954,249 Members — Technology Publication meets Social Media
Username:
Password:
Lost login information?
Have something to say? Contribute New Article Reply to this Article
1 Year Ago
0

Virus - Programs hidden, malfunctioning

Hello, I think I've acquired a virus(es) in the past few days. Some of the symptoms:

- Programs missing in the Start > All Programs. I can still open them if I go into the C: drive and look for them.
- Some of the icons on my desktop disappeared.
- Some of the programs aren't functioning properly.
- Ad-ware pops up randomly on a new tab while browsing firefox.
- Theme reverted to classic and audio gone.
- Internet became inaccessible.

After reading the 'read me...' thread and following the steps described, some things changed. The theme is back to XP, audio is there again, and I can access the internet. The rest remains the same. Following are the logs from running the programs suggested in the 'read me...' thread. The only one I couldn't get to work was DDS.scr. Every time I double-clicked it, it would open in notepad and just have some strange characters.

-------------------------------------------------------------------------
Malwarebytes' Log -



Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org
 

Database version: 6586
 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702
 

5/17/2011 3:47:08 PM

mbam-log-2011-05-17 (15-47-08).txt
 

Scan type: Full scan (C:\|)

Objects scanned: 288053

Time elapsed: 1 hour(s), 49 minute(s), 43 second(s)
 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1
 

Memory Processes Infected:

(No malicious items detected)
 

Memory Modules Infected:

(No malicious items detected)
 

Registry Keys Infected:

(No malicious items detected)
 

Registry Values Infected:

(No malicious items detected)
 

Registry Data Items Infected:

(No malicious items detected)
 

Folders Infected:

(No malicious items detected)
 

Files Infected:

c:\system volume information\_restore{8d5b6624-8d4a-485d-94f6-b6b0983f526a}\RP187\A0046579.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.


GMER One -



GMER 1.0.15.15627 - http://www.gmer.net

Rootkit quick scan 2011-05-17 13:09:26

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.1.0.

Running: zs7u7flp.exe; Driver: C:\DOCUME~1\Ismael\LOCALS~1\Temp\kflcyfoc.sys
 
 

---- Disk sectors - GMER 1.0.15 ----
 

Disk            \Device\Harddisk0\DR0        TDL4@MBR code has been found                                                                      <-- ROOTKIT !!!

Disk            \Device\Harddisk0\DR0        sector 00: rootkit-like behavior
 

---- Devices - GMER 1.0.15 ----
 

AttachedDevice  \FileSystem\Ntfs \Ntfs       AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

AttachedDevice  \FileSystem\Fastfat \Fat     fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice  \FileSystem\Fastfat \Fat     AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

AttachedDevice  \Driver\Tcpip \Device\Ip     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice  \Driver\Tcpip \Device\Tcp    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice  \Driver\Tcpip \Device\Udp    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice  \Driver\Tcpip \Device\RawIp  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
 

---- EOF - GMER 1.0.15 ----


GMER Two -



GMER 1.0.15.15627 - http://www.gmer.net

Rootkit scan 2011-05-17 13:41:27

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 Intel___ rev.1.0.

Running: zs7u7flp.exe; Driver: C:\DOCUME~1\Ismael\LOCALS~1\Temp\kflcyfoc.sys
 
 

---- System - GMER 1.0.15 ----
 

SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwOpenProcess [0xA4745738]

SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateProcess [0xA47457DC]

SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateThread [0xA4745878]

SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwWriteVirtualMemory [0xA4745914]
 

---- Devices - GMER 1.0.15 ----
 

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                      AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                   avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                   avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                    fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                    AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
 

---- Disk sectors - GMER 1.0.15 ----
 

Disk            \Device\Harddisk0\DR0                                                                                                       TDL4@MBR code has been found                                                                      <-- ROOTKIT !!!

Disk            \Device\Harddisk0\DR0                                                                                                       sector 00: rootkit-like behavior
 

---- EOF - GMER 1.0.15 ----


Any help would be greatly appreciated. Thanks!

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 
1 Year Ago
0

Have you tried running DDS in safe mode?

