Scottdavid
When checking processes after 10 mins of the computer being booted up with access to the internet, my computer begins to slow right down, and in processes it says svchost/system/ 99 percent usage. It also has stopped programs from opening up if I don't open them as soon as I start my computer up. I have run many anti-virus programs and they seem to keep finding tracking cookies over and over.
Here are your steps:
Malware:
Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org
Database version: 7478
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
8/16/2011 7:26:06 AM
mbam-log-2011-08-16 (07-26-06).txt
Scan type: Quick scan
Objects scanned: 179328
Time elapsed: 2 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2011-08-16 07:31:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 WDC_WD2500JS-60NCB1 rev.10.02E02
Running: 6jok50wr.exe; Driver: C:\DOCUME~1\Scott\LOCALS~1\Temp\ffayraoc.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- Devices - GMER 1.0.15 ----
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89D1231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89D1231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89D1231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 89D1231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 89D1231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 89D1231B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-16 89D1231B
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software)
---- EOF - GMER 1.0.15 ----
DDS:
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_26
Run by Scott at 7:32:26 on 2011-08-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.943 [GMT -6:00]
.
AV: AVG Anti-Virus 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Avanquest Fix-It *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Avanquest\Fix-It\AVQWinMonEngine.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [AvanquestMainUI] c:\program files\avanquest\fix-it\Fix-It.exe
mPolicies-system: tray = 0 (0x0)
mPolicies-system: pop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194
TCP: Interfaces\{2ABF507B-8CAA-46A8-9C50-1BB00DDFE557} : DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\scott\application data\mozilla\firefox\profiles\8xpzqnft.default\
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12279&client_id=280cc4f8a868a80828e89cca&camp_id=2578&install_time=2011-05-27T04:13:27Z&tb_version=2.4.11000%28F%29&pr=auto&q=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-7-7 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2011-7-7 203056]
R2 AvanquestWindowsMonitorService;AvanquestWindowsMonitorService;c:\program files\avanquest\fix-it\AVQWinMonEngine.exe [2010-8-20 328704]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-16 366640]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-7-7 69936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-16 22712]
S2 SBAMSvc;Fix-It;c:\program files\common files\antivirus\SBAMSvc.exe [2010-2-22 1012080]
.
=============== Created Last 30 ================
.
2011-08-16 13:22:52 -------- d-----w- c:\documents and settings\scott\application data\Malwarebytes
2011-08-16 13:22:34 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-16 13:22:34 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-16 13:22:31 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-16 13:22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-16 12:55:37 -------- d-sha-r- C:\cmdcons
2011-08-16 12:51:37 98816 ----a-w- c:\windows\sed.exe
2011-08-16 12:51:37 518144 ----a-w- c:\windows\SWREG.exe
2011-08-16 12:51:37 256000 ----a-w- c:\windows\PEV.exe
2011-08-16 12:51:37 208896 ----a-w- c:\windows\MBR.exe
2011-08-10 22:06:54 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 22:06:33 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:25:21 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-07 19:06:51 273344 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-06-07 19:06:51 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-06-07 19:06:48 273344 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-60NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D124D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d187d0]; MOV EAX, [0x89d1884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89CF6AB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006c[0x89C0A510]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89CB1940]
\Driver\atapi[0x89D80F38] -> IRP_MJ_CREATE -> 0x89D124D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D1231B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 7:33:08.76 ===============
dds attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/25/2011 9:12:59 PM
System Uptime: 8/16/2011 7:13:04 AM (0 hours ago)
.
Motherboard: ASUSTek Computer INC. | | NODUSM
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2204/199mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 224 GiB total, 189.289 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is FIXED (FAT32) - 9 GiB total, 0.414 GiB free.
I: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 5/25/2011 9:48:00 PM - System Checkpoint
RP2: 5/25/2011 11:00:04 PM - Software Distribution Service 3.0
RP3: 5/26/2011 3:30:50 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP4: 5/26/2011 3:30:54 PM - Installed AVG 2011
RP5: 5/26/2011 3:31:06 PM - Installed AVG 2011
RP6: 5/26/2011 5:56:42 PM - Installed Windows XP KB888111WXPSP2.
RP7: 5/26/2011 6:00:08 PM - Installed Realtek High Definition Audio Driver
RP8: 5/26/2011 6:01:08 PM - Software Distribution Service 3.0
RP9: 5/26/2011 6:15:31 PM - Installed Windows XP WgaNotify.
