Member Avatar for bpcomprp

I don't have the original system disks for the machine in question so i would like to attempt a manual recovery. If needed i can order them, but HP charges for the disks. Currently the network is disabled and Mcafee anti-virus does not appear to work correctly.

WHAT HAS MY ISSUE BEEN?
- Ping.exe consuming memory and CPU
- Use of the internet, no matter the browser gives me multiple popups, mostly porn
- Flaky programs, some not launching, like Anti-virus software

THANK YOU.

1A– Please Uninstall or Disable any P2P (peer-to-peer) programs: DONE

1B – Please endeavor to reply to your thread promptly: Will do my best

2/3/4 – Download ATF-Cleaner.exe / Download DDS / Download GMER Rootkit Scanner: DONE

5– If your OS is Windows XP, please run the Microsoft® Windows® Malicious Software Removal Tool: Done, several items found

Malware: Scan Results:
Trojan:Win32/Alureon.FK Partially removed, restart computer to clean
TrojanDownloader:Win32/Tracur.Q Partially removed, restart computer to clean
Trojan:JS/Tracur.B Removed

Rebooted Windows XP PC

6 – If you are able, RUN ATF-Cleaner.exe: First run error-ed out an crashed, appears second run was successful.

7– Please run the GMER Rootkit Scanner: Done

GMEROne.txt

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-02-02 01:12:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600BEVT-60ZCT1 rev.13.01A13
Running: off96xi6.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\axrdrpoc.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF73984C0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF73984D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7398500]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF73984AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7398484]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7398498]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF73984EA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF739852C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7398516]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

GMERTwo.txt

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-02 02:28:42
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600BEVT-60ZCT1 rev.13.01A13
Running: off96xi6.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\axrdrpoc.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF73984C0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF73984D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7398500]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF73984AC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7398484]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7398498]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF73984EA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF739852C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7398516]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 SaibIa32.sys (Disk Filter Driver/Sonic Solutions)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) AA41E000-AA438000 (106496 bytes)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5CWM5JNI\background_gradient[1] 453 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5CWM5JNI\bullet[1] 3169 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5CWM5JNI\dnserrordiagoff_webOC[1] 6766 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RR6D9Z5Y\down[1] 3414 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RR6D9Z5Y\errorPageStrings[2] 1817 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RR6D9Z5Y\httpErrorPagesScripts[1] 8601 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\RR6D9Z5Y\info_48[1] 6993 bytes
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\WXENK3FM\ErrorPageTemplate[1] 2168 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115 0 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\bckfg.tmp 854 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\cfg.ini 265 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\keywords 39 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\L 0 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\L\dnnkaqhd 456320 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\U 0 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1310695115\version 854 bytes
File C:\WINDOWS\$NtUninstallKB53460$\1388541195 0 bytes

---- EOF - GMER 1.0.15 ----

MalwareBytes’ Anti-Malware log

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.02.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: YOUR-5A66F93F18 [administrator]

Protection: Enabled

2/2/2012 2:38:56 AM
mbam-log-2012-02-02 (02-38-56).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218195
Time elapsed: 43 minute(s), 6 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 2
C:\WINDOWS\system32\oyucumxm.dll (IPH.GenericBHO) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\ApplicationHistoryUpdate\ApplicationHistoryupdt32.dll (Trojan.SHarpro.PGen) -> Delete on reboot.

Registry Keys Detected: 10
HKCR\CLSID\{D1A3922A-68A6-08D7-2959-9D46C1C37A50} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKCR\Ikahjeng (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D1A3922A-68A6-08D7-2959-9D46C1C37A50} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{D1A3922A-68A6-08D7-2959-9D46C1C37A50} (IPH.GenericBHO) -> Quarantined and deleted successfully.
HKCR\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKCR\.fsharproj (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKCR\AH (Rogue.MultipleAV) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKLM\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 6
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run|2205 (Trojan.CryptBit.Gen) -> Data: C:\DOCUME~1\ALLUSE~1\LOCALS~1\Temp\dubmnaxxxzeur.exe -> Delete on reboot.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: sp -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Data: -> Quarantined and deleted successfully.
HKCR\ah|Content Type (Rogue.MultipleAV) -> Data: application/x-msdownload -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|ODBC Update (Trojan.SHarpro.PGen) -> Data: rundll32 "C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\ApplicationHistoryUpdate\ApplicationHistoryupdt32.dll",DllRegisterServer -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^w^ -> Quarantined and deleted successfully.

Registry Data Items Detected: 7
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\fgb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\fgb.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Owner\Local Settings\Application Data\fgb.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\WINDOWS\system32\oyucumxm.dll (IPH.GenericBHO) -> Delete on reboot.
C:\Documents and Settings\All Users\Local Settings\Temp\dubmnaxxxzeur.exe (Trojan.CryptBit.Gen) -> Delete on reboot.
C:\Documents and Settings\Owner\Local Settings\Temp\opre0.22843723231465518.exe (Exploit.Drop.6) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\kna0.951604019009468.exe (Exploit.Drop.7) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\ApplicationHistory\ApplicationHistoryUpdate\ApplicationHistoryupdt32.dll (Trojan.SHarpro.PGen) -> Delete on reboot.

