Windows firewall service cannot start (solved)

asmoeone · July 1, 2010

Hello,

My system: Dell laptop running XP professional sp3 with Windows Firewall and MS Security Essentials.

Immediate issue: Windows Firewall no longer starts automatically. When I try to start manually I get the message "could not start firewall / internet connection service (ICS). Error 2: The system cannot find the file specified."

Context: Last week MSSE started finding malware. I cleaned it. It kept finding new malware. Today I got a browser hijack. A scan with MalwareBytes found 13 items (trojans, rootkits, backdoors, infected registry keys and values) - ouch! MalwareBytes requested a reboot in order to quarantine all items. Shutdown caused a hang and required power off. On reboot, I experienced the issue with the firewall.

I appreciate any help.

John

Goku · July 1, 2010

Hello,

My system: Dell laptop running XP professional sp3 with Windows Firewall and MS Security Essentials.

Immediate issue: Windows Firewall no longer starts automatically. When I try to start manually I get the message "could not start firewall / internet connection service (ICS). Error 2: The system cannot find the file specified."

Context: Last week MSSE started finding malware. I cleaned it. It kept finding new malware. Today I got a browser hijack. A scan with MalwareBytes found 13 items (trojans, rootkits, backdoors, infected registry keys and values) - ouch! MalwareBytes requested a reboot in order to quarantine all items. Shutdown caused a hang and required power off. On reboot, I experienced the issue with the firewall.

I appreciate any help.
John

Hello and Welcome to FPCH John. This seems to be a malware related problem. Therefore I am moving your thread into the Malware Removal forums so that noone else can interefere with the process.

Please wait patiently till one of our experts come online. Thank you for your co-operation. :)

-- Goku

Starbuck · July 2, 2010

Cheers Goku http://fc09.deviantart.net/fs21/f/2007/266/0/d/0d779334b6dc59bd.gif

Hi asmoeone,

I'd like to see what MalwareBytes removed.

I'm obviously concerned about this:

MalwareBytes found 13 items (trojans, rootkits, backdoors, infected registry keys and values)

It's better to see the devil before he sees you. ;)

Restart MalwareBytes

Click on the logs tab.

The log reports will be date stamped.

Double click on the report that removed the infections.

It'll open in 'Notepad'.

Now copy and paste the report in to a reply here.

Thanks.

asmoeone · July 2, 2010

Hello Starbuck. Here's the MalwareBytes log:

--------------------------------------------------

Malwarebytes' Anti-Malware 1.46

Malwarebytes

Database version: 4263

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

01/07/2010 13:32:51

mbam-log-2010-07-01 (13-32-51).txt

Scan type: Full scan (C:\|)

Objects scanned: 171319

Time elapsed: 1 hour(s), 1 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 10

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportMgmtService.exe (Security.Hijack) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RapportService.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{0fe0428e-3d59-ca67-dc5a-7cbd68e94e0c} (Trojan.Zbot) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Chunky\Application Data\Onotzy\xioll.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chunky\Local Settings\Temp\8.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chunky\Local Settings\Temp\tmp1c9235e5.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chunky\Local Settings\Temp\tmp3d1a5b73.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chunky\Local Settings\Temp\24.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chunky\Local Settings\Temp\tmp249f90da\rappino.exe (Backdoor.Poison) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chunky\Local Settings\Temp\tmpe23ff1f2\rappino.exe (Backdoor.Poison) -> Quarantined and deleted successfully.

C:\Documents and Settings\Chunky\Local Settings\Temp\tmp919b92f8\rappino.exe (Trojan.Zbot) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\26.tmp (Rootkit.TDSS.Gen) -> Delete on reboot.

C:\WINDOWS\Temp\A.tmp (Rootkit.TDSS.Gen) -> Delete on reboot.

Starbuck · July 2, 2010

Hi asmoeone,

Thanks for the report.

That's some pretty nasty stuff there.

