Help, Antivirus, O No, austsftav.exe

February 14, 2010 at 14:09:51
Specs: windows xp, 3gb Ram
O No, here we go again. I had a virus called Antivirus about 3 years ago and I had to reinstall Windows. Well, now this seems to be a new version. Basically it keeps popping up telling me I have trojans, malware, etc... and that I need to purchase. I close it out and it pops back up every 2 or 3 minutes. I'm so frustrated; it disabled Internet Explorer, and keeps popping up some Viagra page. I'm typing this on Firefox. What have I done? Well, I ran Malwarebytes in Safe Mode; at first it found like 200 viruses, I deleted them, rebooted, and this Antivirus Personal thing is still there. It disables Task Manager, download manager, installing apps, etc... I did a search and it said to do regedit and look for Anti virus or something; anyways I didn't see it. Also I ran Spybot in Safe Mode, it found something called Fraud.Sysguard, it deleted it, I had hoped that would solve my problem, but NO. I know little about changing registry things; I only remember messing up Windows changing the registry several years back.

Anyways, the only relief I have found: I rebooted my computer, and as soon as Windows starts loading I can open Task Manager, so I see this Antivirus crap when it starts in Task Manager---its name is austsftav.exe. The sad part is I've searched Google, Yahoo, and this site (Computing.net) and find nothing on austsftav.exe.

Can someone please help? I'm not computer literate, so please give details on the procedures I need to do.

BTW, I'm on XP SP3; I have run Malwarebytes and Spybot in Safe Mode. Thanks





#1
February 14, 2010 at 14:24:40
Malwarebytes does not need to be turned off to run Combofix.

Remember: your antivirus, Spybot's TeaTimer and any other real-time anti-spyware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.

Please download ComboFix to the desktop from one of the following links:

ComboFix

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box > click save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouseclick combo-fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#2
February 14, 2010 at 16:01:04
Thanks Jabuck! I don't want to talk too soon, but I ran ComboFix and so far Antivirus hasn't popped up. Thanks


#3
February 14, 2010 at 16:21:07
We need to see that log, there may be some lingering bad file that will cause the malware to reinstall itself. It is located at C:\Combofix.txt



#4
February 14, 2010 at 17:40:11
ComboFix 10-02-12.01 - Administrator 02/12/2010 19:47:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2678 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\inst.exe
c:\program files\INSTALL.LOG
c:\windows\system32\kungsfcmptoydt.dat
c:\windows\system32\msvcsv60.dll
c:\windows\system32\stacsv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kungsfnkrjnoed
-------\Service_kungsfnkrjnoed


((((((((((((((((((((((((( Files Created from 2010-01-13 to 2010-02-13 )))))))))))))))))))))))))))))))
.

2010-02-12 20:04 . 2010-02-13 00:45 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\AskToolbar
2010-02-12 14:36 . 2010-02-12 14:36 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\bntemi
2010-01-24 12:01 . 2010-01-24 12:01 -------- dc----w- c:\program files\LUXONIX
2010-01-24 11:01 . 2010-01-24 12:43 16 -c--a-w- c:\windows\msocreg32.dat
2010-01-24 11:00 . 2010-01-24 11:01 -------- dc----w- c:\program files\Sonik Synth 2
2010-01-24 01:43 . 2010-01-24 01:43 -------- dc----w- c:\program files\Common Files\Native Instruments
2010-01-24 01:43 . 2010-01-24 12:28 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Native Instruments
2010-01-24 01:43 . 2010-01-24 01:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{580B8E22-2CB8-4C43-AE50-9338E581C6FA}
2010-01-24 01:30 . 2010-01-24 01:30 -------- dc----w- c:\program files\Smart Projects
2010-01-23 23:05 . 2010-01-23 23:05 -------- dc----w- c:\windows\vocoder
2010-01-23 22:56 . 2010-01-23 22:56 -------- dc----w- c:\program files\InterLok
2010-01-23 22:56 . 2010-01-23 22:56 -------- dc----w- c:\documents and settings\Administrator\Application Data\Antares
2010-01-23 22:56 . 2010-01-23 22:56 -------- dc----w- c:\program files\Antares Audio Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-13 00:31 . 2009-03-16 04:30 -------- dc----w- c:\documents and settings\Administrator\Application Data\DMCache
2010-02-12 23:15 . 2009-12-09 00:38 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 17:01 . 2009-11-22 23:15 -------- dc----w- c:\program files\Ask.com
2010-02-12 16:59 . 2009-03-15 20:43 -------- dc----w- c:\program files\Sonique
2010-02-07 23:29 . 2009-08-14 19:53 -------- dc----w- c:\documents and settings\Administrator\Application Data\U3
2010-01-24 13:28 . 2009-05-30 11:47 -------- dc----w- c:\documents and settings\Administrator\Application Data\Tracktion 3
2010-01-24 13:28 . 2009-05-11 23:41 -------- dc----w- c:\documents and settings\All Users\Application Data\Tracktion 3
2010-01-24 10:18 . 2010-01-08 04:49 -------- dc----w- c:\program files\Garritan Personal Orchestra
2010-01-09 17:23 . 2010-01-09 17:23 -------- dc----w- c:\documents and settings\All Users\Application Data\Ad Muncher
2010-01-09 17:23 . 2010-01-09 17:23 -------- dc----w- c:\program files\Ad Muncher
2010-01-09 00:01 . 2010-01-08 23:59 -------- dc----w- c:\program files\FXpansion DR-008 v1.21
2010-01-08 23:59 . 2009-05-04 03:56 -------- dc----w- c:\program files\Steinberg
2010-01-08 15:39 . 2010-01-08 15:39 -------- dc----w- c:\program files\Common Files\KORG
2010-01-08 05:19 . 2010-01-08 03:45 -------- dc----w- c:\documents and settings\Administrator\Application Data\FXpansion
2010-01-08 04:49 . 2010-01-08 04:49 -------- dc----w- c:\program files\Digidesign
2010-01-08 04:36 . 2009-05-04 03:52 -------- dc----w- c:\program files\Syncrosoft
2010-01-08 04:07 . 2010-01-08 04:07 -------- dc----w- c:\program files\Alcohol Soft
2010-01-08 04:03 . 2009-03-16 22:47 721904 -c--a-w- c:\windows\system32\drivers\sptd.sys
2010-01-08 03:48 . 2009-05-04 04:01 -------- dc----w- c:\documents and settings\Administrator\Application Data\Steinberg
2010-01-08 03:47 . 2010-01-08 03:47 -------- dc----w- c:\program files\rgcaudio software
2010-01-08 03:46 . 2010-01-08 03:46 69632 -c--a-w- c:\windows\system32\FxShared.dll
2010-01-08 03:46 . 2010-01-08 03:46 -------- dc----w- c:\program files\FXpansion
2010-01-08 02:49 . 2009-03-24 23:12 -------- dc----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2010-01-07 21:07 . 2009-12-09 00:38 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-09 00:38 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 23:45 . 2009-04-01 01:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-03 22:48 . 2009-04-01 01:17 -------- dc----w- c:\program files\Common Files\Symantec Shared
2010-01-03 21:51 . 2010-01-03 21:51 -------- dc----w- c:\program files\Trend Micro
2010-01-03 21:43 . 2009-11-07 10:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Kodak
2010-01-03 14:30 . 2010-01-03 14:00 -------- dc----w- c:\program files\Spectrasonics
2010-01-03 14:00 . 2010-01-03 14:00 -------- dc----w- c:\program files\Common Files\Digidesign
2009-12-27 02:14 . 2009-03-07 02:21 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-12-27 02:14 . 2009-12-27 02:14 -------- dc----w- c:\program files\Seagate
2009-12-27 02:14 . 2009-12-27 02:14 -------- dc----w- c:\documents and settings\All Users\Application Data\Seagate
2009-12-27 02:09 . 2009-12-27 02:09 -------- dc----w- c:\documents and settings\Administrator\Application Data\Leadertech
2009-12-27 02:02 . 2009-12-27 02:02 54016 -c--a-w- c:\windows\system32\drivers\imjece.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-02-04 21:50 1197448 -c--a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-02-04 1197448]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"oolidppy"="c:\documents and settings\Administrator\Local Settings\Application Data\bntemi\austsftav.exe" [2010-02-12 278784]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 -c--a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
2009-02-03 13:22 1004544 -c--a-w- c:\program files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-05-02 03:05 27648 -c--a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-05-02 03:05 15360 -c----w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-MU USB Audio Control Panel]
2007-11-26 19:03 274432 -c----w- c:\program files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2009-08-03 14:33 1626112 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 -c--a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-12-18 19:18 307200 -c--a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2008-12-05 01:23 2745776 -c--a-w- c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-24 20:06 1840424 -c--a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-02-29 08:12 76304 -c--a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-05-01 19:35 185640 -c--a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 22:50 4363504 -c--a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 -c----w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mylbx]
2009-03-05 04:44 1074352 -c--a-w- c:\program files\My Lockbox\mylbx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 13:31 2221352 -c--a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-06-19 13:53 570664 -c--a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 19:01 13529088 -c--a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 19:01 86016 -c--a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 19:01 1630208 -c--a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oolidppy]
2010-02-12 14:36 278784 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\bntemi\austsftav.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56 236016 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoniqueQuickStart]
2009-03-15 20:43 44832 -c--a-w- c:\program files\Sonique\SQStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [3/15/2009 1:12 AM 43792]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/26/2009 8:10 PM 40560]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/16/2009 5:47 PM 721904]
R1 NetBurn;Paragon NetBurning Driver;c:\windows\system32\drivers\NetBurn.sys [6/7/2008 1:54 PM 84752]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [4/3/2009 4:01 AM 1680704]
R2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [11/26/2007 2:10 PM 20992]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [3/15/2009 1:12 AM 73344]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/8/2009 7:38 PM 236368]
R2 NetBurnerService;Net Burner iSCSI Service;c:\program files\Paragon Software\Drive Backup 9 Professional\Net Burner Service\NetBurnerService.exe [6/7/2008 1:54 PM 223248]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [5/3/2009 10:52 PM 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/8/2009 7:38 PM 19160]
R3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [3/16/2009 7:58 PM 65794]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [4/10/2009 9:26 AM 127496]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 12:49 PM 284016]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [11/26/2007 2:14 PM 163352]
S3 SliceDisk5;SliceDisk5;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\slicedisk.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\slicedisk.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-01-30 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\documents and settings\All Users\Application Data\Kodak\Installer\Registration.exe [2009-11-07 14:29]

2010-02-12 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Administrator.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-09 21:07]

2010-02-13 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
IE: Block frame with Ad Muncher - http://www.admuncher.com/request_wi...
IE: Block image with Ad Muncher - http://www.admuncher.com/request_wi...
IE: Block link with Ad Muncher - http://www.admuncher.com/request_wi...
IE: Don't filter page with Ad Muncher - http://www.admuncher.com/request_wi...
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: Report page to the Ad Muncher developers - http://www.admuncher.com/request_wi...
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l8r50sm9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=867034&p=
FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-ares vista - c:\program files\Ares Vista\AresVista.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-HelpCenter4 - c:\program files\Bellsouth\HelpCenter40b\bin\sprtcmd.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MyWebSearch Email Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
MSConfigStartUp-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
MSConfigStartUp-SearchSettings - c:\program files\Search Settings\SearchSettings.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
AddRemove-Agere Systems Soft Modem - c:\windows\agrsmdel
AddRemove-Antares AVOX Vocal Kit Bundle VST v1.02 - c:\progra~1\STEINB~1\VSTPLU~1\Antares\AVOXVO~1\Choir\UNWISE.EXE
AddRemove-E-MU USB Audio Windows Drivers - c:\program files\Creative Professional\E-MU USB Audio\Program\SETUP.EXE
AddRemove-FXPansion Guru VSTi DXi RTAS v1.0 - c:\progra~1\FXPANS~1\Guru\UNWISE.EXE
AddRemove-IrfanView - c:\program files\IrfanView4.25\iv_uninstall.exe
AddRemove-REAPER - c:\program files\REAPER\Uninstall.exe
AddRemove-ReCycle_is1 - c:\program files\Propellerhead\ReCycle\unins000.exe
AddRemove-rgcAudio z3ta Plus v1.40 - c:\progra~1\RGCAUD~1\Z3TA_~1\Z3TA_U~1\UNWISE.EXE
AddRemove-Steinberg Cubase SX v3.1.1.944 - c:\progra~1\STEINB~1\CUBASE~1\UNWISE.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-12 20:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spul.sys >>UNKNOWN [0x8AD2F938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba666cb8
\Driver\atapi -> atapi.sys @ 0xba5fbb40
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
copy of MBR has been found in sector 62 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):d8,7f,6c,0e,55,06,b5,10,b4,04,9a,39,b2,5d,1f,2e,d6,02,1f,bf,ec,
2e,ae,f7,be,5a,78,b4,25,18,53,d2,b6,67,fa,bd,8c,4b,a5,c4,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c204474a-cecf-41db-a1ce-9d8ca5632bd0}]
@Denied: (Full) (Everyone)
"Model"=dword:000000cb
"Therad"=dword:00000015
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-02-12 20:13:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-13 01:12

Pre-Run: 76,252,000,256 bytes free
Post-Run: 85,714,104,320 bytes free

- - End Of File - - 1B6F4AE424D79A1FA39BC9C1B185F649



#5
February 14, 2010 at 18:26:43
You should go to Add/Remove Programs and uninstall Ask Toolbar.

Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::

Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\bntemi

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"oolidppy"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oolidppy]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop); if ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Please go to Virus Total and upload the following file for analysis:

c:\windows\system32\drivers\imjece.sys

Use the browse button at the site to find the file; once you find it, double-click it and it should appear in the empty space to the left of the browse button > click "send file". If the file has already been analyzed, click the reanalyze button to have it checked again.

Post the results in your reply.
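As an added example (not part of this thread, and not a ComboFix feature), the script below reads the "Reg Loading Points" section of logs like the ones posted above, flags the autostart pattern seen here, and renders the same Folder::/Registry:: CFScript stanzas that post #5 hand-wrote. The sample input is constructed from lines in the two posted logs; the two flagging heuristics (a short all-lowercase value name launching an .exe from an equally random-looking folder directly under the user's Local Settings\Application Data, and one executable registered in more than one Run key) are this example's assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log: flag autostart
entries matching the rogue-antivirus pattern in this thread and render the
CFScript stanzas that remove them. Heuristics are this example's assumptions."""
import re
from collections import Counter

# Constructed sample: lines taken from the first posted log (post #4).
SAMPLE_LOG_1 = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"oolidppy"="c:\documents and settings\Administrator\Local Settings\Application Data\bntemi\austsftav.exe" [2010-02-12 278784]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oolidppy]
2010-02-12 14:36 278784 -c--a-w- c:\documents and settings\Administrator\Local Settings\Application Data\bntemi\austsftav.exe
"""

# Constructed sample: lines from the second posted log (post #7), where the
# rogue re-created itself under a new name and registered in both HKCU and HKLM.
SAMPLE_LOG_2 = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uqsmiquc"="c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd\icogsftav.exe" [2010-02-15 278784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"uqsmiquc"="c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd\icogsftav.exe" [2010-02-15 278784]
"""

KEY_RE = re.compile(r'^\[(HK[^\]]+)\]$')                        # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"\s*\[\d{4}-\d{2}-\d{2} (\d+)\]$')  # "name"="path" [date size]
STARTUPREG_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\d+) \S+ (.+)$')   # date time size attrs path
RANDOM_NAME_RE = re.compile(r'^[a-z]{5,10}$')                   # oolidppy, bntemi, uqsmiquc, qwntxd
# An .exe in a folder directly under a user's Local Settings\Application Data (XP layout).
USER_LOCAL_APPDATA_RE = re.compile(
    r'^(c:\\documents and settings\\[^\\]+\\local settings\\application data\\([^\\]+))\\[^\\]+\.exe$',
    re.IGNORECASE)


def parse_loading_points(text):
    """Return one dict per autostart entry: key, name, path, size (bytes)."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if not (line and current_key):
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({'key': current_key, 'name': m.group(1),
                            'path': m.group(2), 'size': int(m.group(3))})
            continue
        m = STARTUPREG_RE.match(line)
        if m and '\\msconfig\\startupreg\\' in current_key.lower():
            # The value name is the last component of the startupreg key.
            entries.append({'key': current_key, 'name': current_key.rsplit('\\', 1)[1],
                            'path': m.group(2), 'size': int(m.group(1))})
    return entries


def flag_entries(entries):
    """Keep only entries that trip a heuristic; each gets a 'reasons' list."""
    run_paths = Counter(e['path'].lower() for e in entries
                        if e['key'].lower().endswith('\\run'))
    flagged = []
    for e in entries:
        reasons = []
        m = USER_LOCAL_APPDATA_RE.match(e['path'])
        if m and RANDOM_NAME_RE.match(m.group(2)) and RANDOM_NAME_RE.match(e['name']):
            reasons.append('random-looking name and folder under user Local Settings\\Application Data')
        if run_paths[e['path'].lower()] > 1:
            reasons.append('same executable registered in more than one Run key')
        if reasons:
            flagged.append(dict(e, reasons=reasons, folder=m.group(1) if m else None))
    return flagged


def build_cfscript(flagged):
    """Render the Folder:: and Registry:: stanzas in the layout post #5 used."""
    folders, registry = [], []
    for e in flagged:
        if e['folder'] and e['folder'] not in folders:
            folders.append(e['folder'])
        if e['key'].lower().endswith('\\run'):
            registry.append('[%s]\n"%s"=-' % (e['key'], e['name']))  # "=-" deletes one value
        else:
            registry.append('[-%s]' % e['key'])                       # [-key] deletes the key
    return 'KILLALL::\nFile::\n\nFolder::\n%s\n\nRegistry::\n%s\n' % (
        '\n'.join(folders), '\n'.join(registry))


if __name__ == '__main__':
    for sample in (SAMPLE_LOG_1, SAMPLE_LOG_2):
        flagged = flag_entries(parse_loading_points(sample))
        for e in flagged:
            print('%s -> %s: %s' % (e['name'], e['path'], '; '.join(e['reasons'])))
        print(build_cfscript(flagged))
```

Run against the first sample it reproduces the Folder:: and Registry:: lines of post #5; against the second it flags icogsftav.exe twice, once per Run key, which is what a re-check of the follow-up log should catch.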



#6
February 15, 2010 at 18:35:59
Thanks so much Jabuck! I am currently away from my computer I will be back on Weds. I hope you are still available, because I really appreciate you. Thanks


#7
February 20, 2010 at 09:23:21
Sorry for this late response Jabuck, just getting back. I did the Notepad thing, then ComboFix went away and that darn antivirus thing was scanning and I was unable to do anything. I powered off, restarted, and opened Task Manager as soon as Windows began loading; that's the only way I can stop this virus, by having Task Manager open before it opens.

ComboFix 10-02-12.01 - Administrator 02/18/2010 12:00:44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2714 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.

2010-02-15 10:24 . 2010-02-15 10:24 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd
2010-01-24 12:01 . 2010-01-24 12:01 -------- dc----w- c:\program files\LUXONIX
2010-01-24 11:01 . 2010-01-24 12:43 16 -c--a-w- c:\windows\msocreg32.dat
2010-01-24 11:00 . 2010-01-24 11:01 -------- dc----w- c:\program files\Sonik Synth 2
2010-01-24 01:43 . 2010-01-24 01:43 -------- dc----w- c:\program files\Common Files\Native Instruments
2010-01-24 01:43 . 2010-01-24 12:28 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Native Instruments
2010-01-24 01:43 . 2010-01-24 01:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{580B8E22-2CB8-4C43-AE50-9338E581C6FA}
2010-01-24 01:30 . 2010-01-24 01:30 -------- dc----w- c:\program files\Smart Projects
2010-01-23 23:05 . 2010-01-23 23:05 -------- dc----w- c:\windows\vocoder
2010-01-23 22:56 . 2010-01-23 22:56 -------- dc----w- c:\program files\InterLok
2010-01-23 22:56 . 2010-01-23 22:56 -------- dc----w- c:\documents and settings\Administrator\Application Data\Antares
2010-01-23 22:56 . 2010-01-23 22:56 -------- dc----w- c:\program files\Antares Audio Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-18 16:55 . 2009-11-22 23:15 -------- dc----w- c:\program files\Ask.com
2010-02-18 16:22 . 2009-03-15 20:43 -------- dc----w- c:\program files\Sonique
2010-02-16 02:29 . 2009-03-16 04:30 -------- dc----w- c:\documents and settings\Administrator\Application Data\DMCache
2010-02-12 23:15 . 2009-12-09 00:38 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-07 23:29 . 2009-08-14 19:53 -------- dc----w- c:\documents and settings\Administrator\Application Data\U3
2010-01-24 13:28 . 2009-05-30 11:47 -------- dc----w- c:\documents and settings\Administrator\Application Data\Tracktion 3
2010-01-24 13:28 . 2009-05-11 23:41 -------- dc----w- c:\documents and settings\All Users\Application Data\Tracktion 3
2010-01-24 10:18 . 2010-01-08 04:49 -------- dc----w- c:\program files\Garritan Personal Orchestra
2010-01-09 00:01 . 2010-01-08 23:59 -------- dc----w- c:\program files\FXpansion DR-008 v1.21
2010-01-08 23:59 . 2009-05-04 03:56 -------- dc----w- c:\program files\Steinberg
2010-01-08 15:39 . 2010-01-08 15:39 -------- dc----w- c:\program files\Common Files\KORG
2010-01-08 05:19 . 2010-01-08 03:45 -------- dc----w- c:\documents and settings\Administrator\Application Data\FXpansion
2010-01-08 04:49 . 2010-01-08 04:49 -------- dc----w- c:\program files\Digidesign
2010-01-08 04:36 . 2009-05-04 03:52 -------- dc----w- c:\program files\Syncrosoft
2010-01-08 04:07 . 2010-01-08 04:07 -------- dc----w- c:\program files\Alcohol Soft
2010-01-08 04:03 . 2009-03-16 22:47 721904 -c--a-w- c:\windows\system32\drivers\sptd.sys
2010-01-08 03:48 . 2009-05-04 04:01 -------- dc----w- c:\documents and settings\Administrator\Application Data\Steinberg
2010-01-08 03:47 . 2010-01-08 03:47 -------- dc----w- c:\program files\rgcaudio software
2010-01-08 03:46 . 2010-01-08 03:46 69632 -c--a-w- c:\windows\system32\FxShared.dll
2010-01-08 03:46 . 2010-01-08 03:46 -------- dc----w- c:\program files\FXpansion
2010-01-08 02:49 . 2009-03-24 23:12 -------- dc----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2010-01-07 21:07 . 2009-12-09 00:38 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-09 00:38 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 23:45 . 2009-04-01 01:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-03 22:48 . 2009-04-01 01:17 -------- dc----w- c:\program files\Common Files\Symantec Shared
2010-01-03 21:51 . 2010-01-03 21:51 -------- dc----w- c:\program files\Trend Micro
2010-01-03 21:43 . 2009-11-07 10:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Kodak
2010-01-03 14:30 . 2010-01-03 14:00 -------- dc----w- c:\program files\Spectrasonics
2010-01-03 14:00 . 2010-01-03 14:00 -------- dc----w- c:\program files\Common Files\Digidesign
2009-12-27 02:14 . 2009-03-07 02:21 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-12-27 02:14 . 2009-12-27 02:14 -------- dc----w- c:\program files\Seagate
2009-12-27 02:14 . 2009-12-27 02:14 -------- dc----w- c:\documents and settings\All Users\Application Data\Seagate
2009-12-27 02:09 . 2009-12-27 02:09 -------- dc----w- c:\documents and settings\Administrator\Application Data\Leadertech
2009-12-27 02:02 . 2009-12-27 02:02 54016 -c--a-w- c:\windows\system32\drivers\imjece.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-13_01.02.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-18 16:59 . 2010-02-18 16:59 16384 c:\windows\temp\Perflib_Perfdata_26c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uqsmiquc"="c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd\icogsftav.exe" [2010-02-15 278784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"uqsmiquc"="c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd\icogsftav.exe" [2010-02-15 278784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 -c--a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
2009-02-03 13:22 1004544 -c--a-w- c:\program files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-05-02 03:05 27648 -c--a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-05-02 03:05 15360 -c----w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-MU USB Audio Control Panel]
2007-11-26 19:03 274432 -c----w- c:\program files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2009-08-03 14:33 1626112 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 -c--a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-12-18 19:18 307200 -c--a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2008-12-05 01:23 2745776 -c--a-w- c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-24 20:06 1840424 -c--a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-02-29 08:12 76304 -c--a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-05-01 19:35 185640 -c--a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 22:50 4363504 -c--a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 -c----w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mylbx]
2009-03-05 04:44 1074352 -c--a-w- c:\program files\My Lockbox\mylbx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 13:31 2221352 -c--a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-06-19 13:53 570664 -c--a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 19:01 13529088 -c--a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 19:01 86016 -c--a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 19:01 1630208 -c--a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56 236016 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoniqueQuickStart]
2009-03-15 20:43 44832 -c--a-w- c:\program files\Sonique\SQStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [3/15/2009 1:12 AM 43792]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/26/2009 8:10 PM 40560]
R1 NetBurn;Paragon NetBurning Driver;c:\windows\system32\drivers\NetBurn.sys [6/7/2008 1:54 PM 84752]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [4/3/2009 4:01 AM 1680704]
R2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [11/26/2007 2:10 PM 20992]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [3/15/2009 1:12 AM 73344]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/8/2009 7:38 PM 236368]
R2 NetBurnerService;Net Burner iSCSI Service;c:\program files\Paragon Software\Drive Backup 9 Professional\Net Burner Service\NetBurnerService.exe [6/7/2008 1:54 PM 223248]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [5/3/2009 10:52 PM 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/8/2009 7:38 PM 19160]
R3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [3/16/2009 7:58 PM 65794]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [4/10/2009 9:26 AM 127496]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/16/2009 5:47 PM 721904]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 12:49 PM 284016]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [11/26/2007 2:14 PM 163352]
S3 SliceDisk5;SliceDisk5;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\slicedisk.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\slicedisk.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-18 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Administrator.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-09 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l8r50sm9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=867034&p=
FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-RunOnce-Ad Muncher Reboot Required - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 12:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):d8,7f,6c,0e,55,06,b5,10,b4,04,9a,39,b2,5d,1f,2e,d6,02,1f,bf,ec,
2e,ae,f7,be,5a,78,b4,25,18,53,d2,b6,67,fa,bd,8c,4b,a5,c4,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c204474a-cecf-41db-a1ce-9d8ca5632bd0}]
@Denied: (Full) (Everyone)
"Model"=dword:000000cb
"Therad"=dword:00000015
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
Completion time: 2010-02-18 12:12:19
ComboFix-quarantined-files.txt 2010-02-18 17:12
ComboFix2.txt 2010-02-18 16:42
ComboFix3.txt 2010-02-13 01:13

Pre-Run: 81,016,782,848 bytes free
Post-Run: 80,967,995,392 bytes free

- - End Of File - - 12C6FAFD05F29DCDA12DFD4E5F702857


VirusTotal results.

File imjece.sys received on 2010.02.20 17:18:35 (UTC)
Result: 2/41 (4.88%)

Antivirus Version Last Update Result
a-squared 4.5.0.50 2010.02.20 -
AhnLab-V3 5.0.0.2 2010.02.20 -
AntiVir 8.2.1.170 2010.02.19 -
Antiy-AVL 2.0.3.7 2010.02.19 -
Authentium 5.2.0.5 2010.02.20 -
Avast 4.8.1351.0 2010.02.20 -
AVG 9.0.0.730 2010.02.20 -
BitDefender 7.2 2010.02.20 -
CAT-QuickHeal 10.00 2010.02.19 -
ClamAV 0.96.0.0-git 2010.02.20 -
Comodo 4002 2010.02.20 -
DrWeb 5.0.1.12222 2010.02.20 -
eSafe 7.0.17.0 2010.02.18 Win32.TrojanHorse
eTrust-Vet 35.2.7315 2010.02.20 -
F-Prot 4.5.1.85 2010.02.19 -
F-Secure 9.0.15370.0 2010.02.19 -
Fortinet 4.0.14.0 2010.02.20 -
GData 19 2010.02.20 -
Ikarus T3.1.1.80.0 2010.02.20 -
Jiangmin 13.0.900 2010.02.20 -
K7AntiVirus 7.10.977 2010.02.18 -
Kaspersky 7.0.0.125 2010.02.17 -
McAfee 5897 2010.02.19 -
McAfee+Artemis 5897 2010.02.19 -
McAfee-GW-Edition 6.8.5 2010.02.19 -
Microsoft 1.5406 2010.02.20 -
NOD32 4882 2010.02.20 -
Norman 6.04.08 2010.02.20 -
nProtect 2009.1.8.0 2010.02.20 -
Panda 10.0.2.2 2010.02.20 -
PCTools 7.0.3.5 2010.02.19 -
Prevx 3.0 2010.02.20 -
Rising 22.34.01.03 2010.02.11 -
Sophos 4.50.0 2010.02.20 -
Sunbelt 5689 2010.02.20 -
Symantec 20091.2.0.41 2010.02.20 Suspicious.Insight
TheHacker 6.5.1.5.202 2010.02.20 -
TrendMicro 9.120.0.1004 2010.02.20 -
VBA32 3.12.12.2 2010.02.19 -
ViRobot 2010.2.19.2194 2010.02.19 -
VirusBuster 5.0.27.0 2010.02.20 -
Additional information
File size: 54016 bytes
MD5...: e6d35f3aa51a65eb35c1f2340154a25e
SHA1..: aabbd57e20d2e7041f9e7abce6cfd8a53c366537
SHA256: 3da4f51682e7d42c5569f1fb1adc6295182962e36f748219e1d0c8f2389ba516
ssdeep: 768:Bosx0q2ph6P2Jpz8ftoSUiJP7hYTCMrhwYKUzY4q:j076P2Jpz8ftBUMPaCMrhwY
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xc505
timedatestamp.....: 0x4a9ee5b5 (Wed Sep 02 21:37:57 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x480 0xbd9f 0xbe00 5.83 9474f39576a0e15bdbaa2ea3355f0a4a
.rdata 0xc280 0x126 0x180 3.78 375b710d9f213cfced30e9fdb29567e1
.data 0xc400 0xc0 0x100 0.33 786971ca2b109729eda604b44d6c72ad
INIT 0xc500 0x3c8 0x400 5.20 eea49a93a73afb6afc178455582133c6
.reloc 0xc900 0x9ec 0xa00 6.62 bddd5a40c508bfc84ec87de5f8e6a5d3

( 1 imports )
> ntoskrnl.exe: ZwWriteFile, RtlUpcaseUnicodeChar, ZwClose, ZwCreateFile, RtlInitUnicodeString, _wcsicmp, ZwQueryValueKey, ZwOpenKey, ZwDeleteKey, swprintf, ZwEnumerateKey, ExFreePoolWithTag, DbgPrint, ExAllocatePool, RtlPrefixUnicodeString, memcpy, RtlDeleteRegistryValue, ZwSetValueKey, RtlWriteRegistryValue, ZwEnumerateValueKey, ZwSetInformationFile, ZwQueryInformationFile, ZwQueryDirectoryFile, ZwOpenFile, KeTickCount, KeBugCheck, MmGetSystemRoutineAddress, ZwFlushKey, PsTerminateSystemThread, KeSetPriorityThread, KeGetCurrentThread, RtlCheckRegistryKey, KeDelayExecutionThread, ZwReadFile, PsCreateSystemThread, PsGetVersion, KeBugCheckEx

( 0 exports )
RDS...: NSRL Reference Data Set
-
pdfid.: -
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned
trid..: Clipper DOS Executable (33.3%)
Generic Win/DOS Executable (33.0%)
DOS Executable Generic (33.0%)
VXD Driver (0.5%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)

Thanks



#8
February 20, 2010 at 09:38:17
Open Notepad and copy/paste everything between the X's into it and make sure the first word (such as KILLALL, File, Folder, Registry etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
c:\windows\system32\drivers\imjece.sys

Folder::
c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uqsmiquc"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop). If ComboFix does not auto-start, click "Run".

Please post the log that is produced.

Please run the BitDefender online scan at this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.
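The CFScript above targets the one Run value the log showed running from a random-named folder under the user's Local Settings\Application Data, registered under both HKCU and HKLM. The script below is an added example, not part of this thread or of ComboFix: it parses the "Reg Loading Points" Run-key block of a ComboFix log, flags entries with those two traits, and renders the hits in the same Folder::/Registry:: form the helper used. The sample log text is copied from the log posted earlier in the thread; the directory heuristics (which also cover Vista+ AppData paths) are my assumption about where installed software does not normally place an autostart binary, so the output is a triage list for a person to review, not a cleanup script to run blind.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the "Reg Loading Points" Run-key block of the ComboFix
# log posted earlier in this thread (values copied from the log, not live data).
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uqsmiquc"="c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd\icogsftav.exe" [2010-02-15 278784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"uqsmiquc"="c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd\icogsftav.exe" [2010-02-15 278784]
"""

# Assumed heuristics: per-user profile roots (XP and Vista+) and the data/temp
# sub-trees beneath them that installed applications do not normally use for
# an autostart binary.
USER_PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")
SUSPECT_SUBDIRS = (
    "local settings\\application data\\", "local settings\\temp\\", "application data\\",
    "appdata\\local\\", "appdata\\roaming\\",
)

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?:\s+\[(\d{4}-\d{2}-\d{2})\s+(\d+)\])?')


@dataclass
class RunEntry:
    key: str                      # registry key the value lives under
    name: str                     # value name, e.g. uqsmiquc
    path: str                     # lower-cased path of the launched file
    file_date: Optional[str]      # ComboFix's [date size] annotation, if present
    size: Optional[int]
    reasons: List[str] = field(default_factory=list)


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Collect every value under a key ending in \\Run from a ComboFix log."""
    entries: List[RunEntry] = []
    key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group(1)
            continue
        if key is None or not key.lower().endswith("\\run"):
            continue
        val = VALUE_RE.match(line)
        if val:
            name, path, date, size = val.groups()
            entries.append(RunEntry(key, name, path.lower(), date, int(size) if size else None))
    return entries


def triage_run_entries(log_text: str) -> List[RunEntry]:
    """Return the Run entries with at least one suspicious trait, reasons attached."""
    entries = parse_run_entries(log_text)
    hives: Dict[Tuple[str, str], Set[str]] = {}
    for e in entries:
        hives.setdefault((e.name, e.path), set()).add(e.key)
    for e in entries:
        parts = e.path.split("\\")
        if e.path.startswith(USER_PROFILE_ROOTS) and len(parts) > 3:
            below_profile = "\\".join(parts[3:])       # path relative to the profile dir
            if below_profile.startswith(SUSPECT_SUBDIRS):
                e.reasons.append("autostart binary lives in a user-profile data/temp directory")
        if len(hives[(e.name, e.path)]) > 1:
            e.reasons.append("same value registered under more than one Run key")
    return [e for e in entries if e.reasons]


def cfscript_for(findings: List[RunEntry]) -> str:
    """Render the flagged entries in the Folder::/Registry:: form used in this thread.
    The text is for a human to review before it goes anywhere near ComboFix."""
    folders: List[str] = []
    for f in findings:
        folder = f.path.rsplit("\\", 1)[0]
        if folder not in folders:
            folders.append(folder)
    lines = ["KILLALL::", "", "Folder::", *folders, "", "Registry::"]
    for f in findings:
        lines += [f"[{f.key}]", f'"{f.name}"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for hit in triage_run_entries(SAMPLE_LOG):
        print(f"{hit.name:<12} {hit.key}\n    {hit.path}\n    " + "; ".join(hit.reasons))
    print()
    print(cfscript_for(triage_run_entries(SAMPLE_LOG)))
```

On the sample block the only hits are the two uqsmiquc values (one per hive); NvCplDaemon and the Malwarebytes entry run from c:\windows and c:\program files and are left alone. The rendered script omits the File:: line for the driver, since a kernel driver is not a Run value and needs its own review (the VirusTotal result above is how that was done here).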



#9
February 21, 2010 at 22:55:18
Thanks so much Jabuck!


ComboFix 10-02-12.01 - Administrator 02/20/2010 1:13.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2710 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\imjece.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd
c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd\icogsftav.exe
c:\windows\system32\drivers\imjece.sys
K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.

2010-01-24 12:01 . 2010-01-24 12:01 -------- dc----w- c:\program files\LUXONIX
2010-01-24 11:01 . 2010-01-24 12:43 16 -c--a-w- c:\windows\msocreg32.dat
2010-01-24 11:00 . 2010-01-24 11:01 -------- dc----w- c:\program files\Sonik Synth 2
2010-01-24 01:43 . 2010-01-24 01:43 -------- dc----w- c:\program files\Common Files\Native Instruments
2010-01-24 01:43 . 2010-01-24 12:28 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Native Instruments
2010-01-24 01:43 . 2010-01-24 01:43 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{580B8E22-2CB8-4C43-AE50-9338E581C6FA}
2010-01-24 01:30 . 2010-01-24 01:30 -------- dc----w- c:\program files\Smart Projects
2010-01-23 23:05 . 2010-01-23 23:05 -------- dc----w- c:\windows\vocoder
2010-01-23 22:56 . 2010-01-23 22:56 -------- dc----w- c:\program files\InterLok
2010-01-23 22:56 . 2010-01-23 22:56 -------- dc----w- c:\documents and settings\Administrator\Application Data\Antares
2010-01-23 22:56 . 2010-01-23 22:56 -------- dc----w- c:\program files\Antares Audio Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 06:06 . 2009-03-15 20:43 -------- dc----w- c:\program files\Sonique
2010-02-20 06:05 . 2009-03-16 04:30 -------- dc----w- c:\documents and settings\Administrator\Application Data\DMCache
2010-02-18 16:55 . 2009-11-22 23:15 -------- dc----w- c:\program files\Ask.com
2010-02-12 23:15 . 2009-12-09 00:38 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-07 23:29 . 2009-08-14 19:53 -------- dc----w- c:\documents and settings\Administrator\Application Data\U3
2010-01-24 13:28 . 2009-05-30 11:47 -------- dc----w- c:\documents and settings\Administrator\Application Data\Tracktion 3
2010-01-24 13:28 . 2009-05-11 23:41 -------- dc----w- c:\documents and settings\All Users\Application Data\Tracktion 3
2010-01-24 10:18 . 2010-01-08 04:49 -------- dc----w- c:\program files\Garritan Personal Orchestra
2010-01-09 00:01 . 2010-01-08 23:59 -------- dc----w- c:\program files\FXpansion DR-008 v1.21
2010-01-08 23:59 . 2009-05-04 03:56 -------- dc----w- c:\program files\Steinberg
2010-01-08 15:39 . 2010-01-08 15:39 -------- dc----w- c:\program files\Common Files\KORG
2010-01-08 05:19 . 2010-01-08 03:45 -------- dc----w- c:\documents and settings\Administrator\Application Data\FXpansion
2010-01-08 04:49 . 2010-01-08 04:49 -------- dc----w- c:\program files\Digidesign
2010-01-08 04:36 . 2009-05-04 03:52 -------- dc----w- c:\program files\Syncrosoft
2010-01-08 04:07 . 2010-01-08 04:07 -------- dc----w- c:\program files\Alcohol Soft
2010-01-08 04:03 . 2009-03-16 22:47 721904 -c--a-w- c:\windows\system32\drivers\sptd.sys
2010-01-08 03:48 . 2009-05-04 04:01 -------- dc----w- c:\documents and settings\Administrator\Application Data\Steinberg
2010-01-08 03:47 . 2010-01-08 03:47 -------- dc----w- c:\program files\rgcaudio software
2010-01-08 03:46 . 2010-01-08 03:46 69632 -c--a-w- c:\windows\system32\FxShared.dll
2010-01-08 03:46 . 2010-01-08 03:46 -------- dc----w- c:\program files\FXpansion
2010-01-08 02:49 . 2009-03-24 23:12 -------- dc----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Pro
2010-01-07 21:07 . 2009-12-09 00:38 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 21:07 . 2009-12-09 00:38 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 23:45 . 2009-04-01 01:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-03 22:48 . 2009-04-01 01:17 -------- dc----w- c:\program files\Common Files\Symantec Shared
2010-01-03 21:51 . 2010-01-03 21:51 -------- dc----w- c:\program files\Trend Micro
2010-01-03 21:43 . 2009-11-07 10:58 -------- dc----w- c:\documents and settings\All Users\Application Data\Kodak
2010-01-03 14:30 . 2010-01-03 14:00 -------- dc----w- c:\program files\Spectrasonics
2010-01-03 14:00 . 2010-01-03 14:00 -------- dc----w- c:\program files\Common Files\Digidesign
2009-12-27 02:14 . 2009-03-07 02:21 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-12-27 02:14 . 2009-12-27 02:14 -------- dc----w- c:\program files\Seagate
2009-12-27 02:14 . 2009-12-27 02:14 -------- dc----w- c:\documents and settings\All Users\Application Data\Seagate
2009-12-27 02:09 . 2009-12-27 02:09 -------- dc----w- c:\documents and settings\Administrator\Application Data\Leadertech
.

------- Sigcheck -------

[7] 2008-05-02 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0009\DriverFiles\i386\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\2bc0b3c55e0c166e04844934d1c7c342\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\atapi.sys
[-] 2008-04-14 05:10 . E9113D940039B84BB9FE49C0BA67FAB8 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2008-04-14 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\system32\ReinstallBackups\0010\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-02-13_01.02.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-20 06:25 . 2010-02-20 06:25 16384 c:\windows\temp\Perflib_Perfdata_724.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"="c:\program files\Ares\Ares.exe" [2009-02-03 1004544]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-05-02 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 07:42 72208 -c--a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 21:10 35696 -c--a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
2009-02-03 13:22 1004544 -c--a-w- c:\program files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-05-02 03:05 27648 -c--a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-05-02 03:05 15360 -c----w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 -c--a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-MU USB Audio Control Panel]
2007-11-26 19:03 274432 -c----w- c:\program files\Creative Professional\E-MU USB Audio\EmuUsbAudioCP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2009-08-03 14:33 1626112 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 -c--a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
2005-12-18 19:18 307200 -c--a-w- c:\program files\Syncrosoft\POS\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
2008-12-05 01:23 2745776 -c--a-w- c:\program files\Internet Download Manager\IDMan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-24 20:06 1840424 -c--a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-02-29 08:12 76304 -c--a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
2009-05-01 19:35 185640 -c--a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-03-18 22:50 4363504 -c--a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 -c----w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mylbx]
2009-03-05 04:44 1074352 -c--a-w- c:\program files\My Lockbox\mylbx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-06-08 13:31 2221352 -c--a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-06-19 13:53 570664 -c--a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-16 19:01 13529088 -c--a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-16 19:01 86016 -c--a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-05-16 19:01 1630208 -c--a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56 236016 -c--a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoniqueQuickStart]
2009-03-15 20:43 44832 -c--a-w- c:\program files\Sonique\SQStart.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 FSProFilter;FSPro File Filter;c:\windows\system32\drivers\FSPFltd.sys [3/15/2009 1:12 AM 43792]
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [8/26/2009 8:10 PM 40560]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/16/2009 5:47 PM 721904]
R1 NetBurn;Paragon NetBurning Driver;c:\windows\system32\drivers\NetBurn.sys [6/7/2008 1:54 PM 84752]
R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [4/3/2009 4:01 AM 1680704]
R2 emaudsv;E-MU Audio Service;c:\windows\system32\emaudsv.exe [11/26/2007 2:10 PM 20992]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [5/1/2009 2:35 PM 181544]
R2 fsproflt;FSPro Filter Service;c:\windows\system32\fsproflt.exe [3/15/2009 1:12 AM 73344]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/8/2009 7:38 PM 236368]
R2 NetBurnerService;Net Burner iSCSI Service;c:\program files\Paragon Software\Drive Backup 9 Professional\Net Burner Service\NetBurnerService.exe [6/7/2008 1:54 PM 223248]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [5/3/2009 10:52 PM 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/8/2009 7:38 PM 19160]
R3 RDID1009;EDIROL UM-1;c:\windows\system32\drivers\Rdwm1009.sys [3/16/2009 7:58 PM 65794]
R3 TotRec7;Total Recorder WDM audio driver;c:\windows\system32\drivers\TotRec7.sys [4/10/2009 9:26 AM 127496]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\ekdiscovery.exe [8/5/2009 12:49 PM 284016]
S3 emusba10;E-MU USB-Audio 1.0 Driver;c:\windows\system32\drivers\emusba10.sys [11/26/2007 2:14 PM 163352]
S3 SliceDisk5;SliceDisk5;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\slicedisk.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\slicedisk.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-19 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Administrator.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-09 21:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\l8r50sm9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=867034&p=
FF - component: c:\documents and settings\Administrator\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-uqsmiquc - c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd\icogsftav.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-20 01:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spjw.sys >>UNKNOWN [0x8AD3C938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba666cb8
\Driver\atapi -> atapi.sys @ 0xba5fbb40
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK
copy of MBR has been found in sector 62 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):d8,7f,6c,0e,55,06,b5,10,b4,04,9a,39,b2,5d,1f,2e,d6,02,1f,bf,ec,
2e,ae,f7,be,5a,78,b4,25,18,53,d2,b6,67,fa,bd,8c,4b,a5,c4,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{c204474a-cecf-41db-a1ce-9d8ca5632bd0}]
@Denied: (Full) (Everyone)
"Model"=dword:000000cb
"Therad"=dword:00000015
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(848)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll

- - - - - - - > 'explorer.exe'(2212)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2010-02-20 01:34:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-20 06:34
ComboFix2.txt 2010-02-18 17:12
ComboFix3.txt 2010-02-18 16:42
ComboFix4.txt 2010-02-13 01:13

Pre-Run: 79,235,424,256 bytes free
Post-Run: 79,188,480,000 bytes free

- - End Of File - - 762DB8DE357EA7046358697449D68C0F


Bitdefender quick scan


BitDefender QuickScan Beta 32-bit v0.9.9.2
------------------------------------------

Scan date: Sat Feb 20 01:47:17 2010
Machine ID: 439CD3

Found 1 infected file!
------------------------
C:\WINDOWS\system32\DRIVERS\atapi.sys - Rootkit.Patched.TDSS.Gen


Processes
---------
<unsigned> IoctlSvc Application 472 C:\WINDOWS\system32\IoctlSvc.exe
<unsigned> E-MU Audio Product 1232 C:\WINDOWS\system32\emaudsv.exe
<unsigned> mcci+McciCMService 148 C:\Program Files\Common Files\Motive\McciCMService.exe

<verified> Agere Soft Modem Call Progress Service 676 C:\Program Files\LSI SoftModem\agrsmsvc.exe
<verified> CodeMeter 692 C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
<verified> Firefox 3148 C:\Program Files\Mozilla Firefox\firefox.exe
<verified> FSPro Labs Filter Service 1752 C:\WINDOWS\system32\fsproflt.exe
<verified> Java(TM) Platform SE 6 U16 1828 C:\Program Files\Java\jre6\bin\jqs.exe
<verified> Malwarebytes' Anti-Malware 1480 C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
<verified> Malwarebytes' Anti-Malware 1992 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
<verified> Microsoft® Windows® Operating System 2212 C:\WINDOWS\explorer.exe
<verified> Microsoft® Windows® Operating System 1304 C:\WINDOWS\System32\alg.exe
<verified> Microsoft® Windows® Operating System 824 C:\WINDOWS\system32\csrss.exe
<verified> Microsoft® Windows® Operating System 3808 C:\WINDOWS\system32\ctfmon.exe
<verified> Microsoft® Windows® Operating System 904 C:\WINDOWS\system32\lsass.exe
<verified> Microsoft® Windows® Operating System 2180 C:\WINDOWS\system32\notepad.exe
<verified> Microsoft® Windows® Operating System 892 C:\WINDOWS\system32\services.exe
<verified> Microsoft® Windows® Operating System 608 C:\WINDOWS\System32\smss.exe
<verified> Microsoft® Windows® Operating System 1876 C:\WINDOWS\system32\spoolsv.exe
<verified> Microsoft® Windows® Operating System 536 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 732 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1072 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1132 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1296 C:\WINDOWS\System32\svchost.exe
<verified> Microsoft® Windows® Operating System 1348 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1440 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 1600 C:\WINDOWS\system32\svchost.exe
<verified> Microsoft® Windows® Operating System 796 C:\WINDOWS\system32\taskmgr.exe
<verified> Microsoft® Windows® Operating System 848 C:\WINDOWS\system32\winlogon.exe
<verified> Microsoft® Windows® Operating System 3528 C:\WINDOWS\system32\wscntfy.exe
<verified> Nero BackItUp 404 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
<verified> NetBurner 292 C:\Program Files\Paragon Software\Drive Backup 9 Professional\Net Burner Service\NetBurnerService.exe
<verified> NVIDIA Driver Helper Service, Version 1 352 C:\WINDOWS\system32\nvsvc32.exe
<verified> Sync 1280 C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe


Network activity
----------------
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 208.46.17.16
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.86.25
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 208.117.241.150
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.252
Process firefox.exe (3148) connected on port 80 (HTTP) - 208.46.17.162
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 208.46.17.162
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.119
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.90.50
Process firefox.exe (3148) connected on port 80 (HTTP) - *.122.2o7.net
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.90.50
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.90.50
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.88.59
Process firefox.exe (3148) connected on port 80 (HTTP) - 63.135.90.50

Process NetBurnerService.exe (292) listens on ports: 3260 (iSCSI Target), 3261
Process svchost.exe (1132) listens on ports: 135 (RPC)


Autoruns and critical files
---------------------------
<unsigned> Ares p2p for windows C:\Program Files\Ares\Ares.exe

<verified> Logitech SetPoint C:\Program Files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
<verified> Malwarebytes' Anti-Malware C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
<verified> Malwarebytes' Anti-Malware C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\browseui.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\crypt32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cryptnet.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\cscdll.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\dimsntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\logonui.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\sclgntfy.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\shell32.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\stobject.dll
<verified> Microsoft® Windows® Operating System c:\windows\system32\userinit.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\wlnotify.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\WPDShServiceObj.dll
<verified> NVIDIA Compatible Windows 2000 Display C:\WINDOWS\system32\NvCpl.dll
<verified> Windows® Internet Explorer C:\WINDOWS\system32\webcheck.dll


Browser plugins
---------------
<unsigned> Bonjour C:\Program Files\Bonjour\mdnsNSP.dll
<unsigned> Java(TM) Platform SE 6 U16 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<unsigned> Mega Manager IE Click Catcher c:\program files\megaupload\mega manager\megaiemn.dll

<verified> AcroIEHelperShim Library c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll
<verified> Adobe Acrobat C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
<verified> Adobe® Flash® Player ActiveX C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
<verified> BitDefender QuickScan C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/l8r50sm9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
<verified> BitDefender QuickScan C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles/l8r50sm9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.dll
<verified> InstallShield Update Service C:\WINDOWS\Downloaded Program Files\dwusplay.exe
<verified> Internet Download Manager Module c:\program files\internet download manager\idmiecc.dll
<verified> Java Deployment Toolkit 6.0.160.1 C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\mswsock.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\rsvpsp.dll
<verified> Microsoft® Windows® Operating System C:\WINDOWS\system32\winrnr.dll
<verified> Mozilla Default Plug-in C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
<verified> NPSWF32.dll C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
<verified> Software Manager C:\WINDOWS\Downloaded Program Files\isusweb.dll
<verified> Windows® Internet Explorer C:\WINDOWS\system32\ieframe.dll
<verified> Yahoo Application State Plugin C:\Program Files\Yahoo!\Shared\npYState.dll
<verified> Yahoo! Toolbar c:\program files\yahoo!\companion\installs\cpn\yt.dll


Scan
----
<unsigned> MD5: d1ea7694103f5d5cf11148f9b3864c45 C:\Program Files\Ares\Ares.exe
<unsigned> MD5: 292f92469efb2fd402e00742c06d539d C:\Program Files\Bonjour\mdnsNSP.dll
<unsigned> MD5: 6f95324909b502e2651442c1548ab12f C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
<unsigned> MD5: 67b6f4e0db57dd2020a2415294ba4ed8 C:\Program Files\Common Files\Motive\McciCMService.exe
<unsigned> MD5: 9bd4dcb5412921864a7aacdedfbd1923 C:\Program Files\Common Files\Motive\MREMP50.sys
<unsigned> MD5: 07c02c892e8e1a72d6bf35004f0e9c5e C:\Program Files\Common Files\Motive\MRESP50.sys
<unsigned> MD5: 86f1895ae8c5e8b17d99ece768a70732 C:\Program Files\Java\jre6\bin\msvcr71.dll
<unsigned> MD5: 37edbcc7e5e0b89e59941ff79a2f9746 c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
<unsigned> MD5: 5f04e79ab3c0016ed1f6b5e35cddbcc6 c:\program files\megaupload\mega manager\megaiemn.dll
<unsigned> MD5: 1aab00ae4ffb5c72a0a06a254f80510e C:\Program Files\Mozilla Firefox\freebl3.dll
<unsigned> MD5: 39dfd2c92728fca093d5bdefe5f6e801 C:\Program Files\Mozilla Firefox\nssdbm3.dll
<unsigned> MD5: 89e6d66ec90b4e8e41b55248eb7c84cb C:\Program Files\Mozilla Firefox\softokn3.dll
<unsigned> MD5: 395611b0d184d57a8b535ac590622e6a C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
<unsigned> MD5: 5a5cff37f1bd0f86b9bdaad7a9445882 C:\WINDOWS\system32\cdplayer.exe.manifest
<unsigned> MD5: e9113d940039b84bb9fe49c0ba67fab8 C:\WINDOWS\system32\DRIVERS\atapi.sys
<unsigned> MD5: b53f9635457b56dcffef750e18aec6cb C:\WINDOWS\system32\DRIVERS\cledx.sys
<unsigned> MD5: 5b6c11de7e839c05248ced8825470fef C:\WINDOWS\System32\Drivers\pcouffin.sys
<unsigned> MD5: 5eb5bf181e42be9cbf07d6332707fe73 C:\WINDOWS\system32\Drivers\rdwm1009.sys
<unsigned> MD5: 2d77c535d32688d5fd6cd05c04e27948 C:\WINDOWS\system32\emaudsv.exe
<unsigned> MD5: 875e4e0661f3a5994df9e5e3a0a4f96b C:\WINDOWS\system32\IoctlSvc.exe
<unsigned> MD5: 5d76c3fb736514e1d7c88791e7322784 C:\WINDOWS\system32\logonui.exe.manifest
<unsigned> MD5: 5a5cff37f1bd0f86b9bdaad7a9445882 C:\WINDOWS\system32\ncpa.cpl.manifest
<unsigned> MD5: 5a5cff37f1bd0f86b9bdaad7a9445882 C:\WINDOWS\system32\nwc.cpl.manifest
<unsigned> MD5: 5a5cff37f1bd0f86b9bdaad7a9445882 C:\WINDOWS\system32\sapi.cpl.manifest
<unsigned> MD5: 00dd2a31fbcb142275a0c725de372c63 C:\WINDOWS\system32\spool\prtprocs\w32x86\wfxprint2000.dll
<unsigned> MD5: 5d76c3fb736514e1d7c88791e7322784 C:\WINDOWS\system32\WindowsLogon.manifest
<unsigned> MD5: 5a5cff37f1bd0f86b9bdaad7a9445882 C:\WINDOWS\system32\wuaucpl.cpl.manifest
<unsigned> MD5: 5a5cff37f1bd0f86b9bdaad7a9445882 C:\WINDOWS\WindowsShell.Manifest
<unsigned> MD5: 4c8a880eabc0b4d462cc4b2472116ea1 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
<unsigned> MD5: e4fece18310e23b1d8fee993e35e7a6f C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
<unsigned> MD5: 1b7524806d0270b81360c63a2fa047cb C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80.dll
<unsigned> MD5: ccc2e312486ae6b80970211da472268b C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfc80u.dll
<unsigned> MD5: 9090454e6772f7cfbce240bf4dc5f7e8 C:\WINDOWS\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll

The following file(s) must be uploaded for server-side scanning:
C:\WINDOWS\system32\DRIVERS\atapi.sys

Upload started - 1 file(s)
C:\WINDOWS\system32\DRIVERS\atapi.sys (96512)
Upload speed - 20 KB/s
Upload finished - 1 uploaded, 0 failed

Scan finished - communication took 7 sec
Total traffic - 0.14 MB sent, 2.65 KB recvd
Scanned 851 files and modules - 183 seconds


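The ComboFix log above holds the indicators that explain the symptoms in the first post: Internet Explorer forced through a proxy on 127.0.0.1:5555 (why IE "stopped working" while Firefox did not), an orphaned Run entry (uqsmiquc) that launched icogsftav.exe from Local Settings\Application Data, a driver registered from the Temp folder, and gmer's MBR detector showing disk I/O passing through an unnamed kernel module plus a second MBR image in sector 62. The following is an added example of my own, not ComboFix's, gmer's or the poster's code: a small Python triage script that pulls those indicators out of a pasted ComboFix log. SAMPLE_LOG is a constructed excerpt that mirrors the lines above; the "uRun: [name] path" autostart form is assumed from ComboFix's usual output, and the severity rules are my own heuristics.

```python
"""Pull the infection indicators out of a pasted ComboFix log.

Added example: not ComboFix's, gmer's or the poster's code. The rules are
my own heuristics; SAMPLE_LOG is a constructed excerpt that mirrors the
format of the log above.
"""
import re

# Constructed sample input, modelled on the log above.
SAMPLE_LOG = r"""
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/8/2009 7:38 PM 236368]
S3 SliceDisk5;SliceDisk5;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\slicedisk.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\slicedisk.sys [?]
uStart Page = hxxp://www.att.net/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
HKLM-Run-uqsmiquc - c:\documents and settings\Administrator\Local Settings\Application Data\qwntxd\icogsftav.exe
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spjw.sys >>UNKNOWN [0x8AD3C938]<<
user & kernel MBR OK
copy of MBR has been found in sector 62 !
"""

# Profile directories that any user-level process can write to.
USER_WRITABLE = re.compile(
    r"\\(?:local settings\\application data|local settings\\temp"
    r"|locals~1\\temp|application data)\\",
    re.IGNORECASE,
)
# IE proxy pointing back at the local machine, e.g. "http=127.0.0.1:5555".
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):(?P<port>\d+)",
    re.IGNORECASE,
)
# Service/driver lines: "<R|S><0-4> name;display name;image path [date size]".
SERVICE = re.compile(r"^[RS][0-4]\s+(?P<name>[^;]*);[^;]*;(?P<path>.+)$")
# Autostart lines: the orphan form shown above ("HKLM-Run-name - path") and
# the usual "uRun: [name] path" / "mRun: [name] path" form (assumed).
RUN = re.compile(
    r"^(?:HK(?:LM|CU)-Run-(?P<oname>\S+)\s+-\s+(?P<opath>.+)"
    r"|[mu]Run:\s*\[(?P<rname>[^\]]+)\]\s*(?P<rpath>.+))$",
    re.IGNORECASE,
)
MBR_UNKNOWN = re.compile(r"called modules:.*>>UNKNOWN\s*\[(?P<addr>0x[0-9a-f]+)\]<<", re.IGNORECASE)
MBR_COPY = re.compile(r"copy of MBR has been found in sector (?P<sector>\d+)", re.IGNORECASE)


def triage(log_text):
    """Return (severity, reason, line) findings for a ComboFix log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOOPBACK_PROXY.search(line)
        if m:
            reason = (f"IE traffic forced through a local listener on port {m['port']}: "
                      "rogue AV uses this to block or redirect browsing")
            findings.append(("high", reason, line))
            continue
        m = SERVICE.match(line)
        if m and USER_WRITABLE.search(m["path"]):
            # Imaging/burning tools do stage a driver in Temp, so that case only gets "medium".
            in_temp = re.search(r"\\temp\\", m["path"], re.IGNORECASE) is not None
            reason = f"service/driver '{m['name']}' loads from a user-writable profile path"
            if in_temp:
                reason += "; disk tools do stage drivers in Temp, so confirm before removing"
            findings.append(("medium" if in_temp else "high", reason, line))
            continue
        m = RUN.match(line)
        if m:
            name = m["oname"] or m["rname"]
            path = m["opath"] or m["rpath"]
            if USER_WRITABLE.search(path):
                reason = f"autostart '{name}' runs an executable from a user-writable profile path"
                findings.append(("high", reason, line))
            continue
        m = MBR_UNKNOWN.search(line)
        if m:
            reason = (f"disk I/O path passes through an unnamed kernel module at {m['addr']}: "
                      "consistent with a rootkit hooking the disk stack")
            findings.append(("high", reason, line))
            continue
        m = MBR_COPY.search(line)
        if m:
            reason = (f"second MBR image in sector {m['sector']}: bootkits stash the original MBR "
                      "in track 0, but disk tools leave backups there too; compare it offline")
            findings.append(("medium", reason, line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {line}")
```

Run against the constructed excerpt it reports five findings, in log order: the Temp driver (medium), the loopback proxy (high), the orphan Run entry (high), the unknown module in the disk call path (high) and the MBR copy (medium). ComboFix's own log already shows it removed the orphan entry; the point of the script is that the proxy setting and the kernel-level indicators survive that removal and still need attention, which is what the TDSSKiller step in the next reply targets.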
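The gmer MBR detector above reports "copy of MBR has been found in sector 62 !" while the live MBR itself checks out ("user & kernel MBR OK"). On a Windows XP disk the first partition normally starts at sector 63, so sectors 1 to 62 of track 0 are unused; a bootkit that overwrites the MBR typically saves the original there, and partitioning or imaging tools sometimes leave a backup there as well. The following is an added example, not gmer's code, of how to look for such copies in a raw image of the first 63 sectors and compare each one with sector 0. DISK_IMAGE is constructed (synthetic boot code, one NTFS entry); on a real machine you would read the first 63 sectors of the physical disk as Administrator, and, given the unnamed module in the disk call path above, preferably from boot media rather than from the running system.

```python
"""Scan track 0 of a disk image for extra copies of the MBR.

Added example, not gmer's code. DISK_IMAGE is constructed: a 63-sector image
whose live MBR (sector 0) carries different boot code from a saved copy in
sector 62, with identical partition tables, the layout a bootkit leaves behind.
"""
SECTOR = 512
TABLE = 446            # offset of the four 16-byte partition entries
SIG_OFFSET = 510       # offset of the 55 AA boot signature
SIGNATURE = b"\x55\xAA"


def build_mbr(code_fill, part_type=0x07, start_lba=63, sectors=2_000_000):
    """Build a synthetic MBR: boot code filled with one byte, one bootable NTFS entry."""
    code = bytes([code_fill]) * TABLE
    entry = (bytes([0x80, 0, 0, 0, part_type, 0, 0, 0])      # status, CHS start, type, CHS end
             + start_lba.to_bytes(4, "little") + sectors.to_bytes(4, "little"))
    return code + entry + bytes(48) + SIGNATURE              # 446 + 64 + 2 = 512 bytes


def looks_like_mbr(sector):
    """True if the sector has the 55AA signature and a plausible partition table."""
    if len(sector) != SECTOR or sector[SIG_OFFSET:] != SIGNATURE:
        return False
    entries = [sector[TABLE + 16 * i: TABLE + 16 * (i + 1)] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):   # status byte must be valid
        return False
    return any(e[4] != 0 for e in entries)               # at least one used entry


def find_mbr_copies(image, track_sectors=63):
    """Return (sector, same_boot_code, same_partition_table) for each MBR-like
    sector in 1..track_sectors-1, compared against the live MBR in sector 0."""
    live = image[:SECTOR]
    hits = []
    for i in range(1, min(track_sectors, len(image) // SECTOR)):
        s = image[i * SECTOR:(i + 1) * SECTOR]
        if looks_like_mbr(s):
            hits.append((i,
                         s[:TABLE] == live[:TABLE],
                         s[TABLE:SIG_OFFSET] == live[TABLE:SIG_OFFSET]))
    return hits


def describe(hits):
    """Human-readable verdict for each hit from find_mbr_copies()."""
    out = []
    for sector, same_code, same_table in hits:
        if same_code and same_table:
            verdict = "identical to sector 0 (backup left by a disk tool, or nothing changed yet)"
        elif same_table:
            verdict = ("same partition table but different boot code: the saved-original-MBR "
                       "layout a bootkit leaves, so inspect the code in sector 0")
        else:
            verdict = "unrelated MBR image (old disk layout or another tool's backup)"
        out.append(f"sector {sector}: {verdict}")
    return out


# Constructed image: patched boot code live in sector 0, original saved in sector 62.
DISK_IMAGE = build_mbr(0x90) + bytes(SECTOR * 61) + build_mbr(0xEB)

if __name__ == "__main__":
    # On a live XP box read the first 63 sectors of \\.\PhysicalDrive0 instead;
    # a rootkit in the disk stack can filter those reads, hence boot media.
    for line in describe(find_mbr_copies(DISK_IMAGE)):
        print(line)
```

The interesting case is the second verdict: an identical partition table with different boot code means sector 0 has been rewritten since the copy was taken, which is exactly what a bootkit does. An identical copy, as the detector may well have found here since it also reports the live MBR as OK, is far more often a backup left by partitioning or imaging software.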

#10
February 22, 2010 at 14:46:36
Download TDSSKiller to your Desktop from the following link.

TDSSKiller


1. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. It will extract to an unzipped folder; drag TDSSKiller.exe out of that folder onto the desktop.
2. Go to Start > Run (or hold down your Windows key and press R), copy and paste the following into the text field (make sure you include the quote marks), then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


3. If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard so that nothing is done to the file.
4. When it is done, a log file called "TDSSKiller.txt" should be created on your C: drive. Please copy and paste the contents of that file here.

