
Keep seeing pop-ups, system hangs


  • This topic is locked
15 replies to this topic

#1 fxp000

fxp000

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 06 March 2011 - 08:29 PM

Annoying pop-ups, redirections, machine won't fire up consistently, hangs while working

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Tazz1 at 12:08:26.99 on Mon 07/03/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.2814.1467 [GMT 11:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Tazz1\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\users\tazz1\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: localhost
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\tazz1\appdata\roaming\mozilla\firefox\profiles\z7prsgv7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tazz1.com.au/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll
FF - plugin: c:\users\tazz1\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\users\tazz1\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\tazz1\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-2-23 64512]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-5-5 172032]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-2-22 1405384]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-2-23 1153368]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2010-5-5 5550592]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2010-5-5 176128]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-2-22 15232]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-6-22 257568]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\drivers\stdriver32.sys [2010-10-11 52824]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-9-13 1343400]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-23 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
.
=============== Created Last 30 ================
.
2011-03-05 00:57:55 -------- d-----w- C:\Mp3 Output
2011-03-05 00:57:53 8676883 ----a-w- c:\windows\system32\mp3Media2.dll
2011-03-05 00:57:52 -------- d-----w- c:\program files\Smallvideosoft
2011-03-04 04:42:26 -------- d-----w- C:\VundoFix Backups
2011-03-04 00:47:23 -------- d-----w- c:\users\tazz1\appdata\roaming\ProgSense
2011-03-04 00:47:23 -------- d-----w- C:\Downloads
2011-03-01 02:44:56 388096 ----a-r- c:\users\tazz1\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-01 02:44:56 -------- d-----w- c:\program files\Trend Micro
2011-03-01 01:46:44 -------- d-----w- c:\program files\Microsoft
2011-02-23 22:41:29 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{29a71aab-be16-42f9-aa7f-a144ff5dd814}\mpengine.dll
2011-02-23 03:36:14 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-23 02:16:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-23 02:16:20 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-02-23 02:15:45 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-02-23 02:15:44 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-23 02:15:08 -------- d-----w- c:\users\tazz1\appdata\local\Sunbelt Software
2011-02-23 02:14:36 -------- dc-h--w- c:\progra~2\{05D7E05D-9BCE-4F9F-8206-9129E8EAAF25}
2011-02-23 02:14:32 -------- d-----w- c:\program files\Lavasoft
2011-02-22 03:20:23 -------- d-----w- c:\windows\rnapxs
2011-02-22 03:20:17 -------- d-----w- c:\program files\CA
2011-02-22 03:06:52 -------- d-----w- c:\progra~2\MFAData
2011-02-22 00:33:56 0 ----a-w- c:\users\tazz1\appdata\local\Tzined.bin
2011-02-22 00:33:55 -------- d-----w- c:\users\tazz1\appdata\local\{37C227EF-FB29-4F61-A191-9B20D5943239}
2011-02-21 01:57:39 -------- d-----w- c:\users\tazz1\appdata\roaming\Leawo
2011-02-21 01:57:34 -------- d-----w- c:\progra~2\Leawo
2011-02-21 01:51:21 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-02-21 01:51:11 -------- d-----w- c:\program files\Leawo
2011-02-21 01:00:06 -------- d-----w- c:\program files\Audacity
2011-02-14 00:49:34 99896 ----a-w- c:\windows\system32\bass.dll
2011-02-14 00:49:34 484352 ----a-w- c:\windows\system32\lame_enc.dll
2011-02-14 00:49:34 16448 ----a-w- c:\windows\system32\basswma.dll
2011-02-14 00:49:34 15872 ----a-w- c:\windows\system32\ogg.dll
2011-02-14 00:49:34 1198592 ----a-w- c:\windows\system32\vorbis.dll
2011-02-14 00:46:45 -------- d-----w- c:\program files\StationPlaylist
2011-02-06 23:04:44 -------- d-----w- c:\program files\SopCast
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: ST31000528AS rev.CC38 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86467439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8646d7b8]; MOV EAX, [0x8646d834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82C45458] -> \Device\Harddisk0\DR0[0x86446600]
3 CLASSPNP[0x8AB8C59E] -> ntkrnlpa!IofCallDriver[0x82C45458] -> [0x85F2A918]
5 ACPI[0x8340A3B2] -> ntkrnlpa!IofCallDriver[0x82C45458] -> \IdeDeviceP0T0L0-0[0x85603908]
\Driver\atapi[0x86453B20] -> IRP_MJ_CREATE -> 0x86467439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST31000528AS____________________________CC38____#5&15602d3e&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 1953525166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 12:09:20.26 ===============
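The ROOTKIT section of the DDS log above is where the infection shows: the detector reads the MBR once from user mode and once from kernel mode, and the two copies disagree, which is what a bootkit filtering disk I/O looks like. As an added example that is not part of this thread, of DDS or of GMER, here is a small Python triage script that pulls those indicators out of a pasted log; the sample input is constructed from the lines above, and the clean counter-example is constructed as well.

```python
import re

# Constructed sample input: the ROOTKIT section of the DDS log posted above, trimmed
# to the lines that carry evidence. A lone '.' is DDS's marker for a blank line.
INFECTED_LOG = """\
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x86467439]<<
\\Driver\\atapi[0x86453B20] -> IRP_MJ_CREATE -> 0x86467439
kernel: MBR read successfully
detected hooks:
user != kernel MBR !!!
sectors 1953525166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 12:09:20.26 ===============
"""

# Constructed counter-example for a clean disk, modelled on the detector's output
# when the user-mode and kernel-mode reads of sector 0 agree.
CLEAN_LOG = """\
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
.
============= FINISH: 12:10:01.00 ===============
"""

# One pattern per piece of evidence a helper would otherwise pick out by eye.
PATTERNS = {
    "mbr_mismatch":   re.compile(r"user != kernel MBR"),
    "unknown_code":   re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<"),
    "irp_hook":       re.compile(r"\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)"),
    "hidden_sectors": re.compile(r"sectors (\d+) \(\+(\d+)\): user != kernel"),
    "family":         re.compile(r"possible (\w+) rootkit infection"),
}

def rootkit_section(log_text):
    """Lines between the ROOTKIT header and the FINISH line, without the '.' fillers."""
    lines, inside = [], False
    for line in log_text.splitlines():
        if re.match(r"=+\s*ROOTKIT\s*=+", line):
            inside = True
        elif inside and re.match(r"=+\s*FINISH", line):
            break
        elif inside and line.strip() != ".":
            lines.append(line)
    return lines

def triage(log_text):
    """Reduce the detector's self-check to fields a responder can act on."""
    report = {
        "mbr_mismatch": False,   # user-mode and kernel-mode reads of sector 0 disagree
        "unknown_code": None,    # address in the disk I/O path that belongs to no loaded module
        "hooked_driver": None,   # (driver, IRP major function, address it was redirected to)
        "hidden_sectors": None,  # (first sector, count) where user and kernel reads differ
        "family": None,          # rootkit family the detector named, if any
        "evidence": [],          # the raw lines each finding came from
    }
    for line in rootkit_section(log_text):
        for key, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            report["evidence"].append(line.strip())
            if key == "mbr_mismatch":
                report["mbr_mismatch"] = True
            elif key == "unknown_code":
                report["unknown_code"] = m.group(1)
            elif key == "irp_hook":
                report["hooked_driver"] = (m.group(1), m.group(2), m.group(3))
            elif key == "hidden_sectors":
                report["hidden_sectors"] = (int(m.group(1)), int(m.group(2)))
            elif key == "family":
                report["family"] = m.group(1)
    return report

def severity(report):
    """'bootkit' when the two MBR reads disagree, 'suspicious' for hooks alone, else 'clean'."""
    if report["mbr_mismatch"]:
        return "bootkit"
    if report["unknown_code"] or report["hooked_driver"]:
        return "suspicious"
    return "clean"

if __name__ == "__main__":
    for name, log in (("posted log", INFECTED_LOG), ("clean sample", CLEAN_LOG)):
        report = triage(log)
        print(f"{name}: {severity(report)}")
        for line in report["evidence"]:
            print("   ", line)
```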


#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 8,389 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:30 AM

Posted 06 March 2011 - 09:34 PM

Hi, :)

:welcome:

You may be infected with a backdoor trojan. I would suggest you backup your important documents before proceeding.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

No request for help throughout private messaging will be attended.


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fxp000

fxp000
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 06 March 2011 - 09:43 PM

Thanks for your help, JSntgRvr! Appreciate it. Attached contents of the file once the reboot took place...



2011/03/07 13:36:22.0347 5696 TDSS rootkit removing tool 2.4.20.0 Mar 2 2011 10:44:30
2011/03/07 13:36:23.0782 5696 ================================================================================
2011/03/07 13:36:23.0782 5696 SystemInfo:
2011/03/07 13:36:23.0782 5696
2011/03/07 13:36:23.0782 5696 OS Version: 6.1.7600 ServicePack: 0.0
2011/03/07 13:36:23.0782 5696 Product type: Workstation
2011/03/07 13:36:23.0782 5696 ComputerName: TAZZ1-PC
2011/03/07 13:36:23.0782 5696 UserName: Tazz1
2011/03/07 13:36:23.0782 5696 Windows directory: C:\Windows
2011/03/07 13:36:23.0782 5696 System windows directory: C:\Windows
2011/03/07 13:36:23.0782 5696 Processor architecture: Intel x86
2011/03/07 13:36:23.0782 5696 Number of processors: 6
2011/03/07 13:36:23.0782 5696 Page size: 0x1000
2011/03/07 13:36:23.0782 5696 Boot type: Normal boot
2011/03/07 13:36:23.0782 5696 ================================================================================
2011/03/07 13:36:24.0059 5696 Initialize success
2011/03/07 13:36:33.0048 3452 ================================================================================
2011/03/07 13:36:33.0049 3452 Scan started
2011/03/07 13:36:33.0049 3452 Mode: Manual;
2011/03/07 13:36:33.0049 3452 ================================================================================
2011/03/07 13:36:33.0861 3452 1394ohci (6d2aca41739bfe8cb86ee8e85f29697d) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/03/07 13:36:33.0886 3452 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
2011/03/07 13:36:33.0919 3452 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
2011/03/07 13:36:33.0952 3452 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/03/07 13:36:33.0968 3452 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2011/03/07 13:36:33.0985 3452 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2011/03/07 13:36:34.0020 3452 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
2011/03/07 13:36:34.0037 3452 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
2011/03/07 13:36:34.0067 3452 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2011/03/07 13:36:34.0100 3452 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
2011/03/07 13:36:34.0124 3452 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
2011/03/07 13:36:34.0135 3452 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
2011/03/07 13:36:34.0159 3452 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2011/03/07 13:36:34.0253 3452 amdkmdag (19529728442d4794b96d1b8a9a63eca1) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/03/07 13:36:34.0354 3452 amdkmdap (b44737ff566b5888d15fdb66849f34e5) C:\Windows\system32\DRIVERS\atikmpag.sys
2011/03/07 13:36:34.0370 3452 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2011/03/07 13:36:34.0381 3452 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
2011/03/07 13:36:34.0398 3452 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/03/07 13:36:34.0409 3452 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
2011/03/07 13:36:34.0441 3452 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
2011/03/07 13:36:34.0461 3452 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2011/03/07 13:36:34.0473 3452 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2011/03/07 13:36:34.0512 3452 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/03/07 13:36:34.0543 3452 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
2011/03/07 13:36:34.0569 3452 AtiHdmiService (c822c615b2f693ef4e5b355432976a81) C:\Windows\system32\drivers\AtiHdmi.sys
2011/03/07 13:36:34.0599 3452 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2011/03/07 13:36:34.0615 3452 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/03/07 13:36:34.0632 3452 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2011/03/07 13:36:34.0656 3452 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/03/07 13:36:34.0686 3452 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
2011/03/07 13:36:34.0709 3452 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/03/07 13:36:34.0729 3452 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/03/07 13:36:34.0745 3452 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2011/03/07 13:36:34.0757 3452 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/03/07 13:36:34.0776 3452 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/03/07 13:36:34.0791 3452 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/03/07 13:36:34.0805 3452 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/03/07 13:36:34.0832 3452 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2011/03/07 13:36:34.0851 3452 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
2011/03/07 13:36:34.0868 3452 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2011/03/07 13:36:34.0898 3452 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2011/03/07 13:36:34.0921 3452 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/03/07 13:36:34.0931 3452 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
2011/03/07 13:36:34.0959 3452 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2011/03/07 13:36:34.0976 3452 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2011/03/07 13:36:35.0006 3452 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
2011/03/07 13:36:35.0084 3452 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/03/07 13:36:35.0121 3452 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
2011/03/07 13:36:35.0139 3452 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2011/03/07 13:36:35.0157 3452 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2011/03/07 13:36:35.0192 3452 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2011/03/07 13:36:35.0226 3452 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
2011/03/07 13:36:35.0294 3452 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2011/03/07 13:36:35.0370 3452 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2011/03/07 13:36:35.0390 3452 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
2011/03/07 13:36:35.0420 3452 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2011/03/07 13:36:35.0443 3452 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2011/03/07 13:36:35.0466 3452 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2011/03/07 13:36:35.0488 3452 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2011/03/07 13:36:35.0510 3452 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2011/03/07 13:36:35.0524 3452 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/03/07 13:36:35.0543 3452 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2011/03/07 13:36:35.0561 3452 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2011/03/07 13:36:35.0580 3452 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2011/03/07 13:36:35.0613 3452 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
2011/03/07 13:36:35.0625 3452 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/03/07 13:36:35.0666 3452 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/03/07 13:36:35.0688 3452 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2011/03/07 13:36:35.0738 3452 HdAudAddService (3530cad25deba7dc7de8bb51632cbc5f) C:\Windows\system32\drivers\HdAudio.sys
2011/03/07 13:36:35.0843 3452 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/03/07 13:36:35.0861 3452 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/03/07 13:36:35.0872 3452 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2011/03/07 13:36:35.0902 3452 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2011/03/07 13:36:35.0922 3452 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
2011/03/07 13:36:35.0950 3452 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
2011/03/07 13:36:35.0970 3452 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
2011/03/07 13:36:35.0986 3452 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
2011/03/07 13:36:35.0997 3452 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/03/07 13:36:36.0012 3452 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
2011/03/07 13:36:36.0028 3452 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2011/03/07 13:36:36.0141 3452 IntcAzAudAddService (98b5841cce188b565e0cc460b8fd935f) C:\Windows\system32\drivers\RTKVHDA.sys
2011/03/07 13:36:36.0197 3452 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
2011/03/07 13:36:36.0213 3452 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2011/03/07 13:36:36.0227 3452 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/03/07 13:36:36.0246 3452 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2011/03/07 13:36:36.0257 3452 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2011/03/07 13:36:36.0275 3452 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2011/03/07 13:36:36.0286 3452 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
2011/03/07 13:36:36.0303 3452 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/03/07 13:36:36.0324 3452 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/03/07 13:36:36.0340 3452 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/03/07 13:36:36.0362 3452 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
2011/03/07 13:36:36.0394 3452 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
2011/03/07 13:36:36.0484 3452 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/03/07 13:36:36.0518 3452 Lbd (336abe8721cbc3110f1c6426da633417) C:\Windows\system32\DRIVERS\Lbd.sys
2011/03/07 13:36:36.0535 3452 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/03/07 13:36:36.0558 3452 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/03/07 13:36:36.0577 3452 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/03/07 13:36:36.0590 3452 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/03/07 13:36:36.0603 3452 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/03/07 13:36:36.0620 3452 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2011/03/07 13:36:36.0642 3452 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2011/03/07 13:36:36.0665 3452 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/03/07 13:36:36.0680 3452 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2011/03/07 13:36:36.0707 3452 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2011/03/07 13:36:36.0727 3452 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
2011/03/07 13:36:36.0744 3452 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2011/03/07 13:36:36.0766 3452 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
2011/03/07 13:36:36.0783 3452 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
2011/03/07 13:36:36.0801 3452 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2011/03/07 13:36:36.0817 3452 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
2011/03/07 13:36:36.0843 3452 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/03/07 13:36:36.0860 3452 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/03/07 13:36:36.0876 3452 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/03/07 13:36:36.0887 3452 msahci (4326d168944123f38dd3b2d9c37a0b12) C:\Windows\system32\DRIVERS\msahci.sys
2011/03/07 13:36:36.0909 3452 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
2011/03/07 13:36:36.0937 3452 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2011/03/07 13:36:36.0951 3452 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2011/03/07 13:36:36.0969 3452 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
2011/03/07 13:36:36.0996 3452 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2011/03/07 13:36:37.0014 3452 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/03/07 13:36:37.0028 3452 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2011/03/07 13:36:37.0039 3452 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2011/03/07 13:36:37.0062 3452 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/03/07 13:36:37.0094 3452 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2011/03/07 13:36:39.0848 3452 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/07 13:36:39.0851 3452 ================================================================================
2011/03/07 13:36:39.0851 3452 Scan finished
2011/03/07 13:36:39.0851 3452 ================================================================================
2011/03/07 13:36:39.0858 5620 Detected object count: 1
2011/03/07 13:36:53.0465 5620 \HardDisk1 - will be cured after reboot
2011/03/07 13:36:53.0485 5620 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/03/07 13:37:37.0107 3912 Deinitialize success

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 8,389 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:30 AM

Posted 07 March 2011 - 12:56 AM

Let's perform some scans:

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

---------------------------------------------------

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat: http://www.appremover.com/supported-applications. Do not use AppRemover on Norton.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to reconnect your machine to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 fxp000

fxp000
  • Topic Starter

  • Members
  • 8 posts
  • Local time:03:30 AM

Posted 07 March 2011 - 05:47 PM

Ran all the scans; it seems to be getting back to normal again. It found a couple of things and then removed them. Thanks again,


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5983

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/03/2011 9:28:38 AM
mbam-log-2011-03-08 (09-28-38).txt

Scan type: Quick scan
Objects scanned: 163499
Time elapsed: 2 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\comsats.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 8,389 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:30 AM

Posted 07 March 2011 - 06:40 PM

How about Combofix?



#7 fxp000

fxp000
  • Topic Starter

  • Members
  • 8 posts
  • Local time:03:30 AM

Posted 07 March 2011 - 06:42 PM

Sorry, my fault. Attached:

ComboFix 11-03-07.02 - Tazz1 08/03/2011 9:36.1.6 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.2814.1716 [GMT 11:00]
Running from: c:\users\Tazz1\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Tazz1\AppData\Local\{37C227EF-FB29-4F61-A191-9B20D5943239}
c:\users\Tazz1\AppData\Local\{37C227EF-FB29-4F61-A191-9B20D5943239}\chrome\content\overlay.xul
c:\users\Tazz1\AppData\Local\{37C227EF-FB29-4F61-A191-9B20D5943239}\install.rdf
c:\windows\system32\LogFiles\AIT\AitEventLog.etl.001
c:\windows\system32\LogFiles\AIT\AitEventLog.etl.002
c:\windows\system32\LogFiles\AIT\AitEventLog.etl.003
c:\windows\system32\LogFiles\AIT\AitEventLog.etl.004
c:\windows\system32\LogFiles\AIT\AitEventLog.etl.005
c:\windows\system32\LogFiles\HTTPERR\httperr1.log
c:\windows\system32\LogFiles\Scm\SCM.EVM
c:\windows\system32\LogFiles\Scm\SCM.EVM.1
c:\windows\system32\LogFiles\Scm\SCM.EVM.2
c:\windows\system32\LogFiles\Scm\SCM.EVM.3
c:\windows\system32\LogFiles\Scm\SCM.EVM.4
c:\windows\system32\LogFiles\Scm\SCM.EVM.5
c:\windows\system32\LogFiles\Srt\bcdinfo.txt
c:\windows\system32\LogFiles\Srt\bootfailure.txt
c:\windows\system32\LogFiles\Srt\bootstat.dat
c:\windows\system32\LogFiles\Srt\disklayout.txt
c:\windows\system32\LogFiles\Srt\SrtTrail.txt
c:\windows\system32\LogFiles\WMI\Terminal-Services-Core.etl
c:\windows\system32\LogFiles\WMI\Terminal-Services-IP-Virtualization.etl
c:\windows\system32\LogFiles\WMI\Terminal-Services-RPC-Client.etl
c:\windows\system32\LogFiles\WMI\Terminal-Services-Unified-APIs.etl
c:\windows\system32\LogFiles\WUDF\WUDFTrace.etl
.
.
((((((((((((((((((((((((( Files Created from 2011-02-07 to 2011-03-07 )))))))))))))))))))))))))))))))
.
.
2011-03-07 22:39 . 2011-03-07 22:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-07 22:39 . 2011-03-07 22:39 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2011-03-07 22:24 . 2011-03-07 22:24 -------- d-----w- c:\users\Tazz1\AppData\Roaming\Malwarebytes
2011-03-07 22:24 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-07 22:24 . 2011-03-07 22:24 -------- d-----w- c:\programdata\Malwarebytes
2011-03-07 22:24 . 2011-03-07 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-07 22:24 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-07 16:00 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-03-07 03:51 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-07 03:49 . 2011-02-22 22:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{833074C9-0F0B-43CE-AE6D-6F0BE9C9DBDB}\mpengine.dll
2011-03-07 03:49 . 2011-02-03 05:45 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-03-07 03:49 . 2010-11-02 04:46 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-03-07 03:49 . 2010-11-02 04:23 107520 ----a-w- c:\windows\system32\cdd.dll
2011-03-05 00:57 . 2011-03-05 00:57 -------- d-----w- C:\Mp3 Output
2011-03-05 00:57 . 2009-06-08 04:33 8676883 ----a-w- c:\windows\system32\mp3Media2.dll
2011-03-05 00:57 . 2011-03-05 00:57 -------- d-----w- c:\program files\Smallvideosoft
2011-03-04 04:42 . 2011-03-04 04:42 -------- d-----w- C:\VundoFix Backups
2011-03-04 00:47 . 2011-03-04 00:56 -------- d-----w- C:\Downloads
2011-03-04 00:47 . 2011-03-04 00:47 -------- d-----w- c:\users\Tazz1\AppData\Roaming\ProgSense
2011-03-04 00:47 . 2011-03-04 01:08 -------- d-----w- c:\users\Tazz1\AppData\Roaming\Orbit
2011-03-02 00:20 . 2011-03-02 00:20 -------- d-----w- c:\windows\Sun
2011-03-01 02:44 . 2011-03-01 02:44 388096 ----a-r- c:\users\Tazz1\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-01 02:44 . 2011-03-01 02:44 -------- d-----w- c:\program files\Trend Micro
2011-03-01 01:46 . 2011-03-01 01:46 -------- d-----w- c:\program files\Microsoft
2011-02-23 03:36 . 2011-02-22 01:00 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-02-23 02:16 . 2011-02-25 04:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-23 02:16 . 2011-02-23 02:18 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-02-23 02:15 . 2011-02-22 01:00 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-02-23 02:15 . 2011-02-23 02:15 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-23 02:15 . 2011-02-23 02:15 -------- d-----w- c:\users\Tazz1\AppData\Local\Sunbelt Software
2011-02-23 02:14 . 2011-02-23 02:14 -------- dc-h--w- c:\programdata\{05D7E05D-9BCE-4F9F-8206-9129E8EAAF25}
2011-02-23 02:14 . 2011-02-23 02:14 -------- d-----w- c:\programdata\Lavasoft
2011-02-23 02:14 . 2011-02-23 02:14 -------- d-----w- c:\program files\Lavasoft
2011-02-22 03:20 . 2011-02-22 04:19 -------- d-----w- c:\windows\rnapxs
2011-02-22 03:20 . 2011-02-22 04:26 -------- d-----w- c:\program files\CA
2011-02-22 03:06 . 2011-02-22 03:06 -------- d-----w- c:\programdata\MFAData
2011-02-22 00:33 . 2011-02-22 00:33 0 ----a-w- c:\users\Tazz1\AppData\Local\Tzined.bin
2011-02-21 01:57 . 2011-02-21 01:57 -------- d-----w- c:\users\Tazz1\AppData\Roaming\Leawo
2011-02-21 01:57 . 2011-02-21 01:57 -------- d-----w- c:\programdata\Leawo
2011-02-21 01:51 . 2011-02-22 23:38 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-02-21 01:51 . 2011-02-21 01:51 -------- d-----w- c:\program files\Leawo
2011-02-21 01:00 . 2011-02-22 23:38 -------- d-----w- c:\program files\Audacity
2011-02-14 00:49 . 2010-06-17 02:31 99896 ----a-w- c:\windows\system32\bass.dll
2011-02-14 00:49 . 2009-10-30 04:59 16448 ----a-w- c:\windows\system32\basswma.dll
2011-02-14 00:49 . 2009-03-03 13:02 1198592 ----a-w- c:\windows\system32\vorbis.dll
2011-02-14 00:49 . 2008-12-15 10:54 15872 ----a-w- c:\windows\system32\ogg.dll
2011-02-14 00:49 . 2008-09-24 10:33 484352 ----a-w- c:\windows\system32\lame_enc.dll
2011-02-14 00:46 . 2011-02-22 23:38 -------- d-----w- c:\program files\StationPlaylist
2011-02-06 23:04 . 2011-02-06 23:04 -------- d-----w- c:\program files\SopCast
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-01 02:01 . 2010-10-07 04:27 560320 ----a-w- c:\programdata\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-03-01 01:36 . 2010-10-17 22:13 205984 ----a-w- c:\programdata\Microsoft\VBExpress\10.0\1033\ResourceCache.dll
2011-02-02 06:11 . 2010-09-07 22:55 222080 ------w- c:\windows\system32\MpSigStub.exe
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\iTunes\iTunesHelper .exe
c:\program files\QuickTime\QTTask .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [N/A]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-22 8120864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [N/A]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [N/A]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\users\Tazz1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-03-01 1405384]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-10 1343400]
R4 cpuz130;cpuz130;c:\users\ADMINI~1\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-29 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-29 366936]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-02-22 64512]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-05 172032]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-05 5550592]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-05 176128]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-01-12 257568]
S3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\DRIVERS\stdriver32.sys [2010-10-11 52824]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-07 c:\windows\Tasks\Ad-Aware Scan (s).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-02-22 13:06]
.
2011-03-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-02-22 13:06]
.
2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1006198809-1406768349-2668989619-1000Core.job
- c:\users\Tazz1\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-17 01:05]
.
2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1006198809-1406768349-2668989619-1000UA.job
- c:\users\Tazz1\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-17 01:05]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: localhost
FF - ProfilePath - c:\users\Tazz1\AppData\Roaming\Mozilla\Firefox\Profiles\z7prsgv7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tazz1.com.au/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-03-08 09:40:44
ComboFix-quarantined-files.txt 2011-03-07 22:40
.
Pre-Run: 948,844,072,960 bytes free
Post-Run: 949,065,269,248 bytes free
.
- - End Of File - - 47862BA678657601F3ECB56B335E6A77

#8 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 8,389 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 March 2011 - 07:00 PM

Download the enclosed file and save it next to ComboFix.



Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Edited by JSntgRvr, 07 March 2011 - 07:00 PM.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 fxp000

  • Topic Starter
  • Members
  • 8 posts

Posted 07 March 2011 - 07:16 PM

ComboFix 11-03-07.02 - Tazz1 08/03/2011 11:05:25.2.6 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.2814.1399 [GMT 11:00]
Running from: c:\users\Tazz1\Desktop\ComboFix.exe
Command switches used :: c:\users\Tazz1\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Code.z19mful_.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_global.asax.8l8ed_m4.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_GlobalResources.drq7mxre.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Theme_humanity.4b30ch0d.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_1vkmv7cy.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_5hrkygyw.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_5v-gztzz.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_5xu5ny9l.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_75anixkm.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_7o4mu5ld.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_8or_scfq.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_bknxpqyn.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_cad5c2rr.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_cd-dlpwj.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_ck38smo8.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_cofoxg33.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_d2uxem2p.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_d9z3dkq7.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_dfb7mer_.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_ebprfh7j.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_ecwktusl.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_efqjmpod.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_eknxk7em.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_gck6uamn.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_hh1eouyv.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_hp2h_45r.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_ij_pbjqb.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_jg1joryd.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_jpjvdnei.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_kcyceszf.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_kebzzxxb.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_list_stat.ascx.b7661b20.17pejpzj.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_list_stat.ascx.b7661b20.munxja_s.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_mysbul_q.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_owpjs4nv.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_pagination.ascx.b7661b20.1memglz0.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_pagination.ascx.b7661b20.sjcznz52.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_pobi7uez.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_qbghltkn.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_qtehiv9g.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_rgiujhwk.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_rnxh_ree.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_tha0ubxt.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_ufzk-t0m.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_vrhleods.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_vuxpxifv.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_vz1if8lj.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_w7v2h1oc.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_wfgrm_wg.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_yz-rdzzn.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_zmb-bcmk.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\App_Web_zunsgjpc.dll
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\0faaff65\f0800649_a47ccb01\AjaxControlToolkit.DLL
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\1ca77690\1b42e42b_7192cb01\RJS.Web.WebControl.PopCalendar.Net.2008.DLL
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\1da3ae4e\230a0d33_9795cb01\Web2Controls.DLL
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\279a4f86\6b679582_d37bcb01\FredCK.FCKeditorV2.DLL
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\29627a5f\5636b682_d37bcb01\MySql.Data.DLL
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\2a9e7355\86f0b182_d37bcb01\MediaHandlerPro.DLL
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\54b0b724\602c84a7_c095cb01\PaypalIntegration.DLL
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\9d488e24\6fd0cf7f_1591cb01\SpiceLogicPayPalStd.DLL
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\dc03ea48\5fa7b882_d37bcb01\UrlRewritingNet.UrlRewriter.DLL
c:\users\Tazz1\AppData\Local\Temp\Temporary ASP.NET Files\eezyaz_video\7ea95930\5b5e2e69\assembly\dl3\ffa5ed26\ec125384_f4d9cb01\com.flajaxian.FileUploader.DLL
c:\windows\system32\LogFiles\HTTPERR\httperr1.log
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
c:\windows\system32\LogFiles . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-08 00:08 . 2011-03-08 00:10 -------- d-----w- c:\users\Tazz1\AppData\Local\temp
2011-03-08 00:08 . 2011-03-08 00:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-08 00:08 . 2011-03-08 00:08 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2011-03-07 23:46 . 2011-03-07 23:51 -------- d-----w- c:\users\Tazz1\AppData\Local\Temporary Projects
2011-03-07 22:24 . 2011-03-07 22:24 -------- d-----w- c:\users\Tazz1\AppData\Roaming\Malwarebytes
2011-03-07 22:24 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-07 22:24 . 2011-03-07 22:24 -------- d-----w- c:\programdata\Malwarebytes
2011-03-07 22:24 . 2011-03-07 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-07 22:24 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-07 16:00 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-03-07 03:51 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-07 03:49 . 2011-02-22 22:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{833074C9-0F0B-43CE-AE6D-6F0BE9C9DBDB}\mpengine.dll
2011-03-07 03:49 . 2011-02-03 05:45 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-03-07 03:49 . 2010-11-02 04:46 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-03-07 03:49 . 2010-11-02 04:23 107520 ----a-w- c:\windows\system32\cdd.dll
2011-03-05 00:57 . 2011-03-05 00:57 -------- d-----w- C:\Mp3 Output
2011-03-05 00:57 . 2009-06-08 04:33 8676883 ----a-w- c:\windows\system32\mp3Media2.dll
2011-03-05 00:57 . 2011-03-05 00:57 -------- d-----w- c:\program files\Smallvideosoft
2011-03-04 04:42 . 2011-03-04 04:42 -------- d-----w- C:\VundoFix Backups
2011-03-04 00:47 . 2011-03-04 00:56 -------- d-----w- C:\Downloads
2011-03-04 00:47 . 2011-03-04 00:47 -------- d-----w- c:\users\Tazz1\AppData\Roaming\ProgSense
2011-03-04 00:47 . 2011-03-04 01:08 -------- d-----w- c:\users\Tazz1\AppData\Roaming\Orbit
2011-03-02 00:20 . 2011-03-02 00:20 -------- d-----w- c:\windows\Sun
2011-03-01 02:44 . 2011-03-01 02:44 388096 ----a-r- c:\users\Tazz1\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-01 02:44 . 2011-03-01 02:44 -------- d-----w- c:\program files\Trend Micro
2011-03-01 01:46 . 2011-03-01 01:46 -------- d-----w- c:\program files\Microsoft
2011-02-23 02:16 . 2011-03-07 23:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-23 02:16 . 2011-03-07 23:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-02-23 02:15 . 2011-02-23 02:15 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-23 02:15 . 2011-02-23 02:15 -------- d-----w- c:\users\Tazz1\AppData\Local\Sunbelt Software
2011-02-23 02:14 . 2011-03-07 23:04 -------- d-----w- c:\programdata\Lavasoft
2011-02-22 03:20 . 2011-02-22 04:19 -------- d-----w- c:\windows\rnapxs
2011-02-22 03:20 . 2011-02-22 04:26 -------- d-----w- c:\program files\CA
2011-02-22 03:06 . 2011-02-22 03:06 -------- d-----w- c:\programdata\MFAData
2011-02-22 00:33 . 2011-02-22 00:33 0 ----a-w- c:\users\Tazz1\AppData\Local\Tzined.bin
2011-02-21 01:57 . 2011-02-21 01:57 -------- d-----w- c:\users\Tazz1\AppData\Roaming\Leawo
2011-02-21 01:57 . 2011-02-21 01:57 -------- d-----w- c:\programdata\Leawo
2011-02-21 01:51 . 2011-02-22 23:38 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-02-21 01:51 . 2011-02-21 01:51 -------- d-----w- c:\program files\Leawo
2011-02-21 01:00 . 2011-02-22 23:38 -------- d-----w- c:\program files\Audacity
2011-02-14 00:49 . 2010-06-17 02:31 99896 ----a-w- c:\windows\system32\bass.dll
2011-02-14 00:49 . 2009-10-30 04:59 16448 ----a-w- c:\windows\system32\basswma.dll
2011-02-14 00:49 . 2009-03-03 13:02 1198592 ----a-w- c:\windows\system32\vorbis.dll
2011-02-14 00:49 . 2008-12-15 10:54 15872 ----a-w- c:\windows\system32\ogg.dll
2011-02-14 00:49 . 2008-09-24 10:33 484352 ----a-w- c:\windows\system32\lame_enc.dll
2011-02-14 00:46 . 2011-02-22 23:38 -------- d-----w- c:\program files\StationPlaylist
2011-02-06 23:04 . 2011-02-06 23:04 -------- d-----w- c:\program files\SopCast
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-01 02:01 . 2010-10-07 04:27 560320 ----a-w- c:\programdata\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-03-01 01:36 . 2010-10-17 22:13 205984 ----a-w- c:\programdata\Microsoft\VBExpress\10.0\1033\ResourceCache.dll
2011-02-02 06:11 . 2010-09-07 22:55 222080 ------w- c:\windows\system32\MpSigStub.exe
.
<pre>
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
</pre>
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-04 102400]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-22 8120864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\users\Tazz1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\DRIVERS\stdriver32.sys [2010-10-11 52824]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-10 1343400]
R4 cpuz130;cpuz130;c:\users\ADMINI~1\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-29 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-29 366936]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-05 172032]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-05 5550592]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-05 176128]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-01-12 257568]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1006198809-1406768349-2668989619-1000Core.job
- c:\users\Tazz1\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-17 01:05]
.
2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1006198809-1406768349-2668989619-1000UA.job
- c:\users\Tazz1\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-17 01:05]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: localhost
FF - ProfilePath - c:\users\Tazz1\AppData\Roaming\Mozilla\Firefox\Profiles\z7prsgv7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tazz1.com.au/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2011-03-08 11:12:28 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-08 00:12
ComboFix2.txt 2011-03-07 22:40
.
Pre-Run: 948,787,159,040 bytes free
Post-Run: 948,534,677,504 bytes free
.
- - End Of File - - 31B662FE89C01AF9EE441E2DF315FEBF

#10 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 8,389 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 07 March 2011 - 09:48 PM

One Adobe application's file remains infected. I will remove this file with the following script. Should you experience a problem with an Adobe application, remove and reinstall the program.

Remove the previous CFScript.txt file. Download the enclosed file and save it next to ComboFix.



Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Let's empty the temp folders:

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Let's check for remnants:

Perform an ESET online scan and post its report.

You don't seem to have an antivirus program active. I would recommend AVAST.

Edited by JSntgRvr, 07 March 2011 - 09:49 PM.



#11 fxp000

  • Topic Starter
  • Members
  • 8 posts

Posted 07 March 2011 - 11:07 PM

ComboFix Log

ComboFix 11-03-07.02 - Tazz1 08/03/2011 14:08:35.3.6 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.2814.1713 [GMT 11:00]
Running from: c:\users\Tazz1\Desktop\ComboFix.exe
Command switches used :: c:\users\Tazz1\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\windows\system32\LogFiles
c:\windows\system32\LogFiles\HTTPERR\httperr1.log
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession7.etl
c:\windows\system32\LogFiles\WMI\RtBackup\EtwRTUBPM.etl
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-08 03:11 . 2011-03-08 03:12 -------- d-----w- c:\users\Tazz1\AppData\Local\temp
2011-03-08 03:11 . 2011-03-08 03:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-08 03:11 . 2011-03-08 03:11 -------- d-----w- c:\users\Classic .NET AppPool\AppData\Local\temp
2011-03-07 22:24 . 2011-03-07 22:24 -------- d-----w- c:\users\Tazz1\AppData\Roaming\Malwarebytes
2011-03-07 22:24 . 2010-12-20 07:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-07 22:24 . 2011-03-07 22:24 -------- d-----w- c:\programdata\Malwarebytes
2011-03-07 22:24 . 2011-03-07 22:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-07 22:24 . 2010-12-20 07:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-07 16:00 . 2010-09-14 06:07 276992 ----a-w- c:\windows\system32\wcncsvc.dll
2011-03-07 03:51 . 2011-01-07 07:31 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-07 03:49 . 2011-02-22 22:35 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{833074C9-0F0B-43CE-AE6D-6F0BE9C9DBDB}\mpengine.dll
2011-03-07 03:49 . 2011-02-03 05:45 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-03-07 03:49 . 2010-11-02 04:46 728448 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-03-07 03:49 . 2010-11-02 04:23 107520 ----a-w- c:\windows\system32\cdd.dll
2011-03-05 00:57 . 2011-03-05 00:57 -------- d-----w- C:\Mp3 Output
2011-03-05 00:57 . 2009-06-08 04:33 8676883 ----a-w- c:\windows\system32\mp3Media2.dll
2011-03-05 00:57 . 2011-03-05 00:57 -------- d-----w- c:\program files\Smallvideosoft
2011-03-04 04:42 . 2011-03-04 04:42 -------- d-----w- C:\VundoFix Backups
2011-03-04 00:47 . 2011-03-04 00:56 -------- d-----w- C:\Downloads
2011-03-04 00:47 . 2011-03-04 00:47 -------- d-----w- c:\users\Tazz1\AppData\Roaming\ProgSense
2011-03-04 00:47 . 2011-03-04 01:08 -------- d-----w- c:\users\Tazz1\AppData\Roaming\Orbit
2011-03-02 00:20 . 2011-03-02 00:20 -------- d-----w- c:\windows\Sun
2011-03-01 02:44 . 2011-03-01 02:44 388096 ----a-r- c:\users\Tazz1\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-03-01 02:44 . 2011-03-01 02:44 -------- d-----w- c:\program files\Trend Micro
2011-03-01 01:46 . 2011-03-01 01:46 -------- d-----w- c:\program files\Microsoft
2011-02-23 02:16 . 2011-03-07 23:05 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-02-23 02:16 . 2011-03-07 23:03 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-02-23 02:15 . 2011-02-23 02:15 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-02-23 02:15 . 2011-02-23 02:15 -------- d-----w- c:\users\Tazz1\AppData\Local\Sunbelt Software
2011-02-23 02:14 . 2011-03-07 23:04 -------- d-----w- c:\programdata\Lavasoft
2011-02-22 03:20 . 2011-02-22 04:19 -------- d-----w- c:\windows\rnapxs
2011-02-22 03:20 . 2011-02-22 04:26 -------- d-----w- c:\program files\CA
2011-02-22 03:06 . 2011-02-22 03:06 -------- d-----w- c:\programdata\MFAData
2011-02-22 00:33 . 2011-02-22 00:33 0 ----a-w- c:\users\Tazz1\AppData\Local\Tzined.bin
2011-02-21 01:57 . 2011-02-21 01:57 -------- d-----w- c:\users\Tazz1\AppData\Roaming\Leawo
2011-02-21 01:57 . 2011-02-21 01:57 -------- d-----w- c:\programdata\Leawo
2011-02-21 01:51 . 2011-02-22 23:38 -------- d-----w- c:\program files\K-Lite Codec Pack
2011-02-21 01:51 . 2011-02-21 01:51 -------- d-----w- c:\program files\Leawo
2011-02-21 01:00 . 2011-02-22 23:38 -------- d-----w- c:\program files\Audacity
2011-02-14 00:49 . 2010-06-17 02:31 99896 ----a-w- c:\windows\system32\bass.dll
2011-02-14 00:49 . 2009-10-30 04:59 16448 ----a-w- c:\windows\system32\basswma.dll
2011-02-14 00:49 . 2009-03-03 13:02 1198592 ----a-w- c:\windows\system32\vorbis.dll
2011-02-14 00:49 . 2008-12-15 10:54 15872 ----a-w- c:\windows\system32\ogg.dll
2011-02-14 00:49 . 2008-09-24 10:33 484352 ----a-w- c:\windows\system32\lame_enc.dll
2011-02-14 00:46 . 2011-02-22 23:38 -------- d-----w- c:\program files\StationPlaylist
2011-02-06 23:04 . 2011-02-06 23:04 -------- d-----w- c:\program files\SopCast
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-01 02:01 . 2010-10-07 04:27 560320 ----a-w- c:\programdata\Microsoft\VWDExpress\10.0\1033\ResourceCache.dll
2011-03-01 01:36 . 2010-10-17 22:13 205984 ----a-w- c:\programdata\Microsoft\VBExpress\10.0\1033\ResourceCache.dll
2011-02-02 06:11 . 2010-09-07 22:55 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-04 102400]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-22 8120864]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
c:\users\Tazz1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\DRIVERS\stdriver32.sys [2010-10-11 52824]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-09-10 1343400]
R4 cpuz130;cpuz130;c:\users\ADMINI~1\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
R4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE [2009-07-23 47128]
R4 RsFx0103;RsFx0103 Driver;c:\windows\system32\DRIVERS\RsFx0103.sys [2009-03-29 239336]
R4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2009-03-29 366936]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-05 172032]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-05 5550592]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-05 176128]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-01-12 257568]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1006198809-1406768349-2668989619-1000Core.job
- c:\users\Tazz1\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-17 01:05]
.
2011-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1006198809-1406768349-2668989619-1000UA.job
- c:\users\Tazz1\AppData\Local\Google\Update\GoogleUpdate.exe [2010-09-17 01:05]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
Trusted Zone: localhost
FF - ProfilePath - c:\users\Tazz1\AppData\Roaming\Mozilla\Firefox\Profiles\z7prsgv7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.tazz1.com.au/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\conhost.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2011-03-08 14:15:05 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-08 03:15
ComboFix2.txt 2011-03-08 00:12
ComboFix3.txt 2011-03-07 22:40
.
Pre-Run: 948,492,873,728 bytes free
Post-Run: 948,532,723,712 bytes free
.
- - End Of File - - E8133A1E0B481860FE5CDBC5B94D84BE


I ran ESET online and it came back with nothing - no file created.
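Added example, not part of the thread or of ComboFix itself: a small Python parser for the two line shapes in the "Reg Loading Points" block above (Run-key entries and R#/S# service or driver entries) that flags entries a helper would look at first: a file missing on disk (`[x]`) or a driver loading from a Temp directory. The sample lines are constructed from the log above with paths shortened.

```python
import re

# Constructed sample in the shape of the ComboFix "Reg Loading Points" block.
SAMPLE = r"""
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-04 102400]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
R3 stdriver;Sound Tap Upper Class Filter Driver v2.0.0.0;c:\windows\system32\DRIVERS\stdriver32.sys [2010-10-11 52824]
R4 cpuz130;cpuz130;c:\users\ADMINI~1\AppData\Local\Temp\cpuz130\cpuz_x32.sys [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-05 172032]
"""

# "Name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<meta>[^\]]*)\]$')
# R3 name;display name;path [date size]   or   [x] when the file is missing
SVC_RE = re.compile(
    r'^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]$'
)

# Directory fragments that are unusual for a driver or autorun binary.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_entries(text):
    """Return one dict per Run-key or service line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": "run", "name": m["name"],
                            "path": m["path"], "meta": m["meta"]})
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append({"kind": "service", "state": m["state"], "name": m["name"],
                            "path": m["path"], "meta": m["meta"]})
    return entries


def flag_suspicious(entries):
    """Return (name, reason) pairs for entries worth a closer look."""
    flags = []
    for e in entries:
        path = e["path"].lower()
        if e["meta"] == "x":
            flags.append((e["name"], "file missing on disk ([x])"))
        if any(marker in path for marker in TEMP_MARKERS):
            flags.append((e["name"], "loads from a Temp directory"))
    return flags


if __name__ == "__main__":
    for name, reason in flag_suspicious(parse_entries(SAMPLE)):
        print(f"{name}: {reason}")
```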

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 8,389 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:30 AM

Posted 08 March 2011 - 12:48 AM

How is the computer doing?

No request for help throughout private messaging will be attended.


If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 fxp000

fxp000
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 08 March 2011 - 05:29 PM

So far so good. With your help it seems that I've managed to get rid of this annoying thing! I will be recommending this site as much as possible to people! Thanks again.

#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 8,389 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:30 AM

Posted 08 March 2011 - 10:33 PM

Congratulations.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix to Uninstall and click on it. That should remove the application.

Please download OTC by OldTimer.
  • Save it to your desktop.
  • Please double-click OTC.exe to run it. (Vista users, please right click on OTC.exe and select "Run as an Administrator")
  • This will delete the tools we used in the removal of malware, including this program.
  • If you are asked to reboot to complete the removal process then please do so.
Upon restart, manually remove any remaining tools.

The following is a list of tools and utilities that I like to suggest to people.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

No request for help throughout private messaging will be attended.


If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 fxp000

fxp000
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:30 AM

Posted 08 March 2011 - 10:54 PM

Thanks again guys, you're a lifesaver!