Whoops! Do this first:
Download the following zip file:

http://support.kaspersky.com/downloads/utils/tdsskiller.zip
extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);
Run the TDSSKiller.exe file;
Make sure there are check marks in both boxes, Services and Drivers and Boot Sectors.
Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed .
If the utility detects an infection with the MBR bootkit, it will report the it has detected an infected object type “Physical drive” and prompt for action:

Cure. This action is only available if the utility has identified the exact type of the bootkit.
If it has detected an unknown bootkit, it will be reported as Rootkit.Win32.BackBoot.gen.
Skip.
Copy to quarantine. The utility quarantines the infected MBR.
Restore. The utility restores a standard MBR.
Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed .
Post back with the log.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

Thanks for the reply. I ran the TDSSKiller.exe file and here is the log -



2011/05/17 20:18:03.0046 0532	TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29

2011/05/17 20:18:03.0453 0532	================================================================================

2011/05/17 20:18:03.0453 0532	SystemInfo:

2011/05/17 20:18:03.0453 0532	

2011/05/17 20:18:03.0453 0532	OS Version: 5.1.2600 ServicePack: 3.0

2011/05/17 20:18:03.0453 0532	Product type: Workstation

2011/05/17 20:18:03.0453 0532	ComputerName: GBMCPRECISION

2011/05/17 20:18:03.0453 0532	UserName: Ismael

2011/05/17 20:18:03.0453 0532	Windows directory: C:\WINDOWS

2011/05/17 20:18:03.0453 0532	System windows directory: C:\WINDOWS

2011/05/17 20:18:03.0453 0532	Processor architecture: Intel x86

2011/05/17 20:18:03.0453 0532	Number of processors: 2

2011/05/17 20:18:03.0453 0532	Page size: 0x1000

2011/05/17 20:18:03.0453 0532	Boot type: Normal boot

2011/05/17 20:18:03.0453 0532	================================================================================

2011/05/17 20:18:03.0750 0532	Initialize success

2011/05/17 20:18:19.0468 3232	================================================================================

2011/05/17 20:18:19.0468 3232	Scan started

2011/05/17 20:18:19.0468 3232	Mode: Manual; 

2011/05/17 20:18:19.0468 3232	================================================================================

2011/05/17 20:18:22.0093 3232	ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/17 20:18:22.0203 3232	ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/05/17 20:18:22.0375 3232	ADM8511         (b05f2367f62552a2de7e3c352b7b9885) C:\WINDOWS\system32\DRIVERS\ADM8511.SYS

2011/05/17 20:18:22.0531 3232	aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/17 20:18:22.0609 3232	AFD             (38d7b715504da4741df35e3594fe2099) C:\WINDOWS\System32\drivers\afd.sys

2011/05/17 20:18:22.0953 3232	AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/17 20:18:23.0031 3232	atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/17 20:18:23.0140 3232	ati2mtag        (8a1a80ef7455244530b117eead8a427f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/05/17 20:18:23.0343 3232	Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/17 20:18:23.0437 3232	audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/17 20:18:23.0531 3232	AVGIDSDriver    (c403e7f715bb0a851a9dfae16ec4ae42) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys

2011/05/17 20:18:23.0625 3232	AVGIDSEH        (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys

2011/05/17 20:18:23.0671 3232	AVGIDSFilter    (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys

2011/05/17 20:18:23.0734 3232	AVGIDSShim      (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys

2011/05/17 20:18:23.0828 3232	Avgldx86        (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys

2011/05/17 20:18:23.0906 3232	Avgmfx86        (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys

2011/05/17 20:18:23.0937 3232	Avgrkx86        (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys

2011/05/17 20:18:24.0031 3232	Avgtdix         (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys

2011/05/17 20:18:24.0093 3232	b57w2k          (8c0403aa21029804f31d869e6b0adedf) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2011/05/17 20:18:24.0187 3232	Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/17 20:18:24.0359 3232	cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/17 20:18:24.0406 3232	Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/17 20:18:24.0468 3232	Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/17 20:18:24.0500 3232	Cdrom           (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/17 20:18:24.0796 3232	Disk            (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/17 20:18:24.0859 3232	dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/17 20:18:24.0953 3232	dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/17 20:18:25.0000 3232	dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/17 20:18:25.0109 3232	DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/17 20:18:25.0234 3232	drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/17 20:18:25.0375 3232	Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/17 20:18:25.0453 3232	Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/05/17 20:18:25.0484 3232	Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/17 20:18:25.0500 3232	Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/05/17 20:18:25.0593 3232	FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/05/17 20:18:25.0671 3232	Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/17 20:18:25.0734 3232	Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/17 20:18:25.0796 3232	GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/05/17 20:18:25.0843 3232	Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/17 20:18:25.0921 3232	grmnusb         (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys

2011/05/17 20:18:26.0046 3232	HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/05/17 20:18:26.0109 3232	hidusb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/17 20:18:26.0234 3232	HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/17 20:18:26.0453 3232	i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/17 20:18:26.0546 3232	iaStor          (1c77a81756d4777ccb0425ae8107fe96) C:\WINDOWS\system32\drivers\iaStor.sys

2011/05/17 20:18:26.0640 3232	Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/17 20:18:26.0750 3232	intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/17 20:18:26.0796 3232	Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/05/17 20:18:26.0859 3232	IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/17 20:18:26.0890 3232	IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/17 20:18:26.0921 3232	IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/17 20:18:26.0968 3232	IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/17 20:18:27.0031 3232	IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/17 20:18:27.0125 3232	isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/17 20:18:27.0218 3232	Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/17 20:18:27.0312 3232	kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2011/05/17 20:18:27.0406 3232	kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/17 20:18:27.0453 3232	KSecDD          (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/17 20:18:27.0578 3232	mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/17 20:18:27.0671 3232	Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/05/17 20:18:27.0734 3232	Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/17 20:18:27.0781 3232	mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/17 20:18:27.0796 3232	MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/17 20:18:27.0875 3232	MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/17 20:18:27.0953 3232	MRxSmb          (fb7dfd15d760ad339837a470f0e780d3) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/17 20:18:28.0046 3232	Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/17 20:18:28.0125 3232	MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/17 20:18:28.0281 3232	MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/17 20:18:28.0375 3232	MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/17 20:18:28.0468 3232	mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/17 20:18:28.0531 3232	Mup             (6546fe6639499fa4bef180bdf08266a1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/17 20:18:28.0578 3232	NCFilter        (d7ca89d05e30d65eb4fa4de2b2b3a5a2) C:\WINDOWS\system32\DRIVERS\NCFilter.sys

2011/05/17 20:18:28.0640 3232	NCRecognizer    (de11895ccde844433ff23ecf1ebee34a) C:\WINDOWS\system32\DRIVERS\NCRecognizer.sys

2011/05/17 20:18:28.0671 3232	NCUncFilter     (17cdb953854b7595aae080ce3826f0ce) C:\WINDOWS\system32\DRIVERS\NCUncFilter.sys

2011/05/17 20:18:28.0750 3232	NDIS            (b5b1080d35974c0e718d64280761bcd5) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/17 20:18:28.0828 3232	NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/17 20:18:28.0875 3232	Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/17 20:18:28.0906 3232	NdisWan         (b053a8411045fd0664b389a090cb2bbc) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/17 20:18:28.0937 3232	NDProxy         (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/17 20:18:28.0984 3232	NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/17 20:18:29.0078 3232	NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/17 20:18:29.0156 3232	NetwareWorkstation (78e0d2b781410dcdbbe5c8c39d158f9c) C:\WINDOWS\system32\NetWare\nwfs.sys

2011/05/17 20:18:29.0234 3232	NICM            (d686538f37dff96042047930650ac88d) C:\WINDOWS\system32\drivers\nicm.sys

2011/05/17 20:18:29.0359 3232	Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/17 20:18:29.0406 3232	Ntfs            (a0857c97770034fd2af17dc4014b5abd) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/17 20:18:29.0484 3232	Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/17 20:18:29.0531 3232	NWDHCP          (a4b071419e0ea596ffb3da89c1f04e61) C:\WINDOWS\system32\NetWare\nwdhcp.sys

2011/05/17 20:18:29.0562 3232	NWDNS           (536b713500ff0011f1df72f780643db9) C:\WINDOWS\system32\NetWare\nwdns.sys

2011/05/17 20:18:29.0593 3232	NWHOST          (baa75acf404bebce7065663664a7c3e4) C:\WINDOWS\system32\NetWare\NWHOST.sys

2011/05/17 20:18:29.0640 3232	NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/17 20:18:29.0687 3232	NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/17 20:18:29.0734 3232	NWSAP           (2726a6792bbb080ff345ed9a8111360f) C:\WINDOWS\system32\NetWare\NWSAP.sys

2011/05/17 20:18:29.0828 3232	NWSIPX32        (e00b0349cc3921225ad60728230d78be) C:\WINDOWS\system32\NetWare\nwsipx32.sys