(end)

DDS.log

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 10:10:59 on 2012-02-02
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.475 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\Program Files\HP\HPBTWD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\syncables\syncables desktop\Syncables.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\syncables\syncables desktop\jre\bin\javaw.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\syncables\syncables desktop\MigoMapi.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Roxio\BackOnTrack\Instant Restore\UINotification.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.gmail.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111228121126.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540000} - c:\program files\gbplugin\gbieh.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0559.0\msneshellx.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [cdloader] "c:\documents and settings\owner\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [MicrosoftVerifierOnline] rundll32.exe "c:\documents and settings\all users\application data\MicrosoftVerifierOnline.dll",DllRegisterServer
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [HP BTW Detect Program] c:\program files\hp\HPBTWD.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Mobile Broadband] c:\swsetup\hpqwwan\HPMobileBroadband.exe /TrayMode
mRun: [Syncables] c:\program files\syncables\syncables desktop\Syncables.exe
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: bancobrasil.com.br\www
Trusted Zone: bancobrasil.com.br\www14
Trusted Zone: bancobrasil.com.br\www2
Trusted Zone: bb.com.br\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: GbPluginBb - c:\program files\gbplugin\gbieh.dll
Notify: igfxcui - igfxdev.dll
Notify: nykkygy - c:\documents and settings\networkservice\local settings\application data\nykkygy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399f83} - c:\program files\gbplugin\gbieh.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\zx9n9iam.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [2011-3-1 43600]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-28 464176]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2009-6-16 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2009-6-16 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [2008-9-25 103792]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-28 89792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2009-6-16 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\roxio\backontrack\disaster recovery\SaibSVC.exe [2008-12-12 125424]
R2 BOTService;BOTService;c:\program files\roxio\backontrack\instant restore\BOTService.exe [2009-3-19 203248]
R2 GbpSv;Gbp Service;c:\progra~1\gbplugin\GbpSv.exe [2011-3-1 208264]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-2 652360]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-28 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-28 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-28 214904]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-28 214904]
R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-28 166288]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-28 160608]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-28 150856]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-6-16 113664]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-28 57600]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-3-2 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-2 20464]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-28 180816]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-28 338176]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-12-28 83856]
S1 hbirlheu;hbirlheu;\??\c:\windows\system32\drivers\hbirlheu.sys --> c:\windows\system32\drivers\hbirlheu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-15 136176]
S2 zrkfpmbz;Microsoft Composite Battery Controller;c:\windows\system32\svchost.exe -k netsvcs [2008-4-15 14336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-15 136176]
S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [2011-12-28 203080]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-28 59456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-12-28 83856]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-28 87656]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\drivers\rts5121.sys --> c:\windows\system32\drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\drivers\rts516xir.sys --> c:\windows\system32\drivers\Rts516xIR.sys [?]
S4 McOobeSv;McAfee OOBE Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-28 214904]
.
=============== Created Last 30 ================
.
2012-02-02 07:31:03 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes
2012-02-02 07:30:24 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-02 07:30:23 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-02 07:30:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-02 00:35:53 -------- d-----w- c:\windows\system32\MpEngineStore
2012-02-02 00:22:50 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-02-02 00:22:47 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-29 18:25:27 -------- d-----w- c:\windows\pss
2012-01-05 14:47:21 -------- d-----w- c:\documents and settings\all users\application data\McAfee Security Scan
2012-01-05 14:47:06 -------- d-----w- c:\program files\McAfee Security Scan
.
==================== Find3M ====================
.
2011-12-19 02:04:05 218624 ----a-w- c:\documents and settings\all users\application data\MicrosoftVerifierOnline.dll
2011-12-13 04:24:38 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-06 22:25:42 150856 ----a-w- c:\windows\system32\mfevtps.exe
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
.
============= FINISH: 10:12:38.65 ===============


Thank you so much for your assistance!!!

Edited by bpcomprp because: n/a
  • 3 Contributors
  • 17 Replies
  • 543 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by PhilliePhan
Member Avatar for jholland1964

Good Job! Great to have somebody who reads and follows directions! Helps things move much faster.

Attach.txt log needs to be copy/pasted also. Then also run this scan, have it fix/remove anything found. Reboot and come back with the log.

ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer to complete this scan and you will need to allow an Active X to be installed or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Edited by jholland1964 because: n/a
Member Avatar for bpcomprp

Good Job! Great to have somebody who reads and follows directions! Helps things move much faster.

Attach.txt log needs to be copy/pasted also. Then also run this scan, have it fix/remove anything found. Reboot and come back with the log.

ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer to complete this scan and you will need to allow an Active X to be installed or you may use Firefox
* You will need to temporarily Disable your current Anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is Checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Thank you Once again, ran the online scanner and here are the attach and eset logs.

Attach

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 8/13/2009 11:46:16 PM
System Uptime: 2/2/2012 9:58:10 AM (1 hours ago)
.
Motherboard: Hewlett-Packard | | 308F
Processor: Intel(R) Atom(TM) CPU N270 @ 1.60GHz | CPU 1 | 1596/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 135.245 GiB free.
D: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP3: 2/2/2012 9:57:35 AM - System Checkpoint
.
==== Installed Programs ======================
.
Acrobat.com
Activation Assistant for the 2007 Microsoft Office suites
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.4.7
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Broadcom 802.11 Wireless LAN Adapter
Compatibility Pack for the 2007 Office system
Default Manager
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP BatteryCheck 2.10 A2
HP Doc Viewer
HP Help and Support
HP Mobile Broadband Setup Utility
HP User Guides 0139
HP Wireless Assistant
HpSdpAppCoreApp
IDT Audio
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 11
magicJack
Malwarebytes Anti-Malware version 1.60.1.1000
McAfee AntiVirus Plus
McAfee Security Scan Plus
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Live Search Toolbar
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Move Media Player
Mozilla Firefox 8.0.1 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Roxio BackOnTrack
Roxio Disaster Recovery
Roxio Instant Restore
Roxio Instant Restore Recovery Disk
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Synaptics Pointing Device Driver
syncables desktop
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 Card Reader Software
Viewpoint Media Player
WebFldrs XP
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
.
==== Event Viewer Messages From Past Week ========
.
2/2/2012 9:28:00 AM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
2/2/2012 8:28:00 AM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
2/2/2012 7:28:00 AM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
2/2/2012 6:28:00 AM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
2/2/2012 5:28:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
2/2/2012 4:28:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
2/2/2012 3:28:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
2/2/2012 3:28:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
2/2/2012 2:28:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
2/2/2012 2:28:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
2/2/2012 12:28:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
2/2/2012 10:00:11 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AliIde IntelIde ViaIde
2/2/2012 10:00:11 AM, error: Service Control Manager [7023] - The Microsoft Composite Battery Controller service terminated with the following error: The specified module could not be found.
2/2/2012 1:57:52 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
2/2/2012 1:28:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
2/2/2012 1:28:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
2/2/2012 1:04:27 AM, error: Service Control Manager [7023] - The SPService service terminated with the following error: The specified module could not be found.
2/2/2012 1:03:25 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
2/1/2012 9:28:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
2/1/2012 9:28:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
2/1/2012 8:28:00 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
2/1/2012 8:28:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
2/1/2012 7:28:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
2/1/2012 7:28:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
2/1/2012 11:28:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
2/1/2012 11:28:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
2/1/2012 10:28:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
2/1/2012 10:28:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
1/29/2012 1:28:00 PM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402
.
==== End Of File ===========================