RP10: 5/26/2011 6:18:03 PM - Installed Windows XP WIC.
RP11: 5/26/2011 6:19:32 PM - Installed %1 %2.
RP12: 5/26/2011 6:19:36 PM - Printer Driver Microsoft XPS Document Writer Installed
RP13: 5/26/2011 6:57:16 PM - Software Distribution Service 3.0
RP14: 5/26/2011 9:39:53 PM - Software Distribution Service 3.0
RP15: 5/26/2011 10:28:54 PM - Installed Windows Media Player 11
RP16: 5/26/2011 10:29:13 PM - Installed Windows XP Wudf01000.
RP17: 5/26/2011 10:30:33 PM - Installed Windows XP MSCompPackV1.
RP18: 5/26/2011 10:38:51 PM - Installed Java(TM) 6 Update 22
RP19: 5/27/2011 3:00:14 AM - Software Distribution Service 3.0
RP20: 5/27/2011 1:31:37 PM - Installed iTunes
RP21: 5/28/2011 3:00:13 AM - Software Distribution Service 3.0
RP22: 5/29/2011 3:00:13 AM - Software Distribution Service 3.0
RP23: 5/30/2011 3:00:14 AM - Software Distribution Service 3.0
RP24: 5/30/2011 1:06:44 PM - Software Distribution Service 3.0
RP25: 5/30/2011 1:09:15 PM - Printer Driver Microsoft XPS Document Writer Installed
RP26: 5/31/2011 3:00:13 AM - Software Distribution Service 3.0
RP27: 6/1/2011 3:00:13 AM - Software Distribution Service 3.0
RP28: 6/2/2011 3:00:13 AM - Software Distribution Service 3.0
RP29: 6/2/2011 8:16:55 PM - HOTLLAMA Media Player Installation
RP30: 6/5/2011 12:09:08 PM - System Checkpoint
RP31: 6/6/2011 6:55:48 PM - System Checkpoint
RP32: 6/7/2011 12:23:13 PM - Installed Gears of War
RP33: 6/16/2011 3:00:14 AM - Software Distribution Service 3.0
RP34: 6/19/2011 10:45:46 AM - System Checkpoint
RP35: 6/20/2011 10:51:58 AM - System Checkpoint
RP36: 6/21/2011 5:53:23 PM - System Checkpoint
RP37: 6/22/2011 11:59:36 PM - System Checkpoint
RP38: 6/24/2011 12:54:16 AM - System Checkpoint
RP39: 6/26/2011 12:08:40 PM - System Checkpoint
RP40: 6/27/2011 8:25:18 PM - System Checkpoint
RP41: 6/29/2011 3:00:13 AM - Software Distribution Service 3.0
RP42: 6/30/2011 3:00:13 AM - Software Distribution Service 3.0
RP43: 7/2/2011 3:00:14 AM - Software Distribution Service 3.0
RP44: 7/3/2011 10:31:41 AM - System Checkpoint
RP45: 7/4/2011 11:21:02 AM - System Checkpoint
RP46: 7/5/2011 12:21:02 PM - System Checkpoint
RP47: 7/6/2011 2:34:32 PM - System Checkpoint
RP48: 7/7/2011 4:32:08 PM - Installed Fix-It Utilities 11 Professional
RP49: 7/9/2011 12:47:45 AM - System Checkpoint
RP50: 7/9/2011 3:00:21 AM - Software Distribution Service 3.0
RP51: 7/10/2011 11:35:06 AM - Removed AVG 2011
RP52: 7/10/2011 11:36:12 AM - Removed AVG 2011
RP53: 7/10/2011 11:50:39 AM - Installed Java(TM) 6 Update 26
RP54: 7/11/2011 12:17:27 PM - System Checkpoint
RP55: 7/13/2011 12:23:21 PM - System Checkpoint
RP56: 7/14/2011 5:09:17 PM - Installed AVG 2011
RP57: 7/14/2011 5:09:56 PM - Installed AVG 2011
RP58: 7/15/2011 3:00:16 AM - Software Distribution Service 3.0
RP59: 7/15/2011 11:27:07 AM - ErrorWiz Restore point
RP60: 7/15/2011 11:53:06 AM - Installed PC MightyMax 2011
RP61: 7/15/2011 12:04:55 PM - Installed Pc Optimizer 360 setup
RP62: 7/15/2011 6:34:00 PM - Installed Microsoft Fix it 50587
RP63: 8/9/2011 7:11:52 PM - System Checkpoint
RP64: 8/11/2011 3:00:15 AM - Software Distribution Service 3.0
RP65: 8/12/2011 1:54:37 PM - System Checkpoint
RP66: 8/16/2011 6:45:57 AM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP67: 8/16/2011 6:49:13 AM - Removed AVG 2011
RP68: 8/16/2011 6:51:22 AM - Removed AVG 2011
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Bonjour
Data Fax SoftModem with SmartCP
Fix-It Utilities 11 Professional
FrostWire 4.21.8
Gears of War
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java Auto Updater
Java(TM) 6 Update 26
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 5.0 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
NVIDIA Graphics Driver 275.33
NVIDIA nView 135.85
NVIDIA nView Desktop Manager
PC MightyMax 2011
Pc Optimizer 360 setup
QuickTime
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923789)
Segoe UI
StarCraft II
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2541763)
Update for Windows XP (KB961503)
WebFldrs XP
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Driver Package - AMD System (04/06/2006 1.0.1.0)
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
.
