[RESOLVED] Internet Connection is Dialing Itself

Printable View

Show 40 post(s) from this thread on one page

June 24th, 2011, 07:52 PM
Broni

Navigate to:
C:\_OTL\MovedFiles
Copy t5ql.dll file from there and paste it to C:\WINDOWS\system32 folder.
Restart computer.
Are the errors gone?
June 24th, 2011, 08:11 PM
davidgsmith

That did it ! :)
June 24th, 2011, 09:00 PM
Broni

Very well, however I'm not very fond of that file.
I can't really find any info about it.

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\system32\t5ql.dll
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

Any other issues?
June 24th, 2011, 09:24 PM
davidgsmith

Antivirus results
AhnLab-V3 - 2011.06.25.00 - 2011.06.24 - -
AntiVir - 7.11.10.104 - 2011.06.24 - -
Antiy-AVL - 2.0.3.7 - 2011.06.24 - Trojan/Win32.Agent.gen
Avast - 4.8.1351.0 - 2011.06.24 - Win32:Malware-gen
Avast5 - 5.0.677.0 - 2011.06.24 - Win32:Malware-gen
AVG - 10.0.0.1190 - 2011.06.24 - PSW.Agent.AMUH
BitDefender - 7.2 - 2011.06.25 - -
CAT-QuickHeal - 11.00 - 2011.06.24 - -
ClamAV - 0.97.0.0 - 2011.06.25 - PUA.Packed.ASPack
Commtouch - 5.3.2.6 - 2011.06.24 - -
Comodo - 9180 - 2011.06.25 - -
DrWeb - 5.0.2.03300 - 2011.06.25 - -
eSafe - 7.0.17.0 - 2011.06.23 - -
eTrust-Vet - 36.1.8405 - 2011.06.24 - -
F-Prot - 4.6.2.117 - 2011.06.24 - -
F-Secure - 9.0.16440.0 - 2011.06.24 - -
Fortinet - 4.2.257.0 - 2011.06.24 - -
GData - 22 - 2011.06.25 - Win32:Malware-gen
Ikarus - T3.1.1.104.0 - 2011.06.24 - Trojan-PWS.Win32.Agent
Jiangmin - 13.0.900 - 2011.06.24 - -
K7AntiVirus - 9.106.4840 - 2011.06.24 - Password-Stealer
Kaspersky - 9.0.0.837 - 2011.06.25 - Trojan-PSW.Win32.Agent.xez
McAfee - 5.400.0.1158 - 2011.06.25 - -
McAfee-GW-Edition - 2010.1D - 2011.06.24 - -
Microsoft - 1.7000 - 2011.06.24 - -
NOD32 - 6236 - 2011.06.25 - a variant of Win32/Kheagol.H
Norman - 6.07.10 - 2011.06.24 - -
nProtect - 2011-06-24.01 - 2011.06.24 - -
Panda - 10.0.3.5 - 2011.06.24 - Suspicious file
PCTools - 8.0.0.5 - 2011.06.23 - -
Prevx - 3.0 - 2011.06.25 - -
Rising - 23.63.04.01 - 2011.06.24 - -
Sophos - 4.66.0 - 2011.06.25 - -
SUPERAntiSpyware - 4.40.0.1006 - 2011.06.25 - -
Symantec - 20111.1.0.186 - 2011.06.25 - -
TheHacker - 6.7.0.1.239 - 2011.06.23 - Trojan/PSW.Agent.xez
TrendMicro - 9.200.0.1012 - 2011.06.24 - -
TrendMicro-HouseCall - 9.200.0.1012 - 2011.06.25 - -
VBA32 - 3.12.16.3 - 2011.06.24 - TrojanPSW.Agent.xez
VIPRE - 9683 - 2011.06.25 - -
ViRobot - 2011.6.24.4531 - 2011.06.24 - -
VirusBuster - 14.0.94.0 - 2011.06.24 - Trojan.Kheagol!AxrLEkZrH0Y
File info:
MD5: 246e54d003ee721b7c4390b5a52c4d74
SHA1: 9e0e6ced4b59f9701ef2c0c643ab809f0e11ebf3
SHA256: 96fd23059ac715fb179feb68ada64fc7d6b44d27a1171a0d3b0e9a7f9eb36d5b
File size: 265292 bytes
Scan date: 2011-06-25 01:05:51 (UTC)
June 24th, 2011, 09:25 PM
davidgsmith

Additional informationShow all
MD5 : 246e54d003ee721b7c4390b5a52c4d74
SHA1 : 9e0e6ced4b59f9701ef2c0c643ab809f0e11ebf3
SHA256: 96fd23059ac715fb179feb68ada64fc7d6b44d27a1171a0d3b0e9a7f9eb36d5b
ssdeep: 6144:S+jY5SU5YRIPki/tENvZW72p6xAnOUz0gO9P5TBlOYi0y:S+jySvRXi/WPK2+AOKdsP5T3
OYdy
File size : 265292 bytes
First seen: 2011-06-25 01:05:51
Last seen : 2011-06-25 01:05:51
TrID:
Win32 Executable Generic (38.4%)
Win32 Dynamic Link Library (generic) (34.2%)
Clipper DOS Executable (9.1%)
Generic Win/DOS Executable (9.0%)
DOS Executable Generic (9.0%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: n/a
description..: n/a
original name: n/a
internal name: n/a
file version.: n/a
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: ASPack v2.12
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x60001
timedatestamp....: 0x4DB9CAF7 (Thu Apr 28 20:15:51 2011)
machinetype......: 0x14c (I386)

[[ 6 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.text, 0x1000, 0x56000, 0x39400, 8.00, 6003245f71d4019b706c1bf4ae15fdea
.rdata, 0x57000, 0x4000, 0x4000, 6.66, 1362f3b0da2432d6eab4d1538aba4f35
.data, 0x5B000, 0x3000, 0xA00, 7.76, ce1737aa1aec43251382a44268738fb8
.reloc, 0x5E000, 0x2000, 0x1800, 7.77, 6372c8536a46d4db1725482bb88f0086
.aspack, 0x60000, 0x2000, 0x1200, 5.74, 3d66167acab19483eaa8debecceac03c
.adata, 0x62000, 0x1000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e

[[ 1 import(s) ]]
kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA

[[ 1 export(s) ]]
ecsqxygtbcghyw

Symantec reputation:Suspicious.Insight
June 24th, 2011, 09:30 PM
Broni

See? That's why I don't like that file.

Download Autoruns for Windows: http://technet.microsoft.com/en-us/s.../bb963902.aspx
No installation required.
Simply unzip Autoruns.zip file, and double click on autoruns.exe file to run the program.
Go File>Save, and save it as AutoRuns.txt file to know location.
You must select Text from drop-down menu as a file type:

https://discussions.virtualdr.com/

Attach the file to your next reply.
June 24th, 2011, 10:12 PM
davidgsmith

Other stuff...

Quote:

Note: when i booted up this morning a noticed an Internet Explorer icon on my desktop where there had not been one before. I went to the 'Display' dialogue and clicked on the 'Desktop' tab and there was not a choice to remove the Internet Explorer icon where there should have been. Also on the Screensaver tab at the bottom where the power settings are the 'Energy' logo was missing.
June 24th, 2011, 10:16 PM
Broni

Quote:

noticed an Internet Explorer icon on my desktop where there had not been one before

If you don't need that shortcut, right click on it, click "Delete".

Quote:

Also on the Screensaver tab at the bottom where the power settings are the 'Energy' logo was missing

I don't have XP in front of me and I'd consider it a minor issue.
If you want to pursue it, create new topic at Windows XP forum.

