BleepingComputer.com: somputer slow, not working properly, infected with something...

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

somputer slow, not working properly, infected with something...

#1 User is offline   Faded Picture 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 136
  • Joined: 15-October 09
  • Gender:Female
  • Location:Georgia, USA

Posted 07 September 2011 - 06:02 PM

yesterday my computer started acting a little weird, and noday it has gotten worse. its supoer slow, redirecting me to these You've Won, sites and not letting me go to the site i want to, and every time i turn on the computer, it says RUNDLL pop up saying that a random file isnt found, this times its c:\\users\christy\appdata\local\icesasmc.dll but its a different file every time. i did a malware bytes anti-malware search earlier and it found 2 things:

Quote

Malwarebytes' Anti-Malware 1.44
Database version: 3831
Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

9/7/2011 10:56:20 AM
mbam-log-2011-09-07 (10-56-20).txt

Scan type: Quick Scan
Objects scanned: 114276
Time elapsed: 11 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\oqarozadutodig (Trojan.Agent.U) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Christy\AppData\Local\iceSasmc.dll (Trojan.Agent.U) -> Delete on reboot.



my avast keeps on popping up a little red box in the bottom right side of my screen saying that it has blocked a pop up. last night it was every 2-3 minuites, today its about 30 minutes it will say that, and the action it takes is move to chest. its still slow after the scan, and it will sometimes freeze up for a few seconds.
(hope im doing this right. slight headache so if the wrong things are attached and posted, sorry)





_______________________________________________________________________________________________________





.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_22
Run by Christy at 18:22:03 on 2011-09-07
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.1811 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\eBook Technologies\eBook USB Driver\TrayEBU.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://search.autocompletepro.com/?si=10186&bi=400
uStart Page = hxxp://www.facebook.com/
uDefault_Search_URL = hxxp://search.autocompletepro.com/?si=10186&bi=400
uSearch Bar = hxxp://search.autocompletepro.com/?si=10186&bi=400
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn2\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Edit/Remove the Ravenwood Fair Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: Edit/Remove the Ravenwood Fair Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {CD292324-974F-4224-D074-CACA427AA030} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Oqarozadutodig] rundll32.exe "c:\users\christy\appdata\local\iceSasmc.dll",Startup
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ebooku~1.lnk - c:\program files\ebook technologies\ebook usb driver\TrayEBU.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: motive.com\patttbc.att
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3C6A4342-71E2-4B43-93CC-3800C85F1837} : DhcpNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\christy\appdata\roaming\mozilla\firefox\profiles\wh6sxtha.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=LOL&o=16435&locale=en_US&apn_uid=18677A31-757F-44CB-BA79-4E87FD51AEB3&apn_ptnrs=LZ&apn_sauid=9AF63E3B-27A5-451D-AFCF-4C08C085EC02&apn_dtid=YYYYYYYYUS&q=
FF - component: c:\users\christy\appdata\roaming\mozilla\firefox\profiles\wh6sxtha.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
FF - component: c:\users\christy\appdata\roaming\mozilla\firefox\profiles\wh6sxtha.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\retrogamer_2zei\installr\7.bin\NP2zEISb.dll
FF - plugin: c:\users\christy\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\christy\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\christy\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\christy\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zynga Community Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: MediaBar: {E84D42CA-64EB-11DE-A65F-8C3656D89593} - %profile%\extensions\{E84D42CA-64EB-11DE-A65F-8C3656D89593}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Malware Search: {27c60876-b5c9-4335-b4f3-52b26782220c} - %profile%\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
FF - Ext: Edit/Remove the Ravenwood Fair Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\christy\appdata\roaming\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-19 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-6-15 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-15 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-6-15 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-19 40384]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-19 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-19 40384]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-30 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 eBook;eBook;c:\windows\system32\drivers\eBook.sys [2010-5-26 25624]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-30 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-06 12:10:12 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{56723b95-3f7d-442e-b3f9-62e48a16527f}\mpengine.dll
2011-09-04 14:56:52 -------- d-----w- c:\program files\Ask.com
2011-08-24 12:33:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-08-10 21:20:09 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-08-10 21:20:08 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-10 21:20:06 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-08-10 21:19:29 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-08-10 21:19:28 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-08-10 21:19:26 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
.
==================== Find3M ====================
.
2010-10-01 06:11:56 462112 ----a-w- c:\program files\common files\ZugoInstaller.exe
.
============= FINISH: 18:23:11.10 ===============