Because of the 'backdoor' trojans found, I feel it's only fair to give you this warning:

It is known that these trojans can communicate with remote computers, download and run code, send emails and redirect browser requests. Unfortunately we cannot be sure about what they have done.

If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojans have been identified there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

For more information read ....Here

If you choose to format and reinstall read...... Here

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy again.

If you do decide to carry on with the cleaning process, please follow these steps:

Step 1

Download TDSSKiller and save it to your Desktop.

Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Click on Start >> Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

Step 2

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

This is an example, you may rename ComboFix to anything you want.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with the running of ComboFix.
For more information read:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Then:

Double click on Combo-Fix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
If running Vista, you may not see this screen
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

http://img.photobucket.com/albums/v708/starbuck50/cf1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

In your next reply, please submit:

TDSSKiller.txt

Combofix.txt

Thanks.

asmoeone · July 2, 2010

Thanks, I will read through the info you've supplied.

One quick question: I am currently accessing the web through an old recycled linux desktop (kept for this very purpose). The 2 computers are not intentionally networked together, but do both connect to the internet through the same router, a BT Homehub. Do you think there is any risk that data sent from this linux machine could be compromised?

Starbuck · July 2, 2010

Do you think there is any risk that data sent from this linux machine could be compromised?

I would very much doubt it.

These infections are designed to infect 'Windows' operating systems.

But, on saying that...

If your online banking passwords have been compromised from the Windows m/c, those accounts will be compromised which ever system you use to access them.

It will be the actual accounts that have been compromised.

So by changing the passwords for those accounts, should be ok.

Obviously check the accounts for any unusual debits etc though.

But the Linux system should be fairly immune to these infections.

Does that make sense?

asmoeone · July 2, 2010

yes, thanks

Starbuck · July 2, 2010

Take your time and then let me know how you want to proceed.

asmoeone · July 2, 2010

Well, I think I'd like to follow both options :)

Since this is a second-hand laptop, missing it's installation CDs, I think I'll need to contact MS to get hold of replacement media for the reinstall. In the meantime, I'd like to follow the cleanup process you suggest, as much out of interest as anything (and subject to your caveat of course). Thanks to the linux machine I can assign non-risk activity to the laptop until it gets wiped.

The issue of identity and financial information has been addressed.

Question - You suggest disabling antivirus/antispyware tools before using ComboFix. I have not figured out how to disable MS Security Essentials. Is it sufficient to turn off the real-time protection?

Here is the TDSSKIller.txt

----------------------------------------

20:52:14:567 1772 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49

20:52:14:567 1772 ================================================================================

20:52:14:567 1772 SystemInfo:

20:52:14:567 1772 OS Version: 5.1.2600 ServicePack: 3.0

20:52:14:567 1772 Product type: Workstation

20:52:14:567 1772 ComputerName: 9FDD52CB

20:52:14:567 1772 UserName: Chunky

20:52:14:567 1772 Windows directory: C:\WINDOWS

20:52:14:567 1772 System windows directory: C:\WINDOWS

20:52:14:567 1772 Processor architecture: Intel x86

20:52:14:567 1772 Number of processors: 1

20:52:14:567 1772 Page size: 0x1000

20:52:14:567 1772 Boot type: Normal boot

20:52:14:567 1772 ================================================================================

20:52:14:927 1772 Initialize success

20:52:14:927 1772

20:52:14:927 1772 Scanning Services ...

20:52:15:428 1772 Raw services enum returned 320 services

20:52:15:438 1772

20:52:15:438 1772 Scanning Drivers ...

