Win32.pornpopup and strange message about a suspicious download


#1 louise123 (Member, 35 posts)
I have just run Spybot Search & Destroy and it found 3 win32.pornpopup yadro tracking cookies. Malwarebytes and Avast antivirus found nothing. I dismissed this as a harmless tracking cookie but was curious about the name as I haven't been on any porn sites and haven't really been to anything but what I would think are fairly reputable sites! Some sites I looked on for info claimed this could be a trojan that downloads porn and can steal passwords etc. They also said that Spybot doesn't properly get rid of it; is this the case? Is it malicious and could I still have it despite Spybot saying it fixed it? Edit: it doesn't seem to have fixed it, as for the first time ever websites have started to randomly open up; this has only happened since I clicked on fix in Spybot.

Also, earlier today when I was looking on the BBC website (so a very legit site) my comp came up with a box that said the content you are attempting to download looks suspicious (I think it was a Malwarebytes alert??) and I selected block even though I was just browsing, not downloading anything, so not sure if this is a sign of infection? Not sure if this is a sign of anything?

If someone could advise would really appreciate it :-)

Edited by louise123, 09 July 2010 - 07:07 PM.


#2 louise123 (Topic Starter, Member, 35 posts)
The porn pop-up in a new window happened again today; strange, this has only started happening after Spybot initially detected and supposedly fixed win32.pornpopup....

#3 azarl (GeekU Admin, Community Leader, 25,310 posts)
Hi

Welcome to Geekstogo. I'll be helping you with this problem.

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.

  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.

Firstly, please follow all of the steps in this section of the Malware Forum, then please post the MBAM, GMER and OTL Logs in this thread.

#4 louise123 (Topic Starter, Member, 35 posts)
Thanks for the reply.

Before I received this reply I had been running Spybot every day since I originally posted. Last night Spybot found win32.prolacco and win32.Swisyn. I find this bizarre as I have not been surfing the internet or accessing email on the infected computer between scans, so I'm not sure if something must have been hiding on the computer possibly and this is why it has shown up on the 15th July scan and not on others.

Last night I also ran SUPERAntiSpyware before I read this reply and it found Trojan.Agen/Gen-Koobface.


I then ran Malwarebytes as requested and it found elements of the win32.Prolacco trojan. My log is attached. However, I find this odd also, as I have been running a Malwarebytes scan each day this week as well and it did not find anything each day. It only found something last night just after Spybot had found Prolacco and deleted it. Since Malwarebytes deleted what it found my computer has been very slow loading up and slow when turned on.


I have also attached my OTL logs. However, I have not been able to run a complete GMER scan. It either freezes as soon as it is opened, or runs for approximately 30-45 mins and then freezes and the comp has to be manually turned off, or it runs for this long but then the screen abruptly turns black and does not come on again though the comp is still running. I have tried to run the GMER scan around 40 times without success, but will keep trying.

Since GMER has been on my comp, the computer freezes and has to be turned off manually even when I am not trying to run GMER. It seems very strange that until I found the initial win32.pornpopup tracking cookie via Spybot and it was deleted I had no symptoms of anything being wrong. It was only after the initial deletion of this cookie by Spybot that I started to get porn pop-ups (though these now seem to have stopped). It also was not until Spybot and Malwarebytes deleted what they had found last night that my computer got incredibly slow.

Another odd thing that happens is my antivirus says it is blocking an attempt to connect whenever I go on the Geekstogo website (this also happens on my work comp so not sure what this is really). Also, whenever I surf the Daily Mail or BBC websites McAfee SiteAdvisor blocks suspicious downloads. All these things only started happening after the deletion of the win32.pornpopup tracking cookie.


Sorry for the long post!!

Attached Files



#5 azarl (GeekU Admin, Community Leader, 25,310 posts)
Ok, I'm going through your logs. In future, please do not attach them, but paste them in the reply, as it takes me a lot longer to go through them when attached. Thanks.

#6 azarl (GeekU Admin, Community Leader, 25,310 posts)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Processes 
    
    :Services
    
    :OTL
    O4 - HKLM..\Run: [CFSServ.exe]  File not found
    O4 - HKLM..\Run: [NDSTray.exe]  File not found
    O4 - HKLM..\Run: [TFncKy]  File not found
    O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} -  File not found
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Reg Error: Key error.)
    
    :Commands
    [purity]
    [emptytemp]
    
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

ComboFix
Download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Antivirus and Antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
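An added example, not code from this thread or from OTL's author: a small Python triage helper that applies the same rule the fix above relies on, namely collecting OTL log entries whose target no longer exists ("File not found", "No CLSID value found", "Reg Error") and laying the fixable ones out in the script shape pasted into OTL's Custom Scans/Fixes box in this post. The sample lines are copied from the OTL log posted in this thread; the regexes, function names and the choice of which sections are safe to paste under :OTL are my own assumptions, not OTL's documented format.

```python
"""Triage an OTL log for orphaned entries and draft a fix script in the
layout used in this thread. Constructed for illustration; the regexes are
an assumption about OTL's line format, not OTL's own code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Phrases OTL prints when a registry entry points at something that is gone.
ORPHAN_MARKERS = ("File not found", "No CLSID value found", "Reg Error:")

# Sections whose lines the helper pasted verbatim under :OTL (O4, O9, O16);
# O2/O3 are added on the assumption OTL handles them the same way.
FIXABLE_SECTIONS = {"O2", "O3", "O4", "O9", "O16"}

_RUN_RE = re.compile(r"^O4 - HK\w+\.\.\\Run: \[([^\]]+)\]")
_CLSID_RE = re.compile(
    r"\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}")
_SRV_RE = re.compile(r"^SRV - File not found .* -- \(([^)]+)\)\s*$")


@dataclass
class Finding:
    section: str  # OTL section tag, e.g. "O4" or "SRV"
    name: str     # Run value name, CLSID, or service name
    reason: str   # the orphan marker that matched
    line: str     # original log line, kept verbatim for the fix script


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for an orphaned entry, or None for a healthy line."""
    line = line.rstrip()
    reason = next((m for m in ORPHAN_MARKERS if m in line), None)
    if reason is None:
        return None
    section = line.split(" - ", 1)[0].strip()
    if section == "SRV":
        m = _SRV_RE.match(line)
        name = m.group(1) if m else "?"
    elif section == "O4":
        m = _RUN_RE.match(line)
        name = m.group(1) if m else "?"
    else:
        m = _CLSID_RE.search(line)
        name = m.group(0) if m else "?"
    return Finding(section, name, reason, line)


def triage(log_text: str) -> List[Finding]:
    """Collect orphaned entries from a whole OTL log, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


def needs_manual_review(findings: List[Finding]) -> List[Finding]:
    """Orphans outside the :OTL-fixable sections (e.g. a dead service) are
    only reported; a person decides what to do with them."""
    return [f for f in findings if f.section not in FIXABLE_SECTIONS]


def build_fix_script(findings: List[Finding]) -> str:
    """Lay the fixable lines out in the script shape used in this thread."""
    otl_lines = [f.line for f in findings if f.section in FIXABLE_SECTIONS]
    parts = [":Processes", "", ":Services", "", ":OTL", *otl_lines, "",
             ":Commands", "[purity]", "[emptytemp]", "", "[Reboot]"]
    return "\n".join(parts)


# Constructed sample: lines copied from the OTL log posted in this thread.
SAMPLE_LOG = r"""
SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe -- (ZeppelinService)
SRV - [2010/06/28 21:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O4 - HKLM..\Run: [CFSServ.exe]  File not found
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} -  File not found
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason:22} {f.name}")
    for f in needs_manual_review(found):
        print(f"review by hand: {f.line}")
    print(build_fix_script(found))
```

The draft script is a starting point for a human, not something to run unread: the helper in this thread, for instance, chose not to touch the dead ZeppelinService entry.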

#7 louise123 (Topic Starter, Member, 35 posts)
Sorry for the delay in posting. My OTL log is here:

OTL logfile created on: 19/07/2010 00:43:41 - Run 2
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\Lisa Monkhouse\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,014.00 Mb Total Physical Memory | 238.00 Mb Available Physical Memory | 23.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 72.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 55.89 Gb Total Space | 29.84 Gb Free Space | 53.39% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LISA
Current User Name: Lisa Monkhouse
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/16 12:33:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lisa Monkhouse\Desktop\OTL.exe
PRC - [2010/06/28 21:57:18 | 002,837,864 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/06/28 21:57:15 | 000,040,384 | ---- | M] (AVAST Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/23 09:43:26 | 002,001,648 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/08/21 09:15:32 | 000,900,816 | ---- | M] (Secunia) -- C:\Program Files\Secunia\PSI\psi.exe
PRC - [2009/03/05 17:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/08/25 13:47:12 | 000,356,352 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe
PRC - [2006/08/02 01:39:20 | 000,434,176 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2006/08/02 01:38:30 | 000,802,816 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
PRC - [2006/08/02 01:32:44 | 000,696,320 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
PRC - [2006/08/02 01:31:22 | 000,937,984 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2006/08/02 01:27:54 | 000,479,232 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2006/08/02 01:24:22 | 000,327,680 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2006/03/02 23:50:52 | 000,151,552 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\Toshiba.exe
PRC - [2006/02/07 16:30:40 | 000,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
PRC - [2006/02/02 12:11:38 | 000,073,728 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Tvs\TvsTray.exe
PRC - [2005/10/06 05:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2005/08/30 12:31:18 | 000,118,272 | ---- | M] (Nokia.) -- C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
PRC - [2005/08/29 10:51:38 | 000,470,016 | ---- | M] (Nokia Corporation) -- C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
PRC - [2005/08/26 16:49:32 | 000,860,160 | ---- | M] (Time Information Services Ltd.) -- C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
PRC - [2005/08/03 14:26:14 | 000,266,240 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2005/08/03 14:26:02 | 000,040,960 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2005/06/29 16:29:26 | 000,176,128 | ---- | M] (Nokia) -- C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
PRC - [2005/05/12 10:31:38 | 000,118,784 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2005/04/11 11:26:06 | 000,065,536 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
PRC - [2005/01/18 00:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2002/07/17 03:03:00 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
PRC - [2002/01/29 14:33:14 | 000,077,824 | ---- | M] () -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [2001/11/12 13:31:48 | 000,020,480 | ---- | M] (X10) -- C:\Program Files\Common Files\X10\Common\X10nets.exe


========== Modules (SafeList) ==========

MOD - [2010/07/16 12:33:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lisa Monkhouse\Desktop\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe -- (ZeppelinService)
SRV - [2010/06/28 21:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/06/28 21:57:15 | 000,040,384 | ---- | M] (AVAST Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/06/28 21:57:15 | 000,040,384 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2006/08/02 01:39:20 | 000,434,176 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®
SRV - [2006/08/02 01:31:22 | 000,937,984 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®
SRV - [2006/08/02 01:24:22 | 000,327,680 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®
SRV - [2006/02/07 16:30:40 | 000,035,840 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005/01/18 00:38:38 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)
SRV - [2002/07/17 03:03:00 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe -- (EPSONStatusAgent2)
SRV - [2002/01/29 14:33:14 | 000,077,824 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
SRV - [2001/11/12 13:31:48 | 000,020,480 | ---- | M] (X10) [Auto | Running] -- C:\Program Files\Common Files\X10\Common\X10nets.exe -- (x10nets)


========== Driver Services (SafeList) ==========

DRV - [2010/06/28 21:37:52 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/06/28 21:37:30 | 000,165,456 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/06/28 21:33:13 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/06/28 21:32:45 | 000,100,176 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2010/06/28 21:32:33 | 000,017,744 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/06/28 21:32:16 | 000,028,880 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2009/12/13 11:34:41 | 000,038,976 | ---- | M] (microOLAP Technologies LTD) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pssdk42.sys -- (PSSDK42)
DRV - [2009/11/23 09:43:30 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/23 09:43:30 | 000,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/11/23 09:43:28 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/10/27 16:46:30 | 000,132,424 | ---- | M] (COMODO Security Solutions Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\cfrmd.sys -- (CFRMD)
DRV - [2009/09/18 14:42:18 | 000,176,752 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssidrv.sys -- (ssidrv)
DRV - [2009/09/18 14:42:16 | 000,029,808 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys -- (ssfs0bbc)
DRV - [2009/09/18 14:42:16 | 000,023,152 | ---- | M] (Webroot Software, Inc. (www.webroot.com)) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sshrmd.sys -- (sshrmd)
DRV - [2009/06/17 13:20:34 | 000,012,648 | ---- | M] (Secunia) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\psi_mf.sys -- (PSI)
DRV - [2008/04/13 17:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2006/08/02 02:27:48 | 000,012,544 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2006/07/26 18:39:32 | 001,707,776 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw3x32.sys -- (NETw3x32) Intel®
DRV - [2006/05/30 16:42:52 | 000,045,696 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tvs.sys -- (Tvs)
DRV - [2006/05/05 15:13:52 | 004,271,616 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/05/01 21:04:00 | 003,643,296 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2006/04/02 01:46:28 | 000,471,264 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2006/03/26 13:22:14 | 000,051,200 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2006/03/24 17:27:01 | 000,050,176 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfsync04.sys -- (sfsync04) StarForce Protection Synchronization Driver (version 4.x)
DRV - [2006/03/22 07:56:24 | 001,522,688 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2006/03/13 10:38:23 | 000,006,656 | ---- | M] (Protection Technology (StarForce)) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)
DRV - [2006/03/02 23:46:54 | 000,191,968 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/12/13 17:08:44 | 001,124,097 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2005/11/30 18:12:00 | 000,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2005/11/28 10:45:16 | 000,007,040 | ---- | M] (X10 Wireless Technology, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\x10hid.sys -- (X10Hid)
DRV - [2005/11/03 15:40:07 | 000,063,488 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02) StarForce Protection VFS Driver (version 2.x)
DRV - [2005/10/20 14:03:42 | 000,006,144 | ---- | M] (Toshiba Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NBSMI.sys -- (TVALD)
DRV - [2005/10/06 05:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2005/10/06 05:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2005/10/06 05:20:00 | 000,086,524 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2005/10/06 05:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2005/10/06 05:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2005/10/06 05:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2005/10/06 05:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/09/12 03:30:00 | 000,089,264 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB)
DRV - [2005/09/09 14:47:10 | 000,009,344 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2005/08/25 12:16:52 | 000,005,628 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/08/25 12:16:16 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/08/12 05:20:00 | 000,040,544 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\DRVNDDM.SYS -- (DRVNDDM)
DRV - [2003/09/19 01:47:00 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (Pfc)
DRV - [2003/09/10 23:36:54 | 000,021,060 | ---- | M] (InterVideo, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\iviaspi.sys -- (Iviaspi)
DRV - [2003/01/29 22:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Live Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.live.c...ferrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://uk.search.yah...h?fr=mcafee&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/01 22:13:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/22 18:51:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/15 17:32:14 | 000,000,000 | ---D | M]

[2009/12/12 02:07:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\Mozilla\Extensions
[2009/12/22 20:26:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\Mozilla\Firefox\Profiles\frktzvcm.default\extensions
[2009/12/06 20:51:25 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Lisa Monkhouse\Application Data\Mozilla\Firefox\Profiles\frktzvcm.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/10 01:31:27 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/03 02:42:02 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/11/03 02:42:02 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/11/03 02:42:02 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/12/07 18:36:49 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml
[2009/11/03 02:42:02 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/07/15 18:48:42 | 000,412,194 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 14245 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\AvastUI.exe (AVAST Software)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe (Nokia)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe (TOSHIBA)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe (Time Information Services Ltd.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [TOSCDSPD] C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe (TOSHIBA)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\Lisa Monkhouse\Start Menu\Programs\Startup\Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe (Secunia)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL: CheckedValue = 1
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zon...kr.cab56986.cab (Checkers Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail....es/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase1140.cab (Windows Live Safety Center Base Module)
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} http://upload.facebo...otoUploader.cab (Facebook Photo Uploader Control)
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} http://mdsremote.dur...tsweb/msrdp.cab (Microsoft RDP Client Control (redist))
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} http://its-cam2.dur....sCamControl.ocx (CamImage Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zon...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} http://download.mcaf...830/mcfscan.cab (McFreeScan Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/13 15:00:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKCU\...com [@ = comfile] -- Reg Error: Key error. File not found
O37 - HKCU\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 90 Days ==========

[2010/07/19 00:38:37 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/16 12:33:42 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lisa Monkhouse\Desktop\OTL.exe
[2010/07/15 23:04:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lisa Monkhouse\Desktop\gmer
[2010/07/15 19:34:27 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/07/15 19:33:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/07/15 19:19:12 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/15 19:11:52 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lisa Monkhouse\Desktop\TFC.exe
[2010/04/27 17:59:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Adobe
[2010/04/27 17:58:58 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe AIR
[2010/04/27 17:57:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2006/09/14 08:51:54 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\DLLVGA.dll

========== Files - Modified Within 90 Days ==========

[2010/07/19 00:40:45 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/19 00:40:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/19 00:40:33 | 1063,309,312 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/19 00:39:41 | 011,534,336 | -H-- | M] () -- C:\Documents and Settings\Lisa Monkhouse\NTUSER.DAT
[2010/07/19 00:39:34 | 000,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2010/07/19 00:39:32 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Lisa Monkhouse\ntuser.ini
[2010/07/19 00:03:36 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/16 12:33:42 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lisa Monkhouse\Desktop\OTL.exe
[2010/07/15 23:03:46 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\gmer.zip
[2010/07/15 19:35:44 | 000,001,700 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/07/15 19:35:40 | 000,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/15 19:19:12 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\NTREGOPT.lnk
[2010/07/15 19:19:12 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\ERUNT.lnk
[2010/07/15 19:11:59 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lisa Monkhouse\Desktop\TFC.exe
[2010/07/15 18:48:42 | 000,412,194 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/07/15 18:00:39 | 000,000,273 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/07/15 17:32:15 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/07/15 17:11:34 | 000,000,603 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/07/15 17:11:34 | 000,000,435 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/07/15 17:11:34 | 000,000,279 | RHS- | M] () -- C:\boot.ini
[2010/07/09 22:57:00 | 000,411,992 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100715-184842.backup
[2010/07/09 12:46:54 | 000,309,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/07/08 13:34:26 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/07/08 13:29:13 | 000,504,744 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/08 13:29:13 | 000,442,800 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/08 13:29:13 | 000,072,066 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/28 21:57:33 | 000,038,848 | ---- | M] (ALWIL Software) -- C:\WINDOWS\avastSS.scr
[2010/06/28 21:57:12 | 000,165,032 | ---- | M] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2010/06/28 21:37:52 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2010/06/28 21:37:30 | 000,165,456 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2010/06/28 21:33:13 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2010/06/28 21:32:45 | 000,100,176 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2010/06/28 21:32:42 | 000,094,544 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2010/06/28 21:32:33 | 000,017,744 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2010/06/28 21:32:16 | 000,028,880 | ---- | M] (ALWIL Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2010/06/14 20:34:21 | 000,001,738 | -H-- | M] () -- C:\Documents and Settings\Lisa Monkhouse\My Documents\Default.rdp
[2010/05/05 23:10:40 | 000,026,624 | ---- | M] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Lisa Monkhouse - Covering Letter.doc
[2010/05/05 23:01:20 | 000,076,288 | ---- | M] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Lisa Monkhouse - CV.doc
[2010/05/04 10:42:00 | 000,000,462 | ---- | M] () -- C:\WINDOWS\tasks\COMODO System Cleaner Update.job
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/27 17:59:21 | 000,000,732 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/04/22 19:01:49 | 000,081,408 | ---- | M] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Business Assistant CV.doc
[2010/04/22 19:01:41 | 000,032,768 | ---- | M] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Business Assistant letter.doc
[2010/04/22 19:01:36 | 000,111,616 | ---- | M] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Business jobs.doc
[2010/04/22 19:01:22 | 000,023,552 | ---- | M] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\ASR Supervisor.doc
[2010/04/21 17:49:47 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk

========== Files Created - No Company Name ==========

[2010/07/15 23:03:36 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\gmer.zip
[2010/07/15 19:35:44 | 000,001,700 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2010/07/15 19:19:12 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\NTREGOPT.lnk
[2010/07/15 19:19:12 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\ERUNT.lnk
[2010/07/15 17:11:33 | 000,001,725 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2010/05/05 21:07:31 | 000,026,624 | ---- | C] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Lisa Monkhouse - Covering Letter.doc
[2010/05/05 19:48:57 | 000,076,288 | ---- | C] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Lisa Monkhouse - CV.doc
[2010/04/27 18:01:12 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2010/04/27 17:59:21 | 000,000,732 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Acrobat_com.lnk
[2010/04/22 19:01:49 | 000,081,408 | ---- | C] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Business Assistant CV.doc
[2010/04/22 19:01:41 | 000,032,768 | ---- | C] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Business Assistant letter.doc
[2010/04/22 19:01:34 | 000,111,616 | ---- | C] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\Business jobs.doc
[2010/04/22 19:01:22 | 000,023,552 | ---- | C] () -- C:\Documents and Settings\Lisa Monkhouse\Desktop\ASR Supervisor.doc
[2010/04/21 17:49:47 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2009/02/18 15:43:08 | 000,111,960 | ---- | C] () -- C:\WINDOWS\System32\INetHTTPFilter.dll
[2007/01/19 13:47:50 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2007/01/19 13:38:18 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2007/01/18 23:19:41 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
[2007/01/18 23:19:41 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
[2007/01/18 23:17:32 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2007/01/18 23:17:32 | 000,000,072 | R--- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2007/01/18 23:16:06 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\EEBAPI.dll
[2007/01/18 23:16:06 | 000,102,400 | ---- | C] () -- C:\WINDOWS\System32\EEBDSCVR.dll
[2007/01/18 23:16:06 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\EBAPI.dll
[2006/09/14 13:22:58 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/09/14 13:09:00 | 000,000,562 | ---- | C] () -- C:\WINDOWS\TBTdetect.ini
[2006/09/14 12:15:49 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/09/14 11:06:12 | 000,000,273 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/09/14 10:58:44 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeW7.dll
[2006/09/14 10:58:44 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeA6.dll
[2006/09/14 10:58:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeP6.dll
[2006/09/14 10:58:44 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\IVIresizeM6.dll
[2006/09/14 10:58:44 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\IVIresizePX.dll
[2006/09/14 10:58:44 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\IVIresize.dll
[2006/09/14 10:54:03 | 000,036,736 | ---- | C] () -- C:\WINDOWS\System32\drivers\CSIIDecoder_kern_i386.sys
[2006/09/14 10:54:03 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\drivers\TSXT_kern_i386.sys
[2006/09/14 09:49:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NDSTray.INI
[2006/09/14 09:28:39 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
[2006/09/14 09:28:39 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
[2006/09/14 09:28:39 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
[2006/09/14 09:28:39 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
[2006/09/14 09:25:44 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/09/14 08:51:54 | 000,118,784 | ---- | C] () -- C:\WINDOWS\System32\TCtrlIO.dll
[2006/09/14 00:11:25 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/09/14 00:11:24 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/09/14 00:11:24 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/09/14 00:11:23 | 001,466,368 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/09/14 00:11:22 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/09/13 13:43:07 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\ToshBIOS.dll
[2006/09/13 13:43:07 | 000,000,083 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/01/30 22:15:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2005/09/02 14:44:00 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\TosBtAcc.dll
[2005/08/05 14:01:54 | 000,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/07/22 21:30:00 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\TosCommAPI.dll
[2004/07/20 17:04:00 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\TosBtHcrpAPI.dll
[2004/01/15 14:43:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\System32\TBTMonUI.dll
[1999/01/22 19:46:56 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/01/12 09:00:00 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\REGOBJ.DLL

========== LOP Check ==========

[2010/07/15 19:33:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/12/06 17:41:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IObit
[2007/03/14 15:53:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
[2009/06/19 22:32:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
[2008/02/09 17:06:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2006/12/26 23:31:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SBT
[2010/01/23 20:29:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/10/06 00:23:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\DataLayer
[2007/01/19 13:38:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\EPSON
[2006/12/31 20:30:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\InterVideo
[2007/09/06 08:19:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\Nokia
[2007/04/15 20:00:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\Nokia Multimedia Player
[2006/12/27 14:43:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\PC Suite
[2008/02/09 17:06:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\PlayFirst
[2007/03/13 21:08:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\Screenshot Sender
[2007/01/08 20:05:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\Template
[2008/12/22 18:02:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\toshiba
[2006/10/05 18:25:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lisa Monkhouse\Application Data\Windows Desktop Search
[2010/01/23 20:13:19 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 103 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >

#8 louise123 (Member, Topic Starter, 35 posts)
My ComboFix log is below. After I ran ComboFix a second Internet Explorer icon appeared on my desktop but was called 'Shoved'. This happened the last time I ran ComboFix last year also. I notice that 'Legacy_H8SRTD.SYS' is mentioned below; when I posted last December I remember that H8SRTD was linked to a rootkit. Could it have been there since last December? Tad worried about that as I have been using the infected computer for internet banking and to buy things online on numerous sites since then.

Also, when I rebooted my comp after having run ComboFix, Spybot detected a change attempting to be made to ctfmon.exe which I blocked. Was this the right thing to do? I blocked it as I assumed it might be related to a virus.

I still haven't been able to complete a GMER scan, but will keep trying. Is this a particularly important scan to run?



ComboFix 10-07-16.02 - Lisa Monkhouse 19/07/2010 0:57.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.505 [GMT 1:00]
Running from: c:\documents and settings\Lisa Monkhouse\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Settings
c:\windows\system32\Settings\Settings.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTD.SYS


((((((((((((((((((((((((( Files Created from 2010-06-19 to 2010-07-19 )))))))))))))))))))))))))))))))
.

2010-07-18 23:38 . 2010-07-18 23:38 -------- d-----w- C:\_OTL
2010-07-15 18:34 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-15 18:33 . 2010-07-15 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-15 18:19 . 2010-07-15 18:19 -------- d-----w- c:\program files\ERUNT
2010-07-15 16:22 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 00:03 . 2006-12-28 04:46 12 ----a-w- c:\windows\bthservsdp.dat
2010-07-15 21:58 . 2009-03-18 20:58 -------- d-----w- c:\program files\Alwil Software
2010-07-15 16:22 . 2010-07-15 16:22 52224 ----a-w- c:\documents and settings\Lisa Monkhouse\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-15 16:22 . 2009-12-09 20:42 117760 ----a-w- c:\documents and settings\Lisa Monkhouse\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-09 12:06 . 2009-12-08 18:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-28 20:57 . 2009-03-18 20:58 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2009-03-18 20:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2009-03-18 20:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2009-03-18 20:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2009-03-18 20:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2009-03-18 20:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2009-03-18 20:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2009-03-18 20:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-14 14:31 . 2006-09-13 13:57 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-27 16:00 . 2009-12-05 11:23 -------- d-----w- c:\program files\McAfee
2010-05-06 10:41 . 2006-09-13 12:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-09-13 12:42 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 14:39 . 2009-12-06 03:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-12-06 03:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 16:57 . 2010-04-27 16:57 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-04-20 05:30 . 2006-09-13 12:41 285696 ----a-w- c:\windows\system32\atmfd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-08-26 860160]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 16206848]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 88204]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]
"TPSMain"="TPSMain.exe" [2005-08-03 266240]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 176128]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\documents and settings\Lisa Monkhouse\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20947:TCP"= 20947:TCP:BitComet 20947 TCP
"20947:UDP"= 20947:UDP:BitComet 20947 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 CFRMD;cfrmd;c:\windows\system32\drivers\CFRMD.sys [06/12/2009 11:41 132424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [18/09/2009 14:42 29808]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [18/03/2009 21:58 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 09:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 09:43 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/03/2009 21:58 17744]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [05/12/2009 12:23 93320]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 13:20 12648]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 09:43 7408]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [14/09/2006 12:10 7040]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S2 ZeppelinService;plasservice;"c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe" --> c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [?]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [13/12/2009 11:34 38976]
.
Contents of the 'Scheduled Tasks' folder

2009-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-05-04 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2009-10-27 18:18]

2010-01-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
FF - ProfilePath - c:\documents and settings\Lisa Monkhouse\Application Data\Mozilla\Firefox\Profiles\frktzvcm.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-19 01:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1860)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll
c:\windows\system32\ConnAPI.DLL
c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll
c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\rundll32.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\windows\system32\TPSBattM.exe
c:\program files\Common Files\EPSON\EBAPI\eEBSVC.exe
c:\progra~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
c:\progra~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
c:\progra~1\COMMON~1\X10\Common\x10nets.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2010-07-19 01:14:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-19 00:14

Pre-Run: 31,950,589,952 bytes free
Post-Run: 31,816,404,992 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - C4F6A56798E312392997898BCEE99302
#9 azarl (GeekU Admin, Community Leader, 25,310 posts)

I notice that 'Legacy_H8SRTD.SYS' is mentioned below. When I posted last December I remember that H8SRTD was linked to a rootkit; could it have been there since last December? Tad worried about that, as I have been using the infected computer for internet banking and to buy things online on numerous sites since then.

You did have an H8SRTD rootkit back in December, which we dealt with. This is a re-infection by the look of it.

I still haven't been able to complete a GMER scan, but will keep trying. Is this a particularly important scan to run?

Yes, but we're working around it; that's one of the reasons we ran ComboFix.

We'll check for an active rootkit next.


  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and run it
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log

Also, when I rebooted my comp after having run ComboFix, Spybot detected a change attempting to be made to ctfmon.exe, which I blocked. Was this the right thing to do? I blocked it as I assumed it might be related to a virus.

No harm done, but can you disable Spybot and your antivirus and run ComboFix again please? Please post the log.
You only need to disable the resident feature of Spybot-S&D. This is the way to deactivate it: run Spybot-S&D, switch to Advanced mode via the menu bar item Mode → hit Yes → select Tools in the navigation bar on the left → Resident, and there you can untick the checkboxes in front of the two tools.
#10 louise123 (Topic Starter, Member, 35 posts)

I ran ComboFix again; upon startup it asked me to upgrade to a new version, which I did (it automatically said it was connecting to ComboFix servers). I then restarted the programme. Not sure now if I should have done this, as the log below is different to the last one:


ComboFix 10-07-19.05 - Lisa Monkhouse 20/07/2010 18:09:14.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.504 [GMT 1:00]
Running from: c:\documents and settings\Lisa Monkhouse\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2010-06-20 to 2010-07-20 )))))))))))))))))))))))))))))))
.

2010-07-18 23:38 . 2010-07-18 23:38 -------- d-----w- C:\_OTL
2010-07-15 18:34 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-07-15 18:33 . 2010-07-15 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-15 18:19 . 2010-07-15 18:19 -------- d-----w- c:\program files\ERUNT
2010-07-15 16:22 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-15 16:22 . 2010-07-15 16:22 52224 ----a-w- c:\documents and settings\Lisa Monkhouse\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-19 00:03 . 2006-12-28 04:46 12 ----a-w- c:\windows\bthservsdp.dat
2010-07-15 21:58 . 2009-03-18 20:58 -------- d-----w- c:\program files\Alwil Software
2010-07-15 16:22 . 2009-12-09 20:42 117760 ----a-w- c:\documents and settings\Lisa Monkhouse\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-09 12:06 . 2009-12-08 18:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-28 20:57 . 2009-03-18 20:58 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2009-03-18 20:58 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2009-03-18 20:58 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2009-03-18 20:58 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2009-03-18 20:58 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2009-03-18 20:58 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2009-03-18 20:58 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2009-03-18 20:58 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-14 14:31 . 2006-09-13 13:57 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-27 16:00 . 2009-12-05 11:23 -------- d-----w- c:\program files\McAfee
2010-05-06 10:41 . 2006-09-13 12:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2006-09-13 12:42 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 14:39 . 2009-12-06 03:49 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-12-06 03:49 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 16:57 . 2010-04-27 16:57 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-08-26 860160]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-11-23 2001648]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-05 16206848]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 88204]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]
"TPSMain"="TPSMain.exe" [2005-08-03 266240]
"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-20 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2005-06-29 176128]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-10-30 256576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]

c:\documents and settings\Lisa Monkhouse\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20947:TCP"= 20947:TCP:BitComet 20947 TCP
"20947:UDP"= 20947:UDP:BitComet 20947 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 CFRMD;cfrmd;c:\windows\system32\drivers\CFRMD.sys [06/12/2009 11:41 132424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [18/09/2009 14:42 29808]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [18/03/2009 21:58 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 09:43 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/11/2009 09:43 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [18/03/2009 21:58 17744]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [05/12/2009 12:23 93320]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 13:20 12648]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/11/2009 09:43 7408]
R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [14/09/2006 12:10 7040]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S2 ZeppelinService;plasservice;"c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe" --> c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [?]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [13/12/2009 11:34 38976]
.
Contents of the 'Scheduled Tasks' folder

2009-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-05-04 c:\windows\Tasks\COMODO System Cleaner Update.job
- c:\program files\COMODO\COMODO System-Cleaner\UpdateApplications.exe [2009-10-27 18:18]

2010-01-23 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
FF - ProfilePath - c:\documents and settings\Lisa Monkhouse\Application Data\Mozilla\Firefox\Profiles\frktzvcm.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-20 18:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2010-07-20 18:18:20
ComboFix-quarantined-files.txt 2010-07-20 17:18
ComboFix2.txt 2010-07-19 00:14

Pre-Run: 31,635,214,336 bytes free
Post-Run: 31,629,565,952 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 955A409162B72B8BEF54C521BD5CE8D4
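A helper reads a ComboFix log like the one above by eye, looking first at the firewall state, globally open ports, and the service lines whose binary ComboFix could not read (the `[?]` on ZeppelinService). The script below is an added example for this thread, not ComboFix's own code and not something any poster supplied: it walks the log once and pulls out exactly those items, plus early-start kernel drivers that load from outside system32\drivers. The sample text is constructed from lines of the log above. The service-line convention it relies on (leading R = running / S = stopped, digit = start type with 0 boot, 1 system, 2 auto, 3 manual, 4 disabled, `[?]` where the file could not be read) is an assumption taken from how the posted log reads; the registry section names and the value layout are as they appear in the log.

```python
"""Triage a ComboFix log for the findings a responder checks first.

Added example for this thread; not ComboFix's own code and not anything the
forum helper posted. Assumed service-line convention (from the posted log):
first letter R = running / S = stopped, digit = start type (0 boot, 1 system,
2 auto, 3 manual, 4 disabled), and "[?]" where ComboFix could not read the
binary at the registered path.
"""
import re
from typing import List, Tuple

# Constructed sample: excerpts copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20947:TCP"= 20947:TCP:BitComet 20947 TCP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 CFRMD;cfrmd;c:\windows\system32\drivers\CFRMD.sys [06/12/2009 11:41 132424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/11/2009 09:43 9968]
S2 ZeppelinService;plasservice;"c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe" --> c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [?]
S3 PSSDK42;PSSDK42;c:\windows\system32\drivers\pssdk42.sys [13/12/2009 11:34 38976]
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?) \[(?P<stat>[^\]]*)\]$"
)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"', re.I)
APP_RE = re.compile(r'^"(.+?)"=')
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

Finding = Tuple[str, str]  # (severity, message)


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect (severity, message) findings in log order."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue

        # Service/driver lines carry no registry header of their own, so test them first.
        m = SERVICE_RE.match(line)
        if m:
            name, path, stat = m.group("name"), m.group("path"), m.group("stat")
            start = int(m.group("start"))
            state = "running" if m.group("state") == "R" else "stopped"
            if stat == "?":
                # [?]: ComboFix could not read the file at the registered path,
                # i.e. a leftover service entry or a file hidden from it.
                findings.append(("MEDIUM", f"service {name} ({state}): binary not readable at {path}"))
            elif start <= 1 and path.lower().endswith(".sys") and not path.lower().startswith(DRIVER_DIR):
                # Boot/system-start kernel code outside the usual driver directory:
                # normal for some security products, but it belongs on the review list.
                findings.append(("INFO", f"early-start driver {name} loads from {path}; verify publisher"))
            continue

        if section.endswith("firewallpolicy\\standardprofile"):
            if re.match(r'^"enablefirewall"\s*=\s*0\b', line, re.I):
                findings.append(("HIGH", "Windows Firewall is disabled for the standard profile"))
        elif section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m:
                port, proto = int(m.group(1)), m.group(2).upper()
                if (port, proto) == (3389, "TCP"):
                    findings.append(("HIGH", f"globally open inbound port {port}/{proto} (Remote Desktop)"))
                else:
                    findings.append(("INFO", f"globally open inbound port {port}/{proto}"))
        elif section.endswith("authorizedapplications\\list"):
            m = APP_RE.match(line)
            if m:
                # The log doubles backslashes inside quoted registry values.
                findings.append(("INFO", "firewall exception for " + m.group(1).replace("\\\\", "\\")))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

On the sample, the two HIGH items are the disabled firewall and the globally open 3389/TCP (Remote Desktop) port; ZeppelinService comes out MEDIUM because its binary could not be read, and SASDIFSV appears only as an INFO entry, since it is SUPERAntiSpyware's own driver and the INFO tier is a list to check by hand, not a verdict.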

#11 louise123 (Topic Starter, Member, 35 posts)

Below is the TDSS log:

18:27:32:906 3892 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
18:27:32:906 3892 ================================================================================
18:27:32:906 3892 SystemInfo:

18:27:32:906 3892 OS Version: 5.1.2600 ServicePack: 3.0
18:27:32:906 3892 Product type: Workstation
18:27:32:906 3892 ComputerName: LISA
18:27:32:906 3892 UserName: Lisa Monkhouse
18:27:32:906 3892 Windows directory: C:\WINDOWS
18:27:32:906 3892 System windows directory: C:\WINDOWS
18:27:32:906 3892 Processor architecture: Intel x86
18:27:32:906 3892 Number of processors: 2
18:27:32:906 3892 Page size: 0x1000
18:27:32:906 3892 Boot type: Normal boot
18:27:32:906 3892 ================================================================================
18:27:33:093 3892 Initialize success
18:27:33:093 3892
18:27:33:093 3892 Scanning Services ...
18:27:33:656 3892 Raw services enum returned 400 services
18:27:33:671 3892
18:27:33:671 3892 Scanning Drivers ...
18:27:34:765 3892 Aavmker4 (467f062f76e07512ecc1f5f60aab2988) C:\WINDOWS\system32\drivers\Aavmker4.sys
18:27:34:859 3892 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:27:34:875 3892 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
18:27:34:921 3892 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:27:34:984 3892 AegisP (15e655baa989444f56787ef558823643) C:\WINDOWS\system32\DRIVERS\AegisP.sys
18:27:35:062 3892 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
18:27:35:281 3892 AgereSoftModem (c41a5740468d0b9cb46e6390a0e15ce3) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
18:27:35:406 3892 AR5211 (65b963f05458a7ee00473eb21ce3789d) C:\WINDOWS\system32\DRIVERS\ar5211.sys
18:27:35:484 3892 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
18:27:35:750 3892 aswFsBlk (0c0b08847f2f24baa7bd43d8f2c6c8b0) C:\WINDOWS\system32\drivers\aswFsBlk.sys
18:27:35:781 3892 aswMon2 (aa504fa592c9ed79174cb06b8ae340aa) C:\WINDOWS\system32\drivers\aswMon2.sys
18:27:35:843 3892 aswRdr (f385ffd39165453fda96736aa3edfd9d) C:\WINDOWS\system32\drivers\aswRdr.sys
18:27:35:859 3892 aswSP (45adea26bf613a54fed64ecdd12e58a7) C:\WINDOWS\system32\drivers\aswSP.sys
18:27:35:921 3892 aswTdi (c4ee975c87176f1900662d2874233c7f) C:\WINDOWS\system32\drivers\aswTdi.sys
18:27:36:015 3892 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:27:36:140 3892 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:27:36:250 3892 ati2mtag (221f0a33229cce7bf2f7640d3bb8845d) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
18:27:36:375 3892 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:27:36:500 3892 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:27:36:515 3892 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:27:36:562 3892 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
18:27:36:593 3892 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
18:27:36:625 3892 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
18:27:36:687 3892 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
18:27:36:906 3892 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
18:27:37:062 3892 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:27:37:109 3892 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:27:37:156 3892 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:27:37:343 3892 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
18:27:37:406 3892 CFRMD (78c6c479caf588b8a9a411f64f81e7d9) C:\WINDOWS\system32\drivers\cfrmd.sys
18:27:37:468 3892 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
18:27:37:515 3892 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
18:27:37:578 3892 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:27:37:640 3892 DLABOIOM (ee4325becef51b8c32b4329097e4f301) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
18:27:37:765 3892 DLACDBHM (d979bebcf7edcc9c9ee1857d1a68c67b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
18:27:37:796 3892 DLADResN (1e6c6597833a04c2157be7b39ea92ce1) C:\WINDOWS\system32\DLA\DLADResN.SYS
18:27:37:828 3892 DLAIFS_M (752376e109a090970bfa9722f0f40b03) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
18:27:37:859 3892 DLAOPIOM (62ee7902e74b90bf1ccc4643fc6c07a7) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
18:27:37:875 3892 DLAPoolM (5c220124c5afeaee84a9bb89d685c17b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
18:27:37:906 3892 DLARTL_N (7ee0852ae8907689df25049dcd2342e8) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
18:27:37:937 3892 DLAUDFAM (4ebb78d9bbf072119363b35b9b3e518f) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
18:27:38:015 3892 DLAUDF_M (333b770e52d2cea7bd86391120466e43) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
18:27:38:218 3892 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:27:38:281 3892 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:27:38:328 3892 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:27:38:359 3892 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:27:38:468 3892 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:27:38:531 3892 DRVMCDB (fd0f95981fef9073659d8ec58e40aa3c) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
18:27:38:546 3892 DRVNDDM (b4869d320428cdc5ec4d7f5e808e99b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
18:27:38:578 3892 E100B (83403675cab29e7a4b885b11e7c855d8) C:\WINDOWS\system32\DRIVERS\e100b325.sys
18:27:38:656 3892 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:27:38:703 3892 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
18:27:38:734 3892 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:27:38:812 3892 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
18:27:38:921 3892 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
18:27:38:953 3892 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:27:38:984 3892 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:27:39:046 3892 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
18:27:39:078 3892 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:27:39:171 3892 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:27:39:250 3892 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:27:39:343 3892 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
18:27:39:453 3892 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:27:39:546 3892 ialm (0f0194c4b635c10c3f785e4fee52d641) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
18:27:39:656 3892 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:27:39:937 3892 IntcAzAudAddService (7c09d605fcae64e3cb11ebf90fb1e3a1) C:\WINDOWS\system32\drivers\RtkHDAud.sys
18:27:40:187 3892 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
18:27:40:234 3892 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
18:27:40:265 3892 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:27:40:312 3892 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:27:40:359 3892 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:27:40:406 3892 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:27:40:546 3892 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:27:40:609 3892 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:27:40:640 3892 Iviaspi (f59c3569a2f2c464bb78cb1bdcdca55e) C:\WINDOWS\system32\drivers\iviaspi.sys
18:27:40:703 3892 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:27:40:718 3892 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
18:27:40:765 3892 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
18:27:40:812 3892 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:27:40:968 3892 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
18:27:41:078 3892 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
18:27:41:109 3892 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:27:41:156 3892 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:27:41:187 3892 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:27:41:234 3892 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:27:41:265 3892 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:27:41:421 3892 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:27:41:515 3892 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:27:41:578 3892 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:27:41:625 3892 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:27:41:656 3892 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:27:41:796 3892 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:27:41:843 3892 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:27:41:875 3892 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
18:27:41:906 3892 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:27:41:984 3892 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:27:42:015 3892 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:27:42:078 3892 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:27:42:171 3892 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
18:27:42:234 3892 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:27:42:265 3892 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:27:42:328 3892 Netdevio (1265eb253ed4ebe4acb3bd5f548ff796) C:\WINDOWS\system32\DRIVERS\netdevio.sys
18:27:42:453 3892 NETw3x32 (50f5de54e1d1646c02078f3eddc15a8e) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
18:27:42:656 3892 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
18:27:42:703 3892 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:27:42:750 3892 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:27:42:781 3892 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:27:43:015 3892 nv (ac5267c71f72fb42511ed5790ba0e9f5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:27:43:281 3892 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:27:43:296 3892 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:27:43:343 3892 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
18:27:43:375 3892 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
18:27:43:421 3892 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:27:43:468 3892 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:27:43:484 3892 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:27:43:609 3892 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:27:43:703 3892 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
18:27:43:796 3892 Pfc (444f122e68db44c0589227781f3c8b3f) C:\WINDOWS\system32\drivers\pfc.sys
18:27:43:921 3892 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:27:44:312 3892 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:27:44:625 3892 PSI (365622e1f0b6d5f9871d76e89bf0501a) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
18:27:45:218 3892 PSSDK42 (c8eb36910d3bd582891977e80925e21e) C:\WINDOWS\system32\Drivers\pssdk42.sys
18:27:45:765 3892 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:27:45:984 3892 PxHelp20 (324c27635e516184c811339a75cefd4a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
18:27:46:109 3892 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:27:46:218 3892 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:27:46:234 3892 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:27:46:281 3892 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:27:46:343 3892 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:27:46:406 3892 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:27:46:453 3892 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:27:46:562 3892 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
18:27:46:609 3892 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:27:46:671 3892 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
18:27:46:750 3892 s24trans (2862adb14481ac28f98105ff33a99eb0) C:\WINDOWS\system32\DRIVERS\s24trans.sys
18:27:46:843 3892 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
18:27:46:875 3892 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
18:27:46:890 3892 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
18:27:47:031 3892 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
18:27:49:609 3892
18:27:49:609 3892 Completed
18:27:49:609 3892
18:27:49:609 3892 Results:
18:27:49:609 3892 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:27:49:609 3892 File objects infected / cured / cured on reboot: 0 / 0 / 0
18:27:49:609 3892
18:27:49:609 3892 KLMD(ARK) unloaded successfully
  • 0

#12
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts
  • Right click here and save MBRCheck to your desktop
  • Please temporarily disable any security programs you are running (Anti-virus and Spyware). Click here for details
  • Double click on the MBRCheck.exe icon on your desktop to run it
  • A window similar to this should open:
    Posted Image
  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again
  • A file named MBRCheck_mm.dd.yy_hh.mm.ss.txt will appear on your desktop. Please post the contents of that file in your next reply.

  • 0

#13
louise123

louise123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
MBR Check scan is below:

MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected

Done! Press ENTER to exit...

I think I successfully disabled Spybot, but something is unusual about Spybot. Instead of the usual interface appearing where you can choose to immunize, update or run a scan, now when I click to open Spybot only a small window opens and a scan automatically starts. I have attached a pic of the window that now opens instead of the usual interface (sorry, I didn't know how to paste a pic so had to attach it). I have no idea why Spybot is suddenly different. Should I uninstall it?

I also got a warning message that something called system protection had stopped running, but I don't know what this means.



  • 0

#14
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts


Sorry for the delay, I've had no Internet access or landline for the last few days, I'll get back to you later today or tomorrow
  • 0

#15
azarl

azarl

    GeekU Admin

  • Community Leader
  • 25,310 posts


Yes, please uninstall SpyBot completely, you can reinstall after we've finished if you like.

» Step 1 «
Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
» Step 2 «
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
» Step 3 «
Kaspersky WebScanner
Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

Upgrading Java
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u18-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u18-windows-i586-p.exe and select "Run as an Administrator.")
Running Kaspersky WebScanner
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Diallers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

  • 0