ESET log

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=621340f4a4f8b747a43168e2d3e2aee8
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-02-03 01:35:18
# local_time=2012-02-02 08:35:18 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16777189 100 75 2089674 28607667 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=61061
# found=15
# cleaned=13
# scan_time=5098
C:\Documents and Settings\All Users\Application Data\MicrosoftVerifierOnline.dll a variant of Win32/Kryptik.XQD trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\NetworkService\Local Settings\Application Data\nykkygy.dll a variant of Win32/TrojanProxy.Agent.NIF trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx9n9iam.default\extensions\{468eebbf-a9cd-4e49-9238-73c293f83842}\chrome.manifest Win32/TrojanDownloader.Tracur.F trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\31\70e83d9f-48850867 a variant of Java/TrojanDownloader.Agent.NDJ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\33\53784821-2493d337 a variant of Java/TrojanDownloader.Agent.NDJ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\36\70190024-28f398fc a variant of Java/TrojanDownloader.Agent.NDJ trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\43\e5a51ab-5b9c052e multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\47\be97b6f-114a0317 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\5\2ac74c85-7f5ad0f1 multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Local Settings\Temp\NOD237.tmp a variant of Win32/Kryptik.XQD trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Local Settings\Temp\NOD8BB.tmp a variant of Win32/TrojanProxy.Agent.NIF trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Local Settings\Temp\nsa4B.tmp\k4kfjnq.isg a variant of Win32/Kryptik.XQD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Owner\Local Settings\Temp\nsa4B.tmp\qhzrtly.hzd a variant of Win32/Kryptik.XQD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\mrxsmb.sys Win32/Sirefef.DA trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} multiple threats 00000000000000000000000000000000 I

Member Avatar for jholland1964

Please now do the following:
Download the TDSSKiller.zip archive and extract it into a folder on the infected (or possibly infected) computer with an archiver (WinZip, for example);
Run the TDSSKiller.exe file;
Wait until the scanning and disinfection completes. A reboot might require after the disinfection has been completed .
Post back with that log, then continue with instructions below:

Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Member Avatar for bpcomprp

Ran TDSSKiller, it found one infection and asked me to reboot, I could not find any log generated so i included a screen shot. After the reboot i got a pop up error window: "RUNDLL C:\Documents and Settings\All Users\Application Data\MicrosoftVerifierOnline.dll The specified module could not be found." I don't think its related, maybe something residual from the earlier infections/fixes.

Ran combo fix, got a message that said that the "Microsoft Windows Recovery console" was not installed, and that it needed a network connection to download and install it. Plugged in the network so that could complete.

When that completed I disconnected the network agian and combofix continued to run. It said it found a root kit in the TCP/IP stack and rebooted the machine several times with a warning that network might not work afterwards and to reboot one more time or run combofix again to fix it if it does not work after the reboot.

Here is the combo fix log, i checked the network interface and it appears to be working fine.

