Cyber Tech Help Support Forums > Software > Malware Removal
#1
February 5th, 2012, 12:51 AM
gooner
CTH Subscriber
 
Join Date: Nov 2000
O/S: Windows Vista 32-bit
Location: McLeod Ganj, Dharamsala
Age: 65
Posts: 485
Help please

I have a problem with my Dell Inspiron Mini. I had AVG installed but it was showing errors so I tried to fix it. This failed so I tried to uninstall - also failed. Then I used the AVG uninstall tool which worked. The problem is now I can't reinstall AVG, I tried Avast too but this failed.

Miz on the Applications forum suggested it might be malware and to post here. Any help greatly appreciated.

#2
February 5th, 2012, 10:21 PM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 51,968
Hello Gooner,

Yes, antivirus problems, then inability to install any, does suggest unseen malware activity. Let's take a look.

To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

Click here and download OldTimer's OTL to your desktop, then click that to open the scan display. At the top click "Scan All Users", then click "Run Scan". Make no other changes at this time.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are also saved in the same location as OTL.exe. Post the contents of those back here please.

-----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

Note - If Gmer shows it has located infection once its opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • If you can, have an open Internet connection and allow it to download the latest Avast engine detections.
  • If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

A lot, but comprehensive, and will make sure we get a good view of everything.
#3
February 5th, 2012, 11:47 PM
gooner
CTH Subscriber
 
Join Date: Nov 2000
O/S: Windows Vista 32-bit
Location: McLeod Ganj, Dharamsala
Age: 65
Posts: 485
Hi Jintan

I tried to do what you said but OTL quickly goes to Not Responding.
#4
February 6th, 2012, 12:01 AM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 51,968
See if you can access Safe Mode, where the malware is less active. At startup tap the F8 key about once per half-second, then select Safe Mode with Networking from the menu that will appear.

Then for now do any of the steps you are able to, and post those logs please.
#5
February 7th, 2012, 04:34 PM
gooner
CTH Subscriber
 
Join Date: Nov 2000
O/S: Windows Vista 32-bit
Location: McLeod Ganj, Dharamsala
Age: 65
Posts: 485
I tried in Safe mode but still no luck. I managed to do the aswMBR and the log is below.


aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-07 15:27:55
-----------------------------
15:27:55.531 OS Version: Windows 5.1.2600 Service Pack 3
15:27:55.531 Number of processors: 2 586 0x1C02
15:27:55.531 ComputerName: TERRY UserName:
15:27:59.171 Initialze error C0000001 - driver not loaded
15:28:17.140 AVAST engine download error: 0
15:28:29.046 Service scanning
15:28:38.609 Service fc8f074256efddc5 C:\WINDOWS\System32\Drivers\fc8f074256efddc5.sys **HIDDEN**
15:28:40.281 Modules scanning
15:28:40.281 Disk 0 trace - called modules:
15:28:40.281
15:28:40.296 Scan finished successfully
15:28:54.515 The log file has been saved successfully to "C:\Documents and Settings\Elliott Page\Desktop\aswMBR.txt"
#6
February 7th, 2012, 11:31 PM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 51,968
Bogus service caught by that one, so at least a rootkit there.

Safe Mode with Networking for this please:

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Click here and download Kaspersky's TDSSKiller to your desktop, but as you download it, rename it to larry.com then click that file to run TDSSKiller.

In the display that opens click Start scan. Once that completes, follow any prompts to act on anything it located, including a reboot if requested.

When the scan completes it will create a log file on your C drive.

Similar in name to this:

C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt

Your copy will be different - some of those numbers will reflect the date/time it was just run by you there.

Copy/paste those contents back here please.

-----------

Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
#7
February 7th, 2012, 11:42 PM
gooner
CTH Subscriber
 
Join Date: Nov 2000
O/S: Windows Vista 32-bit
Location: McLeod Ganj, Dharamsala
Age: 65
Posts: 485
Ok here's the log:


22:38:19.0343 0208 TDSS rootkit removing tool 2.7.10.0 Feb 7 2012 15:14:46
22:38:19.0859 0208 ============================================================
22:38:19.0859 0208 Current date / time: 2012/02/07 22:38:19.0859
22:38:19.0859 0208 SystemInfo:
22:38:19.0859 0208
22:38:19.0859 0208 OS Version: 5.1.2600 ServicePack: 3.0
22:38:19.0859 0208 Product type: Workstation
22:38:19.0859 0208 ComputerName: TERRY
22:38:19.0859 0208 UserName: Elliott Page
22:38:19.0859 0208 Windows directory: C:\WINDOWS
22:38:19.0859 0208 System windows directory: C:\WINDOWS
22:38:19.0859 0208 Processor architecture: Intel x86
22:38:19.0859 0208 Number of processors: 2
22:38:19.0859 0208 Page size: 0x1000
22:38:19.0859 0208 Boot type: Safe boot with network
22:38:19.0859 0208 ============================================================
22:38:26.0609 0208 !crdlk
22:38:26.0609 0208 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'A'
22:38:26.0609 0208 \Device\Harddisk0\DR0:
22:38:26.0609 0208 Invalid mbr signature
22:38:26.0609 0208 Initialize success
22:38:26.0609 0208 ============================================================
22:38:29.0500 0376 ============================================================
22:38:29.0500 0376 Scan started
22:38:29.0500 0376 Mode: Manual;
22:38:29.0500 0376 ============================================================
22:38:30.0296 0376 Abiosdsk - ok
22:38:30.0312 0376 abp480n5 - ok
22:38:30.0343 0376 ACPI - ok
22:38:30.0375 0376 ACPIEC - ok
22:38:30.0406 0376 adpu160m - ok
22:38:30.0437 0376 aec - ok
22:38:30.0468 0376 AFD - ok
22:38:30.0484 0376 agp440 - ok
22:38:30.0515 0376 agpCPQ - ok
22:38:30.0546 0376 Aha154x - ok
22:38:30.0578 0376 aic78u2 - ok
22:38:30.0593 0376 aic78xx - ok
22:38:30.0671 0376 AliIde - ok
22:38:30.0687 0376 alim1541 - ok
22:38:30.0718 0376 Ambfilt - ok
22:38:30.0750 0376 amdagp - ok
22:38:30.0781 0376 amsint - ok
22:38:30.0859 0376 AR9271 - ok
22:38:30.0890 0376 asc - ok
22:38:30.0921 0376 asc3350p - ok
22:38:30.0937 0376 asc3550 - ok
22:38:31.0015 0376 AsyncMac - ok
22:38:31.0046 0376 atapi - ok
22:38:31.0078 0376 Atdisk - ok
22:38:31.0093 0376 Atmarpc - ok
22:38:31.0140 0376 audstub - ok
22:38:31.0203 0376 BCM43XX - ok
22:38:31.0250 0376 Beep - ok
22:38:31.0296 0376 cbidf - ok
22:38:31.0328 0376 cbidf2k - ok
22:38:31.0359 0376 CCDECODE - ok
22:38:31.0390 0376 cd20xrnt - ok
22:38:31.0406 0376 Cdaudio - ok
22:38:31.0437 0376 Cdfs - ok
22:38:31.0484 0376 Cdrom - ok
22:38:31.0500 0376 Changer - ok
22:38:31.0578 0376 CmBatt - ok
22:38:31.0609 0376 CmdIde - ok
22:38:31.0640 0376 Compbatt - ok
22:38:31.0703 0376 Cpqarray - ok
22:38:31.0750 0376 CtClsFlt - ok
22:38:31.0781 0376 dac2w2k - ok
22:38:31.0796 0376 dac960nt - ok
22:38:31.0859 0376 Disk - ok
22:38:31.0906 0376 dmboot - ok
22:38:31.0937 0376 dmio - ok
22:38:31.0953 0376 dmload - ok
22:38:32.0000 0376 DMusic - ok
22:38:32.0062 0376 dpti2o - ok
22:38:32.0078 0376 drmkaud - ok
22:38:32.0125 0376 EMSC - ok
22:38:32.0203 0376 Fastfat - ok
22:38:32.0234 0376 Suspicious service (NoAccess): fc8f074256efddc5
22:38:32.0265 0376 fc8f074256efddc5 ( LockedService.Multi.Generic ) - warning
22:38:32.0265 0376 fc8f074256efddc5 - detected LockedService.Multi.Generic (1)
22:38:32.0281 0376 Fdc - ok