I still need Autoruns log.
June 24th, 2011, 10:31 PM
davidgsmith

Autoruns Log

"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" "" "" ""
+ "Adobe Reader Speed Launcher" "Adobe Acrobat SpeedLauncher" "Adobe Systems Incorporated" "c:\program files\adobe\reader 10.0\reader\reader_sl.exe"
+ "igfxhkcmd" "hkcmd Module" "Intel Corporation" "c:\windows\system32\hkcmd.exe"
+ "igfxpers" "persistence Module" "Intel Corporation" "c:\windows\system32\igfxpers.exe"
+ "igfxtray" "igfxTray Module" "Intel Corporation" "c:\windows\system32\igfxtray.exe"
+ "MSC" "Microsoft Security Client User Interface" "Microsoft Corporation" "c:\program files\microsoft security client\msseces.exe"
+ "SunJavaUpdateSched" "Java(TM) Update Scheduler" "Sun Microsystems, Inc." "c:\program files\common files\java\java update\jusched.exe"
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup" "" "" ""
+ "Stickies.lnk" "Stickies 7.0b" "Zhorn Software" "c:\program files\stickies\stickies.exe"
"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" "" "" ""
+ "Address Book 6" "Outlook Express Setup Library" "Microsoft Corporation" "c:\program files\outlook express\setup50.exe"
+ "Microsoft Outlook Express 6" "Outlook Express Setup Library" "Microsoft Corporation" "c:\program files\outlook express\setup50.exe"
"HKLM\SOFTWARE\Classes\Protocols\Filter" "" "" ""
+ "text/xml" "Microsoft Office XML MIME Filter" "Microsoft Corporation" "c:\program files\common files\microsoft shared\office11\msoxmlmf.dll"
"HKLM\SOFTWARE\Classes\Protocols\Handler" "" "" ""
+ "ms-itss" "Microsoft® InfoTech Storage System Library" "Microsoft Corporation" "c:\program files\common files\microsoft shared\information retrieval\msitss.dll"
+ "mso-offdap" "Microsoft Office XP Web Components" "Microsoft Corporation" "c:\program files\common files\microsoft shared\web components\10\owc10.dll"
+ "mso-offdap11" "Microsoft Office Web Components 2003" "Microsoft Corporation" "c:\program files\common files\microsoft shared\web components\11\owc11.dll"
"HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components" "" "" ""
+ "0" "" "" "File not found: About:Home"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks" "" "" ""
+ "SABShellExecuteHook Class" "ShellExecuteHook" "SuperAdBlocker.com" "c:\program files\superantispyware\sasseh.dll"
"HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers" "" "" ""
+ "EPP" "Microsoft Security Client Shell Extension" "Microsoft Corporation" "c:\program files\microsoft security client\shellext.dll"
+ "SASContextMenu Class" "SUPERAntiSpyware Context Menu Extension" "SUPERAntiSpyware.com" "c:\program files\superantispyware\sasctxmn.dll"
+ "WinRAR" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers" "" "" ""
+ "MBAMShlExt" "Malwarebytes' Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
"HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers" "" "" ""
+ "EPP" "Microsoft Security Client Shell Extension" "Microsoft Corporation" "c:\program files\microsoft security client\shellext.dll"
+ "SASContextMenu Class" "SUPERAntiSpyware Context Menu Extension" "SUPERAntiSpyware.com" "c:\program files\superantispyware\sasctxmn.dll"
+ "WinRAR" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Directory\Shellex\DragDropHandlers" "" "" ""
+ "WinRAR" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Directory\Shellex\CopyHookHandlers" "" "" ""
+ "FileZilla3CopyHook" "fzshellext Dynamic Link Library" "" "c:\program files\filezilla ftp client\fzshellext.dll"
+ "VPCHostCopyHook" "Virtual PC Host Shell Extension" "Microsoft Corporation" "c:\program files\microsoft virtual pc\vpcshexh.dll"
"HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers" "" "" ""
+ "igfxcui" "igfxpph Module" "Intel Corporation" "c:\windows\system32\igfxpph.dll"
"HKLM\Software\Classes\Folder\Shellex\ColumnHandlers" "" "" ""
+ "PDF Shell Extension" "PDF Shell Extension" "Adobe Systems, Inc." "c:\program files\common files\adobe\acrobat\activex\pdfshell.dll"
+ "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" "" "OpenOffice.org" "c:\program files\openoffice.org 3\basis\program\shlxthdl\shlxthdl.dll"
"HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers" "" "" ""
+ "MBAMShlExt" "Malwarebytes' Anti-Malware" "Malwarebytes Corporation" "c:\program files\malwarebytes' anti-malware\mbamext.dll"
+ "WinRAR" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Classes\Folder\ShellEx\DragDropHandlers" "" "" ""
+ "WinRAR" "" "" "c:\program files\winrar\rarext.dll"
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" "" "" ""
+ "Adobe PDF Link Helper" "Adobe PDF Helper for Internet Explorer" "Adobe Systems Incorporated" "c:\program files\common files\adobe\acrobat\activex\acroiehelpershim.dll"
+ "Adobe PDF Reader Link Helper" "Adobe PDF Helper for Internet Explorer" "Adobe Systems Incorporated" "c:\program files\common files\adobe\acrobat\activex\acroiehelper.dll"
+ "Java(tm) Plug-In 2 SSV Helper" "Java(TM) Platform SE binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\jp2ssv.dll"
+ "JQSIEStartDetectorImpl Class" "Java(TM) Quick Starter binary" "Sun Microsystems, Inc." "c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll"
"HKLM\Software\Microsoft\Internet Explorer\Extensions" "" "" ""
+ "Windows Messenger" "Windows Messenger" "Microsoft Corporation" "c:\program files\messenger\msmsgs.exe"
"Task Scheduler" "" "" ""
+ "GoogleUpdateTaskUserS-1-5-21-1454471165-602162358-839522115-1003Core.job" "Google Installer" "Google Inc." "c:\documents and settings\dave\local settings\application data\google\update\googleupdate.exe"
+ "GoogleUpdateTaskUserS-1-5-21-1454471165-602162358-839522115-1003UA.job" "Google Installer" "Google Inc." "c:\documents and settings\dave\local settings\application data\google\update\googleupdate.exe"
+ "MP Scheduled Scan.job" "Microsoft Malware Protection Command Line Utility" "Microsoft Corporation" "c:\program files\microsoft security client\antimalware\mpcmdrun.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "JavaQuickStarterService" "Prefetches JRE files for faster startup of Java applets and applications" "Sun Microsystems, Inc." "c:\program files\java\jre6\bin\jqs.exe"
+ "MDM" "Supports local and remote debugging for Visual Studio and script debuggers. If this service is stopped, the debuggers will not function properly." "Microsoft Corporation" "c:\program files\common files\microsoft shared\vs7debug\mdm.exe"
+ "MsMpSvc" "Helps protect users from malware and other potentially unwanted software" "Microsoft Corporation" "c:\program files\microsoft security client\antimalware\msmpeng.exe"
+ "ose" "Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports." "Microsoft Corporation" "c:\program files\common files\microsoft shared\source engine\ose.exe"
+ "WMPNetworkSvc" "Shares Windows Media Player libraries to other networked players and media devices using Universal Plug and Play" "Microsoft Corporation" "c:\program files\windows media player\wmpnetwk.exe"
"HKLM\System\CurrentControlSet\Services" "" "" ""
+ "aeaudio" "Andrea Audio Stub Driver" "Andrea Electronics Corporation" "c:\windows\system32\drivers\aeaudio.sys"
+ "ATMFBUS" "USB Composite Device Driver (MSS Ver.3)" "DEVGURU Co., LTD." "c:\windows\system32\drivers\atmfbus.sys"
+ "ATMFCVsp" "A600 Cricket CM Port device driver" "DEVGURU Co., LTD.(www.devguru.co.kr)" "c:\windows\system32\drivers\atmfcvsp.sys"
+ "ATMFFLT" "A600 USB Modem Installation CD Device Driver" "DEVGURU Co., LTD." "c:\windows\system32\drivers\atmfflt.sys"
+ "ATMFMdm" "A600 Cricket EVDO Modem Driver" "DEVGURU Co., LTD.(www.devguru.co.kr)" "c:\windows\system32\drivers\atmfmdm.sys"
+ "ATMFNET" "A600 Cricket EVDO Network Adapter device driver" "DEVGURU Co., LTD." "c:\windows\system32\drivers\atmfnet.sys"