ComboFix.txt

ComboFix 12-02-05.02 - Owner 02/05/2012 23:40:28.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.728 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
ADS - system32: deleted 2 bytes in 1 streams.
ADS - drivers: deleted 204 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx9n9iam.default\extensions\{468eebbf-a9cd-4e49-9238-73c293f83842}
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx9n9iam.default\extensions\{468eebbf-a9cd-4e49-9238-73c293f83842}\chrome\xulcache.jar
c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx9n9iam.default\extensions\{468eebbf-a9cd-4e49-9238-73c293f83842}\install.rdf
c:\program files\HP\HPBTWD.exe
c:\windows\$NtUninstallKB53460$\1291579719
c:\windows\$NtUninstallKB53460$\1310695115\@
c:\windows\$NtUninstallKB53460$\1310695115\cfg.ini
c:\windows\$NtUninstallKB53460$\1310695115\Desktop.ini
c:\windows\$NtUninstallKB53460$\1310695115\L\dnnkaqhd
c:\windows\$NtUninstallKB53460$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-01-06 to 2012-02-06 )))))))))))))))))))))))))))))))
.
.
2012-02-06 03:53 . 2012-02-06 03:53 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-05 20:02 . 2012-02-05 20:02 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-02-05 19:48 . 2012-02-05 19:48 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2012-02-05 14:19 . 2012-02-05 14:57 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-02 23:53 . 2012-02-02 23:53 -------- d-----w- c:\program files\ESET
2012-02-02 07:31 . 2012-02-02 07:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-02-02 07:30 . 2012-02-02 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-02 07:30 . 2012-02-02 07:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-02 07:30 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-02 00:35 . 2012-02-02 06:02 -------- d-----w- c:\windows\system32\MpEngineStore
2012-02-02 00:22 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-02-02 00:22 . 2008-04-14 05:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-13 04:24 . 2011-06-07 17:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2010-12-31 13:10 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 04:46 . 2011-05-08 00:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-16 39408]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-30 483428]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-18 737280]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2009-01-09 455224]
"Syncables"="c:\program files\syncables\syncables desktop\Syncables.exe" [2009-04-02 173360]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2011-07-18 12:09 1685384 ----a-w- c:\program files\GbPlugin\gbieh.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-17 00:06 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
"\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [3/1/2011 12:19 AM 43600]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/16/2009 7:05 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/16/2009 7:05 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [9/25/2008 12:09 AM 103792]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/16/2009 7:05 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [12/12/2008 12:46 AM 125424]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [3/19/2009 2:04 PM 203248]
R2 GbpSv;Gbp Service;c:\progra~1\GbPlugin\GbpSv.exe [3/1/2011 12:19 AM 208264]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/2/2012 2:30 AM 652360]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/2/2009 4:03 PM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/2/2012 2:30 AM 20464]
S1 hbirlheu;hbirlheu;\??\c:\windows\system32\drivers\hbirlheu.sys --> c:\windows\system32\drivers\hbirlheu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2011 11:34 PM 136176]
S2 zrkfpmbz;Microsoft Composite Battery Controller;c:\windows\System32\svchost.exe -k netsvcs [4/15/2008 7:00 AM 14336]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/16/2009 6:55 PM 113664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2011 11:34 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/5/2012 3:02 PM 40776]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
s24trans
zrkfpmbz
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-06 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-03-19 19:05]
.
2012-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-16 04:33]
.
2012-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-16 04:33]
.
2012-02-06 c:\windows\Tasks\User_Feed_Synchronization-{B1F49AD2-9F9C-4279-A3B5-B260CFC4E382}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: mswsock.dll
Trusted Zone: bancobrasil.com.br\www
Trusted Zone: bancobrasil.com.br\www14
Trusted Zone: bancobrasil.com.br\www2
Trusted Zone: bb.com.br\www
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx9n9iam.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-MicrosoftVerifierOnline - c:\documents and settings\All Users\Application Data\MicrosoftVerifierOnline.dll
HKLM-Run-HP BTW Detect Program - c:\program files\HP\HPBTWD.exe
SafeBoot-09979888.sys
SafeBoot-59154121.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-05 23:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB53460$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,14,89,9b,0f,ae,e3,4d,82,c3,2a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,14,89,9b,0f,ae,e3,4d,82,c3,2a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(776)
c:\program files\GbPlugin\gbieh.dll
.
- - - - - - - > 'explorer.exe'(2576)
c:\windows\system32\WININET.dll
c:\program files\GbPlugin\gbieh.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\syncables\syncables desktop\jre\bin\javaw.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\syncables\syncables desktop\MigoMapi.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Roxio\BackOnTrack\Instant Restore\UINotification.exe
.
**************************************************************************
.
Completion time: 2012-02-06 00:00:05 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-06 05:00
.
Pre-Run: 144,720,330,752 bytes free
Post-Run: 145,675,825,152 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 3FDCD04FD070DB121583355442ACCA4D

TDSSKiller.jpg 24.76 KB
Member Avatar for jholland1964

Update MBA-M and do another Full Scan, have it remove everything it finds, reboot and post back with the log.

Member Avatar for bpcomprp

Ok, i found the TDSSKiller log file, attaching it to this post (incase you still wanted to see it). Also on a side note, i earlier un-installed McAfee Anti-virus pro and installed Avast instead. (this is a pretty under powered netbook and McAfee was bogging it down) I now get constant popups from avast that say a Malicious ULR is being blocked:

MALICIOUS URL BLOCKED
avast! Network Sheild has blocked a harmful site.
Object: http:/.../3k3slaLDKSe3...etc..
Infection: URL:Mal
Process: C:\WINDOWS\System32\ping.exe

I couldn't find where to view the log but within the program it mentioned over 10,000 blocked connections. Avast seems to be taxed with all these blocked connections, CPU is running at 100%, decided to reboot. After a reboot Avast is no longer pegging the CPU, and i dont see anymore popup or blocked connections in the Avast log.

I no longer get the RUNDLL error on reboot

An Avast quick scan found 1 infection that it moved to the virus chest: Threat: Win32:Sirefef-JQ [Trj] Will also run a full system scan on boot with Avast after the MBA scan.

Updated MBA-M and ran another scan, no items found, Log below


mbam-log-2012-02-06 (00-54-13)

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.06.01

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: YOUR-5A66F93F18 [administrator]

Protection: Enabled

2/6/2012 12:54:13 AM
mbam-log-2012-02-06 (00-54-13).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 218477
Time elapsed: 1 hour(s), 2 minute(s), 15 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

22:52:30.0937 5316	TDSS rootkit removing tool 2.7.9.0 Feb  1 2012 09:28:49

22:52:31.0046 5316	============================================================

22:52:31.0046 5316	Current date / time: 2012/02/05 22:52:31.0046

22:52:31.0046 5316	SystemInfo:

22:52:31.0046 5316	

22:52:31.0046 5316	OS Version: 5.1.2600 ServicePack: 3.0

22:52:31.0046 5316	Product type: Workstation

22:52:31.0046 5316	ComputerName: YOUR-5A66F93F18

22:52:31.0046 5316	UserName: Owner

22:52:31.0062 5316	Windows directory: C:\WINDOWS

22:52:31.0062 5316	System windows directory: C:\WINDOWS

22:52:31.0062 5316	Processor architecture: Intel x86

22:52:31.0062 5316	Number of processors: 2

22:52:31.0062 5316	Page size: 0x1000

22:52:31.0062 5316	Boot type: Normal boot

22:52:31.0062 5316	============================================================

22:52:36.0359 5316	Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

22:52:36.0390 5316	Drive \Device\Harddisk1\DR4 - Size: 0xF4FFE00 (0.24 Gb), SectorSize: 0x200, Cylinders: 0x1F, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'

22:52:36.0390 5316	\Device\Harddisk0\DR0:

22:52:36.0500 5316	MBR used

22:52:36.0500 5316	\Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x12A14400

22:52:36.0500 5316	\Device\Harddisk1\DR4:

22:52:36.0515 5316	MBR used

22:52:36.0515 5316	\Device\Harddisk1\DR4\Partition0: MBR, Type 0x6, StartLBA 0x63, BlocksNum 0x7A59D

22:52:36.0593 5316	Initialize success

22:52:36.0593 5316	============================================================

22:53:03.0734 4828	============================================================

22:53:03.0734 4828	Scan started

22:53:03.0734 4828	Mode: Manual; 