==== End Of File ===========================
ALSO USED COMBOFIX AND HAVE A REPORT MADE FROM THAT. I USED IT BEFORE I USED YOUR STEPS:
Combofix:
ComboFix 11-08-16.02 - Scott 08/16/2011 6:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.672 [GMT -6:00]
Running from: c:\documents and settings\Scott\My Documents\Downloads\ComboFix.exe
AV: Avanquest Fix-It *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
AV: AVG Anti-Virus 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\Guest\Application Data\alot
c:\documents and settings\Scott\Application Data\Adobe\plugs
c:\documents and settings\Scott\Application Data\Adobe\plugs\KB638959250
c:\documents and settings\Scott\Application Data\Adobe\shed
c:\documents and settings\Scott\Application Data\ErrorWiz
c:\documents and settings\Scott\Application Data\ErrorWiz\Backup\Automatic Backup_07-15-2011_11-27-08.reg
c:\documents and settings\Scott\Application Data\ErrorWiz\settings.ini
c:\program files\ErrorWiz
c:\program files\ErrorWiz\ErrorWiz.exe
H:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-07-16 to 2011-08-16 )))))))))))))))))))))))))))))))
.
.
2011-08-10 22:06 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 22:06 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2011-05-26 03:07 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:25 . 2011-05-27 04:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-21 18:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-25 06:09 . 2006-05-09 21:50 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-05-25 06:09 . 2006-05-09 21:50 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2011-05-25 06:09 . 2006-05-09 21:50 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-05-25 06:09 . 2006-05-09 21:50 13895272 ----a-w- c:\windows\system32\nvcpl.dll
2011-05-25 06:09 . 2011-06-07 19:06 543336 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-05-25 06:09 . 2011-06-07 19:06 899688 ----a-w- c:\windows\system32\nvdispco3220150.dll
2011-05-25 06:09 . 2011-06-07 19:06 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2011-05-25 06:09 . 2011-06-07 19:06 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-05-25 06:09 . 2011-06-07 19:06 2808936 ----a-w- c:\windows\system32\nvcuvid.dll
2011-05-25 06:09 . 2011-06-07 19:06 2082408 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-05-25 06:09 . 2006-05-09 21:50 16068608 ----a-w- c:\windows\system32\nvoglnt.dll
2011-05-25 06:09 . 2006-05-09 21:50 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-05-25 06:09 . 2011-06-07 19:06 5332992 ----a-w- c:\windows\system32\nvcuda.dll
2011-05-25 06:09 . 2011-06-07 19:06 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-05-25 06:09 . 2006-05-09 21:50 4198272 ----a-w- c:\windows\system32\nv4_disp.dll
2011-05-25 06:09 . 2006-05-09 21:50 2328576 ----a-w- c:\windows\system32\nvapi.dll
2011-05-25 06:09 . 2006-05-09 21:50 12753664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-06-21 18:24 . 2011-05-27 00:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 19:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"MRT"="c:\windows\system32\MRT.exe" [2011-08-11 52390856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFTWUwtR0pSVzItTlFIWEMtUVQ3T0otMlk0VEstOQ&inst=NzYtODc5MzQ0ODc4LUZMMTArMS1YTzEwKzExLUxJQysyLVRVRyszLUREVCsw&prod=92&ver=10.0.1392" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AvanquestMainUI"="c:\program files\Avanquest\Fix-It\Fix-It.exe" [2011-03-01 1150744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"tray"= 0 (0x0)
"pop"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\Support\\BlizzardDownloader.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/7/2011 4:37 PM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 8:22 AM 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [7/7/2011 4:37 PM 203056]
R2 AvanquestWindowsMonitorService;AvanquestWindowsMonitorService;c:\program files\Avanquest\Fix-It\AVQWinMonEngine.exe [8/20/2010 8:21 PM 328704]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [7/7/2011 4:37 PM 69936]
R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
R4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
S2 SBAMSvc;Fix-It;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [2/22/2010 1:29 PM 1012080]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgldx86
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-08-16 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 19:29]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\8xpzqnft.default\
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12279&client_id=280cc4f8a868a80828e89cca&camp_id=2578&install_time=2011-05-27T04:13Z&tb_version=2.4.11000%28F%29&pr=auto&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Filip - (no file)
HKLM-Run-ErrorWiz - c:\program files\ErrorWiz\ErrorWiz.exe
Notify-TPSvc - TPSvc.dll
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-16 07:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-60NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89C5B31B
user & kernel MBR OK
.