22:38:32.0312 0376 Fips - ok
22:38:32.0343 0376 Flpydisk - ok
22:38:32.0359 0376 FltMgr - ok
22:38:32.0406 0376 Fs_Rec - ok
22:38:32.0437 0376 Ftdisk - ok
22:38:32.0484 0376 Gpc - ok
22:38:32.0546 0376 HDAudBus - ok
22:38:32.0609 0376 hidusb - ok
22:38:32.0656 0376 hpn - ok
22:38:32.0687 0376 HTTP - ok
22:38:32.0734 0376 i2omgmt - ok
22:38:32.0765 0376 i2omp - ok
22:38:32.0796 0376 i8042prt - ok
22:38:32.0812 0376 ialm - ok
22:38:32.0875 0376 Imapi - ok
22:38:32.0937 0376 ini910u - ok
22:38:32.0984 0376 IntcAzAudAddService - ok
22:38:33.0015 0376 IntelIde - ok
22:38:33.0046 0376 intelppm - ok
22:38:33.0062 0376 Ip6Fw - ok
22:38:33.0093 0376 IpFilterDriver - ok
22:38:33.0125 0376 IpInIp - ok
22:38:33.0156 0376 IpNat - ok
22:38:33.0171 0376 IPSec - ok
22:38:33.0203 0376 IRENUM - ok
22:38:33.0250 0376 isapnp - ok
22:38:33.0312 0376 JSWSCIMD - ok
22:38:33.0343 0376 Kbdclass - ok
22:38:33.0375 0376 kbdhid - ok
22:38:33.0406 0376 kmixer - ok
22:38:33.0421 0376 KSecDD - ok
22:38:33.0500 0376 lbrtfdc - ok
22:38:33.0578 0376 mnmdd - ok
22:38:33.0640 0376 Modem - ok
22:38:33.0656 0376 Monfilt - ok
22:38:33.0687 0376 Mouclass - ok
22:38:33.0734 0376 mouhid - ok
22:38:33.0750 0376 MountMgr - ok
22:38:33.0781 0376 MpKsl3079fb9a - ok
22:38:33.0812 0376 mraid35x - ok
22:38:33.0843 0376 MRxDAV - ok
22:38:33.0859 0376 MRxSmb - ok
22:38:33.0921 0376 Msfs - ok
22:38:33.0953 0376 MSKSSRV - ok
22:38:33.0984 0376 MSPCLOCK - ok
22:38:34.0015 0376 MSPQM - ok
22:38:34.0046 0376 mssmbios - ok
22:38:34.0078 0376 MSTEE - ok
22:38:34.0109 0376 Mup - ok
22:38:34.0125 0376 NABTSFEC - ok
22:38:34.0171 0376 NDIS - ok
22:38:34.0203 0376 NdisIP - ok
22:38:34.0218 0376 NdisTapi - ok
22:38:34.0250 0376 Ndisuio - ok
22:38:34.0281 0376 NdisWan - ok
22:38:34.0312 0376 NDProxy - ok
22:38:34.0328 0376 NetBIOS - ok
22:38:34.0359 0376 NetBT - ok
22:38:34.0500 0376 Npfs - ok
22:38:34.0531 0376 Ntfs - ok
22:38:34.0578 0376 Null - ok
22:38:34.0609 0376 NwlnkFlt - ok
22:38:34.0625 0376 NwlnkFwd - ok
22:38:34.0656 0376 OA012Afx - ok
22:38:34.0687 0376 OA012Ufd - ok
22:38:34.0718 0376 OA012Vid - ok
22:38:34.0750 0376 Parport - ok
22:38:34.0781 0376 PartMgr - ok
22:38:34.0812 0376 ParVdm - ok
22:38:34.0843 0376 PCI - ok
22:38:34.0875 0376 PCIDump - ok
22:38:34.0906 0376 PCIIde - ok
22:38:34.0921 0376 Pcmcia - ok
22:38:34.0953 0376 PDCOMP - ok
22:38:34.0984 0376 PDFRAME - ok
22:38:35.0000 0376 PDRELI - ok
22:38:35.0031 0376 PDRFRAME - ok
22:38:35.0062 0376 perc2 - ok
22:38:35.0093 0376 perc2hib - ok
22:38:35.0203 0376 PptpMiniport - ok
22:38:35.0250 0376 PSched - ok
22:38:35.0265 0376 Ptilink - ok
22:38:35.0296 0376 ql1080 - ok
22:38:35.0328 0376 Ql10wnt - ok
22:38:35.0359 0376 ql12160 - ok
22:38:35.0390 0376 ql1240 - ok
22:38:35.0421 0376 ql1280 - ok
22:38:35.0453 0376 RapportCerberus_34302 - ok
22:38:35.0484 0376 RapportEI - ok
22:38:35.0531 0376 RapportIaso - ok
22:38:35.0562 0376 RapportKELL - ok
22:38:35.0609 0376 RasAcd - ok
22:38:35.0640 0376 Rasl2tp - ok
22:38:35.0687 0376 RasPppoe - ok
22:38:35.0718 0376 Raspti - ok
22:38:35.0718 0376 Rdbss - ok
22:38:35.0750 0376 RDPCDD - ok
22:38:35.0796 0376 rdpdr - ok
22:38:35.0828 0376 RDPWD - ok
22:38:35.0875 0376 redbook - ok
22:38:35.0921 0376 RimUsb - ok