+ "ATMFNVsp" "A600 Cricket NMEA Port Serial Port device driver" "DEVGURU Co., LTD.(www.devguru.co.kr)" "c:\windows\system32\drivers\atmfnvsp.sys"
+ "ATMFVsp" "A600 Cricket Diagnostics Port" "DEVGURU Co., LTD.(www.devguru.co.kr)" "c:\windows\system32\drivers\atmfvsp.sys"
+ "catchme" "" "" "File not found: C:\DOCUME~1\Dave\LOCALS~1\Temp\catchme.sys"
+ "Changer" "" "" "File not found: C:\WINDOWS\System32\Drivers\Changer.sys"
+ "E100B" "Intel(R) PRO/100 Adapter NDIS 5.1 driver" "Intel Corporation" "c:\windows\system32\drivers\e100b325.sys"
+ "i2omgmt" "" "" "File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys"
+ "ialm" "Intel Graphics Miniport Driver" "Intel Corporation" "c:\windows\system32\drivers\ialmnt5.sys"
+ "lbrtfdc" "" "" "File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys"
+ "MpKsl314409bf" "KSLDriver" "Microsoft Corporation" "c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{9f4b36ea-4b3f-4b70-9a9b-d842d11bf524}\mpksl314409bf.sys"
+ "MpKsl5e374436" "" "" "File not found: C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FCED001E-29B4-4EEB-96CA-FCC0A4C6D691}\MpKsl5e374436.sys"
+ "OMCI" "OMCI Device Driver" "Dell Computer Corporation" "c:\windows\system32\drivers\omci.sys"
+ "PCIDump" "" "" "File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys"
+ "PDCOMP" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys"
+ "PDFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys"
+ "PDRELI" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys"
+ "PDRFRAME" "" "" "File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys"
+ "Ptilink" "Direct Parallel Link Driver" "Parallel Technologies, Inc." "c:\windows\system32\drivers\ptilink.sys"
+ "SASDIFSV" "SASDIFSV.SYS" "SUPERAdBlocker.com and SUPERAntiSpyware.com" "c:\program files\superantispyware\sasdifsv.sys"
+ "SASKUTIL" "SASKUTIL.SYS" "SUPERAdBlocker.com and SUPERAntiSpyware.com" "c:\program files\superantispyware\saskutil.sys"
+ "Secdrv" "SafeDisc driver" "Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K." "c:\windows\system32\drivers\secdrv.sys"
+ "smwdm" "SoundMAX Integrated Digital Audio " "Analog Devices, Inc." "c:\windows\system32\drivers\smwdm.sys"
+ "WDICA" "" "" "File not found: C:\WINDOWS\System32\Drivers\WDICA.sys"
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32" "" "" ""
+ "msacm.iac2" "Indeo® audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax"
+ "msacm.l3acm" "MPEG Layer-3 Audio Codec for MSACM" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codeca.acm"
+ "msacm.trspch" "DSP Group TrueSpeech(TM) Audio Codec for MSACM V3.50" "DSP GROUP, INC." "c:\windows\system32\tssoft32.acm"
+ "vidc.cvid" "Cinepak® Codec" "Radius Inc." "c:\windows\system32\iccvid.dll"
+ "vidc.DIVX" "DivX" "DivX, Inc." "c:\windows\system32\divx.dll"
+ "VIDC.FPS1" "Fraps" "Beepa P/L" "c:\windows\system32\frapsvid.dll"
+ "vidc.iv31" "" "" "c:\windows\system32\ir32_32.dll"
+ "vidc.iv32" "" "" "c:\windows\system32\ir32_32.dll"
+ "vidc.iv41" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "vidc.iv50" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "vidc.yv12" "DivX" "DivX, Inc." "c:\windows\system32\divx.dll"
"HKLM\Software\Classes\Filter" "" "" ""
+ "Indeo® video 4.4 Compression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
+ "Indeo® video 4.4 Decompression Filter" "Intel Indeo® Video 4.5" "Intel Corporation" "c:\windows\system32\ir41_32.ax"
"HKLM\Software\Classes\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance" "" "" ""
+ "9x8Resize" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "ACELP.net Audio Decoder" "ACELP.net Audio Decoder" "Sipro Lab Telecom Inc." "c:\windows\system32\acelpdec.ax"
+ "Allocator Fix" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "AVS Video Out" "AVSVideoOutFilter DirectShow Filter" "Online Media Technologies Ltd" "c:\program files\common files\avsmedia\activex\avsvideooutfilter3.ax"
+ "Bitmap" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "CyberLink Audio Decoder" "CyberLink Audio Filter" "CyberLink Corp." "c:\program files\cyberlink\powerdvd\claud.ax"
+ "CyberLink Audio Effect" "CyberLink Audio Effect Filter" "CyberLink Corporation" "c:\program files\cyberlink\powerdvd\claudfx.ax"
+ "CyberLink DxVA Filter 2" "" "" "c:\program files\cyberlink\powerdvd\cldxva.ax"
+ "CyberLink Video/SP Decoder" "CyberLink Video/SP Filter" "CyberLink Corp." "c:\program files\cyberlink\powerdvd\clvsd.ax"
+ "DivX AAC Decoder" "AAC Audio Decoder Filter" "DivX, Inc." "c:\program files\divx\divx plus directshow filters\daac.ax"
+ "DivX Decoder Filter" "DivX Decoder Filter" "DivX, Inc." "c:\program files\divx\divx codec\divxdec.ax"
+ "DivX H.264 Decoder" "DivX H.264 Decoder Filter" "DivX, Inc." "c:\program files\divx\divx plus directshow filters\divxdech264.ax"
+ "DivX MKV Demux" "DivX MKV Splitter" "" "c:\program files\divx\divx plus directshow filters\dmfsource.ax"
+ "DivX MKV Demux (unrestricted)" "DivX MKV Splitter" "" "c:\program files\divx\divx plus directshow filters\dmfsource.ax"
+ "Frame Eater" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "Indeo® audio software" "Indeo® audio software" "Intel Corporation" "c:\windows\system32\iac25_32.ax"
+ "Indeo® video 5.10 Compression Filter" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "Indeo® video 5.10 Decompression Filter" "Intel Indeo® video 5.10" "Intel Corporation" "c:\windows\system32\ir50_32.dll"
+ "MPEG Layer-3 Decoder" "MPEG Layer-3 Audio Decoder" "Fraunhofer Institut Integrierte Schaltungen IIS" "c:\windows\system32\l3codecx.ax"
+ "Record Queue" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "ShotDetect" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "Stetch" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "TrueMotion 2.0 Decompressor" "TrueMotion 2.0 Decompressor" "The Duck Corporation" "c:\windows\system32\tm20dec.ax"
+ "Virtual Audio Renderer" "ST Virtual Renderers" "Swift-Tools SARL" "c:\program files\common files\swishzone.com\szcommon-video080303.dll"
+ "Virtual Video Renderer" "ST Virtual Renderers" "Swift-Tools SARL" "c:\program files\common files\swishzone.com\szcommon-video080303.dll"
+ "WIA Stream Snapshot Filter" "WIA Stream Snapshot Filter" "MyCompanyName" "c:\windows\system32\wiasf.ax"
+ "WM VIH2 Fix" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Audio Analyzer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Black Frame Generator" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT DirectX Transform Wrapper" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT DV Extract Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT FormatConversion" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Import Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Interlacer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Log Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT MuxDeMux Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Sample Info Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Screen capture Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Switch Filter" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Virtual Renderer" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Virtual Source" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
+ "WMT Volume" "Movie Maker Filters" "Microsoft Corporation" "c:\program files\movie maker\wmm2filt.dll"
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "" "" ""
+ "!SASWinLogon" "SUPERAntiSpyware WinLogon Processor" "SUPERAntiSpyware.com" "c:\program files\superantispyware\saswinlo.dll"
+ "igfxcui" "igfxdev Module" "Intel Corporation" "c:\windows\system32\igfxdev.dll"
"HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" "" "" ""
+ "PDF Port" "Acrobat ® PDF Port" "Adobe Systems Incorporated." "c:\windows\system32\pdfports.dll"
June 24th, 2011, 10:55 PM
Broni