**************************************************************************
.
Completion time: 2011-08-16 07:08:45
ComboFix-quarantined-files.txt 2011-08-16 13:08
.
Pre-Run: 202,405,736,448 bytes free
Post-Run: 203,264,847,872 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 17F5785D13213B7777E6BB2472510641
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MRT] "c:\windows\system32\MRT.exe" /R
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [AvanquestMainUI] c:\program files\avanquest\fix-it\Fix-It.exe
mPolicies-system: tray = 0 (0x0)
mPolicies-system: pop = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194
TCP: Interfaces\{2ABF507B-8CAA-46A8-9C50-1BB00DDFE557} : DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\scott\application data\mozilla\firefox\profiles\8xpzqnft.default\
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12279&client_id=280cc4f8a868a80828e89cca&camp_id=2578&install_time=2011-05-27T04:13:27Z&tb_version=2.4.11000%28F%29&pr=auto&q=
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2011-7-7 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2011-7-7 203056]
R2 AvanquestWindowsMonitorService;AvanquestWindowsMonitorService;c:\program files\avanquest\fix-it\AVQWinMonEngine.exe [2010-8-20 328704]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-8-16 366640]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-7-7 69936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-16 22712]
S2 SBAMSvc;Fix-It;c:\program files\common files\antivirus\SBAMSvc.exe [2010-2-22 1012080]
.
=============== Created Last 30 ================
.
2011-08-16 13:22:52 -------- d-----w- c:\documents and settings\scott\application data\Malwarebytes
2011-08-16 13:22:34 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-16 13:22:34 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-16 13:22:31 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-16 13:22:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-16 12:55:37 -------- d-sha-r- C:\cmdcons
2011-08-16 12:51:37 98816 ----a-w- c:\windows\sed.exe
2011-08-16 12:51:37 518144 ----a-w- c:\windows\SWREG.exe
2011-08-16 12:51:37 256000 ----a-w- c:\windows\PEV.exe
2011-08-16 12:51:37 208896 ----a-w- c:\windows\MBR.exe
2011-08-10 22:06:54 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 22:06:33 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:25:21 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-21 18:18:34 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18:34 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18:34 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58:45 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-07 19:06:51 273344 ----a-w- c:\windows\system32\nvdrsdb0.bin
2011-06-07 19:06:51 1 ----a-w- c:\windows\system32\nvdrssel.bin
2011-06-07 19:06:48 273344 ----a-w- c:\windows\system32\nvdrsdb1.bin
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-60NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D124D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89d187d0]; MOV EAX, [0x89d1884c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x89CF6AB8]
3 CLASSPNP[0xB8108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006c[0x89C0A510]
5 ACPI[0xB7F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x89CB1940]
\Driver\atapi[0x89D80F38] -> IRP_MJ_CREATE -> 0x89D124D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89D1231B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 7:33:08.76 ===============
dds attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/25/2011 9:12:59 PM
System Uptime: 8/16/2011 7:13:04 AM (0 hours ago)
.
Motherboard: ASUSTek Computer INC. | | NODUSM
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2204/199mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 224 GiB total, 189.289 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is FIXED (FAT32) - 9 GiB total, 0.414 GiB free.