20:52:16:199 1772 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

20:52:16:259 1772 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

20:52:16:319 1772 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

20:52:16:409 1772 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

20:52:16:459 1772 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

20:52:16:590 1772 ApfiltrService (090880e9bf20f928bc341f96d27c019e) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys

20:52:16:770 1772 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

20:52:16:830 1772 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

20:52:16:950 1772 ati2mtag (246248aada156450be611eceaa5fe033) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

20:52:17:150 1772 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

20:52:17:211 1772 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

20:52:17:321 1772 b57w2k (3a3a82ffd268bcfb7ae6a48cecf00ad9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

20:52:17:441 1772 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

20:52:17:521 1772 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

20:52:17:581 1772 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys

20:52:17:691 1772 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys

20:52:17:771 1772 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys

20:52:17:821 1772 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys

20:52:17:892 1772 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

20:52:17:992 1772 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

20:52:18:072 1772 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

20:52:18:122 1772 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

20:52:18:172 1772 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys

20:52:18:232 1772 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

20:52:18:282 1772 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

20:52:18:382 1772 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

20:52:18:442 1772 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

20:52:18:563 1772 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

20:52:18:663 1772 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

20:52:18:743 1772 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

20:52:18:803 1772 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

20:52:18:843 1772 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

20:52:18:913 1772 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

20:52:18:953 1772 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

20:52:18:993 1772 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

20:52:19:093 1772 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

20:52:19:193 1772 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

20:52:19:243 1772 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

20:52:19:304 1772 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

20:52:19:364 1772 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

20:52:19:504 1772 HSFHWICH (a84bbbdd125d370593004f6429f8445c) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys

20:52:19:594 1772 HSF_DPV (b678fa91cf4a1c19b462d8db04cd02ab) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS

20:52:19:824 1772 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

20:52:20:615 1772 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

20:52:20:716 1772 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

20:52:20:766 1772 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

20:52:20:826 1772 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

20:52:20:876 1772 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

20:52:20:966 1772 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

20:52:21:016 1772 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

20:52:21:106 1772 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

20:52:21:176 1772 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

20:52:21:256 1772 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

20:52:21:306 1772 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

20:52:21:357 1772 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

20:52:21:407 1772 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

20:52:21:477 1772 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys

20:52:21:527 1772 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

20:52:21:577 1772 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

20:52:21:717 1772 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

20:52:21:807 1772 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

20:52:21:857 1772 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

20:52:21:937 1772 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

20:52:21:987 1772 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

20:52:22:038 1772 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

20:52:22:118 1772 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys

20:52:22:268 1772 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

20:52:22:358 1772 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

20:52:22:428 1772 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

20:52:22:498 1772 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

20:52:22:558 1772 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

20:52:22:618 1772 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

20:52:22:678 1772 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

20:52:22:739 1772 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

20:52:22:809 1772 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

20:52:22:859 1772 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

20:52:22:899 1772 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

20:52:22:979 1772 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

20:52:23:019 1772 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

20:52:23:059 1772 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

20:52:23:099 1772 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

20:52:23:169 1772 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

20:52:23:249 1772 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

20:52:23:299 1772 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

20:52:23:369 1772 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

20:52:23:419 1772 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

20:52:23:470 1772 OZSCR (ab2b07ac4afd38f574d903eaf9e98a60) C:\WINDOWS\system32\DRIVERS\ozscr.sys

20:52:23:520 1772 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

20:52:23:580 1772 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

20:52:23:620 1772 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

20:52:23:700 1772 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

20:52:23:800 1772 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

20:52:23:840 1772 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

20:52:23:950 1772 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

20:52:23:990 1772 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

20:52:24:070 1772 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

20:52:24:141 1772 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

20:52:24:261 1772 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

20:52:24:321 1772 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

20:52:24:371 1772 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

20:52:24:421 1772 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

20:52:24:471 1772 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

20:52:24:521 1772 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

20:52:24:601 1772 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

20:52:24:691 1772 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

20:52:24:761 1772 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys

20:52:24:832 1772 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

20:52:24:882 1772 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

20:52:24:912 1772 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

20:52:24:982 1772 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

20:52:25:042 1772 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

20:52:25:102 1772 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

20:52:25:192 1772 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

20:52:25:282 1772 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys

20:52:25:342 1772 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

20:52:25:402 1772 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

20:52:25:502 1772 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

20:52:25:583 1772 Tcpip (80c9acb727f808129c31537c4f4e687a) C:\WINDOWS\system32\DRIVERS\tcpip.sys

20:52:25:583 1772 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\tcpip.sys. Real md5: 80c9acb727f808129c31537c4f4e687a, Fake md5: 9aefa14bd6b182d61e3119fa5f436d3d

20:52:25:583 1772 File "C:\WINDOWS\system32\DRIVERS\tcpip.sys" infected by TDSS rootkit ... 20:52:25:723 1772 Backup copy found, using it..