Attached File(s)

  • Attached File  ark.log (24.29K)
    Number of downloads: 1
  • Attached File  Attach.txt (9.44K)
    Number of downloads: 0

#2 User is offline   HelpBot 

  • Bleepin' Binary Bot
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Bots
  • Posts: 5,607
  • Joined: 05-October 07
  • Gender:Male

Posted 12 September 2011 - 06:05 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/417951 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.

  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.


Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 User is offline   Faded Picture 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 136
  • Joined: 15-October 09
  • Gender:Female
  • Location:Georgia, USA

Posted 12 September 2011 - 07:09 PM

im still having the same trouble, only now my computer freezes up more and when it does, it will stay that way. since i posted this, i have had to turn it off the "bad" way, pressing the turn on button, 3 times because it honestly stayed the same way soo long and i could not get it fixed no matter what, ctrl alt delete did nothing.

right now, for some reason i can not attach anything to the post. i click help with attaching files and it still does nothing. so here is the one thing im not suposed to attach.




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_22
Run by Christy at 19:56:16 on 2011-09-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.1642 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Enabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Ask & Record Toolbar\FLVSrvc.exe
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\eBook Technologies\eBook USB Driver\TrayEBU.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\MsiExec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://search.autocompletepro.com/?si=10186&bi=400
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://search.autocompletepro.com/?si=10186&bi=400
uSearch Bar = hxxp://search.autocompletepro.com/?si=10186&bi=400
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn2\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: AC-Pro: {0fb6a909-6086-458f-bd92-1f8ee10042a0} - c:\program files\autocompletepro\AutocompletePro.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Canon Easy-WebPrint EX BHO: {3785d0ad-bfff-47f6-bf5b-a587c162fed9} - c:\program files\canon\easy-webprint ex\ewpexbho.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
TB: Canon Easy-WebPrint EX: {759d9886-0c6f-4498-bab6-4a5f47c6c72f} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {CD292324-974F-4224-D074-CACA427AA030} - No File
EB: Canon Easy-WebPrint EX: {21347690-ec41-4f9a-8887-1f4aee672439} - c:\program files\canon\easy-webprint ex\ewpexhlp.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Ask and Record FLV Service] "c:\program files\ask & record toolbar\FLVSrvc.exe" /run
mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ebooku~1.lnk - c:\program files\ebook technologies\ebook usb driver\TrayEBU.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: motive.com\patttbc.att
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{3C6A4342-71E2-4B43-93CC-3800C85F1837} : DhcpNameServer = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\christy\appdata\roaming\mozilla\firefox\profiles\wh6sxtha.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=MQTgg8FOSS1ndcyYgxuunw&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77cea277&searchfor=
FF - component: c:\users\christy\appdata\roaming\mozilla\firefox\profiles\wh6sxtha.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}\components\XPATLCOM.dll
FF - component: c:\users\christy\appdata\roaming\mozilla\firefox\profiles\wh6sxtha.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\retrogamer_2zei\installr\7.bin\NP2zEISb.dll
FF - plugin: c:\users\christy\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\christy\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\christy\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\christy\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zynga Community Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: MediaBar: {E84D42CA-64EB-11DE-A65F-8C3656D89593} - %profile%\extensions\{E84D42CA-64EB-11DE-A65F-8C3656D89593}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Malware Search: {27c60876-b5c9-4335-b4f3-52b26782220c} - %profile%\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
FF - Ext: Edit/Remove the Ravenwood Fair Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\christy\appdata\roaming\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-12-19 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-6-15 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-5 77824]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-15 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-6-15 51792]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-19 40384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-19 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-19 40384]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-30 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 eBook;eBook;c:\windows\system32\drivers\eBook.sys [2010-5-26 25624]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-30 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-09-09 21:36:09 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{32e3adf9-cd60-4e1e-b012-b3957d3fe819}\mpengine.dll
2011-09-09 21:30:04 2048 ----a-w- c:\windows\system32\tzres.dll
2011-09-04 14:56:52 -------- d-----w- c:\program files\Ask.com
.
==================== Find3M ====================
.
2011-07-23 11:04:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03:47 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-20 08:54:36 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-20 08:54:36 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-17 20:13:55 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-17 16:03:18 375808 ----a-w- c:\windows\system32\winsrv.dll
2010-10-01 06:11:56 462112 ----a-w- c:\program files\common files\ZugoInstaller.exe
.
============= FINISH: 19:58:03.50 ===============