Go ahead with other steps from my reply #34
June 24th, 2011, 11:00 PM
davidgsmith

Tomorrow
June 24th, 2011, 11:02 PM
Broni

OK...
June 25th, 2011, 06:06 PM
davidgsmith

Here is the restore point thingy.

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Dave
->Temp folder emptied: 49154 bytes
->Temporary Internet Files folder emptied: 23102617 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 2307 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 12010 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 18725 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 22.00 mb

[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Dave
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb

Restore points cleared and new OTL Restore Point set!

OTL by OldTimer - Version 3.2.24.1 log created on 06252011_175225

Files\Folders moved on Reboot...
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\OIWEKUFO\c[4].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\NA66ZOUR\c[5].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\NA66ZOUR\showthread[1].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\FSI90243\c[1].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\FSI90243\c[2].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\77DOASZS\c[2].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\77DOASZS\iepngfix[1].htc moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\77DOASZS\partner[1].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\Content.IE5\77DOASZS\showthread[2].htm moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
C:\Documents and Settings\Dave\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

Registry entries deleted on Reboot...
June 25th, 2011, 06:32 PM
davidgsmith

Broni,

Quote:

Your computer is clean

I downloaded all the other programs you mentioned.
Thanks for all that you have done. :)
THis has sure been an adventure :D

Now for the BAD NEWS ! :eek:

When I came home from work this afternoon I turned my computer on and walked out of the room for a couple minutes and when I came back in it was dialing up my internet connection again. :(

This kind of confirms a suspicion I had that this thing is date sensitive. That it only does this once a day. Yesterday morning (Friday) I booted up with no problem,and I told you that. But today I remembered that Thursday night I remained online with you past midnight, so that whatever it does/sends out, it was already connected. Like I had said in the past this would only happen once a day at the first time I'd turn the computer on.

Do you have any more ideas?
Dave
June 25th, 2011, 06:38 PM
Broni

At this point....

In this forum, we make sure, your computer is free of malware and your computer is clean :)
Because the access to malware forum is very limited, your best option is to create new topic about your current issue, at Windows section.
You'll get more attention.

Good luck!
June 25th, 2011, 06:47 PM
fink

One thing to check before you start a new thread is to have a look in Internet explorer>tools>internet options>connections and make sure that "never dial a connection" is checked.....

http://img543.imageshack.us/img543/4606/mwsnap074.jpg
June 25th, 2011, 07:32 PM
davidgsmith

Thanks Fink, I shut that off. It was set to 'always' but I don't remember it connecting on it's own till a couple weeks ago. But I am getting old and the memory is a bit weak at times. :)

Broni..... what about the t5ql.dll thing? Anthing to do about that?
June 25th, 2011, 07:32 PM
Broni

Thanks fink :)

You may also check Task Scheduler.
June 25th, 2011, 07:45 PM
Broni

Quote:

what about the t5ql.dll thing?

Leave it alone for now.
June 25th, 2011, 07:51 PM
davidgsmith

Actually Broni, there were 4 of them is the Task Scheduler... 2 from Google and two from I don't know where. The 2 google ones were set at 'Daily' and it was started back on 6/4/11, about the time this started.....

Well, I'm all squeaky clean anyway :)

Thanks again.
Dave
June 25th, 2011, 07:52 PM
davidgsmith

ok on the t5ql.dll thingy...
Dave
June 25th, 2011, 08:12 PM
Broni

Quote:

there were 4 of them is the Task Scheduler... 2 from Google and two from I don't know where. The 2 google ones were set at 'Daily' and it was started back on 6/4/11, about the time this started.....

Ha!
Nice :)
June 25th, 2011, 10:16 PM
davidgsmith

LOL :)
Thank you again sir for all you do for everyone.
Dave
June 25th, 2011, 11:56 PM
Broni

You're very welcome https://discussions.virtualdr.com/
July 3rd, 2011, 11:29 AM
davidgsmith

Broni,
I've been thinking about the t5ql.dll trojan on my computer. I am very uncomfortable with it being there.
If you remember in post#44 I submitted to virustotal.com to have it checked and there were quite a few hits. I downloaded one the the a/v programs that found it as a trojan. VBA32. After install it found t5ql.dll, in fact every 2 seconds it was popping up a 'virus found' box. I also ran a scan which it found it. The problem is that the program could do no type of action to remove it. Under 'Action Taken' it said 'Not Removed'. That's it!

So I'm reading this post here at the forum.
http://discussions.virtualdr.com/sho...d.php?t=249403

And it seems to me that this trojan is similar, and I'm beginning to feel that my only solution is a complete format and reinstall of XP.
What do you think?
Thanks,
Dave
July 3rd, 2011, 11:57 AM
Broni
Yeah, I think we have to remove that file, but let's re-run some scans first.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  - Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  - Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  NOTE1. If Combofix asks you to install Recovery Console, please allow it.
  NOTE 2. If Combofix asks you to update the program, always do so.
  - Close any open browsers.
  - WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  - Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  - If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.

Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe
- Double-click on the Rkill desktop icon to run the tool.
- If using Vista or Windows 7 right-click on it and choose Run As Administrator.
- A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
- If not, delete the file, then download and use the one provided in Link 2.
- If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
- Do not reboot until instructed.
- If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
July 3rd, 2011, 01:10 PM
davidgsmith

OK Broni,

When Combo Fix first started I got the following alert ....

In the title bar it said "Parasite Found!"
The body said, " The following files were trying to attach to Combo Fox. They shall be disabled. Kindly notedown on paper, the name of each file. We may need it later.
C:\Windows\System32\t5ql.dll

Then at the first reboot, I got this one....

Explorer.exe Unable to locate component.
...."This application failed to start because t5ql.dll was not found. Re-installing the application may fix this problem"
Then Combo Fix continued running after I clicked OK.
Then on the last restart I got the same one again.

Explorer.exe Unable to locate component.
...."This application failed to start because t5ql.dll was not found. Re-installing the application may fix this problem"

Other than that it ran fine.... here is the log.....