20:52:25:793 1772 will be cured on next reboot

20:52:25:913 1772 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

20:52:25:973 1772 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

20:52:26:033 1772 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

20:52:26:083 1772 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

20:52:26:264 1772 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

20:52:26:304 1772 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

20:52:26:364 1772 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

20:52:26:444 1772 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

20:52:26:524 1772 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

20:52:26:554 1772 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

20:52:26:584 1772 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

20:52:26:734 1772 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

20:52:26:794 1772 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

20:52:26:874 1772 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

20:52:26:975 1772 winachsf (0c5b9cf1bdf998750d9c5eeb5f8c55ac) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

20:52:27:075 1772 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

20:52:27:155 1772 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

20:52:27:165 1772 Reboot required for cure complete..

20:52:27:736 1772 Cure on reboot scheduled successfully

20:52:27:736 1772

20:52:27:736 1772 Completed

20:52:27:736 1772

20:52:27:736 1772 Results:

20:52:27:736 1772 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

20:52:27:736 1772 File objects infected / cured / cured on reboot: 1 / 0 / 1

20:52:27:736 1772

20:52:27:736 1772 KLMD(ARK) unloaded successfully

Starbuck · July 2, 2010

Question - You suggest disabling antivirus/antispyware tools before using ComboFix. I have not figured out how to disable MS Security Essentials. Is it sufficient to turn off the real-time protection?

yes, follow these instructions:

Click on the MSSE icon in the taskbar.

then click open.

Click on the Settings tab.

click on Real-time protection ( left hand side)

Untick ... turn on real-time protection (recommended)

click on save changes

I see that TDSSKiller has started to remove and replace items.

Let's see what CF will follow up with.

asmoeone · July 3, 2010

Here it is...ComboFix.txt

-------------------------------------

ComboFix 10-07-01.02 - Chunky 03/07/2010 9:00.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.624 [GMT 1:00]

Running from: c:\documents and settings\Chunky\Desktop\Combo-Fix.exe

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

.

((((((((((((((((((((((((( Files Created from 2010-06-03 to 2010-07-03 )))))))))))))))))))))))))))))))

.

2010-07-01 11:24 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-01 11:24 . 2010-07-01 11:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-01 11:24 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-29 07:08 . 2010-06-29 07:08 69232 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-06-25 07:27 . 2010-06-25 07:27 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-25 07:20 . 2010-06-25 07:20 -------- d-----w- c:\documents and settings\Chunky\Local Settings\Application Data\PCHealth

2010-06-25 07:20 . 2010-06-25 07:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth

2010-06-20 16:10 . 2010-06-24 22:59 -------- d-----w- c:\documents and settings\Chunky\Local Settings\Application Data\Spotify

2010-06-20 16:10 . 2010-06-24 22:59 -------- d-----w- c:\documents and settings\Chunky\Application Data\Spotify

2010-06-20 16:10 . 2010-06-20 16:10 655360 ----a-w- c:\documents and settings\Chunky\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll

2010-06-20 16:10 . 2010-06-20 16:10 282624 ----a-w- c:\documents and settings\Chunky\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll

2010-06-20 16:10 . 2010-06-20 16:10 208896 ----a-w- c:\documents and settings\Chunky\Application Data\Spotify\Gracenote\gnsdk_dsp.dll

2010-06-20 16:10 . 2010-06-20 16:10 -------- d-----w- c:\program files\Spotify

2010-06-17 10:22 . 2010-06-17 10:22 -------- d-----w- c:\documents and settings\Chunky\Local Settings\Application Data\Bit Computing