I: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 5/25/2011 9:48:00 PM - System Checkpoint
RP2: 5/25/2011 11:00:04 PM - Software Distribution Service 3.0
RP3: 5/26/2011 3:30:50 PM - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
RP4: 5/26/2011 3:30:54 PM - Installed AVG 2011
RP5: 5/26/2011 3:31:06 PM - Installed AVG 2011
RP6: 5/26/2011 5:56:42 PM - Installed Windows XP KB888111WXPSP2.
RP7: 5/26/2011 6:00:08 PM - Installed Realtek High Definition Audio Driver
RP8: 5/26/2011 6:01:08 PM - Software Distribution Service 3.0
RP9: 5/26/2011 6:15:31 PM - Installed Windows XP WgaNotify.
RP10: 5/26/2011 6:18:03 PM - Installed Windows XP WIC.
RP11: 5/26/2011 6:19:32 PM - Installed %1 %2.
RP12: 5/26/2011 6:19:36 PM - Printer Driver Microsoft XPS Document Writer Installed
RP13: 5/26/2011 6:57:16 PM - Software Distribution Service 3.0
RP14: 5/26/2011 9:39:53 PM - Software Distribution Service 3.0
RP15: 5/26/2011 10:28:54 PM - Installed Windows Media Player 11
RP16: 5/26/2011 10:29:13 PM - Installed Windows XP Wudf01000.
RP17: 5/26/2011 10:30:33 PM - Installed Windows XP MSCompPackV1.
RP18: 5/26/2011 10:38:51 PM - Installed Java(TM) 6 Update 22
RP19: 5/27/2011 3:00:14 AM - Software Distribution Service 3.0
RP20: 5/27/2011 1:31:37 PM - Installed iTunes
RP21: 5/28/2011 3:00:13 AM - Software Distribution Service 3.0
RP22: 5/29/2011 3:00:13 AM - Software Distribution Service 3.0
RP23: 5/30/2011 3:00:14 AM - Software Distribution Service 3.0
RP24: 5/30/2011 1:06:44 PM - Software Distribution Service 3.0
RP25: 5/30/2011 1:09:15 PM - Printer Driver Microsoft XPS Document Writer Installed
RP26: 5/31/2011 3:00:13 AM - Software Distribution Service 3.0
RP27: 6/1/2011 3:00:13 AM - Software Distribution Service 3.0
RP28: 6/2/2011 3:00:13 AM - Software Distribution Service 3.0
RP29: 6/2/2011 8:16:55 PM - HOTLLAMA Media Player Installation
RP30: 6/5/2011 12:09:08 PM - System Checkpoint
RP31: 6/6/2011 6:55:48 PM - System Checkpoint
RP32: 6/7/2011 12:23:13 PM - Installed Gears of War
RP33: 6/16/2011 3:00:14 AM - Software Distribution Service 3.0
RP34: 6/19/2011 10:45:46 AM - System Checkpoint
RP35: 6/20/2011 10:51:58 AM - System Checkpoint
RP36: 6/21/2011 5:53:23 PM - System Checkpoint
RP37: 6/22/2011 11:59:36 PM - System Checkpoint
RP38: 6/24/2011 12:54:16 AM - System Checkpoint
RP39: 6/26/2011 12:08:40 PM - System Checkpoint
RP40: 6/27/2011 8:25:18 PM - System Checkpoint
RP41: 6/29/2011 3:00:13 AM - Software Distribution Service 3.0
RP42: 6/30/2011 3:00:13 AM - Software Distribution Service 3.0
RP43: 7/2/2011 3:00:14 AM - Software Distribution Service 3.0
RP44: 7/3/2011 10:31:41 AM - System Checkpoint
RP45: 7/4/2011 11:21:02 AM - System Checkpoint
RP46: 7/5/2011 12:21:02 PM - System Checkpoint
RP47: 7/6/2011 2:34:32 PM - System Checkpoint
RP48: 7/7/2011 4:32:08 PM - Installed Fix-It Utilities 11 Professional
RP49: 7/9/2011 12:47:45 AM - System Checkpoint
RP50: 7/9/2011 3:00:21 AM - Software Distribution Service 3.0
RP51: 7/10/2011 11:35:06 AM - Removed AVG 2011
RP52: 7/10/2011 11:36:12 AM - Removed AVG 2011