22:38:35.0984 0376 RSUSBSTOR - ok
22:38:36.0031 0376 RTLE8023xp - ok
22:38:36.0093 0376 Secdrv - ok
22:38:36.0171 0376 Serial - ok
22:38:36.0234 0376 Sfloppy - ok
22:38:36.0296 0376 Simbad - ok
22:38:36.0328 0376 sisagp - ok
22:38:36.0359 0376 SLIP - ok
22:38:36.0390 0376 Sparrow - ok
22:38:36.0421 0376 splitter - ok
22:38:36.0500 0376 sr - ok
22:38:36.0531 0376 Srv - ok
22:38:36.0593 0376 streamip - ok
22:38:36.0625 0376 swenum - ok
22:38:36.0640 0376 swmidi - ok
22:38:36.0687 0376 symc810 - ok
22:38:36.0734 0376 symc8xx - ok
22:38:36.0765 0376 sym_hi - ok
22:38:36.0796 0376 sym_u3 - ok
22:38:36.0828 0376 SynTP - ok
22:38:36.0859 0376 sysaudio - ok
22:38:36.0921 0376 Tcpip - ok
22:38:36.0953 0376 TDPIPE - ok
22:38:36.0984 0376 TDTCP - ok
22:38:37.0015 0376 TermDD - ok
22:38:37.0078 0376 TosIde - ok
22:38:37.0140 0376 Udfs - ok
22:38:37.0187 0376 ultra - ok
22:38:37.0250 0376 Update - ok
22:38:37.0312 0376 usbccgp - ok
22:38:37.0343 0376 usbehci - ok
22:38:37.0375 0376 usbhub - ok
22:38:37.0406 0376 usbprint - ok
22:38:37.0421 0376 USBSTOR - ok
22:38:37.0453 0376 usbuhci - ok
22:38:37.0484 0376 usbvideo - ok
22:38:37.0515 0376 VgaSave - ok
22:38:37.0531 0376 viaagp - ok
22:38:37.0562 0376 ViaIde - ok
22:38:37.0609 0376 VolSnap - ok
22:38:37.0687 0376 Wanarp - ok
22:38:37.0718 0376 Wdf01000 - ok
22:38:37.0750 0376 WDICA - ok
22:38:37.0781 0376 wdmaud - ok
22:38:37.0921 0376 WmiAcpi - ok
22:38:38.0031 0376 WSTCODEC - ok
22:38:38.0109 0376 ZDPSp50 - ok
22:38:38.0156 0376 ZTEusbmdm6k - ok
22:38:38.0171 0376 ZTEusbnet - ok
22:38:38.0203 0376 ZTEusbnmea - ok
22:38:38.0234 0376 ZTEusbser6k - ok
22:38:38.0265 0376 ZTEusbvoice - ok
22:38:38.0343 0376 MBR (0x1B8) (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0
22:38:49.0203 0376 \Device\Harddisk0\DR0 - ok
22:38:49.0203 0376 ============================================================
22:38:49.0203 0376 Scan finished
22:38:49.0203 0376 ============================================================
22:38:49.0250 0368 Detected object count: 1
22:38:49.0250 0368 Actual detected object count: 1
22:40:03.0906 0368 fc8f074256efddc5 ( LockedService.Multi.Generic ) - User select action: Quarantine
22:40:07.0640 0720 ============================================================
22:40:07.0640 0720 Scan started
22:40:07.0640 0720 Mode: Manual;
22:40:07.0640 0720 ============================================================
22:40:07.0796 0720 Abiosdsk - ok
22:40:07.0828 0720 abp480n5 - ok
22:40:07.0875 0720 ACPI - ok
22:40:07.0890 0720 ACPIEC - ok
22:40:07.0921 0720 Scan interrupted by user!
22:40:07.0921 0720 Scan interrupted by user!
22:40:07.0921 0720 ============================================================
22:40:07.0921 0720 Scan finished
22:40:07.0921 0720 ============================================================
22:40:07.0953 0712 Detected object count: 0
22:40:07.0953 0712 Actual detected object count: 0
22:40:14.0609 0200 Deinitialize success
#8
February 9th, 2012, 12:33 AM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 51,968
If I read that correctly, you allowed it to act on that service, then perhaps started a second run? But let's see what ComboFix does.
#9
February 9th, 2012, 09:53 AM
gooner
CTH Subscriber
 