2010-06-09 09:14 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-07 17:10 . 2010-06-07 17:10 -------- d-----w- c:\program files\Foxit Software

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-03 07:57 . 2010-01-02 14:46 -------- d-----w- c:\documents and settings\Chunky\Application Data\Dropbox

2010-07-02 19:54 . 2004-08-04 12:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys

2010-07-02 17:21 . 2009-01-04 15:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-07-01 12:33 . 2010-03-05 01:48 -------- d-----w- c:\documents and settings\Chunky\Application Data\Urydi

2010-07-01 12:32 . 2009-04-11 23:54 -------- d-----w- c:\documents and settings\Chunky\Application Data\Onotzy

2010-07-01 10:38 . 2010-04-21 07:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-29 07:08 . 2010-04-12 12:08 -------- d-----w- c:\program files\Microsoft Security Essentials

2010-06-23 00:13 . 2009-07-21 20:57 -------- d-----w- c:\documents and settings\Chunky\Application Data\vlc

2010-06-10 15:53 . 2010-04-26 19:09 -------- d-----w- c:\documents and settings\Chunky\Application Data\uTorrent

2010-06-09 10:25 . 2008-08-12 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-06-05 00:56 . 2009-02-09 21:28 -------- d-----w- c:\program files\Microsoft Silverlight

2010-06-01 19:34 . 2010-06-01 19:34 503808 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-54817dde-n\msvcp71.dll

2010-06-01 19:34 . 2010-06-01 19:34 499712 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-54817dde-n\jmc.dll

2010-06-01 19:34 . 2010-06-01 19:34 348160 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-54817dde-n\msvcr71.dll

2010-06-01 19:34 . 2010-06-01 19:34 61440 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24eb3439-n\decora-sse.dll

2010-06-01 19:34 . 2010-06-01 19:34 12800 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-24eb3439-n\decora-d3d.dll

2010-06-01 17:37 . 2010-04-12 12:10 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-18 23:24 . 2010-04-26 19:10 -------- d-----w- c:\program files\uTorrent

2010-05-09 22:53 . 2009-01-04 15:36 -------- d-----w- c:\program files\Google

2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-20 10:48 . 2010-04-20 10:48 503808 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2b516f6b-n\msvcp71.dll

2010-04-20 10:48 . 2010-04-20 10:48 499712 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2b516f6b-n\jmc.dll

2010-04-20 10:48 . 2010-04-20 10:48 348160 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2b516f6b-n\msvcr71.dll

2010-04-20 10:48 . 2010-04-20 10:48 61440 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ec28388-n\decora-sse.dll

2010-04-20 10:48 . 2010-04-20 10:48 12800 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-5ec28388-n\decora-d3d.dll

2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-13 18:10 . 2010-04-13 18:10 152576 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2010-04-13 18:10 . 2010-04-12 12:08 79488 ----a-w- c:\documents and settings\Chunky\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-04-12 16:29 . 2010-04-20 10:48 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-12 16:29 . 2008-08-12 20:12 69232 ----a-w- c:\documents and settings\Chunky\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-11 16:36 . 2010-04-11 16:36 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys

2010-04-11 16:36 . 2010-04-11 16:36 333192 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgldx86.sys

2010-04-11 16:36 . 2010-04-11 16:36 28424 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgmfx86.sys

2010-04-11 16:32 . 2010-01-02 14:46 91696 ----a-w- c:\documents and settings\Chunky\Application Data\Dropbox\bin\Uninstall.exe

2010-04-11 16:31 . 2010-04-11 16:31 13264416 ----a-w- c:\documents and settings\Chunky\Application Data\Dropbox\cache\Dropbox-update-0.7.110.exe

2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Chunky\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Chunky\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Chunky\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-11-10 344064]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]

"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-06-01 1093208]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Chunky\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Chunky\Application Data\Dropbox\bin\Dropbox.exe [2010-2-26 21979992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Documents and Settings\\Chunky\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [12/08/2008 21:05 92550]

S2 gupdate1c985eb53826ce0;Google Update Service (gupdate1c985eb53826ce0);c:\program files\Google\Update\GoogleUpdate.exe [03/02/2009 11:36 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

getPlusHelper REG_MULTI_SZ getPlusHelper

.