RP53: 7/10/2011 11:50:39 AM - Installed Java(TM) 6 Update 26
RP54: 7/11/2011 12:17:27 PM - System Checkpoint
RP55: 7/13/2011 12:23:21 PM - System Checkpoint
RP56: 7/14/2011 5:09:17 PM - Installed AVG 2011
RP57: 7/14/2011 5:09:56 PM - Installed AVG 2011
RP58: 7/15/2011 3:00:16 AM - Software Distribution Service 3.0
RP59: 7/15/2011 11:27:07 AM - ErrorWiz Restore point
RP60: 7/15/2011 11:53:06 AM - Installed PC MightyMax 2011
RP61: 7/15/2011 12:04:55 PM - Installed Pc Optimizer 360 setup
RP62: 7/15/2011 6:34:00 PM - Installed Microsoft Fix it 50587
RP63: 8/9/2011 7:11:52 PM - System Checkpoint
RP64: 8/11/2011 3:00:15 AM - Software Distribution Service 3.0
RP65: 8/12/2011 1:54:37 PM - System Checkpoint
RP66: 8/16/2011 6:45:57 AM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP67: 8/16/2011 6:49:13 AM - Removed AVG 2011
RP68: 8/16/2011 6:51:22 AM - Removed AVG 2011
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
Bonjour
Data Fax SoftModem with SmartCP
Fix-It Utilities 11 Professional
FrostWire 4.21.8
Gears of War
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iTunes
Java Auto Updater
Java(TM) 6 Update 26
Malwarebytes' Anti-Malware version 1.51.1.1800
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Mozilla Firefox 5.0 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
NVIDIA Graphics Driver 275.33
NVIDIA nView 135.85
NVIDIA nView Desktop Manager
PC MightyMax 2011
Pc Optimizer 360 setup
QuickTime
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2559049)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB923789)
Segoe UI
StarCraft II
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2541763)
Update for Windows XP (KB961503)
WebFldrs XP
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Driver Package - AMD System (04/06/2006 1.0.1.0)
Windows Imaging Component
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
.
==== End Of File ===========================
ALSO USED COMBO FIX AND HAVE A REPORT MADE FROM THAT I USED IT BEFORE I USED YOUR STEPS:
Combofix:
ComboFix 11-08-16.02 - Scott 08/16/2011 6:57.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1982.672 [GMT -6:00]
Running from: c:\documents and settings\Scott\My Documents\Downloads\ComboFix.exe
AV: Avanquest Fix-It *Disabled/Updated* {964FCE60-0B18-4D30-ADD6-EB178909041C}
AV: AVG Anti-Virus 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\Guest\Application Data\alot
c:\documents and settings\Scott\Application Data\Adobe\plugs
c:\documents and settings\Scott\Application Data\Adobe\plugs\KB638959250
c:\documents and settings\Scott\Application Data\Adobe\shed
c:\documents and settings\Scott\Application Data\ErrorWiz
c:\documents and settings\Scott\Application Data\ErrorWiz\Backup\Automatic Backup_07-15-2011_11-27-08.reg
c:\documents and settings\Scott\Application Data\ErrorWiz\settings.ini
c:\program files\ErrorWiz
c:\program files\ErrorWiz\ErrorWiz.exe
H:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-07-16 to 2011-08-16 )))))))))))))))))))))))))))))))
.
.