#4 User is offline   Casey_boy 

  • Bleeping physicist
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 5,217
  • Joined: 02-January 09
  • Gender:Male
  • Location:United Kingdom

Posted 14 September 2011 - 07:22 AM

Hi,

My name is Casey and I will be helping you with your malware problems.

Whilst I research the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "Watch Topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

Regards,

Casey
If I have been helping you and I do not reply within 48hours, feel free to send me a PM.

* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *

#5 User is offline   Faded Picture 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 136
  • Joined: 15-October 09
  • Gender:Female
  • Location:Georgia, USA

Posted 14 September 2011 - 09:49 AM

okay, thank you for helping me! :)

#6 User is offline   Casey_boy 

  • Bleeping physicist
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 5,217
  • Joined: 02-January 09
  • Gender:Male
  • Location:United Kingdom

Posted 14 September 2011 - 12:41 PM

Hi,

:step1: We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy


:step2: Please disable Ad-Watch - Ad-Aware's Real time agent (for the same reasons as above).

:step3: Download and run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.

:step4: Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Casey
If I have been helping you and I do not reply within 48hours, feel free to send me a PM.

* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *

#7 User is offline   Faded Picture 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 136
  • Joined: 15-October 09
  • Gender:Female
  • Location:Georgia, USA

Posted 14 September 2011 - 06:32 PM

after doing this, my computer froze up and i could not get it to do anything. it turned off and i tried to turn it on and it wouldnt get to the desktop. by the tmie i got to the desktop it said that system restore restored it to 8-30-11. but here are the results:

ComboFix 11-09-14.02 - Christy 09/14/2011 18:11:30.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3060.1722 [GMT -4:00]
Running from: c:\users\Christy\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {C37D8F93-0602-E43C-40AA-47DAD597F308}
SP: avast! Antivirus *Disabled/Updated* {781C6E77-2038-EBB2-7A1A-7CA8AE10B9B5}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\AutocompletePro
c:\program files\AutocompletePro\64\AutocompletePro64.dll
c:\program files\AutocompletePro\AutocompletePro.dll
c:\program files\AutocompletePro\chrome\autocompleteprochrome.crx
c:\program files\AutocompletePro\ChromeSetSearchInBrowser.exe
c:\program files\AutocompletePro\FireFoxExtension.exe
c:\program files\AutocompletePro\InstTracker.exe
c:\program files\AutocompletePro\support@predictad.com\chrome.manifest
c:\program files\AutocompletePro\support@predictad.com\chrome\content\browserOverlay.xul
c:\program files\AutocompletePro\support@predictad.com\chrome\content\options.js
c:\program files\AutocompletePro\support@predictad.com\chrome\content\options.xul
c:\program files\AutocompletePro\support@predictad.com\chrome\content\utils.js
c:\program files\AutocompletePro\support@predictad.com\defaults\preferences\predictad.js
c:\program files\AutocompletePro\support@predictad.com\install.rdf
c:\program files\AutocompletePro\unins000.dat
c:\program files\AutocompletePro\unins000.exe
c:\program files\Common
c:\program files\Common\VsoVprev.ax
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\programdata\Amazon.ico
c:\programdata\MercadoLivre.ico
c:\users\Christy\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
c:\windows\security\Database\tmp.edb
c:\windows\system32\comct332.ocx
c:\windows\system32\drivers\etc\lmhosts
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-08-14 to 2011-09-14 )))))))))))))))))))))))))))))))
.
.
2011-09-14 22:23 . 2011-09-14 22:23 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-09-14 22:23 . 2011-09-14 22:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-13 10:29 . 2011-08-16 12:48 7152464 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1FF10E62-1DAB-489A-950B-B5220ACEC0DD}\mpengine.dll
2011-09-09 21:30 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
2011-09-08 00:49 . 2011-09-08 00:49 -------- d-----w- c:\programdata\WindowsSearch
2011-09-07 11:12 . 2011-09-07 11:12 -------- d-----w- c:\program files\Real
2011-09-07 10:27 . 2011-09-07 10:27 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Adobe
2011-09-06 23:44 . 2011-09-06 23:44 -------- d-----w- c:\windows\Sun
2011-09-04 14:56 . 2011-09-04 14:57 -------- d-----w- c:\program files\Ask.com
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-23 11:04 . 2011-08-10 21:19 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00 . 2011-08-10 21:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59 . 2011-08-10 21:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59 . 2011-08-10 21:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:59 . 2011-08-10 21:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:03 . 2011-08-10 21:19 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27 . 2011-08-10 21:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25 . 2011-08-10 21:19 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-06 15:31 . 2011-08-10 21:20 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-20 08:54 . 2011-08-10 21:19 3602832 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-06-20 08:54 . 2011-08-10 21:19 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-06-17 20:13 . 2011-08-10 21:19 905104 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-17 16:03 . 2011-08-10 21:20 375808 ----a-w- c:\windows\system32\winsrv.dll
2010-10-01 06:11 . 2010-11-24 03:28 462112 ----a-w- c:\program files\Common Files\ZugoInstaller.exe
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2006-11-02 . 7F15B4953378C8B5161D65C26D5FED4D . 11776 . . [6.0.6000.16386] . . c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll
.
c:\windows\System32\cngaudit.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn2\YTNavAssist.dll" [2011-01-21 213816]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-02-11 18:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-02-11 365960]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-07 2001648]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-17 4907008]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2010-07-28 1485208]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-11 50688]
eBook USB Driver.lnk - c:\program files\eBook Technologies\eBook USB Driver\TrayEBU.exe [2010-5-26 43544]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 136176]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-04-20 1181328]
R3 eBook;eBook;c:\windows\system32\Drivers\eBook.sys [2009-07-09 25624]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 136176]
R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-10-13 7408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-07-10 691696]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-10-13 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-10-13 74480]
S2 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2007-12-05 77824]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-05-06 51792]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-14 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:01]
.
2011-05-16 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:01]
.
2011-09-14 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:01]
.
2011-09-14 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:01]
.
2011-09-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 01:01]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 22:40]
.
2011-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-07-30 22:40]
.
2011-09-13 c:\windows\Tasks\Norton Security Scan for Christy.job
- c:\progra~1\NORTON~2\Engine\301~1.8\Nss.exe [2011-01-12 08:19]
.
2011-09-14 c:\windows\Tasks\User_Feed_Synchronization-{0C72B3B8-8328-414A-B638-CA0C72669DEB}.job
- c:\windows\system32\msfeedssync.exe [2011-08-10 09:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uDefault_Search_URL = hxxp://search.autocompletepro.com/?si=10186&bi=400
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\Christy\AppData\Roaming\Mozilla\Firefox\Profiles\wh6sxtha.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJfox000&fl=0&ptb=MQTgg8FOSS1ndcyYgxuunw&url=http://search.mywebsearch.com/mywebsearch/GGmain.jhtml&st=kwd&n=77cea277&searchfor=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Zynga Community Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Virtus Search Opt-in: extension@virtusdesigns.com - %profile%\extensions\extension@virtusdesigns.com
FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com
FF - Ext: MediaBar: {E84D42CA-64EB-11DE-A65F-8C3656D89593} - %profile%\extensions\{E84D42CA-64EB-11DE-A65F-8C3656D89593}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Malware Search: {27c60876-b5c9-4335-b4f3-52b26782220c} - %profile%\extensions\{27c60876-b5c9-4335-b4f3-52b26782220c}
FF - Ext: Edit/Remove the Ravenwood Fair Toolbar: toolbar@ask.com - %profile%\extensions\toolbar@ask.com
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Christy\AppData\Roaming\Move Networks
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-AutocompletePro3_is1 - c:\program files\AutocompletePro\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-14 18:26
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2011-09-14 18:37:17 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-14 22:36
ComboFix2.txt 2010-11-15 15:14
.
Pre-Run: 203,566,104,576 bytes free
Post-Run: 203,830,231,040 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
- - End Of File - - 0E8D20B8B2AF673CC19AE788B09901FF