Contents of the 'Scheduled Tasks' folder

2010-07-03 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-04 17:49]

2010-07-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 10:36]

2010-07-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 10:36]

2010-07-03 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-25 20:40]

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

Trusted Zone: motive.com\pbttbc.bt

FF - ProfilePath - c:\documents and settings\Chunky\Application Data\Mozilla\Firefox\Profiles\i6qwppnv.default\

FF - prefs.js: browser.startup.homepage - hxxp://mail.yahoo.com/

FF - plugin: c:\documents and settings\Chunky\Application Data\Mozilla\Firefox\Profiles\i6qwppnv.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np32asw.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npBTEmailConfig.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

------- File Associations -------

.

.txt=

.

- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

HKCU-Run-AdobeBridge - (no file)

HKCU-Run-TimeTrack Task - c:\documents and settings\Chunky\My Documents\Temp\timetrack.exe

HKLM-Run-COMODO Firewall Pro - c:\program files\COMODO\Firewall\cfp.exe

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2010-07-03 09:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)

c:\windows\system32\Ati2evxx.dll

c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2280)

c:\windows\system32\WININET.dll

c:\documents and settings\Chunky\Application Data\Dropbox\bin\DropboxExt.13.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

Completion time: 2010-07-03 09:05:36

ComboFix-quarantined-files.txt 2010-07-03 08:05

Pre-Run: 21,592,268,800 bytes free

Post-Run: 22,382,325,760 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - F19AD829040B753FB9785B43A8C2DA67

Starbuck · July 3, 2010

Hi asmoeone,

Thanks for that.

On to the next part now:

Step 1

Close any open browsers.

Close/disable all anti virus, firewall and anti malware programs so they do not interfere with the running of ComboFix:

Open Notepad - it must be Notepad, not Wordpad.

Copy the text below in the code box by highlighting all the text and pressing Ctrl+C

Folder::
c:\documents and settings\Chunky\Application Data\Urydi 
c:\documents and settings\Chunky\Application Data\Onotzy

Go to the Notepad window and click Edit >> Paste

Then click File >> Save

Name the file "CFScript.txt" (including the quotes)

Save the file to your Desktop

The main ComboFix.exe program should be on your Desktop

Drag the file you just created... CFScript.txt and drop it on the main ComboFix.exe icon

as below.

http://i275.photobucket.com/albums/jj285/Bleeping/Combofix/cf.gif

Now please wait for ComboFix to finish running.

Please Note: Do not mouse click in the combofix window while it is running - this may cause your system to hang/crash

Step 2

Download TFC by OldTimer to your desktop

Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
It will close all programs when run, so make sure you have saved all your work before you begin.
Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Step 3

Download OTL to your desktop.
if you have problems, try this download link:
OTL
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check

.

http://img.photobucket.com/albums/v708/starbuck50/new/newOtl2.png

netsvcs
msconfig
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.

http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png
.
Click the Run Scan button.

http://img.photobucket.com/albums/v708/starbuck50/runscan.png
Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit:

New combofix.txt

Both reports from OTL (if they are too big to post, please add them as attachments)

Thanks.

asmoeone · July 3, 2010

New ComboFix.txt

----------------------------

ComboFix 10-07-01.02 - Chunky 03/07/2010 13:23:12.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.636 [GMT 1:00]

Running from: c:\documents and settings\Chunky\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Chunky\Desktop\CFScript.txt

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Chunky\Application Data\Onotzy

c:\documents and settings\Chunky\Application Data\Urydi

c:\documents and settings\Chunky\Application Data\Urydi\ryyte.tmp