ComboFix 11-07-02.03 - Dave 07/03/2011 12:49:11.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.623 [GMT -5:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
* Created a new restore point
.
The following files were disabled during the run:
c:\windows\system32\t5ql.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-07-03 13:09 . 2011-07-03 13:09 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{50884F5D-CF93-4986-BD4E-577092981CFC}\MpKsl55594903.sys
2011-07-02 09:56 . 2011-06-07 15:55 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{50884F5D-CF93-4986-BD4E-577092981CFC}\mpengine.dll
2011-06-29 00:40 . 2011-06-29 00:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-06-28 00:58 . 2011-06-28 00:58 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Secunia PSI
2011-06-28 00:58 . 2011-06-28 00:58 -------- d-----w- c:\program files\Secunia
2011-06-28 00:48 . 2011-06-28 00:48 -------- d-----w- c:\program files\WOT
2011-06-25 01:06 . 2009-03-21 14:06 265292 ----a-w- c:\windows\system32\t5ql.dll.vir
2011-06-24 02:26 . 2011-06-24 02:26 -------- d-----w- c:\program files\Common Files\Java
2011-06-24 02:26 . 2011-05-04 09:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-15 23:53 . 2011-06-28 22:16 -------- d-----w- c:\documents and settings\Dave\Application Data\FileZilla
2011-06-15 23:52 . 2011-06-15 23:52 -------- d-----w- c:\program files\FileZilla FTP Client
2011-06-15 21:39 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-07 15:55 . 2011-03-23 00:44 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-29 14:11 . 2010-09-10 13:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2010-09-10 13:30 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 09:52 . 2010-07-04 20:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 07:25 . 2010-07-04 20:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2010-07-04 06:54 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:36 . 2010-08-20 03:52 164880 ---ha-w- c:\documents and settings\Dave\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 03:36 . 2004-08-04 12:00 110080 ----a-w- c:\windows\system32\imm32.dll
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-04-29 . C8270B953FBCFB9B5310488DB779EC4E . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
[7] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
Stickies.lnk - c:\program files\stickies\stickies.exe [2010-7-4 1101824]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 17:29 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-15 03:39 136176 ----atw- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-07-19 23:06 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-07-19 23:09 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2010-11-30 18:20 997408 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2010-07-05 13:13 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-10-01 18:23 2424560 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Games\\Activision\\JN6 - Golden Bear Challenge\\JNGBCGolf.exe"=
"c:\\Documents and Settings\\Dave\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
"c:\\Program Files\\Games\\Microsoft Games\\Midtown Madness 2\\MIDTOWN2.ICD"=
"c:\\Program Files\\Games\\Microsoft Games\\MechWarrior Vengeance\\MW4.ICD"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6667:TCP"= 6667:TCP:IRC
"3783:TCP"= 3783:TCP:voice chat
"27900:TCP"= 27900:TCP:Master Svc
"28900:TCP"= 28900:TCP:Master Service ll
"29900:TCP"= 29900:TCP:GP Connect
"29901:TCP"= 29901:TCP:GP Search
"13139:TCP"= 13139:TCP:CUST UDP
"6515:TCP"= 6515:TCP:Dplay UDP
"6500:TCP"= 6500:TCP:Query
.
R1 MpKsl55594903;MpKsl55594903;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{50884F5D-CF93-4986-BD4E-577092981CFC}\MpKsl55594903.sys [7/3/2011 8:09 AM 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 67656]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 1:44 AM 993848]
R3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\ATMFBUS.sys [7/4/2010 2:24 AM 47360]
R3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\ATMFCVsp.sys [7/4/2010 2:24 AM 153600]
R3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\ATMFMdm.sys [7/4/2010 2:24 AM 153472]
R3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\ATMFNET.sys [7/4/2010 2:24 AM 103424]
R3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\ATMFNVsp.sys [7/4/2010 2:24 AM 153600]
R3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\ATMFVsp.sys [7/4/2010 2:24 AM 153472]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
S1 MpKsl5e374436;MpKsl5e374436;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FCED001E-29B4-4EEB-96CA-FCC0A4C6D691}\MpKsl5e374436.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FCED001E-29B4-4EEB-96CA-FCC0A4C6D691}\MpKsl5e374436.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\ATMFFLT.sys [7/4/2010 2:24 AM 13312]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL55594903
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-07-03 c:\windows\Tasks\User_Feed_Synchronization-{E9462B1D-DE15-4239-8878-D5206A58D0F7}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thehungersite.com/clickToGive/home.faces?siteId=1
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{BDDE120D-FFE9-4679-A943-C78332774491}: NameServer = 10.133.20.11 10.132.20.11
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\045ulcui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thehungersite.com/clickToGive/home.faces?siteId=1
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Beach Tranquility Screen Saver - c:\windows\system32\BEACHT~1.SCR
AddRemove-Sierra Utilities - c:\program files\Sierra On-Line\sutil32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 12:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1216)
c:\windows\system32\t5ql.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\l3codeca.acm
.
- - - - - - - > 'lsass.exe'(1272)
c:\windows\system32\t5ql.dll
.
- - - - - - - > 'explorer.exe'(272)
c:\windows\system32\WININET.dll
.
Completion time: 2011-07-03 12:55:59
ComboFix-quarantined-files.txt 2011-07-03 17:55
.
Pre-Run: 13,404,372,992 bytes free
Post-Run: 13,534,429,184 bytes free
.
- - End Of File - - 1EEF749D6450C0B9105FD517F3105EAC
July 3rd, 2011, 01:22 PM
Broni

Please, re-run Combofix one more time.
July 3rd, 2011, 01:44 PM
davidgsmith

Everything happened as it did the first time... same error msgs.