2011/09/14 18:45:25.0001 4796 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
2011/09/14 18:45:25.0297 4796 ================================================================================
2011/09/14 18:45:25.0297 4796 SystemInfo:
2011/09/14 18:45:25.0297 4796
2011/09/14 18:45:25.0297 4796 OS Version: 6.0.6002 ServicePack: 2.0
2011/09/14 18:45:25.0297 4796 Product type: Workstation
2011/09/14 18:45:25.0297 4796 ComputerName: CHRISTY-PC
2011/09/14 18:45:25.0297 4796 UserName: Christy
2011/09/14 18:45:25.0297 4796 Windows directory: C:\Windows
2011/09/14 18:45:25.0297 4796 System windows directory: C:\Windows
2011/09/14 18:45:25.0297 4796 Processor architecture: Intel x86
2011/09/14 18:45:25.0297 4796 Number of processors: 2
2011/09/14 18:45:25.0297 4796 Page size: 0x1000
2011/09/14 18:45:25.0297 4796 Boot type: Normal boot
2011/09/14 18:45:25.0297 4796 ================================================================================
2011/09/14 18:45:26.0249 4796 Initialize success
2011/09/14 18:45:49.0305 4120 ================================================================================
2011/09/14 18:45:49.0305 4120 Scan started
2011/09/14 18:45:49.0305 4120 Mode: Manual;
2011/09/14 18:45:49.0305 4120 ================================================================================
2011/09/14 18:45:49.0805 4120 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/09/14 18:45:49.0883 4120 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/09/14 18:45:49.0914 4120 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/09/14 18:45:49.0961 4120 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/09/14 18:45:49.0976 4120 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/09/14 18:45:50.0179 4120 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
2011/09/14 18:45:50.0241 4120 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/09/14 18:45:50.0319 4120 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/09/14 18:45:50.0382 4120 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/09/14 18:45:50.0413 4120 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/09/14 18:45:50.0429 4120 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/09/14 18:45:50.0460 4120 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/09/14 18:45:50.0491 4120 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2011/09/14 18:45:50.0553 4120 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/09/14 18:45:50.0569 4120 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/09/14 18:45:50.0616 4120 aswFsBlk (1b6ed99291ddf5d2501554cc5757aab6) C:\Windows\system32\drivers\aswFsBlk.sys
2011/09/14 18:45:50.0647 4120 aswMonFlt (58254e06b36b984e33ae314c0ea8f1a5) C:\Windows\system32\drivers\aswMonFlt.sys
2011/09/14 18:45:50.0678 4120 aswRdr (3e2b6112d2766f87eda8466fde86a986) C:\Windows\system32\drivers\aswRdr.sys
2011/09/14 18:45:50.0725 4120 aswSP (d78b644816db540e103d0b0766fd9967) C:\Windows\system32\drivers\aswSP.sys
2011/09/14 18:45:50.0850 4120 aswTdi (606d731008d98b6ef946730c597c1642) C:\Windows\system32\drivers\aswTdi.sys
2011/09/14 18:45:50.0897 4120 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/09/14 18:45:50.0928 4120 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/09/14 18:45:51.0037 4120 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/09/14 18:45:51.0099 4120 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/09/14 18:45:51.0177 4120 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
2011/09/14 18:45:51.0209 4120 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/09/14 18:45:51.0240 4120 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/09/14 18:45:51.0302 4120 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/09/14 18:45:51.0333 4120 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/09/14 18:45:51.0349 4120 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/09/14 18:45:51.0396 4120 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/09/14 18:45:51.0443 4120 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/09/14 18:45:51.0677 4120 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/09/14 18:45:51.0770 4120 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/09/14 18:45:51.0833 4120 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/09/14 18:45:51.0942 4120 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/09/14 18:45:52.0519 4120 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/09/14 18:45:52.0659 4120 Compbatt (4fc0a44da7603229e1a9454126a59efd) C:\Windows\system32\drivers\compbatt.sys
2011/09/14 18:45:53.0127 4120 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/09/14 18:45:53.0455 4120 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/09/14 18:45:53.0876 4120 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
2011/09/14 18:45:54.0344 4120 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/09/14 18:45:54.0781 4120 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/09/14 18:45:55.0124 4120 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/09/14 18:45:55.0233 4120 e1express (04944f4fc4f0477185f5d26ae0ddb90e) C:\Windows\system32\DRIVERS\e1e6032.sys