22:53:03.0734 4828	============================================================

22:53:04.0609 4828	Abiosdsk - ok

22:53:04.0656 4828	abp480n5        (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

22:53:04.0656 4828	abp480n5 - ok

22:53:04.0687 4828	ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

22:53:04.0703 4828	ACPI - ok

22:53:04.0718 4828	ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

22:53:04.0718 4828	ACPIEC - ok

22:53:04.0750 4828	adpu160m        (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

22:53:04.0750 4828	adpu160m - ok

22:53:04.0812 4828	aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

22:53:04.0812 4828	aec - ok

22:53:04.0828 4828	AESTAud         (f0f8212d86ef2bfdd5ad01f6ab7b017c) C:\WINDOWS\system32\drivers\AESTAud.sys

22:53:04.0843 4828	AESTAud - ok

22:53:04.0890 4828	AFD             (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys

22:53:04.0890 4828	AFD - ok

22:53:04.0906 4828	agp440          (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

22:53:04.0906 4828	agp440 - ok

22:53:04.0937 4828	agpCPQ          (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

22:53:04.0937 4828	agpCPQ - ok

22:53:04.0968 4828	Aha154x         (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

22:53:04.0968 4828	Aha154x - ok

22:53:05.0000 4828	aic78u2         (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

22:53:05.0000 4828	aic78u2 - ok

22:53:05.0015 4828	aic78xx         (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

22:53:05.0015 4828	aic78xx - ok

22:53:05.0062 4828	AliIde          (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

22:53:05.0062 4828	AliIde - ok

22:53:05.0078 4828	alim1541        (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

22:53:05.0093 4828	alim1541 - ok

22:53:05.0109 4828	amdagp          (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

22:53:05.0109 4828	amdagp - ok

22:53:05.0125 4828	amsint          (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

22:53:05.0125 4828	amsint - ok

22:53:05.0171 4828	Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

22:53:05.0171 4828	Arp1394 - ok

22:53:05.0187 4828	asc             (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

22:53:05.0187 4828	asc - ok

22:53:05.0203 4828	asc3350p        (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

22:53:05.0203 4828	asc3350p - ok

22:53:05.0234 4828	asc3550         (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

22:53:05.0234 4828	asc3550 - ok

22:53:05.0281 4828	AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

22:53:05.0281 4828	AsyncMac - ok

22:53:05.0343 4828	atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

22:53:05.0343 4828	atapi - ok

22:53:05.0359 4828	Atdisk - ok

22:53:05.0390 4828	A
Member Avatar for bpcomprp

Avast! ran clean, no threats found. I did another reboot for good measure, thought i was making progress, but now the windows firewall is disabled, cannot manually start the service. And the Avast real time shield is disabled as well, cannot enable it.

What do you think?

Member Avatar for bpcomprp

Avast! ran clean, no threats found. I did another reboot for good measure, thought i was making progress, but now the windows firewall is disabled, cannot manually start the service. And the Avast real time shield is disabled as well, cannot enable it.

What do you think?

It's my network connection, it appears to be enabled but its not functioning, i cant get an IP address, must be that issue that Combofix mentioned earlier. any ideas on how to recover? I tried another reboot, but no luck.

Member Avatar for jholland1964

Download a new copy of Combofix and run it again, we will see if it shows anything else.

Member Avatar for bpcomprp

Download a new copy of Combofix and run it again, we will see if it shows anything else.