Join Date: Nov 2000
O/S: Windows Vista 32-bit
Location: McLeod Ganj, Dharamsala
Age: 65
Posts: 485
I am not sure what you mean by allowed it to act or by what you want me to do now, what is ComboFix?
#10
February 10th, 2012, 12:18 AM
gooner
CTH Subscriber
 
Join Date: Nov 2000
O/S: Windows Vista 32-bit
Location: McLeod Ganj, Dharamsala
Age: 65
Posts: 485
Hi Jintan

I had a search for combofix, found it, ran it and here is the log:


ComboFix 12-02-02.02 - Elliott Page 09/02/2012 23:02:23.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.615 [GMT 0:00]
Running from: c:\documents and settings\Elliott Page\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\QuestDns
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Start Menu\Programs\ShopperReports
c:\documents and settings\All Users\Start Menu\Programs\ShopperReports\About Us.lnk
c:\documents and settings\All Users\Start Menu\Programs\ShopperReports\Customer Support.lnk
c:\documents and settings\All Users\Start Menu\Programs\ShopperReports\ShopperReports Uninstall Instructions.lnk
c:\program files\QuestDns
c:\program files\QuestDns\questdns.exe
c:\program files\QuestDns\uninstall.exe
C:\servi3e.bin
.
.
((((((((((((((((((((((((( Files Created from 2012-01-09 to 2012-02-09 )))))))))))))))))))))))))))))))
.
.
2012-02-07 22:40 . 2012-02-07 22:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-07 22:36 . 2012-02-07 22:36 -------- d--h--w- c:\windows\PIF
2012-02-04 23:46 . 2012-02-04 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-02-04 00:30 . 2012-02-04 00:30 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-04 00:06 . 2012-02-04 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-02-04 00:06 . 2012-02-04 00:06 -------- d-----w- c:\program files\AVAST Software
2012-02-03 23:43 . 2012-02-03 23:43 -------- d-----w- c:\program files\CCleaner
2012-02-03 18:21 . 2012-02-03 18:21 -------- d-----w- c:\program files\iTunes
2012-02-03 18:20 . 2012-02-03 18:20 -------- d-----w- c:\documents and settings\Elliott Page\Local Settings\Application Data\Apple
2012-02-03 18:20 . 2012-02-03 18:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2012-02-03 18:20 . 2012-02-03 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2012-02-03 08:58 . 2012-02-03 08:58 -------- d-----w- c:\program files\Common Files\Java
2012-02-03 08:49 . 2011-11-10 05:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 08:43 . 2012-02-03 08:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-02-02 16:25 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-31 22:17 . 2012-02-04 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-27 23:23 . 2012-01-27 23:23 -------- d-----w- c:\documents and settings\Elliott Page\Local Settings\Application Data\Trusteer
2012-01-27 23:23 . 2012-01-27 23:23 -------- d-----w- c:\program files\Trusteer
2012-01-27 23:22 . 2012-01-27 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-01-25 16:48 . 2012-02-03 18:16 -------- d-----w- c:\program files\QuickTime
2012-01-25 16:47 . 2012-02-03 18:20 -------- d-----w- c:\program files\Apple Software Update
2012-01-25 16:46 . 2012-02-03 18:20 -------- d-----w- c:\program files\Common Files\Apple
2012-01-24 22:29 . 2012-02-03 18:20 -------- d-----w- c:\program files\Password Agent
2012-01-24 11:56 . 2012-01-25 16:45 -------- d-----w- c:\documents and settings\Elliott Page\Local Settings\Application Data\Apple Computer
2012-01-24 11:56 . 2012-01-24 11:57 -------- d-----w- c:\documents and settings\Elliott Page\Application Data\Apple Computer
2012-01-24 11:52 . 2012-02-03 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-01-24 11:52 . 2012-01-24 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-01-24 11:49 . 2012-02-03 18:20 -------- d-----w- c:\program files\Bonjour
2012-01-24 09:43 . 2012-01-24 09:43 43008 ----a-w- c:\windows\system32\drivers\fc8f074256efddc5.sys
2012-01-24 00:29 . 2012-01-23 22:46 31232 ----a-w- c:\documents and settings\Elliott Page\xf9poa4vaz.exe
2012-01-23 23:11 . 2012-02-09 22:29 -------- d-----w- c:\documents and settings\Elliott Page\Application Data\Skype
2012-01-23 23:10 . 2012-01-23 23:11 -------- d-----r- c:\program files\Skype
2012-01-23 23:10 . 2012-01-23 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2012-01-23 22:47 . 2012-01-23 22:46 31232 ----a-w- c:\documents and settings\All Users\xf9poa4vaz.exe
2012-01-23 22:46 . 2012-02-04 00:00 -------- d-----w- c:\documents and settings\Elliott Page\Application Data\Ags
2012-01-23 22:46 . 2012-01-23 22:48 -------- d-----w- c:\documents and settings\Elliott Page\Application Data\Kopa
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 11:32 . 2012-01-05 11:32 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-11-25 21:57 . 2008-04-25 20:33 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29 . 2008-04-25 20:33 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-25 20:33 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-25 20:33 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-25 20:33 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-20 39408]
"xf9poa4vaz"="c:\documents and settings\Elliott Page\xf9poa4vaz.exe" [2012-01-23 31232]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MobileBroadband"="c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-04-28 252928]
"xf9poa4vaz"="c:\documents and settings\All Users\xf9poa4vaz.exe" [2012-01-23 31232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Elliott Page\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNDA3200 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3200\WNDA3200WPSMgr.exe [2011-2-15 565248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-01-15 04:11 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Elliott Page\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [15/01/2010 04:07 14248]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [05/01/2012 11:32 931640]
R2 VmbService;Vodafone Mobile Broadband Service;c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [28/04/2010 19:26 9216]
R2 WDCS_WNDA3200;NETGEAR WNDA3200 Device Checking Service;c:\program files\NETGEAR\WNDA3200\WifiDevChkSvc.exe [15/02/2011 13:20 167936]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [15/01/2010 04:12 143840]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [15/02/2011 13:20 57440]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [15/01/2010 05:40 134144]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [15/01/2010 05:40 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [15/01/2010 05:40 272256]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [15/01/2010 05:40 162816]
S0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [05/01/2012 11:32 56208]
S1 MpKsl3079fb9a;MpKsl3079fb9a;\??\c:\windows\system32\MpEngineStore\MpKsl3079fb9a.sys --> c:\windows\system32\MpEngineStore\MpKsl3079fb9a.sys [?]
S1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_34302.sys [05/01/2012 11:34 228208]
S1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2012 11:32 71440]
S2 AMService;AMService;c:\windows\TEMP\gmktsm\setup.exe run --> c:\windows\TEMP\gmktsm\setup.exe run [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/01/2010 16:38 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [15/01/2010 05:40 1684736]
S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [15/02/2011 13:19 1759584]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/01/2010 16:38 135664]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\NETGEAR\WNDA3200\jswpsapi.exe [15/02/2011 13:20 360529]
S3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys [05/01/2012 11:34 21520]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [01/04/2011 13:42 114688]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [01/04/2011 13:41 105856]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - fc8f074256efddc5
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{42c9bafe-3906-11e0-a170-0026b9a1b891}]
\Shell\AutoRun\command - D:\AutoInst.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e9fcec1f-5c5a-11e0-a172-0026b9a1b891}]
\Shell\AutoRun\command - D:\setup_vmb_lite.exe /checkApplicationPresence
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-20 16:37]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-20 16:37]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2274809979-187098365-1391348757-1006Core.job
- c:\documents and settings\Elliott Page\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-23 23:03]
.
2012-02-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2274809979-187098365-1391348757-1006UA.job
- c:\documents and settings\Elliott Page\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-23 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = wf3.thegrid.org.uk:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-AMService - c:\windows\TEMP\htrppb\setup.exe
Notify-avgrsstarter - avgrsstx.dll
Notify-crentel - c:\documents and settings\NetworkService\Local Settings\Application Data\crentel.dll
SafeBoot-MCODS
AddRemove-QuestDns - c:\program files\QuestDns\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-09 23:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\fc8f074256efddc5]
"ImagePath"="\SystemRoot\System32\Drivers\fc8f074256efddc5.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1220)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(1280)
c:\windows\system32\WININET.dll
.
Completion time: 2012-02-09 23:15:05
ComboFix-quarantined-files.txt 2012-02-09 23:14
.
Pre-Run: 116,566,773,760 bytes free
Post-Run: 117,162,393,600 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 859EAB720CAF5A9226DA54C57B1CAF15
  #11  
Old February 10th, 2012, 01:32 AM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 51,968
The ComboFix I recommended is here, Gooner. I understand this is tough to do, when working from the infected system itself. But you used an outdated version, so be sure to download the latest one.