2011-08-10 22:06 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 22:06 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10 . 2011-05-26 03:07 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-21 18:25 . 2011-05-27 04:15 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-21 18:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-06-21 18:18 . 2004-08-04 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-06-21 18:18 . 2004-08-04 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-06-21 12:58 . 2004-08-04 12:00 369664 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-06-02 14:02 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-25 06:09 . 2006-05-09 21:50 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-05-25 06:09 . 2006-05-09 21:50 154728 ----a-w- c:\windows\system32\nvsvc32.exe
2011-05-25 06:09 . 2006-05-09 21:50 111208 ----a-w- c:\windows\system32\nvmctray.dll
2011-05-25 06:09 . 2006-05-09 21:50 13895272 ----a-w- c:\windows\system32\nvcpl.dll
2011-05-25 06:09 . 2011-06-07 19:06 543336 ----a-w- c:\windows\system32\easyupdatusapiu.dll
2011-05-25 06:09 . 2011-06-07 19:06 899688 ----a-w- c:\windows\system32\nvdispco3220150.dll
2011-05-25 06:09 . 2011-06-07 19:06 865896 ----a-w- c:\windows\system32\nvgenco322090.dll
2011-05-25 06:09 . 2011-06-07 19:06 61440 ----a-w- c:\windows\system32\OpenCL.dll
2011-05-25 06:09 . 2011-06-07 19:06 2808936 ----a-w- c:\windows\system32\nvcuvid.dll
2011-05-25 06:09 . 2011-06-07 19:06 2082408 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-05-25 06:09 . 2006-05-09 21:50 16068608 ----a-w- c:\windows\system32\nvoglnt.dll
2011-05-25 06:09 . 2006-05-09 21:50 145000 ----a-w- c:\windows\system32\nvcolor.exe
2011-05-25 06:09 . 2011-06-07 19:06 5332992 ----a-w- c:\windows\system32\nvcuda.dll
2011-05-25 06:09 . 2011-06-07 19:06 13004800 ----a-w- c:\windows\system32\nvcompiler.dll
2011-05-25 06:09 . 2006-05-09 21:50 4198272 ----a-w- c:\windows\system32\nv4_disp.dll
2011-05-25 06:09 . 2006-05-09 21:50 2328576 ----a-w- c:\windows\system32\nvapi.dll
2011-05-25 06:09 . 2006-05-09 21:50 12753664 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-06-21 18:24 . 2011-05-27 00:12 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 19:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 16010240]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-27 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-25 13895272]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"MRT"="c:\windows\system32\MRT.exe" [2011-08-11 52390856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-app?lic=QUFTWUwtR0pSVzItTlFIWEMtUVQ3T0otMlk0VEstOQ&inst=NzYtODc5MzQ0ODc4LUZMMTArMS1YTzEwKzExLUxJQysyLVRVRyszLUREVCsw&prod=92&ver=10.0.1392" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"AvanquestMainUI"="c:\program files\Avanquest\Fix-It\Fix-It.exe" [2011-03-01 1150744]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"tray"= 0 (0x0)
"pop"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=
"c:\\Program Files\\StarCraft II\\StarCraft II.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"c:\\Program Files\\StarCraft II\\Support\\BlizzardDownloader.exe"=
"c:\\Program Files\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [7/7/2011 4:37 PM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/13/2009 8:22 AM 95024]
R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [7/7/2011 4:37 PM 203056]
R2 AvanquestWindowsMonitorService;AvanquestWindowsMonitorService;c:\program files\Avanquest\Fix-It\AVQWinMonEngine.exe [8/20/2010 8:21 PM 328704]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [7/7/2011 4:37 PM 69936]
R4 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys --> c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [?]
R4 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys --> c:\windows\system32\DRIVERS\AVGIDSEH.Sys [?]
R4 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys --> c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [?]
R4 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys --> c:\windows\system32\DRIVERS\AVGIDSShim.Sys [?]
R4 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys --> c:\windows\system32\DRIVERS\avgrkx86.sys [?]
R4 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys --> c:\windows\system32\DRIVERS\avgtdix.sys [?]
S2 SBAMSvc;Fix-It;c:\program files\Common Files\AntiVirus\SBAMSvc.exe [2/22/2010 1:29 PM 1012080]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - Avgldx86
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
2011-08-16 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-05-17 19:29]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 24.226.1.93 24.226.10.193 24.226.10.194
FF - ProfilePath - c:\documents and settings\Scott\Application Data\Mozilla\Firefox\Profiles\8xpzqnft.default\
FF - prefs.js: browser.search.selectedEngine - ALOT Search
FF - prefs.js: browser.startup.homepage - www.google.ca
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12279&client_id=280cc4f8a868a80828e89cca&camp_id=2578&install_time=2011-05-27T04:13Z&tb_version=2.4.11000%28F%29&pr=auto&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-Filip - (no file)
HKLM-Run-ErrorWiz - c:\program files\ErrorWiz\ErrorWiz.exe
Notify-TPSvc - TPSvc.dll
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-16 07:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD2500JS-60NCB1 rev.10.02E02 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89C5B31B
user & kernel MBR OK
.
**************************************************************************
.
Completion time: 2011-08-16 07:08:45
ComboFix-quarantined-files.txt 2011-08-16 13:08
.
Pre-Run: 202,405,736,448 bytes free
Post-Run: 203,264,847,872 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - 17F5785D13213B7777E6BB2472510641