ComboFix 11-07-02.03 - Dave 07/03/2011 13:35:18.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.545 [GMT -5:00]
Running from: c:\documents and settings\Dave\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-07-03 13:09 . 2011-07-03 13:09 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{50884F5D-CF93-4986-BD4E-577092981CFC}\MpKsl55594903.sys
2011-07-02 09:56 . 2011-06-07 15:55 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{50884F5D-CF93-4986-BD4E-577092981CFC}\mpengine.dll
2011-06-29 00:40 . 2011-06-29 00:40 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-06-28 00:58 . 2011-06-28 00:58 -------- d-----w- c:\documents and settings\Dave\Local Settings\Application Data\Secunia PSI
2011-06-28 00:58 . 2011-06-28 00:58 -------- d-----w- c:\program files\Secunia
2011-06-28 00:48 . 2011-06-28 00:48 -------- d-----w- c:\program files\WOT
2011-06-25 01:06 . 2009-03-21 14:06 265292 ----a-w- c:\windows\system32\t5ql.dll.vir
2011-06-24 02:26 . 2011-06-24 02:26 -------- d-----w- c:\program files\Common Files\Java
2011-06-24 02:26 . 2011-05-04 09:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-06-15 23:53 . 2011-06-28 22:16 -------- d-----w- c:\documents and settings\Dave\Application Data\FileZilla
2011-06-15 23:52 . 2011-06-15 23:52 -------- d-----w- c:\program files\FileZilla FTP Client
2011-06-15 21:39 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-07 15:55 . 2011-03-23 00:44 7074640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-05-29 14:11 . 2010-09-10 13:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11 . 2010-09-10 13:30 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-04 09:52 . 2010-07-04 20:45 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-04 07:25 . 2010-07-04 20:45 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2010-07-04 06:54 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:36 . 2010-08-20 03:52 164880 ---ha-w- c:\documents and settings\Dave\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2011-04-29 17:25 . 2004-08-04 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-29 03:36 . 2004-08-04 12:00 110080 ----a-w- c:\windows\system32\imm32.dll
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-04-29 . C8270B953FBCFB9B5310488DB779EC4E . 110080 . . [5.1.2600.5512] . . c:\windows\system32\imm32.dll
[7] 2008-04-14 . 0DA85218E92526972A821587E6A8BF8F . 110080 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2004-08-04 . 87CA7CE6469577F059297B9D6556D66D . 110080 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\imm32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-19 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-19 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-19 114688]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896]
Stickies.lnk - c:\program files\stickies\stickies.exe [2010-7-4 1101824]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Symantec Fax Starter Edition Port.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
backup=c:\windows\pss\Symantec Fax Starter Edition Port.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-30 17:29 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-01-15 03:39 136176 ----atw- c:\documents and settings\Dave\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-07-19 23:06 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-07-19 23:09 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2010-11-30 18:20 997408 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2010-07-05 13:13 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-10-01 18:23 2424560 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Games\\Activision\\JN6 - Golden Bear Challenge\\JNGBCGolf.exe"=
"c:\\Documents and Settings\\Dave\\Application Data\\GameRanger\\GameRanger\\GameRanger.exe"=
"c:\\Program Files\\Games\\Microsoft Games\\Midtown Madness 2\\MIDTOWN2.ICD"=
"c:\\Program Files\\Games\\Microsoft Games\\MechWarrior Vengeance\\MW4.ICD"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6667:TCP"= 6667:TCP:IRC
"3783:TCP"= 3783:TCP:voice chat
"27900:TCP"= 27900:TCP:Master Svc
"28900:TCP"= 28900:TCP:Master Service ll
"29900:TCP"= 29900:TCP:GP Connect
"29901:TCP"= 29901:TCP:GP Search
"13139:TCP"= 13139:TCP:CUST UDP
"6515:TCP"= 6515:TCP:Dplay UDP
"6500:TCP"= 6500:TCP:Query
.
R1 MpKsl55594903;MpKsl55594903;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{50884F5D-CF93-4986-BD4E-577092981CFC}\MpKsl55594903.sys [7/3/2011 8:09 AM 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 67656]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 1:44 AM 993848]
R3 ATMFBUS;A600 USB Composite Device Driver;c:\windows\system32\drivers\ATMFBUS.sys [7/4/2010 2:24 AM 47360]
R3 ATMFCVsp;A600 Cricket CM Port;c:\windows\system32\drivers\ATMFCVsp.sys [7/4/2010 2:24 AM 153600]
R3 ATMFMdm;A600 Cricket EVDO Modem;c:\windows\system32\drivers\ATMFMdm.sys [7/4/2010 2:24 AM 153472]
R3 ATMFNET;A600 Cricket EVDO Network Adapter;c:\windows\system32\drivers\ATMFNET.sys [7/4/2010 2:24 AM 103424]
R3 ATMFNVsp;A600 Cricket NMEA Port Serial Port;c:\windows\system32\drivers\ATMFNVsp.sys [7/4/2010 2:24 AM 153600]
R3 ATMFVsp;A600 Cricket Diagnostics Port;c:\windows\system32\drivers\ATMFVsp.sys [7/4/2010 2:24 AM 153472]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
S1 MpKsl5e374436;MpKsl5e374436;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FCED001E-29B4-4EEB-96CA-FCC0A4C6D691}\MpKsl5e374436.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{FCED001E-29B4-4EEB-96CA-FCC0A4C6D691}\MpKsl5e374436.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 ATMFFLT;A600 USB Modem Installation CD;c:\windows\system32\drivers\ATMFFLT.sys [7/4/2010 2:24 AM 13312]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL55594903
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 17:26]
.
2011-07-03 c:\windows\Tasks\User_Feed_Synchronization-{E9462B1D-DE15-4239-8878-D5206A58D0F7}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.thehungersite.com/clickToGive/home.faces?siteId=1
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: Interfaces\{BDDE120D-FFE9-4679-A943-C78332774491}: NameServer = 10.133.20.11 10.132.20.11
FF - ProfilePath - c:\documents and settings\Dave\Application Data\Mozilla\Firefox\Profiles\045ulcui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thehungersite.com/clickToGive/home.faces?siteId=1
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: User Agent Switcher: {e968fc70-8f95-4ab9-9e79-304de2a71ee1} - %profile%\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 13:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1216)
c:\windows\system32\t5ql.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\l3codeca.acm
.
- - - - - - - > 'lsass.exe'(1272)
c:\windows\system32\t5ql.dll
.
- - - - - - - > 'explorer.exe'(2996)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-03 13:41:06
ComboFix-quarantined-files.txt 2011-07-03 18:41
.
Pre-Run: 13,490,958,336 bytes free
Post-Run: 13,494,730,752 bytes free
.
- - End Of File - - 888ACF4BFCEF86CAE5346F58E4E6407A
July 3rd, 2011, 01:57 PM
Broni
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
- Link 1 (.exe file)
  Link 2 (zipped file)
  Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.
- Double-click on RKUnhookerLE.exe to start the program.
  Vista/Windows 7 users right-click and select Run As Administrator.
- Click the Report tab, then click Scan.
- Check Drivers, Stealth, and uncheck the rest.
- Click OK.
- Wait until it's finished and then go to File > Save Report.
- Save the report to your Desktop.
- Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".
July 3rd, 2011, 02:18 PM
davidgsmith

1 Attachment(s)

Problem....
When I started RKUnhooker first I got the

RKUnhooker.exe Unable to loacate component....
...."This application failed to start because t5ql.dll was not found. Re-installing the application may fix this problem"

Then it started to install and I got this.....
See attachment...
Then when i clicked on the Report tab it came up again, and the whole tab was blank... clicking on other tabs was normal.

Do you want me to run 'Scan' anyway?
July 3rd, 2011, 02:46 PM
Broni
Please download GMER from one of the following locations and save it to your desktop:
- Main Mirror
  This version will download a randomly named file (Recommended)
- Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
- Disconnect from the Internet and close all running programs.
- Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
- Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
- Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  https://discussions.virtualdr.com/im.../2011/07/5.gif
- GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
- If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
- Now click the Scan button. If you see a rootkit warning window, click OK.
- When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
- Click the Copy button and paste the results into your next reply.
- Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.
July 3rd, 2011, 04:01 PM
davidgsmith

Here's GMER..... takes forever :D

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-03 15:57:54
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800EB-00DJF0 rev.77.07W77
Running: 9pq84zny.exe; Driver: C:\DOCUME~1\Dave\LOCALS~1\Temp\pgliapoc.sys

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\Dave\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Dave\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [372] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [552] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [712] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [756] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\Program Files\Secunia\PSI\PSIA.exe [868] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [1196] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [1216] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [1260] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [1272] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\Program Files\Microsoft Security Client\msseces.exe [1380] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1424] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\hkcmd.exe [1432] 0x00420000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\igfxpers.exe [1456] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1480] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe [1516] 0x10000000
Library C:\WINDOWS\System32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1556] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1600] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1636] 0x10000000
Library C:\WINDOWS\System32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1732] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\Program Files\Secunia\PSI\psi_tray.exe [1740] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\Program Files\stickies\stickies.exe [1776] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1952] 0x10000000
Library C:\WINDOWS\System32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [2016] 0x10000000
Library C:\WINDOWS\System32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [2228] 0x10000000
Library C:\WINDOWS\system32\t5ql.dll (*** hidden *** ) @ C:\WINDOWS\system32\igfxsrvc.exe [3876] 0x10000000

---- EOF - GMER 1.0.15 ----
July 3rd, 2011, 04:16 PM
Broni
Download TDSSKiller and save it to your desktop.
- Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
- If an infected file is detected, the default action will be Cure, click on Continue.
- If a suspicious file is detected, the default action will be Skip, click on Continue.
- It may ask you to reboot the computer to complete the process. Click on Reboot Now.
- If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
July 3rd, 2011, 04:42 PM
davidgsmith

That 'unable to find component' error keeps popping up.

