Virus - Programs hidden, malfunctioning

Question

iTorres 0 Newbie Poster

13 Years Ago

Hello, I think I've acquired a virus(es) in the past few days. Some of the symptoms:

- Programs missing in the Start > All Programs. I can still open them if I go into the C: drive and look for them.
- Some of the icons on my desktop disappeared.
- Some of the programs aren't functioning properly.
- Ad-ware pops up randomly on a new tab while browsing firefox.
- Theme reverted to classic and audio gone.
- Internet became inaccessible.

After reading the 'read me...' thread and following the steps described, some things changed. The theme is back to XP, audio is there again, and I can access the internet. The rest remains the same. Following are the logs from running the programs suggested in the 'read me...' thread. The only one I couldn't get to work was DDS.scr. Every time I double-clicked it, it would open in notepad and just have some strange characters.

-------------------------------------------------------------------------
Malwarebytes' Log -

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6586

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/17/2011 3:47:08 PM
mbam-log-2011-05-17 (15-47-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 288053
Time elapsed: 1 hour(s), 49 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{8d5b6624-8d4a-485d-94f6-b6b0983f526a}\RP187\A0046579.exe (Rogue.Installer.Gen) -> Quarantined and deleted successfully.

GMER One -

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit quick scan 2011-05-17 13:09:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Intel___ rev.1.0.
Running: zs7u7flp.exe; Driver: C:\DOCUME~1\Ismael\LOCALS~1\Temp\kflcyfoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0        TDL4@MBR code has been found                                                                      <-- ROOTKIT !!!
Disk            \Device\Harddisk0\DR0        sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs       AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice  \FileSystem\Fastfat \Fat     fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat     AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice  \Driver\Tcpip \Device\Ip     avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----

GMER Two -

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-17 13:41:27
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 Intel___ rev.1.0.
Running: zs7u7flp.exe; Driver: C:\DOCUME~1\Ismael\LOCALS~1\Temp\kflcyfoc.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwOpenProcess [0xA4745738]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateProcess [0xA47457DC]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateThread [0xA4745878]
SSDT            \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwWriteVirtualMemory [0xA4745914]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                      AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                    avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                   avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                   avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                 avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                    fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat                                                                                                    AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Disk sectors - GMER 1.0.15 ----

Disk            \Device\Harddisk0\DR0                                                                                                       TDL4@MBR code has been found                                                                      <-- ROOTKIT !!!
Disk            \Device\Harddisk0\DR0                                                                                                       sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Any help would be greatly appreciated. Thanks!

virus-malware windows-virus

3 Contributors
24 Replies
435 Views
2 Days Discussion Span
Latest Post 13 Years Ago Latest Post by sarabjeet singh

jholland1964 650 Posting Expert

13 Years Ago

Have you tried running DDS in safe mode?

Whoops! Do this first:
Download the following zip file:

http://support.kaspersky.com/downloads/utils/tdsskiller.zip
extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);
Run the TDSSKiller.exe file;
Make sure there are check marks in both boxes, Services and Drivers and Boot Sectors.
Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed .
If the utility detects an infection with the MBR bootkit, it will report the it has detected an infected object type “Physical drive” and prompt for action:

Cure. This action is only available if the utility has identified the exact type of the bootkit.
If it has detected an unknown bootkit, it will be reported as Rootkit.Win32.BackBoot.gen.
Skip.
Copy to quarantine. The utility quarantines the infected MBR.
Restore. The utility restores a standard MBR.
Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed .
Post back with the log.

Edited 13 Years Ago by jholland1964 because: n/a

jholland1964 650 Posting Expert

13 Years Ago

Did you reboot?

jholland1964 650 Posting Expert

13 Years Ago

Just had to be sure, sometimes people don't do the rebooting they need to do.
Now do the following:
Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Post back here with that log.

jholland1964 650 Posting Expert

13 Years Ago

Give me a bit to go through this log and I will get back to you if further steps are needed with Combofix. In the meantime, do the following:

Update MBA-M and do a Full Scan with it. Have it remove everything found. Reboot.