This web searches as a school login. Can you confirm that?

uInternet Settings,ProxyServer = wf3.thegrid.org.uk:80


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:

Code:
KillAll::
Driver::
fc8f074256efddc5
File::
c:\windows\system32\drivers\fc8f074256efddc5.sys
c:\documents and settings\Elliott Page\xf9poa4vaz.exe
c:\documents and settings\All Users\xf9poa4vaz.exe
Folder::
c:\documents and settings\Elliott Page\Application Data\Ags
c:\documents and settings\Elliott Page\Application Data\Kopa
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xf9poa4vaz"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xf9poa4vaz"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\explorer.exe"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\fc8f074256efddc5]
Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

---------

Download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup-1.60.01800.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

----------

Disable your antivirus program and click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file to run the scanner.

If you accept the Terms of Use, check the box and click Start. It will take a couple minutes for the scanner to get ready. When the Computer scan settings display shows, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Then click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

Click Start. This scan may take a while, so please be patient.

If infection is found, at the end of the scan click "List of found threats".

In that display, at the bottom, select the option to save the results as a text file, and save that to your desktop. Post that back here please.

Post that log, the C:\ComboFix.txt log and the Malwarebytes log please.
  #12  
Old February 10th, 2012, 09:56 AM
gooner gooner is offline
CTH Subscriber
 
Join Date: Nov 2000
O/S: Windows Vista 32-bit
Location: McLeod Ganj, Dharamsala
Age: 65
Posts: 485
Wow this is tough. I downloaded from your link but got TDSSKiller not combo. Created the text file dropped it on the icon but got an error message then nothing.
  #13  
Old February 11th, 2012, 12:34 AM
Jintan Jintan is offline
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 51,968
This link?
  #14  
Old February 12th, 2012, 01:08 AM
gooner gooner is offline
CTH Subscriber
 
Join Date: Nov 2000
O/S: Windows Vista 32-bit
Location: McLeod Ganj, Dharamsala
Age: 65
Posts: 485
Hi Jintan

Sorry, I must have missed the option for a text file on ESET. I am running it again and will post the log later. Here are the other 2; also, there is a protection log in Malwarebytes, which I have included at the end.

Thanks

Terry

Combofix log:


ComboFix 12-02-10.03 - Elliott Page 11/02/2012 19:08:49.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.523 [GMT 0:00]
Running from: c:\documents and settings\Elliott Page\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Elliott Page\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
FILE ::
"c:\documents and settings\All Users\xf9poa4vaz.exe"
"c:\documents and settings\Elliott Page\xf9poa4vaz.exe"
"c:\windows\system32\drivers\fc8f074256efddc5.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\xf9poa4vaz.exe
c:\documents and settings\Elliott Page\Application Data\Ags
c:\documents and settings\Elliott Page\Application Data\Kopa
c:\documents and settings\Elliott Page\Application Data\Kopa\lodyxaz.tmp
c:\documents and settings\Elliott Page\Application Data\Kopa\lodyxaz.ybf
c:\documents and settings\Elliott Page\GoToAssistDownloadHelper.exe
c:\documents and settings\Elliott Page\xf9poa4vaz.exe
c:\windows\system32\drivers\fc8f074256efddc5.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSERVICE
-------\Legacy_FC8F074256EFDDC5
-------\Service_AMService
-------\Service_fc8f074256efddc5
.
.
((((((((((((((((((((((((( Files Created from 2012-01-11 to 2012-02-11 )))))))))))))))))))))))))))))))
.
.
2012-02-07 22:40 . 2012-02-07 22:40 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-07 22:36 . 2012-02-07 22:36 -------- d--h--w- c:\windows\PIF
2012-02-04 23:46 . 2012-02-04 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG2012
2012-02-04 00:30 . 2012-02-04 00:30 -------- d-----w- c:\windows\system32\wbem\Repository
2012-02-04 00:06 . 2012-02-04 00:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-02-04 00:06 . 2012-02-04 00:06 -------- d-----w- c:\program files\AVAST Software
2012-02-03 23:43 . 2012-02-03 23:43 -------- d-----w- c:\program files\CCleaner
2012-02-03 18:21 . 2012-02-03 18:21 -------- d-----w- c:\program files\iTunes
2012-02-03 18:20 . 2012-02-03 18:20 -------- d-----w- c:\documents and settings\Elliott Page\Local Settings\Application Data\Apple
2012-02-03 18:20 . 2012-02-03 18:20 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2012-02-03 18:20 . 2012-02-03 18:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2012-02-03 08:58 . 2012-02-03 08:58 -------- d-----w- c:\program files\Common Files\Java
2012-02-03 08:49 . 2011-11-10 05:54 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 08:43 . 2012-02-03 08:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2012-02-02 16:25 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2012-01-31 22:17 . 2012-02-04 23:43 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2012-01-27 23:23 . 2012-01-27 23:23 -------- d-----w- c:\documents and settings\Elliott Page\Local Settings\Application Data\Trusteer
2012-01-27 23:23 . 2012-01-27 23:23 -------- d-----w- c:\program files\Trusteer
2012-01-27 23:22 . 2012-01-27 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-01-25 16:48 . 2012-01-25 16:48 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-01-25 16:48 . 2012-02-03 18:16 -------- d-----w- c:\program files\QuickTime
2012-01-25 16:47 . 2012-02-03 18:20 -------- d-----w- c:\program files\Apple Software Update
2012-01-25 16:46 . 2012-02-03 18:20 -------- d-----w- c:\program files\Common Files\Apple
2012-01-24 22:29 . 2012-02-03 18:20 -------- d-----w- c:\program files\Password Agent
2012-01-24 11:56 . 2012-01-25 16:45 -------- d-----w- c:\documents and settings\Elliott Page\Local Settings\Application Data\Apple Computer
2012-01-24 11:56 . 2012-01-24 11:57 -------- d-----w- c:\documents and settings\Elliott Page\Application Data\Apple Computer
2012-01-24 11:52 . 2012-02-03 18:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2012-01-24 11:52 . 2012-01-24 11:54 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2012-01-24 11:49 . 2012-02-03 18:20 -------- d-----w- c:\program files\Bonjour
2012-01-23 23:11 . 2012-02-09 23:20 -------- d-----w- c:\documents and settings\Elliott Page\Application Data\Skype
2012-01-23 23:10 . 2012-01-23 23:11 -------- d-----r- c:\program files\Skype
2012-01-23 23:10 . 2012-01-23 23:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-05 11:32 . 2012-01-05 11:32 56208 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
2011-11-25 21:57 . 2008-04-25 20:33 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:29 . 2008-04-25 20:33 1868544 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2008-04-25 20:33 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2008-04-25 20:33 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2008-04-25 20:33 152064 ----a-w- c:\windows\system32\schannel.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-02-09_23.09.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-02-11 19:30 . 2012-02-11 19:30 16384 c:\windows\temp\Perflib_Perfdata_a38.dat
+ 2012-02-11 19:28 . 2012-02-11 19:28 16384 c:\windows\temp\Perflib_Perfdata_2fc.dat
+ 2008-04-25 20:33 . 2012-02-11 19:34 80724 c:\windows\system32\perfc009.dat
- 2008-04-25 20:33 . 2012-02-09 22:15 80724 c:\windows\system32\perfc009.dat
+ 2008-04-25 20:33 . 2012-02-11 19:34 466330 c:\windows\system32\perfh009.dat
- 2008-04-25 20:33 . 2012-02-09 22:15 466330 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-01-20 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-09-01 24576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MobileBroadband"="c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\MobileBroadband.exe" [2010-04-28 252928]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Elliott Page\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NETGEAR WNDA3200 Smart Wizard.lnk - c:\program files\NETGEAR\WNDA3200\WNDA3200WPSMgr.exe [2011-2-15 565248]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-01-15 04:11 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Elliott Page\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [15/01/2010 04:07 14248]
R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [05/01/2012 11:32 56208]
R1 RapportCerberus_34302;RapportCerberus_34302;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\baseline\RapportCerberus32_34302.sys [05/01/2012 11:34 228208]
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [05/01/2012 11:32 71440]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [05/01/2012 11:32 931640]
R2 VmbService;Vodafone Mobile Broadband Service;c:\program files\Vodafone\Vodafone Mobile Broadband\Bin\VmbService.exe [28/04/2010 19:26 9216]
R2 WDCS_WNDA3200;NETGEAR WNDA3200 Device Checking Service;c:\program files\NETGEAR\WNDA3200\WifiDevChkSvc.exe [15/02/2011 13:20 167936]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [15/01/2010 04:12 143840]
R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [15/02/2011 13:20 57440]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [15/01/2010 05:40 134144]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [15/01/2010 05:40 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [15/01/2010 05:40 272256]
R3 RapportIaso;RapportIaso;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\baseline\RapportIaso.sys [05/01/2012 11:34 21520]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [15/01/2010 05:40 162816]
S1 MpKsl3079fb9a;MpKsl3079fb9a;\??\c:\windows\system32\MpEngineStore\MpKsl3079fb9a.sys --> c:\windows\system32\MpEngineStore\MpKsl3079fb9a.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [20/01/2010 16:38 135664]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [15/01/2010 05:40 1684736]
S3 AR9271;Atheros AR9271 Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [15/02/2011 13:19 1759584]
S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [20/01/2010 16:38 135664]
S3 jswpsapi;JumpStart Wi-Fi Protected Setup;c:\program files\NETGEAR\WNDA3200\jswpsapi.exe [15/02/2011 13:20 360529]
S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [01/04/2011 13:42 114688]
S3 ZTEusbvoice;ZTE VoUSB Port;c:\windows\system32\drivers\zteusbvoice.sys [01/04/2011 13:41 105856]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - RAPPORTCERBERUS_34302
*NewlyCreated* - RAPPORTEI
*NewlyCreated* - RAPPORTIASO
*NewlyCreated* - RAPPORTKELL
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-20 16:37]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-20 16:37]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2274809979-187098365-1391348757-1006Core.job
- c:\documents and settings\Elliott Page\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-23 23:03]
.
2012-02-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2274809979-187098365-1391348757-1006UA.job
- c:\documents and settings\Elliott Page\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-23 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyServer = wf3.thegrid.org.uk:80
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-11 19:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1600BEVT-75ZCT2 rev.11.01A11 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EEA31B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1240)
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(1300)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(236)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Trusteer\Rapport\bin\RapportService.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\System32\ping.exe
.
**************************************************************************
.
Completion time: 2012-02-11 19:40:13 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-11 19:40
ComboFix2.txt 2012-02-09 23:15
.
Pre-Run: 116,212,838,400 bytes free
Post-Run: 116,298,420,224 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 6289BDCE677CF71C2EEE853ABF7BCE95