Here is the log

2011/07/03 16:39:40.0140 0764 TDSS rootkit removing tool 2.5.8.0 Jun 28 2011 19:12:16
2011/07/03 16:39:40.0843 0764 ================================================================================
2011/07/03 16:39:40.0843 0764 SystemInfo:
2011/07/03 16:39:40.0843 0764
2011/07/03 16:39:40.0843 0764 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/03 16:39:40.0843 0764 Product type: Workstation
2011/07/03 16:39:40.0843 0764 ComputerName: COMPUTER1
2011/07/03 16:39:40.0843 0764 UserName: Dave
2011/07/03 16:39:40.0843 0764 Windows directory: C:\WINDOWS
2011/07/03 16:39:40.0843 0764 System windows directory: C:\WINDOWS
2011/07/03 16:39:40.0843 0764 Processor architecture: Intel x86
2011/07/03 16:39:40.0843 0764 Number of processors: 1
2011/07/03 16:39:40.0843 0764 Page size: 0x1000
2011/07/03 16:39:40.0843 0764 Boot type: Normal boot
2011/07/03 16:39:40.0843 0764 ================================================================================
2011/07/03 16:39:42.0515 0764 Initialize success
2011/07/03 16:40:04.0796 3620 ================================================================================
2011/07/03 16:40:04.0796 3620 Scan started
2011/07/03 16:40:04.0796 3620 Mode: Manual;
2011/07/03 16:40:04.0796 3620 ================================================================================
2011/07/03 16:40:05.0140 3620 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/03 16:40:05.0218 3620 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/03 16:40:05.0343 3620 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/07/03 16:40:05.0421 3620 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/03 16:40:05.0500 3620 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/03 16:40:05.0968 3620 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/03 16:40:06.0031 3620 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/03 16:40:06.0140 3620 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/03 16:40:06.0234 3620 ATMFBUS (07cac813cdc45dbf8696d0e02b06f622) C:\WINDOWS\system32\DRIVERS\ATMFBUS.sys
2011/07/03 16:40:06.0296 3620 ATMFCVsp (00541bd4b04c68e3882ec2da104ef301) C:\WINDOWS\system32\DRIVERS\ATMFCVsp.sys
2011/07/03 16:40:06.0375 3620 ATMFFLT (a93c25ecc84872eff7b9f23843b9e22f) C:\WINDOWS\system32\DRIVERS\ATMFFLT.sys
2011/07/03 16:40:06.0453 3620 ATMFMdm (ad613953334d98e98af4101d951d0b3a) C:\WINDOWS\system32\DRIVERS\ATMFMdm.sys
2011/07/03 16:40:06.0500 3620 ATMFNET (a73c4dfa3a5e21c5f2ae695b7df7883b) C:\WINDOWS\system32\DRIVERS\ATMFNET.sys
2011/07/03 16:40:06.0562 3620 ATMFNVsp (88bf42cd1efe78eb411a01b0114641d8) C:\WINDOWS\system32\DRIVERS\ATMFNVsp.sys
2011/07/03 16:40:06.0609 3620 ATMFVsp (217c7c09dfb0726dd957536f5feec208) C:\WINDOWS\system32\DRIVERS\ATMFVsp.sys
2011/07/03 16:40:06.0703 3620 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/03 16:40:06.0796 3620 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/03 16:40:06.0984 3620 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/03 16:40:07.0109 3620 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/03 16:40:07.0187 3620 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/03 16:40:07.0250 3620 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/03 16:40:07.0593 3620 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/03 16:40:07.0687 3620 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/03 16:40:07.0812 3620 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/03 16:40:07.0875 3620 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/03 16:40:07.0953 3620 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/03 16:40:08.0093 3620 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/03 16:40:08.0171 3620 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/07/03 16:40:08.0312 3620 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/03 16:40:08.0375 3620 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/03 16:40:08.0453 3620 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/03 16:40:08.0500 3620 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/03 16:40:08.0593 3620 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/03 16:40:08.0671 3620 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/03 16:40:08.0750 3620 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/03 16:40:08.0812 3620 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/03 16:40:08.0875 3620 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/03 16:40:09.0015 3620 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/03 16:40:09.0187 3620 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/03 16:40:09.0312 3620 ialm (240d0f5d7caafd87bd8d801a97bbe041) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/07/03 16:40:09.0421 3620 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/03 16:40:09.0546 3620 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/03 16:40:09.0625 3620 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/03 16:40:09.0671 3620 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/03 16:40:09.0750 3620 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/03 16:40:09.0828 3620 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/03 16:40:09.0890 3620 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/03 16:40:09.0953 3620 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/03 16:40:10.0015 3620 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/03 16:40:10.0093 3620 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/03 16:40:10.0140 3620 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/03 16:40:10.0218 3620 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/03 16:40:10.0296 3620 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/03 16:40:10.0468 3620 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/03 16:40:10.0546 3620 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/03 16:40:10.0609 3620 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/03 16:40:10.0687 3620 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/03 16:40:10.0750 3620 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/03 16:40:10.0828 3620 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/07/03 16:40:10.0984 3620 MpKsl92b8fc33 (5f53edfead46fa7adb78eee9ecce8fdf) C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{341EDE8A-E00E-410E-A6F6-7375DD8DA5C7}\MpKsl92b8fc33.sys
2011/07/03 16:40:11.0140 3620 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/03 16:40:11.0265 3620 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/03 16:40:11.0375 3620 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/03 16:40:11.0453 3620 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/03 16:40:11.0531 3620 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/03 16:40:11.0593 3620 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/03 16:40:11.0687 3620 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/03 16:40:11.0765 3620 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/03 16:40:11.0859 3620 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/03 16:40:11.0937 3620 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/03 16:40:12.0015 3620 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/03 16:40:12.0093 3620 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/03 16:40:12.0187 3620 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/03 16:40:12.0265 3620 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/03 16:40:12.0359 3620 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/03 16:40:12.0484 3620 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/03 16:40:12.0593 3620 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/03 16:40:12.0718 3620 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/03 16:40:12.0765 3620 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/03 16:40:12.0859 3620 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/03 16:40:12.0953 3620 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
2011/07/03 16:40:13.0078 3620 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/03 16:40:13.0171 3620 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/03 16:40:13.0265 3620 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/03 16:40:13.0343 3620 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/03 16:40:13.0468 3620 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/03 16:40:13.0546 3620 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/03 16:40:13.0937 3620 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/03 16:40:14.0031 3620 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/03 16:40:14.0109 3620 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\WINDOWS\system32\DRIVERS\psi_mf.sys
2011/07/03 16:40:14.0203 3620 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/03 16:40:14.0500 3620 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/03 16:40:14.0593 3620 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/03 16:40:14.0687 3620 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/03 16:40:14.0781 3620 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/03 16:40:14.0875 3620 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/03 16:40:14.0953 3620 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/03 16:40:15.0046 3620 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/03 16:40:15.0125 3620 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/03 16:40:15.0250 3620 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/03 16:40:15.0375 3620 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/07/03 16:40:15.0437 3620 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/07/03 16:40:15.0546 3620 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/03 16:40:15.0640 3620 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/03 16:40:15.0687 3620 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/03 16:40:15.0796 3620 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/07/03 16:40:15.0984 3620 smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys
2011/07/03 16:40:16.0125 3620 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/03 16:40:16.0187 3620 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/03 16:40:16.0312 3620 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/03 16:40:16.0421 3620 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/03 16:40:16.0468 3620 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/03 16:40:16.0750 3620 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/03 16:40:16.0890 3620 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/03 16:40:16.0984 3620 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/03 16:40:17.0062 3620 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/03 16:40:17.0156 3620 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/03 16:40:17.0328 3620 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/03 16:40:17.0484 3620 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/03 16:40:17.0593 3620 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/03 16:40:17.0671 3620 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/03 16:40:17.0750 3620 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/03 16:40:17.0843 3620 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/03 16:40:17.0921 3620 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/03 16:40:18.0046 3620 vmm (817da66b1b889fad1dbf669e0e2f3228) C:\WINDOWS\system32\Drivers\vmm.sys
2011/07/03 16:40:18.0125 3620 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/03 16:40:18.0234 3620 VPCNetS2 (2abe8281db609d8bb1bd1b2f93800d5f) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
2011/07/03 16:40:18.0359 3620 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/03 16:40:18.0484 3620 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/03 16:40:18.0703 3620 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/03 16:40:18.0781 3620 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/03 16:40:18.0875 3620 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/03 16:40:19.0000 3620 Boot (0x1200) (0f6321570c9b21326dede84bd0315627) \Device\Harddisk0\DR0\Partition0
2011/07/03 16:40:19.0046 3620 Boot (0x1200) (b9a8a5b0044fa15a1caeda7f7fe4178f) \Device\Harddisk0\DR0\Partition1
2011/07/03 16:40:19.0046 3620 ================================================================================
2011/07/03 16:40:19.0046 3620 Scan finished
2011/07/03 16:40:19.0046 3620 ================================================================================
2011/07/03 16:40:19.0078 3524 Detected object count: 0
2011/07/03 16:40:19.0078 3524 Actual detected object count: 0
July 3rd, 2011, 04:47 PM
Broni