2011/05/17 20:18:29.0875 3232	NWSLP           (2c69a3258f9477a13e7cd29f6a8696e8) C:\WINDOWS\system32\NetWare\nwslp.sys

2011/05/17 20:18:29.0984 3232	NWSNS           (172308996609da67e99c87fa784df8bc) C:\WINDOWS\system32\NetWare\NWSNS.sys

2011/05/17 20:18:30.0093 3232	Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/05/17 20:18:30.0125 3232	PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/17 20:18:30.0171 3232	ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/17 20:18:30.0234 3232	PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/17 20:18:30.0359 3232	PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/05/17 20:18:30.0406 3232	Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/05/17 20:18:30.0656 3232	PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/17 20:18:30.0750 3232	PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/17 20:18:30.0796 3232	Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/17 20:18:30.0968 3232	RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/17 20:18:31.0046 3232	Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/17 20:18:31.0140 3232	RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/17 20:18:31.0187 3232	Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/17 20:18:31.0250 3232	Rdbss           (9629383f70db691cb6aa5bbd828cd9a9) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/17 20:18:31.0296 3232	RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/17 20:18:31.0375 3232	rdpdr           (3a99642ed25a2fad5b0ba55f09ba2f93) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/05/17 20:18:31.0484 3232	RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/17 20:18:31.0593 3232	redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/05/17 20:18:31.0671 3232	RESMGR          (382ec29aa5bbd5ea7e959167f9cdada2) C:\WINDOWS\system32\NetWare\resmgr.sys

2011/05/17 20:18:31.0781 3232	rspndr          (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys

2011/05/17 20:18:31.0890 3232	Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/17 20:18:31.0953 3232	serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2011/05/17 20:18:31.0984 3232	Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2011/05/17 20:18:32.0031 3232	Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

2011/05/17 20:18:32.0140 3232	splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/17 20:18:32.0218 3232	sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/17 20:18:32.0328 3232	Srv             (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/17 20:18:32.0406 3232	SRVLOC          (ff5937fc4b1cf71cc009f7e5d7aaa875) C:\WINDOWS\system32\NetWare\srvloc.sys

2011/05/17 20:18:32.0562 3232	STHDA           (9db5dbed65f2d74acd1d20a53898af79) C:\WINDOWS\system32\drivers\sthda.sys

2011/05/17 20:18:32.0687 3232	swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/17 20:18:32.0765 3232	swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/17 20:18:32.0906 3232	sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/17 20:18:32.0984 3232	Tcpip           (ad978a1b783b5719720cff204b666c8e) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/17 20:18:33.0093 3232	TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/17 20:18:33.0187 3232	TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/17 20:18:33.0265 3232	TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/17 20:18:33.0406 3232	Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/17 20:18:33.0562 3232	Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/17 20:18:33.0656 3232	usbccgp         (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/17 20:18:33.0718 3232	usbehci         (152ee0baa614388273a0b9ae9c9fd5a0) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/17 20:18:33.0781 3232	usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/17 20:18:33.0843 3232	usbstor         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/17 20:18:33.0906 3232	usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/17 20:18:33.0984 3232	VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/17 20:18:34.0031 3232	VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/17 20:18:34.0093 3232	Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/17 20:18:34.0265 3232	wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/17 20:18:34.0375 3232	\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/05/17 20:18:34.0375 3232	================================================================================

2011/05/17 20:18:34.0375 3232	Scan finished

2011/05/17 20:18:34.0375 3232	================================================================================

2011/05/17 20:18:34.0375 1792	Detected object count: 1

2011/05/17 20:19:27.0875 1792	\HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/05/17 20:19:27.0875 1792	\HardDisk0 - ok

2011/05/17 20:19:27.0875 1792	Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure 

2011/05/17 20:19:33.0687 2892	Deinitialize success

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 
1 Year Ago
0

Did you reboot?

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

Yes.

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 
1 Year Ago
0

Just had to be sure, sometimes people don't do the rebooting they need to do.
Now do the following:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

You must download it to and run it from your Desktop
.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Post back here with that log.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

Oh wow, the icons and programs are no longer hidden. Thanks for the help so far. Here's the log -

ComboFix -



ComboFix 11-05-17.03 - Ismael 05/18/2011  11:44:32.1.2 - x86

Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1463 [GMT -5:00]

Running from: c:\documents and settings\Ismael\Desktop\ComboFix.exe

.