Done, here is the log, network still not working correctly



Combofix

ComboFix 12-02-08.02 - Owner 02/08/2012 19:48:54.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.696 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
ADS - drivers: deleted 204 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Owner\My Documents\rundll32.exe
c:\windows\$NtUninstallKB53460$\37333535
c:\windows\EventSystem.log
c:\windows\svhosts.exe
.
c:\windows\system32\drivers\afd.sys was missing
Restored copy from - c:\windows\system32\dllcache\afd.sys
.
c:\windows\system32\drivers\netbt.sys . . . is missing!!
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_.afd
-------\Service_.i8042prt
-------\Service_.ipsec
-------\Service_.netbt
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-09 01:32 . 2012-02-09 01:32 -------- d-----w- c:\windows\LastGood
2012-02-09 01:24 . 2011-08-17 13:49 138496 ----a-w- c:\windows\system32\dllcache\afd.sys
2012-02-06 05:09 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-02-06 05:09 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-02-06 05:09 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-02-06 05:09 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-02-06 05:09 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-06 05:09 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-02-06 05:09 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-02-06 05:09 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-02-06 05:08 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-02-06 05:08 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2012-02-06 05:08 . 2012-02-06 05:08 -------- d-----w- c:\program files\AVAST Software
2012-02-06 05:08 . 2012-02-06 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-02-06 03:53 . 2012-02-06 03:53 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-05 19:48 . 2012-02-05 19:48 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2012-02-05 14:19 . 2012-02-06 05:11 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-02-02 23:53 . 2012-02-02 23:53 -------- d-----w- c:\program files\ESET
2012-02-02 07:31 . 2012-02-02 07:31 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2012-02-02 07:30 . 2012-02-02 07:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-02 07:30 . 2012-02-02 07:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-02 07:30 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-02 00:35 . 2012-02-02 06:02 -------- d-----w- c:\windows\system32\MpEngineStore
2012-02-02 00:22 . 2008-04-14 10:41 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-02-02 00:22 . 2008-04-14 05:09 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-13 04:24 . 2011-06-07 17:26 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-23 13:25 . 2010-12-31 13:10 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-12-19 04:46 . 2011-05-08 00:09 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-06_04.54.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 05:02 . 2009-07-12 05:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
+ 2012-02-09 01:30 . 2012-02-09 01:30 16384 c:\windows\temp\Perflib_Perfdata_790.dat
+ 2008-06-25 01:26 . 2012-02-06 07:44 74208 c:\windows\system32\perfc009.dat
+ 2008-04-15 12:00 . 2011-11-18 12:35 60416 c:\windows\system32\packager.exe
+ 2009-07-12 05:02 . 2009-07-12 05:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-12 05:05 . 2009-07-12 05:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
+ 2008-06-25 01:26 . 2012-02-06 07:44 446062 c:\windows\system32\perfh009.dat
+ 2012-02-06 05:09 . 2012-02-06 05:09 219648 c:\windows\Installer\e05bc.msi
+ 2009-07-12 05:02 . 2009-07-12 05:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-16 39408]
"cdloader"="c:\documents and settings\Owner\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-15 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-15 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-15 131072]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-30 483428]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-02-18 737280]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-01-16 1418536]
"HP Mobile Broadband"="c:\swsetup\HPQWWAN\HPMobileBroadband.exe" [2009-01-09 455224]
"Syncables"="c:\program files\syncables\syncables desktop\Syncables.exe" [2009-04-02 173360]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-06 224616]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
.
c:\documents and settings\Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2011-07-18 12:09 1685384 ----a-w- c:\program files\GbPlugin\gbieh.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-07 22:58 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-06-17 00:06 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\syncables\\syncables desktop\\jre\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\mjusbsp\\magicJack.exe"=
"\\??\\c:\\WINDOWS\\system32\\winlogon.exe"=
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [3/1/2011 12:19 AM 43600]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [6/16/2009 7:05 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [6/16/2009 7:05 PM 15856]
R0 SysCow;SysCow;c:\windows\system32\drivers\syscow32x.sys [9/25/2008 12:09 AM 103792]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/6/2012 12:09 AM 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/6/2012 12:09 AM 314456]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [6/16/2009 7:05 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [12/12/2008 12:46 AM 125424]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/6/2012 12:09 AM 20568]
R2 BOTService;BOTService;c:\program files\Roxio\BackOnTrack\Instant Restore\BOTService.exe [3/19/2009 2:04 PM 203248]
R2 GbpSv;Gbp Service;c:\progra~1\GbPlugin\GbpSv.exe [3/1/2011 12:19 AM 208264]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/2/2012 2:30 AM 652360]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [3/2/2009 4:03 PM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/2/2012 2:30 AM 20464]
S1 hbirlheu;hbirlheu;\??\c:\windows\system32\drivers\hbirlheu.sys --> c:\windows\system32\drivers\hbirlheu.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2011 11:34 PM 136176]
S2 zrkfpmbz;Microsoft Composite Battery Controller;c:\windows\System32\svchost.exe -k netsvcs [4/15/2008 7:00 AM 14336]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [6/16/2009 6:55 PM 113664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/15/2011 11:34 PM 136176]
S3 RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RTS5121.sys --> c:\windows\system32\Drivers\RTS5121.sys [?]
S3 Rts516xIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys --> c:\windows\system32\DRIVERS\Rts516xIR.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
s24trans
zrkfpmbz
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-09 c:\windows\Tasks\BackOnTrack Instant Restore Idle.job
- c:\program files\Roxio\BackOnTrack\Instant Restore\RstIdle.exe [2009-03-19 19:05]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-16 04:33]
.
2012-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-16 04:33]
.
2012-02-09 c:\windows\Tasks\User_Feed_Synchronization-{B1F49AD2-9F9C-4279-A3B5-B260CFC4E382}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gmail.com/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
Trusted Zone: bancobrasil.com.br\www
Trusted Zone: bancobrasil.com.br\www14
Trusted Zone: bancobrasil.com.br\www2
Trusted Zone: bb.com.br\www
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75 192.168.1.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\zx9n9iam.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-08 20:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\$NtUninstallKB53460$:SummaryInformation 0 bytes hidden from API
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,14,89,9b,0f,ae,e3,4d,82,c3,2a,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,52,14,89,9b,0f,ae,e3,4d,82,c3,2a,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(380)
c:\program files\GbPlugin\gbieh.dll
.
- - - - - - - > 'explorer.exe'(2528)
c:\windows\system32\WININET.dll
c:\program files\GbPlugin\gbieh.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\syncables\syncables desktop\MigoMapi.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\windows\SoftwareDistribution\Download\Install\NDP20SP2-KB2656352-x86.exe
c:\cfab8a54f284e71eb2e2f6b674ef0647\HotFixInstaller.exe
c:\windows\system32\msiexec.exe
c:\program files\Roxio\BackOnTrack\Instant Restore\UINotification.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2012-02-08 20:40:27 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-09 01:40
ComboFix2.txt 2012-02-06 05:00
.
Pre-Run: 145,323,954,176 bytes free
Post-Run: 145,151,717,376 bytes free
.
- - End Of File - - A69FC9BFE62433FD48ABC07595F2C4B3

Member Avatar for PhilliePhan

Hi bpcomprp,

Sorry for the late reply.
Judy asked me to have a look at this thread a few days ago and I'm only now getting the time.

If you haven't fixed this already, please try the following:

-- Please download the attached FixNetBT.txt
Download the text file and transfer it to the desktop of the ill machine.
- RENAME the text file to FixNetBT.reg and leave it there for now.

-- Please download and run Farbar Service Scanner
- Check ALL the boxes and hit scan. It should produce a log. Rename the log to FSS ONE.txt and please post the FSS ONE.txt for me.

THEN:
Click START > CONTROL PANEL > PERFORMANCE & MAINTAINANCE > ADMINISTRATIVE TOOLS > SERVICES
- RightClick DHCP Client and select STOP
- Navigate to C:\Windows\System32\Drivers and DELETE NetBT.sys (if it remains).
- Then go to C:\Windows\servicepackfiles\i386 and locate NetBT.sys.
Copy and Paste NetBT.sys from servicepackfiles\i386 into the C:\Windows\System32\Drivers Folder.
- Then, go back to Services and RightClick DHCP Client and select START

NEXT:
On the ill machine, DoubleClick the FixNetBT.reg you placed on the desktop and allow it to merge into the registry.

REBOOT the ill compy and see if that fixes the connection.

If that fails to work, please Run Farbar Service Scanner again and post the FSS TWO.txt for me and we'll go from there.

