.
1 - 6 of 6 Posts
sjpritch25
Welcome to TSF :)

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
See less See more
Save
Like
M
ComboFix 10-07-19.01 - Mike Seenie 07/19/2010 22:14:51.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.963 [GMT -5:00]
Running from: c:\documents and settings\Mike Seenie\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mike Seenie\Application Data\3A3CA8A2B50F6F973468E809E9ED1CC7
c:\documents and settings\Mike Seenie\Application Data\3A3CA8A2B50F6F973468E809E9ED1CC7\enemies-names.txt
c:\documents and settings\Mike Seenie\Application Data\3A3CA8A2B50F6F973468E809E9ED1CC7\local.ini
c:\documents and settings\Mike Seenie\Application Data\inst.exe
c:\windows\alevivamebopevu.dll

.
((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-18 02:56 . 2010-07-18 02:56 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-17 23:46 . 2010-07-17 23:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-17 12:52 . 2010-07-17 12:52 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE
2010-07-16 00:19 . 2010-07-16 00:19 -------- d-----w- c:\documents and settings\Mike Seenie\Local Settings\Application Data\Sunbelt Software
2010-07-16 00:18 . 2010-07-16 00:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-16 00:17 . 2010-07-16 00:31 -------- d-----w- c:\windows\SxsCaPendDel
2010-07-15 13:20 . 2010-07-15 13:20 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-12 23:17 . 2008-03-02 08:28 206608 ----a-w- c:\windows\system32\drivers\TMPassthru.sys
2010-07-12 23:16 . 2010-07-12 23:16 -------- d-----w- c:\documents and settings\Mike Seenie\Application Data\InstallShield
2010-07-12 23:01 . 2010-07-12 23:01 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-07-10 04:40 . 2010-07-20 02:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-10 04:32 . 2010-07-10 04:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-30 12:58 . 2008-04-13 17:45 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-30 12:58 . 2008-04-13 17:45 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-06-30 12:58 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-06-30 12:58 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 14:04 . 2009-06-24 06:02 -------- d-----w- c:\documents and settings\Mike Seenie\Application Data\Vso
2010-07-19 11:50 . 2009-06-24 05:11 -------- d-----w- c:\documents and settings\Mike Seenie\Application Data\Azureus
2010-07-19 03:56 . 2009-06-24 06:04 -------- d-----w- c:\documents and settings\All Users\Application Data\1Click DVD Copy Pro
2010-07-17 21:53 . 2010-07-17 12:49 112 ----a-w- c:\documents and settings\All Users\Application Data\FfANHV.dat
2010-07-16 03:49 . 2010-04-14 04:26 -------- d-----w- c:\program files\DVDFab 7
2010-07-16 03:49 . 2009-06-24 06:02 47360 ----a-w- c:\documents and settings\Mike Seenie\Application Data\pcouffin.sys
2010-07-16 03:49 . 2009-06-24 06:02 47360 ----a-w- c:\documents and settings\Mike Seenie\Application Data\pcouffin.sys
2010-07-16 00:16 . 2010-04-24 03:21 -------- d-----w- c:\program files\Lavasoft
2010-07-15 13:20 . 2010-07-15 13:20 242896 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2010-07-15 13:20 . 2010-07-15 13:20 216200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys
2010-07-15 13:20 . 2009-06-24 02:29 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:19 . 2009-06-24 02:29 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-15 13:18 . 2010-07-15 13:18 1690464 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2010-07-15 13:18 . 2010-07-15 13:18 1038688 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2010-07-15 13:18 . 2010-07-15 13:18 813336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll
2010-07-15 13:18 . 2010-07-15 13:18 624920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2010-07-12 23:17 . 2009-06-24 02:32 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-12 23:17 . 2009-06-28 22:45 -------- d-----w- c:\program files\Trend Micro
2010-07-12 08:56 . 2010-07-16 00:18 2979280 -c--a-w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-12 08:55 . 2010-04-24 03:29 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-12 08:55 . 2010-05-15 14:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-12 00:26 . 2009-06-24 06:02 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-07-11 02:29 . 2010-03-02 20:14 -------- d-----w- c:\program files\nLite
2010-06-25 15:11 . 2009-06-24 06:15 -------- d-----w- c:\documents and settings\Mike Seenie\Application Data\LimeWire
2010-06-21 22:27 . 2010-01-06 13:46 -------- d-----w- c:\program files\Brother
2010-06-21 22:27 . 2010-05-22 16:56 -------- d-----w- c:\program files\Windows Desktop Search
2010-06-21 22:19 . 2009-12-15 18:33 -------- d-----w- c:\program files\Unity
2010-06-12 19:49 . 2010-06-12 19:49 -------- d-----w- c:\program files\YouTube Downloader
2010-06-10 04:09 . 2009-06-24 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-06-02 13:36 . 2009-06-24 02:29 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-22 16:59 . 2010-04-17 19:56 -------- d-----w- c:\documents and settings\Mike Seenie\Application Data\DNA
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 20:39 . 2009-06-24 02:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 20:39 . 2009-06-24 02:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-24 03:29 . 2010-04-24 03:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 13:20 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TMRUBottedTray]
2008-11-06 16:33 288088 ----a-w- c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [4/23/2010 10:29 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/23/2009 9:29 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/23/2009 9:29 PM 243024]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 8:20 AM 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 3:55 AM 1352832]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [7/12/2010 6:17 PM 582992]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [7/12/2010 6:17 PM 206608]
S0 tmicfxk;tmicfxk;c:\windows\system32\drivers\arrk.sys --> c:\windows\system32\drivers\arrk.sys [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [7/12/2010 6:17 PM 206608]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-12-05 18:27 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-07-20 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 08:55]