.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Ismael\2gweorjqjutp92vjy9gake

c:\documents and settings\Ismael\Application Data\Adobe\plugs

c:\documents and settings\Ismael\Application Data\Adobe\shed

c:\documents and settings\Ismael\Application Data\Adobe\shed\thr1.chm

c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}

c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}\chrome.manifest

c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}\chrome\content\_cfg.js

c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}\chrome\content\overlay.xul

c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}\install.rdf

c:\windows\system32\regobj.dll

.

.

(((((((((((((((((((((((((   Files Created from 2011-04-18 to 2011-05-18  )))))))))))))))))))))))))))))))

.

.

2011-05-18 00:35 . 2011-05-18 00:35	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer

2011-05-18 00:35 . 2011-05-18 00:35	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Apple Computer

2011-05-16 22:09 . 2011-05-16 22:09	--------	d-----w-	c:\windows\system32\NtmsData

2011-05-13 14:04 . 2011-05-16 23:19	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-05-13 04:10 . 2011-05-13 04:10	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-05-13 01:24 . 2011-05-13 01:24	--------	d-sh--w-	c:\documents and settings\NetworkService\IETldCache

2011-05-13 01:09 . 2011-05-13 01:09	0	----a-w-	c:\windows\Epecuteboyo.bin

2011-05-12 20:12 . 2011-05-13 01:07	--------	d-----w-	c:\documents and settings\All Users\Application Data\dN28275EiBeD28275

.

.

.

((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2010-12-13 23:49	692736	----a-w-	c:\windows\system32\inetcomm.dll

2011-03-04 06:37 . 2008-07-22 22:50	420864	----a-w-	c:\windows\system32\vbscript.dll

2011-03-03 13:27 . 2008-07-22 22:50	1866880	----a-w-	c:\windows\system32\win32k.sys

2011-02-22 23:06 . 2008-07-22 22:50	916480	----a-w-	c:\windows\system32\wininet.dll

2011-02-22 23:06 . 2008-07-22 22:49	43520	------w-	c:\windows\system32\licmgr10.dll

2011-02-22 23:06 . 2008-07-22 22:48	1469440	------w-	c:\windows\system32\inetcpl.cpl

2011-02-22 11:41 . 2008-07-22 22:48	385024	----a-w-	c:\windows\system32\html.iec

1997-07-22 02:30	1045776	--sha-w-	c:\windows\system32\Msjet35.dll

1997-06-23 10:00	123664	--sha-w-	c:\windows\system32\Msjint35.dll

1997-06-23 19:06	24848	--sha-w-	c:\windows\system32\Msjter35.dll

1997-06-23 19:06	252176	--sha-w-	c:\windows\system32\Msrd2x35.dll

1997-06-23 19:06	287504	--sha-w-	c:\windows\system32\Msxbse35.dll

.

.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown 

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Novell Messenger"="c:\novell\Messenger\NMCL32.exe" [2007-09-05 1417293]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2006-04-26 143360]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-15 344064]

"Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2006-04-20 61526]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http:" [X]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-12-16 25214]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"CompatibleRUPSecurity"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=

"c:\\Program Files\\Novell\\GroupWise\\grpwise.exe"=

"c:\\Program Files\\Novell\\GroupWise\\notify.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=

"c:\\Program Files\\ArcGIS\\Bin\\ArcMap.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1040:TCP"= 1040:TCP:Akamai NetSession Interface

"5000:UDP"= 5000:UDP:Akamai NetSession Interface

.

R0 NCFilter;Novell UNC Path Filter - Filter;c:\windows\system32\drivers\ncfilter.sys [11/18/2010 1:10 PM 80000]

R0 NCRecognizer;Novell UNC Path Filter - Recognizer;c:\windows\system32\drivers\ncrecognizer.sys [11/18/2010 1:10 PM 90240]

R0 NCUncFilter;Novell UNC Path Filter - UNC Filter;c:\windows\system32\drivers\ncuncfilter.sys [11/18/2010 1:10 PM 14720]

R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 5:42 AM 14336]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2010 9:17 AM 136176]

S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [12/14/2010 9:05 AM 20160]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2010 9:17 AM 136176]

S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

Akamai	REG_MULTI_SZ   	Akamai

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

.

2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 14:17]

.

2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 14:17]

.

2011-05-18 c:\windows\Tasks\User_Feed_Synchronization-{B8DC2A4A-382B-4BFD-B98F-BA578BD2CEE8}.job

- c:\windows\system32\msfeedssync.exe [2008-07-22 10:31]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Ismael\Application Data\Mozilla\Firefox\Profiles\bgeo5x1w.default\

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

.