Let me know if you have any trouble along the way.

Cheers :)
PP


** You should also note that this particular family of rootkitted malware usually includes a nasty backdoor trojan that harvests passwords and other sensitive data. If you use this machine for financial transactions or other important business you should change your passwords via an uninfected machine.
Be advised that this sensitive data may have been compromised.

Normally, in cases such as this, I recommend wiping the HD and re-installing Windows - it's fastest and 100% effective.
But, since you and Judy had already started, why not finish, right? Plus, reformat is not always a feasible option.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000005
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
  00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,\
  00,69,00,70,00,5f,00,7b,00,36,00,35,00,38,00,43,00,33,00,44,00,42,00,34,00,\
  2d,00,37,00,46,00,45,00,38,00,2d,00,34,00,38,00,30,00,31,00,2d,00,42,00,37,\
  00,30,00,46,00,2d,00,37,00,43,00,36,00,43,00,30,00,35,00,36,00,30,00,41,00,\
  43,00,37,00,38,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\
  00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,46,00,35,00,35,00,39,00,45,00,\
  30,00,38,00,32,00,2d,00,42,00,37,00,33,00,45,00,2d,00,34,00,46,00,42,00,41,\
  00,2d,00,39,00,44,00,45,00,46,00,2d,00,43,00,39,00,30,00,37,00,31,00,43,00,\
  42,00,34,00,38,00,32,00,33,00,41,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,\
  00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,46,00,32,00,\
  37,00,38,00,37,00,36,00,45,00,30,00,2d,00,44,00,31,00,32,00,32,00,2d,00,34,\
  00,41,00,38,00,33,00,2d,00,42,00,45,00,38,00,42,00,2d,00,42,00,42,00,34,00,\
  46,00,33,00,46,00,44,00,46,00,31,00,39,00,32,00,41,00,7d,00,00,00,5c,00,44,\
  00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,\
  7b,00,36,00,36,00,45,00,37,00,37,00,30,00,44,00,39,00,2d,00,36,00,36,00,31,\
  00,42,00,2d,00,34,00,42,00,35,00,32,00,2d,00,38,00,31,00,43,00,44,00,2d,00,\
  30,00,30,00,36,00,30,00,32,00,44,00,33,00,33,00,32,00,41,00,32,00,45,00,7d,\
  00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,\
  69,00,70,00,5f,00,7b,00,44,00,42,00,32,00,45,00,34,00,34,00,43,00,36,00,2d,\
  00,37,00,46,00,38,00,37,00,2d,00,34,00,30,00,43,00,41,00,2d,00,41,00,35,00,\
  42,00,39,00,2d,00,39,00,39,00,31,00,34,00,35,00,37,00,36,00,39,00,38,00,33,\
  00,36,00,38,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,\
  54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,37,00,43,00,45,00,37,00,39,00,43,\
  00,45,00,38,00,2d,00,46,00,32,00,44,00,42,00,2d,00,34,00,33,00,36,00,33,00,\
  2d,00,41,00,46,00,39,00,34,00,2d,00,42,00,32,00,32,00,42,00,45,00,44,00,33,\
  00,30,00,41,00,30,00,43,00,30,00,7d,00,00,00,00,00
"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,36,\
  00,35,00,38,00,43,00,33,00,44,00,42,00,34,00,2d,00,37,00,46,00,45,00,38,00,\
  2d,00,34,00,38,00,30,00,31,00,2d,00,42,00,37,00,30,00,46,00,2d,00,37,00,43,\
  00,36,00,43,00,30,00,35,00,36,00,30,00,41,00,43,00,37,00,38,00,7d,00,22,00,\
  00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,46,00,35,\
  00,35,00,39,00,45,00,30,00,38,00,32,00,2d,00,42,00,37,00,33,00,45,00,2d,00,\
  34,00,46,00,42,00,41,00,2d,00,39,00,44,00,45,00,46,00,2d,00,43,00,39,00,30,\
  00,37,00,31,00,43,00,42,00,34,00,38,00,32,00,33,00,41,00,7d,00,22,00,00,00,\
  22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,46,00,32,00,37,\
  00,38,00,37,00,36,00,45,00,30,00,2d,00,44,00,31,00,32,00,32,00,2d,00,34,00,\
  41,00,38,00,33,00,2d,00,42,00,45,00,38,00,42,00,2d,00,42,00,42,00,34,00,46,\
  00,33,00,46,00,44,00,46,00,31,00,39,00,32,00,41,00,7d,00,22,00,00,00,22,00,\
  54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,36,00,36,00,45,00,37,\
  00,37,00,30,00,44,00,39,00,2d,00,36,00,36,00,31,00,42,00,2d,00,34,00,42,00,\
  35,00,32,00,2d,00,38,00,31,00,43,00,44,00,2d,00,30,00,30,00,36,00,30,00,32,\
  00,44,00,33,00,33,00,32,00,41,00,32,00,45,00,7d,00,22,00,00,00,22,00,54,00,\
  63,00,70,00,69,00,70,00,22,00,20,00,22,00,4e,00,64,00,69,00,73,00,57,00,61,\
  00,6e,00,49,00,70,00,22,00,00,00,00,00
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,\
  00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,36,00,35,00,\
  38,00,43,00,33,00,44,00,42,00,34,00,2d,00,37,00,46,00,45,00,38,00,2d,00,34,\
  00,38,00,30,00,31,00,2d,00,42,00,37,00,30,00,46,00,2d,00,37,00,43,00,36,00,\
  43,00,30,00,35,00,36,00,30,00,41,00,43,00,37,00,38,00,7d,00,00,00,5c,00,44,\
  00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,\
  54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,46,00,35,00,35,00,39,00,45,00,30,\
  00,38,00,32,00,2d,00,42,00,37,00,33,00,45,00,2d,00,34,00,46,00,42,00,41,00,\
  2d,00,39,00,44,00,45,00,46,00,2d,00,43,00,39,00,30,00,37,00,31,00,43,00,42,\
  00,34,00,38,00,32,00,33,00,41,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
  63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,\
  00,70,00,5f,00,7b,00,46,00,32,00,37,00,38,00,37,00,36,00,45,00,30,00,2d,00,\
  44,00,31,00,32,00,32,00,2d,00,34,00,41,00,38,00,33,00,2d,00,42,00,45,00,38,\
  00,42,00,2d,00,42,00,42,00,34,00,46,00,33,00,46,00,44,00,46,00,31,00,39,00,\
  32,00,41,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,\
  00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,\
  36,00,36,00,45,00,37,00,37,00,30,00,44,00,39,00,2d,00,36,00,36,00,31,00,42,\
  00,2d,00,34,00,42,00,35,00,32,00,2d,00,38,00,31,00,43,00,44,00,2d,00,30,00,\
  30,00,36,00,30,00,32,00,44,00,33,00,33,00,32,00,41,00,32,00,45,00,7d,00,00,\
  00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,\
  54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,44,00,42,00,32,00,45,\
  00,34,00,34,00,43,00,36,00,2d,00,37,00,46,00,38,00,37,00,2d,00,34,00,30,00,\
  43,00,41,00,2d,00,41,00,35,00,42,00,39,00,2d,00,39,00,39,00,31,00,34,00,35,\
  00,37,00,36,00,39,00,38,00,33,00,36,00,38,00,7d,00,00,00,5c,00,44,00,65,00,\
  76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,\
  00,70,00,69,00,70,00,5f,00,7b,00,37,00,43,00,45,00,37,00,39,00,43,00,45,00,\
  38,00,2d,00,46,00,32,00,44,00,42,00,2d,00,34,00,33,00,36,00,33,00,2d,00,41,\
  00,46,00,39,00,34,00,2d,00,42,00,32,00,32,00,42,00,45,00,44,00,33,00,30,00,\
  41,00,30,00,43,00,30,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"DhcpNodeType"=dword:00000008
"EnableLMHOSTS"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{658C3DB4-7FE8-4801-B70F-7C6C0560AC78}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{66E770D9-661B-4B52-81CD-00602D332A2E}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{7CE79CE8-F2DB-4363-AF94-B22BED30A0C0}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{DB2E44C6-7F87-40CA-A5B9-991457698368}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{F27876E0-D122-4A83-BE8B-BB4F3FDF192A}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{F559E082-B73E-4FBA-9DEF-C9071CB4823A}]
"NameServerList"=hex(7):00,00
"NetbiosOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
  05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
  23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
  02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
  00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
  00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
  01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
  00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
  00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Edited by PhilliePhan because: added info
Member Avatar for bpcomprp