Then Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer or you may use Firefox to complete this scan and you will need to allow an Active X to be installed
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back here with both of those logs.

jholland1964 650 Posting Expert

13 Years Ago

I would also like you to try to run the DDS Scanner again. If it won't run in normal mode then please give it a try in safe mode.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

iTorres 0 Newbie Poster · Answer 1 · 2011-05-18T07:41:43+00:00

Thanks for the reply. I ran the TDSSKiller.exe file and here is the log -

2011/05/17 20:18:03.0046 0532	TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/17 20:18:03.0453 0532	================================================================================
2011/05/17 20:18:03.0453 0532	SystemInfo:
2011/05/17 20:18:03.0453 0532	
2011/05/17 20:18:03.0453 0532	OS Version: 5.1.2600 ServicePack: 3.0
2011/05/17 20:18:03.0453 0532	Product type: Workstation
2011/05/17 20:18:03.0453 0532	ComputerName: GBMCPRECISION
2011/05/17 20:18:03.0453 0532	UserName: Ismael
2011/05/17 20:18:03.0453 0532	Windows directory: C:\WINDOWS
2011/05/17 20:18:03.0453 0532	System windows directory: C:\WINDOWS
2011/05/17 20:18:03.0453 0532	Processor architecture: Intel x86
2011/05/17 20:18:03.0453 0532	Number of processors: 2
2011/05/17 20:18:03.0453 0532	Page size: 0x1000
2011/05/17 20:18:03.0453 0532	Boot type: Normal boot
2011/05/17 20:18:03.0453 0532	================================================================================
2011/05/17 20:18:03.0750 0532	Initialize success
2011/05/17 20:18:19.0468 3232	================================================================================
2011/05/17 20:18:19.0468 3232	Scan started
2011/05/17 20:18:19.0468 3232	Mode: Manual; 
2011/05/17 20:18:19.0468 3232	================================================================================
2011/05/17 20:18:22.0093 3232	ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/17 20:18:22.0203 3232	ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/17 20:18:22.0375 3232	ADM8511         (b05f2367f62552a2de7e3c352b7b9885) C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
2011/05/17 20:18:22.0531 3232	aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/17 20:18:22.0609 3232	AFD             (38d7b715504da4741df35e3594fe2099) C:\WINDOWS\System32\drivers\afd.sys
2011/05/17 20:18:22.0953 3232	AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/17 20:18:23.0031 3232	atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/17 20:18:23.0140 3232	ati2mtag        (8a1a80ef7455244530b117eead8a427f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/05/17 20:18:23.0343 3232	Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/17 20:18:23.0437 3232	audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/17 20:18:23.0531 3232	AVGIDSDriver    (c403e7f715bb0a851a9dfae16ec4ae42) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
2011/05/17 20:18:23.0625 3232	AVGIDSEH        (1af676db3f3d4cc709cfab2571cf5fc3) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
2011/05/17 20:18:23.0671 3232	AVGIDSFilter    (4c51e233c87f9ec7598551de554bc99d) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
2011/05/17 20:18:23.0734 3232	AVGIDSShim      (c3fc426e54f55c1cc3219e415b88e10c) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
2011/05/17 20:18:23.0828 3232	Avgldx86        (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
2011/05/17 20:18:23.0906 3232	Avgmfx86        (5639de66b37d02bd22df4cf3155fba60) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
2011/05/17 20:18:23.0937 3232	Avgrkx86        (d1baf652eda0ae70896276a1fb32c2d4) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
2011/05/17 20:18:24.0031 3232	Avgtdix         (aaf0ebcad95f2164cffb544e00392498) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
2011/05/17 20:18:24.0093 3232	b57w2k          (8c0403aa21029804f31d869e6b0adedf) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/05/17 20:18:24.0187 3232	Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/17 20:18:24.0359 3232	cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/17 20:18:24.0406 3232	Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/17 20:18:24.0468 3232	Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/17 20:18:24.0500 3232	Cdrom           (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/17 20:18:24.0796 3232	Disk            (47b6aaec570f2c11d8bad80a064d8ed1) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/17 20:18:24.0859 3232	dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/17 20:18:24.0953 3232	dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/17 20:18:25.0000 3232	dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/17 20:18:25.0109 3232	DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/17 20:18:25.0234 3232	drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/17 20:18:25.0375 3232	Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/17 20:18:25.0453 3232	Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/05/17 20:18:25.0484 3232	Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/17 20:18:25.0500 3232	Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/17 20:18:25.0593 3232	FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/05/17 20:18:25.0671 3232	Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/17 20:18:25.0734 3232	Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/17 20:18:25.0796 3232	GEARAspiWDM     (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/17 20:18:25.0843 3232	Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/17 20:18:25.0921 3232	grmnusb         (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