.

------- File Associations -------

.

.scr=AutoCADScriptFile

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-18 11:52

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...  

.

scanning hidden autostart entries ... 

.

scanning hidden files ...  

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(764)

c:\windows\system32\NETWIN32.DLL

c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL

.

- - - - - - - > 'Explorer.exe'(4084)

c:\windows\system32\WININET.dll

c:\windows\system32\AcSignIcon.dll

c:\windows\system32\ieframe.dll

c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\windows\system32\msi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe

c:\program files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe

c:\windows\system32\wscntfy.exe

c:\windows\stsystra.exe

c:\windows\system32\NWTRAY.EXE

c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-05-18  11:56:18 - machine was rebooted

ComboFix-quarantined-files.txt  2011-05-18 16:56

.

Pre-Run: 444,515,352,576 bytes free

Post-Run: 447,567,310,848 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 1FFB78F2DB8E0D42491B3D113D18276B

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 
1 Year Ago
0

Give me a bit to go through this log and I will get back to you if further steps are needed with Combofix. In the meantime, do the following:

Update MBA-M and do a Full Scan with it. Have it remove everything found. Reboot.

Then Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer or you may use Firefox to complete this scan and you will need to allow an Active X to be installed
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back here with both of those logs.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

I would also like you to try to run the DDS Scanner again. If it won't run in normal mode then please give it a try in safe mode.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

Alright, here are both of the logs:

Malwarebyte's Log -



Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org
 

Database version: 6612
 

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702
 

5/18/2011 7:10:59 PM

mbam-log-2011-05-18 (19-10-59).txt
 

Scan type: Full scan (C:\|)

Objects scanned: 283565

Time elapsed: 2 hour(s), 21 minute(s), 7 second(s)
 

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0
 

Memory Processes Infected:

(No malicious items detected)
 

Memory Modules Infected:

(No malicious items detected)
 

Registry Keys Infected:

(No malicious items detected)
 

Registry Values Infected:

(No malicious items detected)
 

Registry Data Items Infected:

(No malicious items detected)
 

Folders Infected:

(No malicious items detected)
 

Files Infected:

(No malicious items detected)


ESET Log -



ESETSmartInstaller@High as downloader log:

all ok

# version=7

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=2554cee087e6e742bcff95d42b99946f

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-05-19 01:51:46

# local_time=2011-05-18 08:51:46 (-0600, Central Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 12511451 12511451 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=121117

# found=1

# cleaned=1

# scan_time=2828

C:\System Volume Information\_restore{8D5B6624-8D4A-485D-94F6-B6B0983F526A}\RP187\A0046578.dll	a variant of Win32/Kryptik.NRV trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C



I will now run the DDS scanner to see if it works in normal or safe mode.

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 
1 Year Ago
0

There seems to be a message at the top of the document when I try to open the DDS scanner that reads: [This program cannot be run in DOS mode.] It happens in both normal and safe mode.

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 
1 Year Ago
0

Did you set this file association as seen in your combofix log?



------- File Associations -------

.

<strong>.scr</strong>=AutoCADScriptFile

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

That's how it appeared when I downloaded it. Do I need to change it?

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 
1 Year Ago
0

That's how what appeared when you downloaded it?

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

Yes. I didn't mess with it at all.

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 
1 Year Ago
0

I asked you what was it you downloaded not if you "messed" with it.
I am trying to figure out why the DDS scanner won't run.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

Do you have AutoCad on the computer? This is what is causing DDS to stop running.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

I downloaded DDS by sUBs that's linked in the "Read me..." thread. Yes, I have AutoCAD installed on this computer. Is there a way to run it without having to uninstall AutoCAD?

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 
1 Year Ago
0

Probably not.
Is the computer working correctly?

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
1 Year Ago
0

Right now it's seems to be working fine. There's still a few programs that are missing in the Start > All Programs menu. Everything else seems ok.

iTorres
Newbie Poster
12 posts since May 2011
Reputation Points: 10
Solved Threads: 0
 

This article has been dead for over three months

Post: Markdown Syntax: Formatting Help
You
 
View similar articles that have also been tagged:
 
© 2012 DaniWeb® LLC
Home | About Us | Contact Us | Terms of Service | Advertising Opportunities
RSS Feed RSS Feed