Thanks for you help and patience on this one, i dont have the reinstall disks or i would have wiped it already i think, thanks for your help so far.

If you haven't fixed this already, please try the following: Not fixed yet

-- Please download the attached FixNetBT.txt Done
Download the text file and transfer it to the desktop of the ill machine. Done
- RENAME the text file to FixNetBT.reg and leave it there for now. done

-- Please download and run Farbar Service Scanner done
- Check ALL the boxes and hit scan. It should produce a log. Rename the log to FSS ONE.txt and please post the FSS ONE.txt for me. Done

THEN:
Click START > CONTROL PANEL > PERFORMANCE & MAINTAINANCE > ADMINISTRATIVE TOOLS > SERVICES
- RightClick DHCP Client and select STOP It was already stopped
- Navigate to C:\Windows\System32\Drivers and DELETE NetBT.sys (if it remains). Could not find the file
- Then go to C:\Windows\servicepackfiles\i386 and locate NetBT.sys. could not find directory called "servicepackfiles"
Copy and Paste NetBT.sys from servicepackfiles\i386 into the C:\Windows\System32\Drivers Folder.
- Then, go back to Services and RightClick DHCP Client and select START

FSS ONE.txt

Farbar Service Scanner Version: 12-02-2012 01
Ran by Owner (administrator) on 13-02-2012 at 00:38:24
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\afd.sys is missing.
Attention! C:\WINDOWS\system32\Drivers\netbt.sys is missing.
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\ipsec.sys is missing.
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(9) Gpc(6) IPSec(4) NetBT(10) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

Member Avatar for bpcomprp

DHCP client wont start with out that file im guessing, any place where i can download it?

Member Avatar for bpcomprp

I was able to download the service pack from microsoft and extract the needed file, but could still not start the DHCP service after copying it to the \system32\drivers directory

Member Avatar for bpcomprp

FSS TWO.txt
Farbar Service Scanner Version: 12-02-2012 01
Ran by Owner (administrator) on 13-02-2012 at 01:37:26
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.


Connection Status:
==============
Localhost is blocked.
There is no connection to network.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============
Srservice Service is not running. Checking service configuration:
The start type of Srservice service is OK.
The ImagePath of Srservice service is OK.
The ServiceDll of Srservice service is OK.


System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\afd.sys is missing.
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
Attention! C:\WINDOWS\system32\Drivers\ipsec.sys is missing.
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(9) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

Member Avatar for PhilliePhan

Thanks for you help and patience on this one, i dont have the reinstall disks or i would have wiped it already i think, thanks for your help so far.

Happy to help.

Yeah - that is generally the case regarding reformat. These day I have my machine mirrored on three different hard drives - you never know when you'll need it, right?

-- Generally, clean copies of files can be found on an infected machine - most of the time.

It doesn't look to me that there is the typical registry damage on this machine.
However, afd.sys is still missing - you'll need to copy it in there as you did with netbt.sys. Same directory.

The reason I didn't include it was that combofix said it restored it. Apparently not.

Anyhoo, try that and reboot and restart DHCP if needed and see if that helps and we'll go from there.

I'll try to check back tonight EST, but it may be Tuesday.

Cheers :)
PP

Member Avatar for PhilliePhan

However, afd.sys is still missing - you'll need to copy it in there as you did with netbt.sys. Same directory.

Likewise for ipsec.sys - it, too, is missing and I forgot to add it to the list. 'Course, you may have noticed that already :)

PP

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.