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\WINDOWS\system32\winlogon.exe
- C:\WINDOWS\system32\svchost.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.
July 3rd, 2011, 06:08 PM
davidgsmith

winlogon.exe

Antivirus results
AhnLab-V3 - 2011.07.04.00 - 2011.07.03 - -
AntiVir - 7.11.10.200 - 2011.07.03 - -
Antiy-AVL - 2.0.3.7 - 2011.07.03 - -
Avast - 4.8.1351.0 - 2011.07.03 - -
Avast5 - 5.0.677.0 - 2011.07.03 - -
AVG - 10.0.0.1190 - 2011.07.03 - -
BitDefender - 7.2 - 2011.07.03 - -
CAT-QuickHeal - 11.00 - 2011.07.03 - -
ClamAV - 0.97.0.0 - 2011.07.03 - -
Commtouch - 5.3.2.6 - 2011.07.03 - -
Comodo - 9265 - 2011.07.03 - -
DrWeb - 5.0.2.03300 - 2011.07.03 - -
eSafe - 7.0.17.0 - 2011.07.03 - -
eTrust-Vet - 36.1.8421 - 2011.07.01 - -
F-Prot - 4.6.2.117 - 2011.07.03 - -
F-Secure - 9.0.16440.0 - 2011.07.03 - -
Fortinet - 4.2.257.0 - 2011.07.02 - -
GData - 22 - 2011.07.03 - -
Ikarus - T3.1.1.104.0 - 2011.07.03 - -
Jiangmin - 13.0.900 - 2011.07.03 - -
K7AntiVirus - 9.107.4863 - 2011.07.01 - -
Kaspersky - 9.0.0.837 - 2011.07.03 - -
McAfee - 5.400.0.1158 - 2011.07.03 - -
McAfee-GW-Edition - 2010.1D - 2011.07.03 - -
Microsoft - 1.7000 - 2011.07.03 - -
NOD32 - 6262 - 2011.07.03 - -
Norman - 6.07.10 - 2011.07.03 - -
nProtect - 2011-07-03.01 - 2011.07.03 - -
Panda - 10.0.3.5 - 2011.07.03 - -
PCTools - 8.0.0.5 - 2011.07.01 - -
Prevx - 3.0 - 2011.07.04 - -
Rising - 23.64.04.03 - 2011.07.01 - -
Sophos - 4.67.0 - 2011.07.03 - -
SUPERAntiSpyware - 4.40.0.1006 - 2011.07.03 - -
Symantec - 20111.1.0.186 - 2011.07.03 - -
TheHacker - 6.7.0.1.247 - 2011.07.03 - -
TrendMicro - 9.200.0.1012 - 2011.07.03 - -
TrendMicro-HouseCall - 9.200.0.1012 - 2011.07.03 - -
VBA32 - 3.12.16.4 - 2011.07.01 - -
VIPRE - 9762 - 2011.07.03 - -
ViRobot - 2011.7.2.4546 - 2011.07.03 - -
VirusBuster - 14.0.107.2 - 2011.07.03 - -
File info:
MD5: ed0ef0a136dec83df69f04118870003e
SHA1: f77a7cd78877527023ebfb35e83b75ef59d3df07
SHA256: 45377cb8e9f0120f836fc8261c711f7dbf7199117afb3652ebf100d5f0429b1e
File size: 507904 bytes
Scan date: 2011-07-03 21:51:20 (UTC)
July 3rd, 2011, 06:20 PM
davidgsmith

svchost.exe

Antivirus results
AhnLab-V3 - 2011.07.04.00 - 2011.07.03 - -
AntiVir - 7.11.10.200 - 2011.07.03 - -
Antiy-AVL - 2.0.3.7 - 2011.07.03 - -
Avast - 4.8.1351.0 - 2011.07.03 - -
Avast5 - 5.0.677.0 - 2011.07.03 - -
AVG - 10.0.0.1190 - 2011.07.03 - -
BitDefender - 7.2 - 2011.07.03 - -
CAT-QuickHeal - 11.00 - 2011.07.03 - -
ClamAV - 0.97.0.0 - 2011.07.03 - -
Commtouch - 5.3.2.6 - 2011.07.03 - -
Comodo - 9265 - 2011.07.03 - -
DrWeb - 5.0.2.03300 - 2011.07.03 - -
eSafe - 7.0.17.0 - 2011.07.03 - -
eTrust-Vet - 36.1.8421 - 2011.07.01 - -
F-Prot - 4.6.2.117 - 2011.07.03 - -
F-Secure - 9.0.16440.0 - 2011.07.03 - -
Fortinet - 4.2.257.0 - 2011.07.02 - -
GData - 22 - 2011.07.03 - -
Ikarus - T3.1.1.104.0 - 2011.07.03 - -
Jiangmin - 13.0.900 - 2011.07.03 - -
K7AntiVirus - 9.107.4863 - 2011.07.01 - -
Kaspersky - 9.0.0.837 - 2011.07.03 - -
McAfee - 5.400.0.1158 - 2011.07.03 - -
McAfee-GW-Edition - 2010.1D - 2011.07.03 - -
Microsoft - 1.7000 - 2011.07.03 - -
NOD32 - 6262 - 2011.07.03 - -
Norman - 6.07.10 - 2011.07.03 - -
nProtect - 2011-07-03.01 - 2011.07.03 - -
Panda - 10.0.3.5 - 2011.07.03 - -
PCTools - 8.0.0.5 - 2011.07.01 - -
Prevx - 3.0 - 2011.07.04 - -
Rising - 23.64.04.03 - 2011.07.01 - -
Sophos - 4.67.0 - 2011.07.03 - -
SUPERAntiSpyware - 4.40.0.1006 - 2011.07.03 - -
Symantec - 20111.1.0.186 - 2011.07.03 - -
TheHacker - 6.7.0.1.247 - 2011.07.03 - -
TrendMicro - 9.200.0.1012 - 2011.07.03 - -
TrendMicro-HouseCall - 9.200.0.1012 - 2011.07.04 - -
VBA32 - 3.12.16.4 - 2011.07.01 - -
VIPRE - 9763 - 2011.07.04 - -
ViRobot - 2011.7.2.4546 - 2011.07.03 - -
VirusBuster - 14.0.107.2 - 2011.07.03 - -
File info:
MD5: 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1: 49083ae3725a0488e0a8fbbe1335c745f70c4667
SHA256: 2910ebc692d833d949bfd56059e8106d324a276d5f165f874f3fb1b6c613cdd5
File size: 14336 bytes
Scan date: 2011-07-03 22:15:24 (UTC)
July 3rd, 2011, 06:29 PM
Broni

Create new Windows profile with admin rights as described here: http://support.microsoft.com/kb/811151 and see, if you'll be getting same errors there.
July 3rd, 2011, 08:59 PM
davidgsmith

Well no error msgs because t5ql.dll has copied itself back into the C:\windows\system32 folder....

It's been a long day Broni,
I appreciate all your help.
More and more I think it's in the mbr.

Dave

Show 40 post(s) from this thread on one page