2010-07-20 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]

2010-07-15 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Adobe_e710050f58773df9fb3ad333fd37d30 - c:\program files\Common Files\Adobe\Installers\e710050f58773df9fb3ad333fd37d30\Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 22:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89C2978A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> ntoskrnl.exe @ 0x805c3d35
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> 0x89c8fae0
PacketIndicateHandler -> NDIS.sys @ 0xf7459a21
SendHandler -> NDIS.sys @ 0xf743787b
copy of MBR has been found in sector 0x03A380D80
malicious code @ sector 0x03A380D83 !
PE file found in sector at 0x03A380D99 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1056)
c:\windows\system32\Ati2evxx.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(140)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-07-19 22:27:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-20 03:27

Pre-Run: 231,846,932,480 bytes free
Post-Run: 231,926,611,968 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 8CE2078E03D7DEF7B8966E8E41B8067E
See less See more
Save
Like
sjpritch25
Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs.
  • Double-Click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
  • A window will open on your desktop.
  • if an unknown bootcode is found you will have further options available to you, at this time press N the press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • In your next reply, please include the log from MBRChecker.
Thanks
Save
Like
M
MBRCheck, version 1.1.1

(c) 2010, AD



\\.\C: --> \\.\PhysicalDrive0



Size Device Name MBR Status

--------------------------------------------

465 GB \\.\PhysicalDrive0 Unknown MBR code





Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:



Done! Press ENTER to exit...
See less See more
Save
Like
sjpritch25
Sorry for the delay

Looks like you have one of the latest rootkit infections.


Download TDSSKiller and extract TDSSKiller.exe to your desktop.
  • Double-Click on TDSSKiller.exe to run the tool.
  • You may be prompted to restart your machine. Type Y at the prompt.
Once complete, a log will be produced on your root drive (typically C:\).

For Example C:\TDSSKiller.2.3.0.0_24.05.2010_15.31.43_log.txt
See less See more
Save
Like
1 - 6 of 6 Posts
Status
Not open for further replies.
Tech Support Forum
A forum community dedicated to tech experts and enthusiasts. Come join the discussion about articles, computer security, Mac, Microsoft, Linux, hardware, networking, gaming, reviews, accessories, and more!
Full Forum Listing
Explore Our Forums
Windows XP Support Windows 7 , Windows Vista Support Motherboards, Bios|UEFI & CPU Networking Support Laptop Support

Top Contributors this Month

View All
spunk.funk
Gary R
SpywareDr
Recommended Communities
Community avatar for SkyscraperCity
SkyscraperCity
1M+ members
Community avatar for AVS Forum
AVS Forum
1M+ members
Community avatar for Climbing
Climbing
NEW!
30+ members
Top