2011/05/17 20:18:26.0046 3232	HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/17 20:18:26.0109 3232	hidusb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/17 20:18:26.0234 3232	HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/17 20:18:26.0453 3232	i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/17 20:18:26.0546 3232	iaStor          (1c77a81756d4777ccb0425ae8107fe96) C:\WINDOWS\system32\drivers\iaStor.sys
2011/05/17 20:18:26.0640 3232	Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/17 20:18:26.0750 3232	intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/17 20:18:26.0796 3232	Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/05/17 20:18:26.0859 3232	IpFilterDriver  (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/17 20:18:26.0890 3232	IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/17 20:18:26.0921 3232	IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/17 20:18:26.0968 3232	IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/17 20:18:27.0031 3232	IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/17 20:18:27.0125 3232	isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/17 20:18:27.0218 3232	Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/17 20:18:27.0312 3232	kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/17 20:18:27.0406 3232	kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/17 20:18:27.0453 3232	KSecDD          (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/17 20:18:27.0578 3232	mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/17 20:18:27.0671 3232	Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/17 20:18:27.0734 3232	Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/17 20:18:27.0781 3232	mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/17 20:18:27.0796 3232	MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/17 20:18:27.0875 3232	MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/17 20:18:27.0953 3232	MRxSmb          (fb7dfd15d760ad339837a470f0e780d3) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/17 20:18:28.0046 3232	Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/17 20:18:28.0125 3232	MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/17 20:18:28.0281 3232	MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/17 20:18:28.0375 3232	MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/17 20:18:28.0468 3232	mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/17 20:18:28.0531 3232	Mup             (6546fe6639499fa4bef180bdf08266a1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/17 20:18:28.0578 3232	NCFilter        (d7ca89d05e30d65eb4fa4de2b2b3a5a2) C:\WINDOWS\system32\DRIVERS\NCFilter.sys
2011/05/17 20:18:28.0640 3232	NCRecognizer    (de11895ccde844433ff23ecf1ebee34a) C:\WINDOWS\system32\DRIVERS\NCRecognizer.sys
2011/05/17 20:18:28.0671 3232	NCUncFilter     (17cdb953854b7595aae080ce3826f0ce) C:\WINDOWS\system32\DRIVERS\NCUncFilter.sys
2011/05/17 20:18:28.0750 3232	NDIS            (b5b1080d35974c0e718d64280761bcd5) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/17 20:18:28.0828 3232	NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/17 20:18:28.0875 3232	Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/17 20:18:28.0906 3232	NdisWan         (b053a8411045fd0664b389a090cb2bbc) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/17 20:18:28.0937 3232	NDProxy         (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/17 20:18:28.0984 3232	NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/17 20:18:29.0078 3232	NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/17 20:18:29.0156 3232	NetwareWorkstation (78e0d2b781410dcdbbe5c8c39d158f9c) C:\WINDOWS\system32\NetWare\nwfs.sys
2011/05/17 20:18:29.0234 3232	NICM            (d686538f37dff96042047930650ac88d) C:\WINDOWS\system32\drivers\nicm.sys
2011/05/17 20:18:29.0359 3232	Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/17 20:18:29.0406 3232	Ntfs            (a0857c97770034fd2af17dc4014b5abd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/17 20:18:29.0484 3232	Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/17 20:18:29.0531 3232	NWDHCP          (a4b071419e0ea596ffb3da89c1f04e61) C:\WINDOWS\system32\NetWare\nwdhcp.sys
2011/05/17 20:18:29.0562 3232	NWDNS           (536b713500ff0011f1df72f780643db9) C:\WINDOWS\system32\NetWare\nwdns.sys
2011/05/17 20:18:29.0593 3232	NWHOST          (baa75acf404bebce7065663664a7c3e4) C:\WINDOWS\system32\NetWare\NWHOST.sys
2011/05/17 20:18:29.0640 3232	NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/17 20:18:29.0687 3232	NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/17 20:18:29.0734 3232	NWSAP           (2726a6792bbb080ff345ed9a8111360f) C:\WINDOWS\system32\NetWare\NWSAP.sys