Malwarebytes log:


Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.11.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Elliott Page :: TERRY [administrator]

Protection: Enabled

11/02/2012 19:50:20
mbam-log-2012-02-11 (19-50-20).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 169717
Time elapsed: 9 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 8
HKCR\AppID\{0D82ACD6-A652-4496-A298-2BDE705F4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\AppID\{7025E484-D4B0-441a-9F0B-69063BD679CE} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\AppID\{8258B35C-05B8-4c0e-9525-9BCCC70F8F2D} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\AppID\{A89256AD-EC17-4a83-BEF5-4B8BC4F39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\Typelib\{ACC62306-9A63-4864-BD2F-C8825D2D7EA6} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKCR\Interface\{21BA420E-161C-413A-B21E-4E42AE1F4226} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\QuestDns (Adware.QuestDns) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_QUESTDNS_SERVICE (Adware.QuestDns) -> Quarantined and deleted successfully.

Registry Values Detected: 1
HKLM\SOFTWARE\Mozilla\Firefox\extensions|ShopperReports@ShopperReports.com (ShopperReports) -> Data: C:\Program Files\ShopperReports3\bin\3.0.489.0\firefox\firefoxtoolbar\extensions -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Malwarebytes Protection log:

2012/02/11 19:49:55 GMT TERRY Elliott Page MESSAGE Starting protection
2012/02/11 19:50:08 GMT TERRY Elliott Page MESSAGE Protection started successfully
2012/02/11 19:50:11 GMT TERRY Elliott Page MESSAGE Starting IP protection
2012/02/11 19:50:38 GMT TERRY Elliott Page MESSAGE IP Protection started successfully
2012/02/11 19:53:48 GMT TERRY Elliott Page MESSAGE Executing scheduled update: Daily
2012/02/11 19:53:50 GMT TERRY Elliott Page MESSAGE Database already up-to-date
2012/02/11 20:03:38 GMT TERRY Elliott Page MESSAGE Starting protection
2012/02/11 20:03:58 GMT TERRY Elliott Page MESSAGE Protection started successfully
2012/02/11 20:04:01 GMT TERRY Elliott Page MESSAGE Starting IP protection
2012/02/11 20:04:19 GMT TERRY Elliott Page MESSAGE IP Protection started successfully
2012/02/11 20:32:44 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:32:47 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:32:53 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:33:05 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:33:29 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:33:44 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:33:47 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:33:53 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:34:05 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:34:29 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:34:44 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:34:47 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:34:53 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:35:05 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:35:29 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:35:44 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/02/11 20:35:47 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/02/11 20:35:53 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/02/11 20:36:05 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/02/11 20:36:29 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/02/11 20:36:44 GMT TERRY Elliott Page IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/02/11 20:36:47 GMT TERRY Elliott Page IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/02/11 20:36:53 GMT TERRY Elliott Page IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/02/11 20:37:05 GMT TERRY Elliott Page IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/02/11 20:37:29 GMT TERRY Elliott Page IP-BLOCK 63.223.106.17 (Type: outgoing)
2012/02/11 20:38:14 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:38:17 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:38:23 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:38:35 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:38:59 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:39:14 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:39:17 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:39:23 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:39:35 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:39:59 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:40:14 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:40:17 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:40:23 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:40:35 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:40:59 GMT TERRY Elliott Page IP-BLOCK 46.249.59.47 (Type: outgoing)
2012/02/11 20:41:14 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:41:17 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:41:23 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:41:35 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:41:59 GMT TERRY Elliott Page IP-BLOCK 95.215.2.8 (Type: outgoing)
2012/02/11 20:42:15 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/02/11 20:42:18 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/02/11 20:42:24 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/02/11 20:42:36 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
2012/02/11 20:43:00 GMT TERRY Elliott Page IP-BLOCK 95.215.2.7 (Type: outgoing)
Reply With Quote
  #15  
Old February 12th, 2012, 01:35 AM
Jintan
Cyber Tech Help Moderator
 
Join Date: Dec 2004
Posts: 51,968
detected hooks:
\Driver\atapi DriverStartIo -> 0x86EEA31B
user & kernel MBR OK

Now showing a new subsystem hook. May be due to you just removing that malware driver, protecting its turf. Regardless of other steps, please run and post new TDSSKiller and aswMBR scan logs please.