
Computer infected - not sure which viruses specifically



#16
CWeezy2424
    Member
  • Topic Starter
  • 52 posts
OTL Quick Scan Log...

OTL logfile created on: 7/16/2010 10:02:31 PM - Run 2
OTL by OldTimer - Version 3.2.9.0 Folder = C:\Documents and Settings\asli\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 127.00 Mb Available Physical Memory | 25.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 54.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 25.41 Gb Free Space | 34.09% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HAN-A4637BDFDA5
Current User Name: asli
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/07/16 01:33:17 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\asli\Desktop\OTL.exe
PRC - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/12/17 20:50:43 | 002,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2009/11/19 23:29:16 | 000,623,960 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2008/10/24 10:14:36 | 000,206,112 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
PRC - [2008/06/10 04:27:04 | 000,144,784 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
PRC - [2008/06/10 04:27:03 | 000,329,104 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
PRC - [2007/12/04 10:36:33 | 000,017,272 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2007/12/04 09:00:23 | 000,079,224 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2007/12/04 09:00:16 | 000,140,664 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2007/12/04 08:59:53 | 000,247,160 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2007/12/04 08:59:01 | 000,345,464 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2007/09/28 14:30:48 | 000,936,960 | ---- | M] (Motive Communications, Inc.) -- C:\Program Files\Verizon\McciTrayApp.exe
PRC - [2007/06/13 06:23:07 | 001,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/05/11 15:20:04 | 002,061,816 | ---- | M] (Verizon) -- C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
PRC - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files\Viewpoint\Common\ViewpointService.exe
PRC - [2006/07/14 11:47:26 | 000,106,496 | ---- | M] (Walt Disney Internet Group) -- C:\Program Files\ESPNRunTime\DIGServices.exe
PRC - [2006/02/10 15:06:22 | 000,278,528 | ---- | M] (Walt Disney Internet Group) -- C:\Program Files\DIGStream\digstream.exe
PRC - [2004/01/13 10:21:10 | 000,245,760 | ---- | M] (Hewlett-Packard ) -- C:\Program Files\HPQ\Quick Launch Buttons\eabservr.exe
PRC - [2003/08/29 20:05:35 | 000,360,448 | ---- | M] () -- C:\Program Files\SpywareGuard\sgmain.exe
PRC - [2003/08/29 12:14:56 | 000,233,472 | ---- | M] () -- C:\Program Files\SpywareGuard\sgbhp.exe
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/07/16 01:33:17 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\asli\Desktop\OTL.exe
MOD - [2006/08/25 11:45:55 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2006/05/19 08:59:41 | 000,094,720 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\iphlpapi.dll
MOD - [2004/08/04 09:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2007/12/04 10:36:33 | 000,017,272 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2007/12/04 09:00:16 | 000,140,664 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2007/12/04 08:59:53 | 000,247,160 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2007/12/04 08:59:01 | 000,345,464 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2009/12/17 20:50:39 | 000,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2009/12/17 20:50:34 | 000,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2007/12/04 10:55:46 | 000,094,544 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2007/12/04 10:53:39 | 000,023,152 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2007/12/04 10:51:52 | 000,042,912 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2007/12/04 10:49:02 | 000,026,624 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2007/02/09 07:10:35 | 000,295,712 | ---- | M] (Broadcom Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\nmuhqjp.sys -- (nmuhqjp)
DRV - [2006/02/16 17:51:08 | 000,004,096 | R--- | M] (SuperAdBlocker, Inc.) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2004/05/08 11:21:44 | 000,035,840 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2004/04/07 07:22:00 | 001,382,634 | R--- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/01/30 04:01:40 | 001,205,292 | R--- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2003/12/17 18:02:00 | 000,042,092 | ---- | M] (Texas Instruments Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tiumfwl.sys -- (tiumfwl)
DRV - [2003/12/17 18:02:00 | 000,008,448 | ---- | M] (Texas Instruments Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\tiumflt.sys -- (DevUpper)
DRV - [2003/12/04 00:29:58 | 000,286,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2003/12/02 02:27:00 | 000,021,120 | R--- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nv_agp.sys -- (nv_agp)
DRV - [2003/10/23 03:11:00 | 000,046,976 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\R8139n51.sys -- (rtl8139)
DRV - [2003/10/07 15:40:00 | 000,094,601 | R--- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2003/08/18 01:57:52 | 000,007,080 | R--- | M] (Hewlett-Packard Company) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\eabfiltr.sys -- (eabfiltr)
DRV - [2003/06/05 23:46:16 | 000,005,220 | R--- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\eabusb.sys -- (eabusb)
DRV - [2001/08/17 14:53:32 | 000,003,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\qv2kux.sys -- (QV2KUX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig?hl=en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://wapp.verizon....hoo&bm=yh_home"
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1
FF - prefs.js..keyword.URL: "http://search.yahoo....h?fr=mcafee&p="
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/24 18:35:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/12/17 22:23:08 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/12/17 22:23:08 | 000,000,000 | ---D | M]

[2009/06/18 21:40:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\asli\Application Data\Mozilla\Extensions
[2010/02/25 22:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\asli\Application Data\Mozilla\Firefox\Profiles\nzlasclv.default\extensions
[2010/01/22 21:31:15 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\asli\Application Data\Mozilla\Firefox\Profiles\nzlasclv.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2008/03/11 00:34:01 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\asli\Application Data\Mozilla\Firefox\Profiles\nzlasclv.default\searchplugins\siteadvisor.xml
[2010/02/25 22:22:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/11/20 17:52:00 | 002,884,992 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPSWF32.dll
[2010/07/16 02:07:23 | 000,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2008/02/18 17:28:07 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (&ESPN) - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll (Walt Disney Internet Group)
O3 - HKCU\..\Toolbar\WebBrowser: (&ESPN) - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll (Walt Disney Internet Group)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe (Walt Disney Internet Group)
O4 - HKLM..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe (Walt Disney Internet Group)
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe (Hewlett-Packard )
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe (NVIDIA Corporation)
O4 - HKLM..\Run: [RoxWatchTray] C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe (Sonic Solutions)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe (Motive Communications, Inc.)
O4 - HKLM..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\VSP\VerizonServicepoint.exe (Verizon)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (Macrovision Corporation)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe (Intuit Inc.)
O4 - Startup: C:\Documents and Settings\asli\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyfi...20Installer.cab (Support.com Configuration Class)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebo...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.micr...01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (DivXBrowserPlugin Object)
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} https://accounting.q...163/qboax10.cab (QuickBooks Online Edition Utilities Class v10)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.252.0.12
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\asli\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\asli\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {81559C35-8464-49F7-BB0E-07A383BEF910} - C:\Program Files\SpywareGuard\spywareguard.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/09/11 00:49:42 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/07/16 21:38:22 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/07/16 01:32:45 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\asli\Desktop\OTL.exe
[2010/07/16 00:56:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\asli\Desktop\Desktop
[2010/07/16 00:35:14 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/16 00:23:55 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\asli\Desktop\TFC.exe
[2010/07/15 19:03:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/15 19:03:51 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/15 18:28:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/07/15 18:27:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/07/12 20:27:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2010/07/12 20:26:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\asli\Desktop\maddden
[2010/07/11 22:14:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/07/11 22:14:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/07/08 19:54:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Research In Motion(2)
[2010/07/08 19:54:26 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2010/07/02 15:41:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\asli\Desktop\Eminem - Recovery (2010)

========== Files - Modified Within 90 Days ==========

[2010/07/16 21:55:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/16 21:55:15 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/16 21:55:13 | 535,875,584 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/16 21:54:22 | 009,486,336 | ---- | M] () -- C:\Documents and Settings\asli\ntuser.dat
[2010/07/16 21:54:22 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\asli\ntuser.ini
[2010/07/16 01:33:17 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\asli\Desktop\OTL.exe
[2010/07/16 00:35:15 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\asli\Desktop\NTREGOPT.lnk
[2010/07/16 00:35:15 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\asli\Desktop\ERUNT.lnk
[2010/07/16 00:24:12 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\asli\Desktop\TFC.exe
[2010/07/14 17:27:29 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/08 20:38:31 | 000,000,256 | ---- | M] () -- C:\WINDOWS\System32\pool.bin
[2010/07/06 22:19:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/06/25 23:32:53 | 000,502,240 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/25 23:32:53 | 000,441,692 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/25 23:32:53 | 000,071,462 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/15 01:13:01 | 000,019,968 | ---- | M] () -- C:\Documents and Settings\asli\Desktop\Sarah Car Payment Schedule.xls
[2010/06/11 03:40:47 | 000,247,904 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/11 03:23:36 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/07 13:56:55 | 000,021,265 | ---- | M] () -- C:\Documents and Settings\asli\Desktop\41+0zeNvD5L__SL400_.jpg
[2010/05/07 13:56:32 | 000,039,403 | ---- | M] () -- C:\Documents and Settings\asli\Desktop\51emYVVIz2L.jpg
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 22:29:43 | 099,640,723 | ---- | M] () -- C:\Documents and Settings\asli\Desktop\006_Learn_To_Live_-_Darius_Rucker_2008.rar
[2010/04/25 21:03:38 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\asli\My Documents\Nascar 2010.xls

========== Files Created - No Company Name ==========

[2010/07/16 00:35:15 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\asli\Desktop\NTREGOPT.lnk
[2010/07/16 00:35:15 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\asli\Desktop\ERUNT.lnk
[2010/07/15 18:12:31 | 535,875,584 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/08 19:55:28 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2010/07/01 00:13:37 | 009,486,336 | ---- | C] () -- C:\Documents and Settings\asli\ntuser.dat
[2010/06/14 23:00:09 | 000,019,968 | ---- | C] () -- C:\Documents and Settings\asli\Desktop\Sarah Car Payment Schedule.xls
[2010/05/07 13:57:01 | 000,021,265 | ---- | C] () -- C:\Documents and Settings\asli\Desktop\41+0zeNvD5L__SL400_.jpg
[2010/05/07 13:56:48 | 000,039,403 | ---- | C] () -- C:\Documents and Settings\asli\Desktop\51emYVVIz2L.jpg
[2010/04/26 22:29:10 | 099,640,723 | ---- | C] () -- C:\Documents and Settings\asli\Desktop\006_Learn_To_Live_-_Darius_Rucker_2008.rar
[2010/04/25 20:45:16 | 000,015,360 | ---- | C] () -- C:\Documents and Settings\asli\My Documents\Nascar 2010.xls
[2008/01/30 23:58:24 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/16 19:22:18 | 000,000,911 | ---- | C] () -- C:\WINDOWS\QUICKEN.INI
[2008/01/16 15:40:58 | 000,000,137 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2004/01/08 23:22:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2003/12/17 18:02:00 | 000,225,280 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2010/07/16 21:58:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2008/01/29 14:38:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ESPN
[2008/02/18 03:45:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2010/07/12 20:27:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2010/07/12 20:27:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Research In Motion(2)
[2008/01/29 15:23:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/12/17 22:27:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2008/01/29 15:23:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\asli\Application Data\acccore
[2008/01/29 14:39:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\asli\Application Data\ESPN
[2008/02/18 03:49:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\asli\Application Data\Grisoft
[2008/01/29 03:59:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\asli\Application Data\Leadertech
[2009/01/28 15:35:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\asli\Application Data\Research In Motion
[2010/07/12 20:27:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\asli\Application Data\uTorrent
[2008/01/29 15:23:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\asli\Application Data\Viewpoint

========== Purity Check ==========


< End of report >
#17
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP
Looks good. Continue with Combofix and TDSSKiller.

Ron

#18
CWeezy2424
    Member
  • Topic Starter
  • 52 posts

Looks good. Continue with Combofix and TDSSKiller.

Ron


Sorry for the delay - I started with COMBOFIX and it said something along the lines of attempting to run combofix and went no further. I waited for about 4 days and the screen was unchanged, so I am going to re-attempt now. Thanks for your patience. Stand by for an update...

#19
CWeezy2424
    Member
  • Topic Starter
  • 52 posts

Ron,

ComboFix started to run, and then a message popped up saying "ComboFix has detected rootkit activity and needs to restart". I hit "yes" to allow it to restart. Now, my computer is stuck on "Windows is shutting down...". It has not been able to get past this screen lately, and I am unsure if it is safe to hold the power button to turn off. The hard drive light is not illuminated, so it doesn't appear that it is still working. Advice? I am on a separate computer now as I type this. Currently, it is sitting idle at the "Windows is shutting down" screen and will continue to do so until I hear it is safe to hit the power off button.

#20
CWeezy2424
    Member
  • Topic Starter
  • 52 posts

Scratch that - it rebooted and is running combofix again - Stay tuned for a posted log....

#21
CWeezy2424
    Member
  • Topic Starter
  • 52 posts
ComboFix 10-07-24.06 - asli 07/26/2010 18:45:40.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.227 [GMT -4:00]
Running from: c:\documents and settings\asli\Desktop\george.exe
AV: avast! antivirus 4.7.1098 [VPS 100726-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kmd.exe

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
.

2010-07-17 01:38 . 2010-07-17 01:38 -------- d-----w- C:\_OTL
2010-07-16 04:35 . 2010-07-16 04:35 -------- d-----w- c:\program files\ERUNT
2010-07-15 23:03 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 23:03 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-15 22:28 . 2010-07-15 22:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-13 00:27 . 2010-07-13 00:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-13 00:27 . 2010-07-13 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2010-07-13 00:24 . 2010-07-13 00:24 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-08 23:54 . 2010-07-13 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 21:42 . 2008-01-29 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DIGStream
2010-07-17 01:35 . 2008-01-16 19:45 -------- d-----w- c:\program files\Java
2010-07-16 00:48 . 2008-02-19 00:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 00:27 . 2009-08-28 22:51 -------- d-----w- c:\documents and settings\asli\Application Data\uTorrent
2010-07-09 00:38 . 2009-01-28 19:35 256 ----a-w- c:\windows\system32\pool.bin
2010-06-24 22:28 . 2008-07-31 19:15 -------- d-----w- c:\program files\McAfee
2010-05-06 10:41 . 2004-08-04 13:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:56 . 2004-08-04 13:00 1850880 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-18 2002160]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2003-10-07 159744]
"AGRSMMSG"="AGRSMMSG.exe" [2004-01-30 88363]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-04-07 4730880]
"nwiz"="nwiz.exe" [2004-04-07 323584]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-03-01 200766]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-01-13 245760]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]
"DIGStream"="c:\program files\DIGStream\digstream.exe" [2006-02-10 278528]
"DIGServices"="c:\program files\ESPNRunTime\DIGServices.exe" [2006-07-14 106496]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2009-07-08 236016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]

c:\documents and settings\asli\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-7-29 57344]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-12-18 00:50 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Roxio\\Media Manager 9\\MediaManager9.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/10/2006 1:53 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/27/2007 12:39 PM 74480]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [7/31/2008 3:15 PM 93320]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/29/2008 3:23 PM 24652]
S1 nmuhqjp;nmuhqjp;c:\windows\system32\drivers\nmuhqjp.sys [8/4/2004 9:00 AM 295712]
S2 mrtRate;mrtRate; [x]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
.
Contents of the 'Scheduled Tasks' folder

2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\asli\Application Data\Mozilla\Firefox\Profiles\nzlasclv.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0yahoo&bm=yh_home
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-nmuhqjp
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-26 19:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????8?2?0?5??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2010-07-26 19:12:38
ComboFix-quarantined-files.txt 2010-07-26 23:12

Pre-Run: 27,026,100,224 bytes free
Post-Run: 27,137,040,384 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 361B0D0E6D842FE82822CDA3B3EE45FC

#22 CWeezy2424 (Member, Topic Starter)
Downloaded and extracted TDSSKiller to desktop...when I copy/paste that bolded text into my command prompt, I get the following error:

Valid command line parameters:

-|<file_name> (path to log file)
-qpath <folder_name> (path to quarantine folder)
-qall (copy all objects to quarantine)
-qsus (copy all suspicious objects to quarantine)
-qmbr (copy all mbr to quarantine)

Not sure what my next steps are - I have completed all requested actions, with the exception of the TDSSKiller (which I have posted a response to above). Please advise on my next steps. Thanks!

#23 RKinner (Malware Expert, MVP)
Just run TDSSKiller without the options. You may not get a log file so look at the bottom of the output to see if it says it found anything.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

DirLook::
C:\Program Files\Common
%user%\library

File::
c:\windows\system32\drivers\nmuhqjp.sys

Driver::
nmuhqjp
mrtRate

Registry::
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe"

******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript , OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Pause your anti-virus.

Drag it over to George and let it start as before.

Post the new log.

How is your PC running now?

Ron

#24 CWeezy2424 (Member, Topic Starter)
TDSSKiller Log:

2010/07/26 21:41:21.0171 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/26 21:41:21.0171 ================================================================================
2010/07/26 21:41:21.0171 SystemInfo:
2010/07/26 21:41:21.0171
2010/07/26 21:41:21.0171 OS Version: 5.1.2600 ServicePack: 2.0
2010/07/26 21:41:21.0171 Product type: Workstation
2010/07/26 21:41:21.0171 ComputerName: HAN-A4637BDFDA5
2010/07/26 21:41:21.0171 UserName: asli
2010/07/26 21:41:21.0171 Windows directory: C:\WINDOWS
2010/07/26 21:41:21.0171 System windows directory: C:\WINDOWS
2010/07/26 21:41:21.0171 Processor architecture: Intel x86
2010/07/26 21:41:21.0171 Number of processors: 1
2010/07/26 21:41:21.0171 Page size: 0x1000
2010/07/26 21:41:21.0171 Boot type: Normal boot
2010/07/26 21:41:21.0171 ================================================================================
2010/07/26 21:41:21.0343 Initialize success
2010/07/26 21:41:29.0781 ================================================================================
2010/07/26 21:41:29.0781 Scan started
2010/07/26 21:41:29.0781 Mode: Manual;
2010/07/26 21:41:29.0781 ================================================================================
2010/07/26 21:41:30.0234 Aavmker4 (d301f57713a0f6f8a3295ae6ebb69617) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/07/26 21:41:30.0359 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/07/26 21:41:30.0390 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/07/26 21:41:30.0484 aeaudio (3cb6ae5435987b1f8c83fd2730479878) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/07/26 21:41:30.0562 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/07/26 21:41:30.0609 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2010/07/26 21:41:30.0765 AgereSoftModem (a7d5c71ff4a5b8fee626fe65b39d71d0) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/07/26 21:41:30.0968 AmdK8 (e6a2299284013ec4de3419481a62069f) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/07/26 21:41:31.0109 ApfiltrService (d3da11b88ab29076b78ff79f35f0586b) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2010/07/26 21:41:31.0187 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/07/26 21:41:31.0312 aswMon2 (71785f529c7b251b188245843bbf85db) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/07/26 21:41:31.0343 aswRdr (7bab4923cabb4404bf05fd111e75e49b) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/07/26 21:41:31.0359 aswTdi (e8a2678eab78c2060d5eb26803667dc2) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/07/26 21:41:31.0390 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/07/26 21:41:31.0468 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/07/26 21:41:31.0531 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/07/26 21:41:31.0593 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/07/26 21:41:31.0687 BCM43XX (5e58a3148b98c9f356cde6049435cb21) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/07/26 21:41:31.0734 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/07/26 21:41:31.0968 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/07/26 21:41:32.0046 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/07/26 21:41:32.0109 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/07/26 21:41:32.0187 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/07/26 21:41:32.0234 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/07/26 21:41:32.0265 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/07/26 21:41:32.0375 DevUpper (5dc28c3458fcc7258edd9f817bad8cc7) C:\WINDOWS\system32\DRIVERS\tiumflt.sys
2010/07/26 21:41:32.0406 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/07/26 21:41:32.0500 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/07/26 21:41:32.0625 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/07/26 21:41:32.0703 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/07/26 21:41:32.0828 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/07/26 21:41:32.0968 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/07/26 21:41:33.0031 eabfiltr (3020c34ffdadfd69004570f88ff44b33) C:\WINDOWS\system32\drivers\EABFiltr.sys
2010/07/26 21:41:33.0062 eabusb (1ba14da377b66278335d4b9e8824cd42) C:\WINDOWS\system32\drivers\eabusb.sys
2010/07/26 21:41:33.0140 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/07/26 21:41:33.0171 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/07/26 21:41:33.0187 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/07/26 21:41:33.0218 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/07/26 21:41:33.0250 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/07/26 21:41:33.0281 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/07/26 21:41:33.0312 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/07/26 21:41:33.0359 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/07/26 21:41:33.0484 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/07/26 21:41:33.0546 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/07/26 21:41:33.0656 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/07/26 21:41:33.0812 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/07/26 21:41:33.0843 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/07/26 21:41:33.0968 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/07/26 21:41:34.0031 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/07/26 21:41:34.0125 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/07/26 21:41:34.0203 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/07/26 21:41:34.0234 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/07/26 21:41:34.0312 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/07/26 21:41:34.0437 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/07/26 21:41:34.0468 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/07/26 21:41:34.0531 klmd24 (6485ad0a17a0d6286b4d44c652adabb2) C:\WINDOWS\system32\drivers\klmd.sys
2010/07/26 21:41:34.0609 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/07/26 21:41:34.0750 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/07/26 21:41:34.0812 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/07/26 21:41:34.0859 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/07/26 21:41:34.0921 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/07/26 21:41:35.0031 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/07/26 21:41:35.0062 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/07/26 21:41:35.0140 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/07/26 21:41:35.0218 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/07/26 21:41:35.0312 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/07/26 21:41:35.0390 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/07/26 21:41:35.0453 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/07/26 21:41:35.0531 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/07/26 21:41:35.0609 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/07/26 21:41:35.0640 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/07/26 21:41:35.0687 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/07/26 21:41:35.0796 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/07/26 21:41:35.0812 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/07/26 21:41:35.0843 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/07/26 21:41:35.0859 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/07/26 21:41:35.0953 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/07/26 21:41:35.0984 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/07/26 21:41:36.0031 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/07/26 21:41:36.0125 nmuhqjp (914a3e13590c120fdd8edfc91790ba90) C:\WINDOWS\system32\drivers\nmuhqjp.sys
2010/07/26 21:41:36.0125 Suspicious file (Forged): C:\WINDOWS\system32\drivers\nmuhqjp.sys. Real md5: 914a3e13590c120fdd8edfc91790ba90, Fake md5: fe4155ce40fa9fdc239055e623deb297
2010/07/26 21:41:36.0125 nmuhqjp - detected Forged file (1)
2010/07/26 21:41:36.0218 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/07/26 21:41:36.0359 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/07/26 21:41:36.0453 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/07/26 21:41:36.0625 nv (0aea8f9dbe202fcfeffb181e1c5cf6d2) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/07/26 21:41:36.0781 nv_agp (01621905ae34bc24aaa2fddb93977299) C:\WINDOWS\system32\DRIVERS\nv_agp.sys
2010/07/26 21:41:36.0859 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/07/26 21:41:36.0890 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/07/26 21:41:36.0968 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/07/26 21:41:37.0109 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/07/26 21:41:37.0125 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/07/26 21:41:37.0203 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/07/26 21:41:37.0265 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/07/26 21:41:37.0312 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/07/26 21:41:37.0359 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/07/26 21:41:37.0515 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/07/26 21:41:37.0578 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/07/26 21:41:37.0609 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/07/26 21:41:37.0640 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/07/26 21:41:37.0671 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2010/07/26 21:41:37.0828 QV2KUX (0087f01d35a65b32393cc8bba46ee4a6) C:\WINDOWS\system32\DRIVERS\qv2kux.sys
2010/07/26 21:41:37.0875 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/07/26 21:41:37.0906 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/07/26 21:41:37.0968 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/07/26 21:41:38.0015 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/07/26 21:41:38.0078 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/07/26 21:41:38.0109 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/07/26 21:41:38.0187 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/07/26 21:41:38.0328 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/07/26 21:41:38.0390 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/07/26 21:41:38.0453 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/07/26 21:41:38.0515 rtl8139 (2ef9c0dc26b30b2318b1fc3faa1f0ae7) C:\WINDOWS\system32\DRIVERS\R8139n51.SYS
2010/07/26 21:41:38.0687 SASDIFSV (bfbc4be8d6ac6d33ad93f3f5f2e11499) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/07/26 21:41:38.0703 SASENUM (7f1085895e499907f68df7731924122b) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2010/07/26 21:41:38.0781 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2010/07/26 21:41:38.0953 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2010/07/26 21:41:39.0031 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/07/26 21:41:39.0109 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
2010/07/26 21:41:39.0125 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/07/26 21:41:39.0265 smwdm (f41896d591106713649b7eba668324e6) C:\WINDOWS\system32\drivers\smwdm.sys
2010/07/26 21:41:39.0421 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/07/26 21:41:39.0500 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/07/26 21:41:39.0578 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/07/26 21:41:39.0640 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/07/26 21:41:39.0718 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/07/26 21:41:39.0859 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/07/26 21:41:39.0921 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/07/26 21:41:39.0984 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/07/26 21:41:40.0015 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/07/26 21:41:40.0062 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/07/26 21:41:40.0140 tiumfwl (65e8e81c2f40abce9db98fd232f86bf8) C:\WINDOWS\system32\drivers\tiumfwl.sys
2010/07/26 21:41:40.0203 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/07/26 21:41:40.0375 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/07/26 21:41:40.0484 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/07/26 21:41:40.0531 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/07/26 21:41:40.0609 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/07/26 21:41:40.0640 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/07/26 21:41:40.0671 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/07/26 21:41:40.0734 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/07/26 21:41:40.0765 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/07/26 21:41:40.0828 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/07/26 21:41:40.0937 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/07/26 21:41:40.0984 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/07/26 21:41:41.0140 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/07/26 21:41:41.0171 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2010/07/26 21:41:41.0234 ================================================================================
2010/07/26 21:41:41.0234 Scan finished
2010/07/26 21:41:41.0234 ================================================================================
2010/07/26 21:41:41.0265 Detected object count: 1
2010/07/26 21:42:04.0093 Forged file(nmuhqjp) - User select action: Skip
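Ron's advice was to read the bottom of the TDSSKiller output for what it found. As an added example (not TDSSKiller's or ComboFix's own code), this Python parser pulls the detections, the forged-file hash pair and the action the user chose out of a TDSSKiller 2.4 log, so a log like the one above can be triaged without reading 150 driver lines; the sample input is an excerpt constructed from the log posted above, and the line formats are assumed from that log only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an excerpt of the TDSSKiller 2.4.0.0 log posted in this thread.
SAMPLE_LOG = """\
2010/07/26 21:41:29.0781 Scan started
2010/07/26 21:41:36.0031 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\\WINDOWS\\system32\\DRIVERS\\nic1394.sys
2010/07/26 21:41:36.0125 nmuhqjp (914a3e13590c120fdd8edfc91790ba90) C:\\WINDOWS\\system32\\drivers\\nmuhqjp.sys
2010/07/26 21:41:36.0125 Suspicious file (Forged): C:\\WINDOWS\\system32\\drivers\\nmuhqjp.sys. Real md5: 914a3e13590c120fdd8edfc91790ba90, Fake md5: fe4155ce40fa9fdc239055e623deb297
2010/07/26 21:41:36.0125 nmuhqjp - detected Forged file (1)
2010/07/26 21:41:36.0218 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\\WINDOWS\\system32\\drivers\\Npfs.sys
2010/07/26 21:41:41.0234 Scan finished
2010/07/26 21:41:41.0265 Detected object count: 1
2010/07/26 21:42:04.0093 Forged file(nmuhqjp) - User select action: Skip
"""

# Line shapes assumed from the log above (TDSSKiller 2.4 format, not an official spec).
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
RE_SUSPICIOUS = re.compile(
    rf"^{TS} Suspicious file \((?P<kind>\w+)\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
RE_DETECTED = re.compile(rf"^{TS} (?P<name>\S+) - detected (?P<kind>.+?) \(\d+\)$")
RE_COUNT = re.compile(rf"^{TS} Detected object count: (?P<n>\d+)$")
RE_ACTION = re.compile(
    rf"^{TS} (?P<kind>[\w ]+?)\((?P<name>\w+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Detection:
    name: str                       # service/driver name as TDSSKiller prints it
    kind: str                       # e.g. "Forged file"
    path: Optional[str] = None
    real_md5: Optional[str] = None  # hash of the bytes actually on disk
    fake_md5: Optional[str] = None  # hash the hidden driver presents to the OS
    action: Optional[str] = None    # what the user chose at the prompt, if logged


@dataclass
class ScanSummary:
    detections: List[Detection] = field(default_factory=list)
    reported_count: Optional[int] = None  # the tool's own "Detected object count"


def parse_tdsskiller_log(text: str) -> ScanSummary:
    """Extract detections and the user's chosen actions from a TDSSKiller log."""
    summary = ScanSummary()
    pending = None  # details from a "Suspicious file" line awaiting its "detected" line
    for line in text.splitlines():
        line = line.rstrip()
        if m := RE_SUSPICIOUS.match(line):
            pending = m.groupdict()
            continue
        if m := RE_DETECTED.match(line):
            det = Detection(name=m["name"], kind=m["kind"])
            # "Forged" (suspicious line) is the prefix of "Forged file" (detected line)
            if pending and pending["kind"] in det.kind:
                det.path = pending["path"]
                det.real_md5 = pending["real"]
                det.fake_md5 = pending["fake"]
            pending = None
            summary.detections.append(det)
            continue
        if m := RE_COUNT.match(line):
            summary.reported_count = int(m["n"])
            continue
        if m := RE_ACTION.match(line):
            for det in summary.detections:
                if det.name == m["name"]:
                    det.action = m["action"]
    return summary


def unresolved(summary: ScanSummary) -> List[Detection]:
    """Detections the user skipped or never acted on: these survive the reboot."""
    return [d for d in summary.detections if d.action in (None, "Skip")]


def count_matches(summary: ScanSummary) -> bool:
    """Sanity check: parsed detections agree with the tool's own count."""
    return summary.reported_count == len(summary.detections)


if __name__ == "__main__":
    s = parse_tdsskiller_log(SAMPLE_LOG)
    for d in unresolved(s):
        print(f"{d.kind}: {d.name} at {d.path} (real {d.real_md5}, fake {d.fake_md5}) "
              f"-> action {d.action}, still present")
```

Run on the log above, the parser reports one unresolved detection, nmuhqjp, which is exactly why Ron has the user rerun TDSSKiller and accept the delete in the next post.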

#25 CWeezy2424 (Member, Topic Starter)
Computer is actually not going all that much better than before. The internet works, but everything is painfully slow. Still goes idle for minutes before restarting, at both the shutting down screen and also goes idle when booting up.

Right now, I dragged the txt file over the George.exe file, and it is "Attempting to create a new system restore point" - has been doing this for about 10 minutes, this is the same step that held up the computer last time.

Also, sound is still not working?

How long should I wait at this point before turning it off and starting over?

#26 RKinner (Malware Expert, MVP)
It shouldn't take but about 10 minutes to run. Cancel it and run TDSSKiller again and when it asks you if you want it to delete Forged file(nmuhqjp) let it do it.

That's mostly what Combofix is supposed to do for us this time.

We may be looking at a case of Whistler/Black Internet since you have no sound.

Download

http://ad13.geekstogo.com/MBRCheck.exe

Save it and run it. What does it say about your MBR?

Ron

#27 CWeezy2424 (Member, Topic Starter)
Cancelled ComboFix, ran TDSSKiller, and deleted Forged file(nmuhqjp). Do I need to re-run combofix now?

#28 RKinner (Malware Expert, MVP)
No. Go on to MBRCheck.

Ron

#29 CWeezy2424 (Member, Topic Starter)
MBRCheck, version 1.1.1
© 2010, AD

\\.\C: --> \\.\PhysicalDrive0

Size   Device Name          MBR Status
--------------------------------------------
74 GB  \\.\PhysicalDrive0   Windows XP MBR code detected

Done! Press ENTER to exit...

#30 RKinner (Malware Expert, MVP)
MBRCheck says you don't have an MBR infection which is good.

Rerun TDSSKiller and see if it is happy now. Sometimes the infection will return.

You might try combofix again and see if it still runs slow. (Remember to pause your anti-virus!)

If you are still missing your sound then try right clicking on My Computer then select Manage then Device Manager. In the right pane, find Sound, Video and Game Controllers and click on the + in front of it. For each subitem, right click and UNINSTALL. OK and reboot.

Your Avast is obsolete. You should be running 5.0.

Your XP is only SP2. You should update to SP3 as soon as we are done. "Important notice for users of Windows XP with Service Pack 2 (SP2): The support for your product ended July 13, 2010! To ensure that you will receive all important security updates for Windows you need to upgrade to Windows XP with Service Pack 3 (SP3)"


Ron