2011/05/17 20:18:29.0828 3232	NWSIPX32        (e00b0349cc3921225ad60728230d78be) C:\WINDOWS\system32\NetWare\nwsipx32.sys
2011/05/17 20:18:29.0875 3232	NWSLP           (2c69a3258f9477a13e7cd29f6a8696e8) C:\WINDOWS\system32\NetWare\nwslp.sys
2011/05/17 20:18:29.0984 3232	NWSNS           (172308996609da67e99c87fa784df8bc) C:\WINDOWS\system32\NetWare\NWSNS.sys
2011/05/17 20:18:30.0093 3232	Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/17 20:18:30.0125 3232	PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/17 20:18:30.0171 3232	ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/17 20:18:30.0234 3232	PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/17 20:18:30.0359 3232	PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/17 20:18:30.0406 3232	Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/17 20:18:30.0656 3232	PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/17 20:18:30.0750 3232	PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/17 20:18:30.0796 3232	Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/17 20:18:30.0968 3232	RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/17 20:18:31.0046 3232	Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/17 20:18:31.0140 3232	RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/17 20:18:31.0187 3232	Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/17 20:18:31.0250 3232	Rdbss           (9629383f70db691cb6aa5bbd828cd9a9) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/17 20:18:31.0296 3232	RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/17 20:18:31.0375 3232	rdpdr           (3a99642ed25a2fad5b0ba55f09ba2f93) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/17 20:18:31.0484 3232	RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/17 20:18:31.0593 3232	redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/17 20:18:31.0671 3232	RESMGR          (382ec29aa5bbd5ea7e959167f9cdada2) C:\WINDOWS\system32\NetWare\resmgr.sys
2011/05/17 20:18:31.0781 3232	rspndr          (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
2011/05/17 20:18:31.0890 3232	Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/17 20:18:31.0953 3232	serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/17 20:18:31.0984 3232	Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/17 20:18:32.0031 3232	Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/05/17 20:18:32.0140 3232	splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/17 20:18:32.0218 3232	sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/17 20:18:32.0328 3232	Srv             (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/17 20:18:32.0406 3232	SRVLOC          (ff5937fc4b1cf71cc009f7e5d7aaa875) C:\WINDOWS\system32\NetWare\srvloc.sys
2011/05/17 20:18:32.0562 3232	STHDA           (9db5dbed65f2d74acd1d20a53898af79) C:\WINDOWS\system32\drivers\sthda.sys
2011/05/17 20:18:32.0687 3232	swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/17 20:18:32.0765 3232	swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/17 20:18:32.0906 3232	sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/17 20:18:32.0984 3232	Tcpip           (ad978a1b783b5719720cff204b666c8e) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/17 20:18:33.0093 3232	TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/17 20:18:33.0187 3232	TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/17 20:18:33.0265 3232	TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/17 20:18:33.0406 3232	Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/17 20:18:33.0562 3232	Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/17 20:18:33.0656 3232	usbccgp         (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/17 20:18:33.0718 3232	usbehci         (152ee0baa614388273a0b9ae9c9fd5a0) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/17 20:18:33.0781 3232	usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/17 20:18:33.0843 3232	usbstor         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/17 20:18:33.0906 3232	usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/17 20:18:33.0984 3232	VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/17 20:18:34.0031 3232	VolSnap         (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/17 20:18:34.0093 3232	Wanarp          (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/17 20:18:34.0265 3232	wdmaud          (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/17 20:18:34.0375 3232	\HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/17 20:18:34.0375 3232	================================================================================
2011/05/17 20:18:34.0375 3232	Scan finished
2011/05/17 20:18:34.0375 3232	================================================================================
2011/05/17 20:18:34.0375 1792	Detected object count: 1
2011/05/17 20:19:27.0875 1792	\HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/17 20:19:27.0875 1792	\HardDisk0 - ok
2011/05/17 20:19:27.0875 1792	Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure 
2011/05/17 20:19:33.0687 2892	Deinitialize success

