Rootkit/Win32.TDSS.c virus and possible Internet Security 2010


Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by cyprian_jess on 26th January 2010, 12:10 am

Hello -

I really don't know much about any of this, however, I am good at following instructions!! Any help would be greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:02 PM, on 1/25/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Jesse1\LOCALS~1\Temp\Temporary Directory 1 for JavaRa.zip\JavaRa.exe
C:\Documents and Settings\Jesse1\My Documents\Downloads\winlogon.scr

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Qwest
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\ievkbd.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKLM\..\Run: [yeyahovut] Rundll32.exe "c:\windows\system32\luvobeze.dll",a
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Google Sidewiki... - [You must be registered and logged in to see this link.] Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtbbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{43ACFED9-4299-4CC4-AD66-DA8DCC37E6D9}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CCS\Services\Tcpip\..\{4C5E29B3-CA5F-447D-82E2-6B7649509054}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\gujawoke.dll c:\windows\system32\pewuviwa.dll hemenozu.dll c:\windows\system32\tabahebe.dll c:\windows\system32\rutijoka.dllc:\progra~1\kasper~1\kasper~1\mzvkbd3.dll c:\windows\system32\luvobeze.dll
O21 - SSODL: gihohezud - {1dc3c1a3-7763-4425-89a9-22be9a6fcd46} - c:\windows\system32\gujawoke.dll (file missing)
O21 - SSODL: jeyujeyig - {0bca63ef-eab2-4d65-b4d2-4edb403c6609} - c:\windows\system32\pewuviwa.dll (file missing)
O21 - SSODL: fugimohut - {eaef0b0c-5784-4e3a-a140-20ae3256d1ff} - c:\windows\system32\luvobeze.dll (file missing)
O22 - SharedTaskScheduler: gahurihor - {1dc3c1a3-7763-4425-89a9-22be9a6fcd46} - c:\windows\system32\gujawoke.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {0bca63ef-eab2-4d65-b4d2-4edb403c6609} - c:\windows\system32\pewuviwa.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {eaef0b0c-5784-4e3a-a140-20ae3256d1ff} - c:\windows\system32\luvobeze.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: SMServer - SMServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: SupportSoft Listener Service (sprtlisten) - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 11290 bytes

cyprian_jess
Novice

Posts : 8
Joined : 2010-01-25
OS : Windows XP
Points : 25218
# Likes : 0


Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by Belahzur on 26th January 2010, 1:23 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: Shell=Explorer.exe logon.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
    O4 - HKLM\..\Run: [yeyahovut] Rundll32.exe "c:\windows\system32\luvobeze.dll",a
    O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
    O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\gujawoke.dll c:\windows\system32\pewuviwa.dll hemenozu.dll c:\windows\system32\tabahebe.dll c:\windows\system32\rutijoka.dllc:\progra~1\kasper~1\kasper~1\mzvkbd3.dll c:\windows\system32\luvobeze.dll
    O21 - SSODL: gihohezud - {1dc3c1a3-7763-4425-89a9-22be9a6fcd46} - c:\windows\system32\gujawoke.dll (file missing)
    O21 - SSODL: jeyujeyig - {0bca63ef-eab2-4d65-b4d2-4edb403c6609} - c:\windows\system32\pewuviwa.dll (file missing)
    O21 - SSODL: fugimohut - {eaef0b0c-5784-4e3a-a140-20ae3256d1ff} - c:\windows\system32\luvobeze.dll (file missing)
    O22 - SharedTaskScheduler: gahurihor - {1dc3c1a3-7763-4425-89a9-22be9a6fcd46} - c:\windows\system32\gujawoke.dll (file missing)
    O22 - SharedTaskScheduler: mujuzedij - {0bca63ef-eab2-4d65-b4d2-4edb403c6609} - c:\windows\system32\pewuviwa.dll (file missing)
    O22 - SharedTaskScheduler: kupuhivus - {eaef0b0c-5784-4e3a-a140-20ae3256d1ff} - c:\windows\system32\luvobeze.dll (file missing)


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

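A triage helper for HijackThis v2 logs, added here as an example; it is not code from the posts, from HijackThis or from ComboFix. It flags the entry types Belahzur picked out of the poster's log above (system.ini Shell/UserInit changes, Rundll32 autoruns, unknown Winsock LSP files, AppInit_DLLs, SSODL/SharedTaskScheduler entries whose DLL is already gone). The XP defaults, the rogue-product directory name, the eight-lowercase-letter DLL-name heuristic and the sample lines are assumptions drawn from this thread's log, not a HijackThis feature.

```python
"""HijackThis v2 log triage (added example, not from the thread's tools)."""
import re
from typing import List, NamedTuple

# Windows XP defaults for the two system.ini keys HijackThis reports as F2.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Eight lowercase letters + .dll: the naming pattern of the DLLs in this
# thread's log (gujawoke.dll, luvobeze.dll, ...). A heuristic, not proof.
RANDOM_DLL = re.compile(r"(?:^|\\)[a-z]{8}\.dll$", re.IGNORECASE)

# Directory name of the rogue "security product" seen in this log (assumption).
KNOWN_ROGUE_DIRS = {"internetsecurity2010"}

# Constructed sample in HijackThis v2 format, modelled on the poster's log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon32.exe
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe"
O4 - HKLM\..\Run: [yeyahovut] Rundll32.exe "c:\windows\system32\luvobeze.dll",a
O4 - HKCU\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\helper32.dll
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\windows\system32\gujawoke.dll c:\windows\system32\pewuviwa.dll hemenozu.dll c:\windows\system32\tabahebe.dll c:\windows\system32\rutijoka.dllc:\progra~1\kasper~1\kasper~1\mzvkbd3.dll c:\windows\system32\luvobeze.dll
O21 - SSODL: gihohezud - {1dc3c1a3-7763-4425-89a9-22be9a6fcd46} - c:\windows\system32\gujawoke.dll (file missing)
O22 - SharedTaskScheduler: kupuhivus - {eaef0b0c-5784-4e3a-a140-20ae3256d1ff} - c:\windows\system32\luvobeze.dll (file missing)
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
"""


class Finding(NamedTuple):
    section: str
    severity: str  # "high" or "low"
    reason: str
    line: str


def _split_paths(value: str) -> List[str]:
    """Split a space/comma separated path list. Also repairs the missing space
    HijackThis prints when AppInit_DLLs is long ('rutijoka.dllc:' run together).
    Paths containing spaces are fragmented, which does not affect the
    DLL-name heuristic because the file name stays at the end of a fragment."""
    fixed = re.sub(r"\.dll(?=[a-z]:\\)", ".dll ", value, flags=re.IGNORECASE)
    return [p.strip('"') for p in re.split(r"[ ,]+", fixed) if p.strip()]


def triage_line(line: str) -> List[Finding]:
    """Return the findings for one HijackThis log line (empty if benign)."""
    line = line.strip()
    m = re.match(r"^(O\d+|F\d|R\d)\s+-\s+(.*)$", line)
    if not m:
        return []
    section, body = m.group(1), m.group(2)
    low = body.lower()
    out: List[Finding] = []

    if section == "F2":
        kv = re.match(r"REG:system\.ini:\s*(\w+)=(.*)$", body)
        if kv:
            key, value = kv.group(1).lower(), kv.group(2).strip()
            if key == "shell" and value.lower() != DEFAULT_SHELL:
                out.append(Finding(section, "high",
                                   f"Shell is '{value}', expected '{DEFAULT_SHELL}'", line))
            elif key == "userinit" and value.lower().rstrip(",") != DEFAULT_USERINIT:
                out.append(Finding(section, "high",
                                   f"UserInit is '{value}', expected '{DEFAULT_USERINIT},'", line))
    elif section == "O4":
        # An autorun that loads a random-named DLL through Rundll32, or a
        # known rogue product, is the pattern seen in this log.
        if "rundll32" in low:
            for p in _split_paths(body):
                if RANDOM_DLL.search(p):
                    out.append(Finding(section, "high", f"Rundll32 autorun loads {p}", line))
        if any(name in low for name in KNOWN_ROGUE_DIRS):
            out.append(Finding(section, "high", "autorun for a known rogue security product", line))
    elif section == "O10":
        # HijackThis itself could not attribute the LSP file to a vendor.
        out.append(Finding(section, "high", "unknown Winsock LSP file", line))
    elif section == "O20":
        # AppInit_DLLs are loaded into every process that maps user32.dll.
        for p in _split_paths(body.split(":", 1)[1]):
            if RANDOM_DLL.search(p):
                out.append(Finding(section, "high", f"AppInit_DLLs loads {p}", line))
    elif section in ("O21", "O22"):
        # ShellServiceObjectDelayLoad / SharedTaskScheduler: loaded by Explorer.
        target = body.rsplit(" - ", 1)[-1].replace(" (file missing)", "")
        if "(file missing)" in low or RANDOM_DLL.search(target):
            out.append(Finding(section, "high", f"shell-loaded COM object backed by {target}", line))
    elif section in ("O2", "O3", "O9", "O18"):
        if "(no file)" in low or "(file missing)" in low:
            out.append(Finding(section, "low", "orphaned entry, target file absent", line))
    return out


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over a whole log, in file order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        findings.extend(triage_line(raw))
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    counts = {"high": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:4} {f.reason}")
    print(count_by_severity(triage_log(SAMPLE_LOG)))
```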

Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by cyprian_jess on 26th January 2010, 2:11 pm

Hello - I was able to run HijackThis and fix checked. When I tried to download and run Malwarebytes, it would not open the program. During installation, an error screen came up and said "Could not perform task, code 2". I can find it on the computer, but when I try to run it, it does nothing.


Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by Belahzur on 26th January 2010, 6:05 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by cyprian_jess on 26th January 2010, 11:31 pm

Hi - here is the log from Combo-Fix

ComboFix 10-01-26.02 - Jesse1 01/26/2010 16:52:57.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.202 [GMT -6:00]
Running from: c:\documents and settings\Jesse1\My Documents\Downloads\Combo-Fix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jesse1\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
c:\documents and settings\Jesse1\Desktop\Internet Security 2010.lnk
c:\documents and settings\Jesse1\My Documents\ZbThumbnail.info
c:\documents and settings\Jesse1\Start Menu\Internet Security 2010.lnk
c:\program files\InternetSecurity2010
c:\program files\InternetSecurity2010\IS2010.exe
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\26500.exe
c:\windows\system32\41.exe
c:\windows\system32\6334.exe
c:\windows\system32\balutolu.dll
c:\windows\system32\bijeraki.dll
c:\windows\system32\bogozimo.dll
c:\windows\system32\bolapuno.dll
c:\windows\system32\bulijoko.dll
c:\windows\system32\dapirima.dll
c:\windows\system32\dayoneji.dll
c:\windows\system32\dogubina.dll
c:\windows\system32\doneboho.dll
c:\windows\system32\donojawi.dll
c:\windows\system32\ganuhoto.dll
c:\windows\system32\gaveferi.dll
c:\windows\system32\helper32.dll
c:\windows\system32\hemenozu.dll
c:\windows\system32\huhupini.dll
c:\windows\system32\jajukufe.dll
c:\windows\system32\jigesigu.dll
c:\windows\system32\jirebahi.dll
c:\windows\system32\kayujada.dll
c:\windows\system32\keragegi.dll
c:\windows\system32\ketisuli.dll
c:\windows\system32\kudokeru.dll
c:\windows\system32\kumutaje.dll
c:\windows\system32\kupusalo.dll
c:\windows\system32\labonapu.dll
c:\windows\system32\lazinuyi.dll
c:\windows\system32\lomokafu.dll
c:\windows\system32\marujate.dll
c:\windows\system32\melamiro.dll
c:\windows\system32\mezenoke.dll
c:\windows\system32\mijinora.dll
c:\windows\system32\miyijani.dll
c:\windows\system32\mulugumi.dll
c:\windows\system32\natasaza.dll
c:\windows\system32\niwaluyu.dll
c:\windows\system32\nuwojove.dll
c:\windows\system32\pesitake.dll
c:\windows\system32\pugasile.dll
c:\windows\system32\rekeheti.dll
c:\windows\system32\riweyepa.dll
c:\windows\system32\romuzoge.dll
c:\windows\system32\sapinivu.dll
c:\windows\system32\sayiwido.dll
c:\windows\system32\taruvura.dll
c:\windows\system32\tiwinoti.dll
c:\windows\system32\vokizaku.dll
c:\windows\system32\wakiyuyo.dll
c:\windows\system32\warning.html
c:\windows\system32\yeyenuzu.dll
c:\windows\system32\yizovaha.dll
c:\windows\system32\yoguyejo.dll
c:\windows\system32\yozofuko.dll
c:\windows\system32\yusaponi.dll
c:\windows\Tasks\ndxflgrp.job
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\dllcache\atapi.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI


((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))
.

2010-01-26 14:06 . 2010-01-26 14:06 -------- d-----w- c:\documents and settings\Jesse1\Application Data\Malwarebytes
2010-01-25 04:30 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 04:30 . 2010-01-25 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-25 04:30 . 2010-01-26 14:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 04:30 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 01:47 . 2010-01-25 01:47 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-01-25 01:45 . 2010-01-25 02:42 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-25 01:45 . 2010-01-25 02:41 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-25 01:43 . 2010-01-26 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-25 01:43 . 2010-01-25 01:43 -------- d-----w- c:\program files\Kaspersky Lab
2010-01-25 01:40 . 2010-01-25 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-01-25 00:37 . 2010-01-25 00:37 -------- d-----w- c:\documents and settings\Jesse1\Application Data\AVGTOOLBAR
2010-01-13 00:10 . 2010-01-25 00:27 -------- d-----w- c:\documents and settings\Jesse1\Application Data\HPAppData
2010-01-13 00:06 . 2010-01-13 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-01-13 00:03 . 2010-01-13 00:03 -------- d-----w- c:\documents and settings\Jesse1\Application Data\HP
2010-01-13 00:02 . 2010-01-13 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-01-13 00:00 . 2010-01-13 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-12 23:58 . 2008-10-14 02:00 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2010-01-12 23:58 . 2008-10-14 02:00 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2010-01-12 23:58 . 2008-10-06 21:37 315392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp083.dll
2010-01-12 23:58 . 2008-10-14 01:55 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-01-12 23:58 . 2008-10-06 21:38 121344 ----a-w- c:\windows\system32\hpf3l083.dll
2010-01-12 23:58 . 2008-10-14 02:00 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2010-01-12 23:58 . 2008-10-14 02:00 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2010-01-12 23:58 . 2008-10-14 01:59 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-01-12 23:58 . 2008-10-14 01:55 737280 ----a-r- c:\windows\system32\hposwia_d02a.dll
2010-01-12 23:58 . 2008-10-14 01:55 598016 ----a-r- c:\windows\system32\hpost_d02a.dll
2010-01-12 23:58 . 2008-10-14 01:55 307200 ----a-r- c:\windows\system32\hposc_d02a.dll
2010-01-12 23:51 . 2010-01-12 23:51 -------- d-----w- c:\program files\Common Files\HP
2010-01-12 23:51 . 2010-01-12 23:51 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-01-12 23:51 . 2010-01-12 23:51 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-12 23:51 . 2010-01-13 00:02 -------- d-----w- c:\program files\HP
2010-01-12 23:51 . 2004-08-04 05:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-01-12 23:51 . 2004-08-04 05:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-01-12 23:49 . 2010-01-13 00:03 147910 ----a-w- c:\windows\hpoins37.dat
2010-01-12 23:49 . 2008-12-11 21:42 504 ------w- c:\windows\hpomdl37.dat
2010-01-08 00:32 . 2010-01-08 00:32 -------- d-----w- c:\documents and settings\Jesse1\Application Data\McAfee
2010-01-08 00:31 . 2010-01-08 00:31 -------- d-----w- c:\program files\McAfee
2010-01-08 00:05 . 2010-01-08 00:05 -------- d-sh--w- c:\documents and settings\Jesse1\IECompatCache
2010-01-07 23:41 . 2009-11-04 22:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 04:11 . 2008-12-24 01:47 -------- d-----w- c:\program files\LimeWire
2010-01-25 02:43 . 2010-01-25 02:43 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-01-25 02:43 . 2010-01-25 02:43 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-01-25 02:43 . 2010-01-25 02:43 264720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-01-25 02:39 . 2010-01-25 02:39 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-01-25 02:39 . 2010-01-25 02:39 59920 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-01-25 02:39 . 2010-01-25 02:39 264720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-01-22 15:18 . 2004-08-10 18:51 14336 ----a-w- c:\windows\system32\svchost.exe
2010-01-18 23:23 . 2008-12-30 00:52 -------- d-----w- c:\documents and settings\Jesse1\Application Data\ZoomBrowser EX
2010-01-18 23:23 . 2008-12-30 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-01-13 00:43 . 2008-12-17 02:09 2970 ----a-w- c:\documents and settings\Jesse1\Application Data\wklnhst.dat
2010-01-08 23:45 . 2009-12-21 22:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-08 00:31 . 2009-12-19 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-20 04:21 . 2009-02-15 20:26 -------- d-----w- c:\documents and settings\Jesse1\Application Data\Apple Computer
2009-12-19 01:06 . 2009-12-19 01:05 -------- d-----w- c:\program files\iTunes
2009-12-19 01:06 . 2009-12-19 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-19 01:05 . 2009-12-19 01:05 -------- d-----w- c:\program files\iPod
2009-12-19 01:05 . 2009-02-15 20:23 -------- d-----w- c:\program files\Common Files\Apple
2009-12-19 01:01 . 2009-12-19 01:00 -------- d-----w- c:\program files\QuickTime
2009-12-19 00:58 . 2006-02-14 20:30 -------- d-----w- c:\program files\Google
2009-12-19 00:48 . 2009-12-19 00:48 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-19 00:39 . 2009-05-12 15:12 -------- d-----w- c:\program files\Safari
2009-12-19 00:31 . 2009-12-19 00:31 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-18 20:30 . 2006-02-14 20:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-18 20:29 . 2009-10-27 00:38 -------- d-----w- c:\program files\THQ
2009-12-18 19:52 . 2009-12-18 19:52 -------- d-----w- c:\program files\McAfee Security Scan
2009-12-18 19:52 . 2009-12-18 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-04 22:54 . 2009-11-04 22:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2008-12-23 03:48 . 2008-12-23 03:41 56 --sh--r- c:\windows\system32\6E40225C9C.sys
2008-12-23 03:48 . 2008-12-23 03:41 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\lufaniku.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\mudayagu.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\nadubesu.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\naluwota.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\poyiyele.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\riluvuse.dll
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-07-03 303376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
c:\windows\system32\WLTRAY [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2006-02-14 19:54 61440 ----a-w- c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 17:06 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-09-01 23:24 684032 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2006-02-14 20:30 168448 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-15 02:46 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 08:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-02-14 20:18 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-09-10 05:19 393216 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 23:48 32881 ----a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-24 12:36 729178 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dfrgntfs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\logon.scr"=
"c:\\Program Files\\Dell\\NicConfigSvc\\NicConfigSvc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Qwest\\Quickcare\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Works\\wksss.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2/15/2009 2:10 PM 23096]
R3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [2/15/2009 2:10 PM 3768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-01-25 c:\windows\Tasks\WebReg HP Deskjet F4400 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2008-10-17 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
TCP: {43ACFED9-4299-4CC4-AD66-DA8DCC37E6D9} = 205.171.3.65,205.171.2.65
TCP: {4C5E29B3-CA5F-447D-82E2-6B7649509054} = 205.171.3.65,205.171.2.65
FF - ProfilePath - c:\documents and settings\Jesse1\Application Data\Mozilla\Firefox\Profiles\fj71b49y.default\
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{94564b45-bf10-4b6c-a33a-7e8be9609d43} - sayiwido.dll
HKCU-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
HKLM-Run-yahiriruve - marujate.dll
MSConfigStartUp-MimBoot - c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
MSConfigStartUp-MMTray - c:\progra~1\MUSICM~1\MUSICM~3\mm_tray.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 12\pccguide.exe
AddRemove-HijackThis - c:\documents and settings\Jesse1\My Documents\Downloads\HijackThis.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-26 17:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\OLD29.tmp 51224 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1276)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(480)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\supportsoft\bin\sprtlisten.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-26 17:27:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-26 23:27

Pre-Run: 2,229,473,280 bytes free
Post-Run: 2,105,524,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 10745141D572826DC925E030166C7B91

cyprian_jess (Novice) - Posts: 8 - Joined: 2010-01-25 - OS: Windows XP

Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by Belahzur on 27th January 2010, 1:42 am

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\lufaniku.dll
    c:\windows\system32\mudayagu.dll
    c:\windows\system32\nadubesu.dll
    c:\windows\system32\naluwota.dll
    c:\windows\system32\poyiyele.dll
    c:\windows\system32\riluvuse.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator) - Posts: 34918 - Joined: 2008-08-03 - Gender: Male - OS: 7 Home Premium x64
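The CFScript above lists the files the helper picked out of the first ComboFix log: six eight-letter DLLs in system32 carrying system+hidden attributes and a 1601-01-01 timestamp, a tcpip.sys whose MD5 differs from the dllcache copy of the same version, and one hidden executable reported by the catchme pass. As an added example (not part of the thread, and not ComboFix's own logic), here is a small Python triage script that reads those same indicators off a ComboFix log so a reviewer does not have to eyeball hundreds of lines. The embedded log is a constructed excerpt modelled on the thread's output, and the heuristics, in particular the eight-letter DLL name pattern and the 1601-01-01 (zero FILETIME) rule, are assumptions drawn from this thread rather than rules from any tool:

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's ComboFix output (not a real capture).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.
2010-01-25 04:30 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 01:47 . 2010-01-25 01:47 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
1601-01-01 00:03 . 1601-01-01 00:03 61440 --sha-w- c:\windows\system32\lufaniku.dll
1601-01-01 00:03 . 1601-01-01 00:03 91648 --sha-w- c:\windows\system32\mudayagu.dll
.
------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer
scanning hidden files ...

c:\windows\TEMP\OLD29.tmp 51224 bytes executable

scan completed successfully
hidden files: 1
"""

# "created . modified size attributes path" lines from the file-listing sections
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. (\d{4}-\d{2}-\d{2}) \d{2}:\d{2} "
    r"(\S+) ([-a-z]{8}) (.+)$"
)
# "[status] date . MD5 . size . . [version] . . path" lines from the Sigcheck section
SIGCHECK_LINE = re.compile(
    r"^\[(.)\] \d{4}-\d{2}-\d{2} \. ([0-9A-Fa-f]{32}) \. \d+ \. \. \[([\d.]+)\] \. \. (.+)$"
)
# catchme's per-file report line and its closing count
HIDDEN_EXE = re.compile(r"^(.+?) \d+ bytes executable$")
HIDDEN_COUNT = re.compile(r"^hidden files: (\d+)$")
# Heuristic taken from this thread's sample (an assumption, not a general rule):
# an eight-letter DLL name directly under system32.
RANDOM_DLL = re.compile(r"\\windows\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)
# 1601-01-01 is the Windows FILETIME epoch: a zeroed or forged timestamp.
ZERO_FILETIME = "1601-01-01"


def triage(log_text):
    """Return {'findings': [(kind, detail), ...], 'hidden_files': n} for one log."""
    findings = []
    hashes_by_version = defaultdict(dict)  # version -> {md5: [paths]}
    hidden_files = 0
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := FILE_LINE.match(line)):
            created, modified, _size, attrs, path = m.groups()
            if ZERO_FILETIME in (created, modified):
                findings.append(("zero-filetime", path))
            # 's' and 'h' in the attribute field are the system and hidden bits
            if "s" in attrs and "h" in attrs and RANDOM_DLL.search(path):
                findings.append(("hidden-system-dll", path))
        elif (m := SIGCHECK_LINE.match(line)):
            _status, md5, version, path = m.groups()
            hashes_by_version[version].setdefault(md5.upper(), []).append(path)
        elif (m := HIDDEN_COUNT.match(line)):
            hidden_files = int(m.group(1))
        elif (m := HIDDEN_EXE.match(line)):
            findings.append(("hidden-executable", m.group(1)))
    # Copies that claim the same file version but hash differently: one has been altered.
    for version, by_md5 in hashes_by_version.items():
        if len(by_md5) > 1:
            for md5, paths in by_md5.items():
                for path in paths:
                    findings.append(("version-hash-mismatch", f"{version} {md5} {path}"))
    return {"findings": findings, "hidden_files": hidden_files}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, detail in result["findings"]:
        print(f"{kind:22} {detail}")
    print("catchme hidden files:", result["hidden_files"])
```

Run it against a saved C:\ComboFix.txt by reading the file into `triage()` instead of `SAMPLE_LOG`. The version-hash check is the one worth keeping even outside this thread: a driver whose MD5 differs from the dllcache or hotfix copy of the identical version string cannot be explained by an update, so it belongs at the top of the list for a manual look. The legitimate Kaspersky `ISwift3.dat` is also system+hidden but fails the name pattern and carries a real timestamp, which is why the two rules are combined rather than applied alone.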

Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by cyprian_jess on 27th January 2010, 3:04 am

Hello -
Results from the most recent run of ComboFix.
Thank you.

ComboFix 10-01-26.02 - Jesse1 01/26/2010 20:48:03.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.224 [GMT -6:00]
Running from: c:\documents and settings\Jesse1\My Documents\Downloads\Combo-Fix.exe
Command switches used :: c:\documents and settings\Jesse1\My Documents\Downloads\CFscript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat"
"c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat"
"c:\windows\system32\lufaniku.dll"
"c:\windows\system32\mudayagu.dll"
"c:\windows\system32\nadubesu.dll"
"c:\windows\system32\naluwota.dll"
"c:\windows\system32\poyiyele.dll"
"c:\windows\system32\riluvuse.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\lufaniku.dll
c:\windows\system32\mudayagu.dll
c:\windows\system32\nadubesu.dll
c:\windows\system32\naluwota.dll
c:\windows\system32\poyiyele.dll
c:\windows\system32\riluvuse.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-27 to 2010-01-27 )))))))))))))))))))))))))))))))
.

2010-01-26 23:12 . 2010-01-26 23:22 -------- d-----w- c:\windows\LastGood
2010-01-26 14:06 . 2010-01-26 14:06 -------- d-----w- c:\documents and settings\Jesse1\Application Data\Malwarebytes
2010-01-25 04:30 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-25 04:30 . 2010-01-25 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-25 04:30 . 2010-01-26 14:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-25 04:30 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-25 02:43 . 2010-01-25 02:43 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-01-25 02:43 . 2010-01-25 02:43 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-01-25 02:43 . 2010-01-25 02:43 264720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-01-25 02:39 . 2010-01-25 02:39 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2010-01-25 02:39 . 2010-01-25 02:39 59920 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2010-01-25 02:39 . 2010-01-25 02:39 264720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2010-01-25 01:47 . 2010-01-25 01:47 604140 --sha-w- c:\windows\system32\drivers\ISwift3.dat
2010-01-25 01:45 . 2010-01-25 02:42 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-01-25 01:45 . 2010-01-25 02:41 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-01-25 01:43 . 2010-01-26 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-01-25 01:43 . 2010-01-25 01:43 -------- d-----w- c:\program files\Kaspersky Lab
2010-01-25 01:40 . 2010-01-25 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-01-25 00:37 . 2010-01-25 00:37 -------- d-----w- c:\documents and settings\Jesse1\Application Data\AVGTOOLBAR
2010-01-13 00:10 . 2010-01-25 00:27 -------- d-----w- c:\documents and settings\Jesse1\Application Data\HPAppData
2010-01-13 00:06 . 2010-01-13 00:06 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-01-13 00:03 . 2010-01-13 00:03 -------- d-----w- c:\documents and settings\Jesse1\Application Data\HP
2010-01-13 00:02 . 2010-01-13 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-01-13 00:00 . 2010-01-13 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-01-12 23:58 . 2008-10-14 02:00 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2010-01-12 23:58 . 2008-10-14 02:00 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2010-01-12 23:58 . 2008-10-06 21:37 315392 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp083.dll
2010-01-12 23:58 . 2008-10-14 01:55 271704 ----a-r- c:\windows\system32\hpzids01.dll
2010-01-12 23:58 . 2008-10-06 21:38 121344 ----a-w- c:\windows\system32\hpf3l083.dll
2010-01-12 23:58 . 2008-10-14 02:00 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2010-01-12 23:58 . 2008-10-14 02:00 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2010-01-12 23:58 . 2008-10-14 01:59 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-01-12 23:58 . 2008-10-14 01:55 737280 ----a-r- c:\windows\system32\hposwia_d02a.dll
2010-01-12 23:58 . 2008-10-14 01:55 598016 ----a-r- c:\windows\system32\hpost_d02a.dll
2010-01-12 23:58 . 2008-10-14 01:55 307200 ----a-r- c:\windows\system32\hposc_d02a.dll
2010-01-12 23:51 . 2010-01-12 23:51 -------- d-----w- c:\program files\Common Files\HP
2010-01-12 23:51 . 2010-01-12 23:51 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-01-12 23:51 . 2010-01-12 23:51 -------- d-----w- c:\program files\Hewlett-Packard
2010-01-12 23:51 . 2010-01-13 00:02 -------- d-----w- c:\program files\HP
2010-01-12 23:51 . 2004-08-04 05:08 31616 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-01-12 23:51 . 2004-08-04 05:08 31616 ----a-w- c:\windows\system32\dllcache\usbccgp.sys
2010-01-12 23:49 . 2010-01-13 00:03 147910 ----a-w- c:\windows\hpoins37.dat
2010-01-12 23:49 . 2008-12-11 21:42 504 ------w- c:\windows\hpomdl37.dat
2010-01-08 00:34 . 2009-09-30 18:11 288096 ----a-r- c:\documents and settings\Jesse1\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-01-08 00:32 . 2010-01-08 00:32 -------- d-----w- c:\documents and settings\Jesse1\Application Data\McAfee
2010-01-08 00:31 . 2010-01-08 00:31 -------- d-----w- c:\program files\McAfee
2010-01-08 00:05 . 2010-01-08 00:05 -------- d-sh--w- c:\documents and settings\Jesse1\IECompatCache
2010-01-07 23:41 . 2009-11-04 22:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-25 04:11 . 2008-12-24 01:47 -------- d-----w- c:\program files\LimeWire
2010-01-22 15:18 . 2004-08-10 18:51 14336 ------w- c:\windows\system32\svchost.exe
2010-01-18 23:23 . 2008-12-30 00:52 -------- d-----w- c:\documents and settings\Jesse1\Application Data\ZoomBrowser EX
2010-01-18 23:23 . 2008-12-30 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\ZoomBrowser
2010-01-13 00:43 . 2008-12-17 02:09 2970 ----a-w- c:\documents and settings\Jesse1\Application Data\wklnhst.dat
2010-01-08 23:45 . 2009-12-21 22:37 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-01-08 00:31 . 2009-12-19 01:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-12-20 04:21 . 2009-02-15 20:26 -------- d-----w- c:\documents and settings\Jesse1\Application Data\Apple Computer
2009-12-19 01:06 . 2009-12-19 01:05 -------- d-----w- c:\program files\iTunes
2009-12-19 01:06 . 2009-12-19 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-19 01:05 . 2009-12-19 01:05 -------- d-----w- c:\program files\iPod
2009-12-19 01:05 . 2009-02-15 20:23 -------- d-----w- c:\program files\Common Files\Apple
2009-12-19 01:01 . 2009-12-19 01:00 -------- d-----w- c:\program files\QuickTime
2009-12-19 00:58 . 2006-02-14 20:30 -------- d-----w- c:\program files\Google
2009-12-19 00:48 . 2009-12-19 00:48 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-12-19 00:39 . 2009-05-12 15:12 -------- d-----w- c:\program files\Safari
2009-12-19 00:31 . 2009-12-19 00:31 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2009-12-18 20:30 . 2006-02-14 20:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-18 20:29 . 2009-10-27 00:38 -------- d-----w- c:\program files\THQ
2009-12-18 19:52 . 2009-12-18 19:52 -------- d-----w- c:\program files\McAfee Security Scan
2009-12-18 19:52 . 2009-12-18 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-11-04 22:54 . 2009-11-04 22:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2008-12-23 03:48 . 2008-12-23 03:41 56 --sh--r- c:\windows\system32\6E40225C9C.sys
2008-12-23 03:48 . 2008-12-23 03:41 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 0B788EE2A876D7B31DF840C13F08CD2B . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[-] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"avp"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe" [2009-07-03 303376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Wireless Manager UI]
c:\windows\system32\WLTRAY [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2006-02-14 19:54 61440 ----a-w- c:\dell\bldbubg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
2005-08-31 17:06 106496 ----a-w- c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
2005-09-01 23:24 684032 ----a-w- c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-12-06 07:05 127035 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2006-02-14 20:30 168448 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-10-15 02:46 77824 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-10-15 02:50 114688 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-10-15 02:49 94208 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-06-10 16:44 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 16:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
2003-09-10 08:24 20480 ------w- c:\program files\NetWaiting\netwaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-02-14 20:18 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-09-10 05:19 393216 ----a-w- c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2003-11-19 23:48 32881 ----a-w- c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2005-06-24 12:36 729178 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\WINDOWS\\system32\\BCMWLTRY.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\dfrgntfs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=
"c:\\WINDOWS\\system32\\imapi.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe"=
"c:\\WINDOWS\\system32\\logon.scr"=
"c:\\Program Files\\Dell\\NicConfigSvc\\NicConfigSvc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Qwest\\Quickcare\\bin\\sprtcmd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Works\\wksss.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [12/15/2008 8:41 PM 33808]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 11:02 AM 1213728]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [5/13/2009 5:46 PM 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [5/16/2009 8:59 PM 19472]
R3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2/15/2009 2:10 PM 23096]
R3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [2/15/2009 2:10 PM 3768]
S3 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2/15/2009 2:10 PM 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-01-25 c:\windows\Tasks\WebReg HP Deskjet F4400 series.job
- c:\program files\HP\Digital Imaging\bin\hpqwrg.exe [2008-10-17 01:22]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uDefault_Search_URL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride =
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: musicmatch.com\online
TCP: {43ACFED9-4299-4CC4-AD66-DA8DCC37E6D9} = 205.171.3.65,205.171.2.65
TCP: {4C5E29B3-CA5F-447D-82E2-6B7649509054} = 205.171.3.65,205.171.2.65
FF - ProfilePath - c:\documents and settings\Jesse1\Application Data\Mozilla\Firefox\Profiles\fj71b49y.default\
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-26 20:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1276)
c:\windows\System32\BCMLogon.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-01-26 21:00:44
ComboFix-quarantined-files.txt 2010-01-27 03:00
ComboFix2.txt 2010-01-26 23:27

Pre-Run: 2,084,007,936 bytes free
Post-Run: 2,057,678,848 bytes free

- - End Of File - - B299099862E4A0839DB1F9A049553D59

cyprian_jess
Novice

Posts : 8
Joined : 2010-01-25
OS : Windows XP
Points : 25218
# Likes : 0

Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by cyprian_jess on 28th January 2010, 12:54 pm

Hello -
Are there any further actions/steps that I should take? Thank you!

Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by Belahzur on 28th January 2010, 5:45 pm

Hello.
Nearly done now.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by cyprian_jess on 28th January 2010, 11:29 pm

Hello - Here is the uninstall list.

32 Bit HP CIO Components Installer
Actiontec Gateway
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
AllMusicConverter 3.7.3
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Broadcom Management Programs
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
Choice Guard
Chuzzle Deluxe
Chuzzle Deluxe 1.0
Conexant HDA D110 MDC V.92 Modem
Corel Paint Shop Pro X
Corel Photo Album 6
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support 3.1
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
Driver Detective
Driver Detective
EarthLink setup files
EducateU
ELIcon
Get High Speed Internet!
Google AFE
Google Desktop
Google Toolbar for Internet Explorer
Green Eggs and Ham
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Customer Participation Program 12.0
HP Deskjet F4400 All-In-One Driver Software 12.0 Rel .5
HP Imaging Device Functions 12.0
HP Smart Web Printing
HP Solution Center 12.0
HP Update
Intel(R) Graphics Media Accelerator Driver for Mobile
Internal Network Card Power Management
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Anti-Virus 2010
Kaspersky Anti-Virus 2010
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee Security Scan
McAfee Virtual Technician
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Standard 2006
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Money 2006
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Search Enhancement Pack
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Streets & Trips 2006
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
MobileMe Control Panel
Modem Helper
Mozilla Firefox (3.5.4)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
Musicmatch for Windows Media Player
Musicmatch® Jukebox
NetWaiting
NetZeroInstallers
Picasa 3
PowerDVD 5.5
QuickConnect
QuickSet
QuickTime
Qwest QuickAssist Desktop Tools
Qwest Quickcare 2.6
Qwest Windows Live Toolbar Buttons
RealPlayer Basic
SA3020 Device Manager
SA30xx Media Converter
Safari
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Segoe UI
Shop for HP Supplies
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB898461)
Update for Windows XP (KB925720)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
WildTangent Web Driver
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885884

Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by Belahzur on 29th January 2010, 12:11 am

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) SE Runtime Environment 6 Update 1
    Viewpoint Media Player

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?



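The check the helper made by eye on the uninstall list above (stale Java runtimes, duplicate entries, and the one player he asked to have removed), as an added example that is not code from this forum or from HijackThis: it parses a HijackThis `uninstall_list.txt` dump and returns the entries worth a second look. The sample lines are copied from the list posted above; the "current Java" baseline of 6 Update 18 is an assumed parameter the caller can change.

```python
"""Triage a HijackThis uninstall_list.txt dump for stale Java runtimes,
duplicate entries and names the helper asked to remove."""
import re
from collections import Counter

# Constructed sample: a few lines copied from the uninstall list posted above.
SAMPLE_LIST = """\
Adobe Reader 6.0.1
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Anti-Virus 2010
Kaspersky Anti-Virus 2010
Viewpoint Media Player
Windows Media Player 11
"""
# Names the helper told the poster to remove by hand (from the post above).
REMOVE_BY_NAME = {"Viewpoint Media Player"}
# Two naming schemes Sun used: "SE v1.4.2_03" (old) and "6 Update 1" (newer).
_JAVA_OLD = re.compile(r"Java 2 Runtime Environment, SE v(\d+)\.(\d+)\.(\d+)_(\d+)$")
_JAVA_NEW = re.compile(r"Java\(TM\) SE Runtime Environment (\d+) Update (\d+)$")

def java_version(name):
    """(major, minor, micro, update) for a JRE entry, None otherwise:
    '... SE v1.4.2_03' -> (1, 4, 2, 3); '... 6 Update 1' -> (1, 6, 0, 1)."""
    m = _JAVA_OLD.match(name)
    if m:
        return tuple(int(g) for g in m.groups())
    m = _JAVA_NEW.match(name)
    if m:
        major, update = (int(g) for g in m.groups())
        return (1, major, 0, update)
    return None

def triage(listing, current_java=(1, 6, 0, 18)):
    """Flag entries worth a second look. current_java is an assumed baseline
    (Java 6 Update 18 here); every JRE older than it is reported as stale."""
    names = [ln.strip() for ln in listing.splitlines() if ln.strip()]
    stale = []
    for n in names:
        v = java_version(n)
        if v is not None and v < current_java:
            stale.append(n)  # an old JRE leaves its browser plugin installed too
    return {
        "stale_java": stale,
        "duplicates": sorted(n for n, c in Counter(names).items() if c > 1),
        "remove_by_name": [n for n in names if n in REMOVE_BY_NAME],
    }
```

Calling `triage(SAMPLE_LIST)` reports both JREs as stale, the doubled Kaspersky entry as a duplicate, and Viewpoint Media Player by name; feed it the full saved list to repeat the triage on a real dump.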
Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by cyprian_jess on 29th January 2010, 3:25 am

Seems to be running smoothly. I am assuming that my anti-virus should be turned back on? Should I do a system scan with my anti-virus software? I appreciate all of your help with my computer!!

Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by Belahzur on 29th January 2010, 5:40 pm

Yes to both questions.


Re: Rootkit/Win32.TDSS.c virus and possible Internet Security 2010

Post by cyprian_jess on 29th January 2010, 10:26 pm

Thank you again for all of your help Hooray!