iTorres 0 Newbie Poster · Answer 2 · 2011-05-18T07:50:46+00:00

iTorres 0 Newbie Poster

13 Years Ago

Yes.

iTorres 0 Newbie Poster · Answer 3 · 2011-05-18T23:04:32+00:00

Oh wow, the icons and programs are no longer hidden. Thanks for the help so far. Here's the log -

ComboFix -

ComboFix 11-05-17.03 - Ismael 05/18/2011  11:44:32.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2046.1463 [GMT -5:00]
Running from: c:\documents and settings\Ismael\Desktop\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Ismael\2gweorjqjutp92vjy9gake
c:\documents and settings\Ismael\Application Data\Adobe\plugs
c:\documents and settings\Ismael\Application Data\Adobe\shed
c:\documents and settings\Ismael\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}
c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}\chrome.manifest
c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}\chrome\content\_cfg.js
c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}\chrome\content\overlay.xul
c:\documents and settings\Ismael\Local Settings\Application Data\{A8D74445-2BFA-4160-A237-0E4D404950D9}\install.rdf
c:\windows\system32\regobj.dll
.
.
(((((((((((((((((((((((((   Files Created from 2011-04-18 to 2011-05-18  )))))))))))))))))))))))))))))))
.
.
2011-05-18 00:35 . 2011-05-18 00:35	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-05-18 00:35 . 2011-05-18 00:35	--------	d-----w-	c:\documents and settings\NetworkService\Application Data\Apple Computer
2011-05-16 22:09 . 2011-05-16 22:09	--------	d-----w-	c:\windows\system32\NtmsData
2011-05-13 14:04 . 2011-05-16 23:19	--------	d-----w-	c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-13 04:10 . 2011-05-13 04:10	--------	d-----w-	c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-05-13 01:24 . 2011-05-13 01:24	--------	d-sh--w-	c:\documents and settings\NetworkService\IETldCache
2011-05-13 01:09 . 2011-05-13 01:09	0	----a-w-	c:\windows\Epecuteboyo.bin
2011-05-12 20:12 . 2011-05-13 01:07	--------	d-----w-	c:\documents and settings\All Users\Application Data\dN28275EiBeD28275
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2010-12-13 23:49	692736	----a-w-	c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-07-22 22:50	420864	----a-w-	c:\windows\system32\vbscript.dll
2011-03-03 13:27 . 2008-07-22 22:50	1866880	----a-w-	c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-07-22 22:50	916480	----a-w-	c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-07-22 22:49	43520	------w-	c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-07-22 22:48	1469440	------w-	c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-07-22 22:48	385024	----a-w-	c:\windows\system32\html.iec
1997-07-22 02:30	1045776	--sha-w-	c:\windows\system32\Msjet35.dll
1997-06-23 10:00	123664	--sha-w-	c:\windows\system32\Msjint35.dll
1997-06-23 19:06	24848	--sha-w-	c:\windows\system32\Msjter35.dll
1997-06-23 19:06	252176	--sha-w-	c:\windows\system32\Msrd2x35.dll
1997-06-23 19:06	287504	--sha-w-	c:\windows\system32\Msxbse35.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Novell Messenger"="c:\novell\Messenger\NMCL32.exe" [2007-09-05 1417293]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2006-04-26 143360]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-03-15 344064]
"Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2006-04-20 61526]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2010-12-16 25214]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
"c:\\Program Files\\Novell\\GroupWise\\grpwise.exe"=
"c:\\Program Files\\Novell\\GroupWise\\notify.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\ArcGIS\\Bin\\ArcMap.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1040:TCP"= 1040:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
.
R0 NCFilter;Novell UNC Path Filter - Filter;c:\windows\system32\drivers\ncfilter.sys [11/18/2010 1:10 PM 80000]
R0 NCRecognizer;Novell UNC Path Filter - Recognizer;c:\windows\system32\drivers\ncrecognizer.sys [11/18/2010 1:10 PM 90240]
R0 NCUncFilter;Novell UNC Path Filter - UNC Filter;c:\windows\system32\drivers\ncuncfilter.sys [11/18/2010 1:10 PM 14720]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/14/2008 5:42 AM 14336]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2010 9:17 AM 136176]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [12/14/2010 9:05 AM 20160]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/17/2010 9:17 AM 136176]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai	REG_MULTI_SZ   	Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 14:17]
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-17 14:17]
.
2011-05-18 c:\windows\Tasks\User_Feed_Synchronization-{B8DC2A4A-382B-4BFD-B98F-BA578BD2CEE8}.job
- c:\windows\system32\msfeedssync.exe [2008-07-22 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ismael\Application Data\Mozilla\Firefox\Profiles\bgeo5x1w.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 11:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\NETWIN32.DLL
c:\windows\system32\NLS\ENGLISH\MAPBASER.DLL
.
- - - - - - - > 'Explorer.exe'(4084)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
c:\program files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\NWTRAY.EXE
c:\program files\Adobe\Acrobat 7.0\Acrobat\Acrobat_sl.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-18  11:56:18 - machine was rebooted
ComboFix-quarantined-files.txt  2011-05-18 16:56
.
Pre-Run: 444,515,352,576 bytes free
Post-Run: 447,567,310,848 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 1FFB78F2DB8E0D42491B3D113D18276B

iTorres 0 Newbie Poster · Answer 4 · 2011-05-19T08:02:13+00:00

Alright, here are both of the logs:

Malwarebyte's Log -

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6612

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2011 7:10:59 PM
mbam-log-2011-05-18 (19-10-59).txt

Scan type: Full scan (C:\|)
Objects scanned: 283565
Time elapsed: 2 hour(s), 21 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ESET Log -

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=2554cee087e6e742bcff95d42b99946f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-19 01:51:46
# local_time=2011-05-18 08:51:46 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777215 100 0 12511451 12511451 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=121117
# found=1
# cleaned=1
# scan_time=2828
C:\System Volume Information\_restore{8D5B6624-8D4A-485D-94F6-B6B0983F526A}\RP187\A0046578.dll	a variant of Win32/Kryptik.NRV trojan (cleaned by deleting - quarantined)	00000000000000000000000000000000	C

I will now run the DDS scanner to see if it works in normal or safe mode.

iTorres 0 Newbie Poster · Answer 5 · 2011-05-19T08:19:12+00:00

There seems to be a message at the top of the document when I try to open the DDS scanner that reads: [This program cannot be run in DOS mode.] It happens in both normal and safe mode.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 6 · 2011-05-19T08:34:34+00:00

Did you set this file association as seen in your combofix log?

------- File Associations -------
.
[B].scr[/B]=AutoCADScriptFile

iTorres 0 Newbie Poster · Answer 7 · 2011-05-19T18:49:29+00:00

That's how it appeared when I downloaded it. Do I need to change it?

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 8 · 2011-05-19T20:21:18+00:00

jholland1964 650 Posting Expert

13 Years Ago

That's how what appeared when you downloaded it?

iTorres 0 Newbie Poster · Answer 9 · 2011-05-19T20:32:15+00:00

iTorres 0 Newbie Poster

13 Years Ago

Yes. I didn't mess with it at all.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 10 · 2011-05-19T20:41:15+00:00

I asked you what was it you downloaded not if you "messed" with it.
I am trying to figure out why the DDS scanner won't run.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 11 · 2011-05-19T20:52:23+00:00

Do you have AutoCad on the computer? This is what is causing DDS to stop running.

iTorres 0 Newbie Poster · Answer 12 · 2011-05-19T20:56:07+00:00

I downloaded DDS by sUBs that's linked in the "Read me..." thread. Yes, I have AutoCAD installed on this computer. Is there a way to run it without having to uninstall AutoCAD?

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 13 · 2011-05-19T21:01:09+00:00

jholland1964 650 Posting Expert

13 Years Ago

Probably not.
Is the computer working correctly?

iTorres 0 Newbie Poster · Answer 14 · 2011-05-19T21:22:36+00:00

Right now it's seems to be working fine. There's still a few programs that are missing in the Start > All Programs menu. Everything else seems ok.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 15 · 2011-05-19T21:25:49+00:00

jholland1964 650 Posting Expert

13 Years Ago

What programs are missing?

iTorres 0 Newbie Poster · Answer 16 · 2011-05-19T21:55:58+00:00

Well, for example, if I go to the All Programs menu I won't find Malwarebytes, AutoCAD, Microsoft Word, Excel, etc... I have to go to My Computer > Local Disk> Program Files > etc... to find them. Although the icons are back in my desktop.

jholland1964 650 Posting Expert Team Colleague Featured Poster · Answer 17 · 2011-05-19T23:32:47+00:00

jholland1964 650 Posting Expert

13 Years Ago

See if these commands help, from Start/Run:

regsvr32 /i shell32
regsvr32 /i shdocvw

sarabjeet singh commented: The commands will also not work it will give error something like this 0x8002801c -1

Portgas D. Ace commented: N/A -1

iTorres 0 Newbie Poster · Answer 18 · 2011-05-20T19:03:37+00:00

Still the same. I will not be able to try anything during the weekend as I will be out of state but I might just go ahead and remove AutoCAD to run DDS when I come back. Thanks for all the help.

sarabjeet singh -3 Newbie Poster · Answer 19 · 2011-05-20T20:27:33+00:00

you can try the registry fixes available on (unapproved website removed)and also to make sure the computer is virus free you can again scan it using SUPERANTISPYWARE that is available free on CNET.COM . I believe it will resolve your concern.
Cheers!!