2011/09/14 18:45:55.0296 4120 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/09/14 18:45:55.0358 4120 eBook (609a1b6945796e8dc509b2fdd9fee6a9) C:\Windows\system32\Drivers\eBook.sys
2011/09/14 18:45:55.0405 4120 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/09/14 18:45:55.0483 4120 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/09/14 18:45:55.0530 4120 ErrDev (f2a80de2d1b7116052c09cb4d4ca1416) C:\Windows\system32\drivers\errdev.sys
2011/09/14 18:45:55.0623 4120 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/09/14 18:45:55.0655 4120 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/09/14 18:45:55.0686 4120 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/09/14 18:45:55.0764 4120 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/09/14 18:45:55.0795 4120 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/09/14 18:45:55.0826 4120 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/09/14 18:45:55.0873 4120 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/09/14 18:45:55.0935 4120 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/09/14 18:45:55.0982 4120 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/09/14 18:45:56.0029 4120 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/09/14 18:45:56.0154 4120 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/09/14 18:45:56.0201 4120 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/09/14 18:45:56.0247 4120 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/09/14 18:45:56.0294 4120 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/09/14 18:45:56.0341 4120 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/09/14 18:45:56.0419 4120 HSF_DPV (99f85640054ba65190b860d878a7c9ae) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2011/09/14 18:45:56.0497 4120 HSXHWBS2 (fe440536bd98af772130dc3a6fe1915f) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
2011/09/14 18:45:56.0528 4120 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/09/14 18:45:56.0575 4120 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/09/14 18:45:56.0622 4120 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/09/14 18:45:56.0700 4120 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\Windows\system32\drivers\iastor.sys
2011/09/14 18:45:56.0762 4120 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/09/14 18:45:56.0949 4120 igfx (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/09/14 18:45:57.0012 4120 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/09/14 18:45:57.0168 4120 IntcAzAudAddService (f8f53c5449f15b23d4c61d51d2701da8) C:\Windows\system32\drivers\RTKVHDA.sys
2011/09/14 18:45:57.0230 4120 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\DRIVERS\intelide.sys
2011/09/14 18:45:57.0277 4120 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/09/14 18:45:57.0324 4120 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/09/14 18:45:57.0386 4120 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/09/14 18:45:57.0433 4120 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/09/14 18:45:57.0480 4120 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/09/14 18:45:57.0511 4120 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/09/14 18:45:57.0558 4120 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/09/14 18:45:57.0667 4120 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/09/14 18:45:57.0729 4120 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/09/14 18:45:57.0761 4120 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/09/14 18:45:57.0776 4120 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/09/14 18:45:57.0870 4120 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/09/14 18:45:57.0963 4120 Lbd (713cd5267abfb86fe90a72e384e82a38) C:\Windows\system32\DRIVERS\Lbd.sys
2011/09/14 18:45:57.0995 4120 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/09/14 18:45:58.0073 4120 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2011/09/14 18:45:58.0104 4120 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2011/09/14 18:45:58.0151 4120 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2011/09/14 18:45:58.0213 4120 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/09/14 18:45:58.0260 4120 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/09/14 18:45:58.0291 4120 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2011/09/14 18:45:58.0338 4120 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2011/09/14 18:45:58.0385 4120 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/09/14 18:45:58.0431 4120 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/09/14 18:45:58.0509 4120 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/09/14 18:45:58.0619 4120 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/09/14 18:45:58.0650 4120 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/09/14 18:45:58.0697 4120 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2011/09/14 18:45:58.0728 4120 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/09/14 18:45:58.0775 4120 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/09/14 18:45:58.0884 4120 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/09/14 18:45:58.0977 4120 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/09/14 18:45:59.0024 4120 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/09/14 18:45:59.0165 4120 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/09/14 18:45:59.0211 4120 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/09/14 18:45:59.0243 4120 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/09/14 18:45:59.0289 4120 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys
2011/09/14 18:45:59.0321 4120 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2011/09/14 18:45:59.0383 4120 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/09/14 18:45:59.0414 4120 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/09/14 18:45:59.0461 4120 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/09/14 18:45:59.0508 4120 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/09/14 18:45:59.0523 4120 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/09/14 18:45:59.0742 4120 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/09/14 18:45:59.0773 4120 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/09/14 18:45:59.0804 4120 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/09/14 18:45:59.0835 4120 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/09/14 18:45:59.0882 4120 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/09/14 18:45:59.0976 4120 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/09/14 18:46:00.0007 4120 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/09/14 18:46:00.0085 4120 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/09/14 18:46:00.0132 4120 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/09/14 18:46:00.0179 4120 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/09/14 18:46:00.0210 4120 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/09/14 18:46:00.0272 4120 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/09/14 18:46:00.0350 4120 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/09/14 18:46:00.0397 4120 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/09/14 18:46:00.0444 4120 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/09/14 18:46:00.0522 4120 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/09/14 18:46:00.0553 4120 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/09/14 18:46:00.0584 4120 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/09/14 18:46:00.0615 4120 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2011/09/14 18:46:00.0662 4120 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2011/09/14 18:46:00.0693 4120 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2011/09/14 18:46:00.0803 4120 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2011/09/14 18:46:00.0865 4120 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/09/14 18:46:00.0912 4120 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/09/14 18:46:00.0943 4120 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/09/14 18:46:01.0052 4120 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/09/14 18:46:01.0099 4120 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2011/09/14 18:46:01.0130 4120 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/09/14 18:46:01.0193 4120 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\Windows\system32\Drivers\pcouffin.sys
2011/09/14 18:46:01.0255 4120 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/09/14 18:46:01.0395 4120 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/09/14 18:46:01.0427 4120 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2011/09/14 18:46:01.0505 4120 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/09/14 18:46:01.0567 4120 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\Windows\system32\Drivers\PxHelp20.sys
2011/09/14 18:46:01.0629 4120 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2011/09/14 18:46:01.0692 4120 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/09/14 18:46:01.0739 4120 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/09/14 18:46:01.0848 4120 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/09/14 18:46:01.0910 4120 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/09/14 18:46:02.0035 4120 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/09/14 18:46:02.0097 4120 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/09/14 18:46:02.0144 4120 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/09/14 18:46:02.0175 4120 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/09/14 18:46:02.0222 4120 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/09/14 18:46:02.0300 4120 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2011/09/14 18:46:02.0331 4120 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/09/14 18:46:02.0378 4120 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/09/14 18:46:02.0503 4120 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/09/14 18:46:02.0597 4120 SASDIFSV (5bf35c4ea3f00fa8d3f1e5bf03d24584) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/09/14 18:46:02.0659 4120 SASENUM (a22f08c98ac2f44587bf3a1fb52bf8cd) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2011/09/14 18:46:02.0706 4120 SASKUTIL (c7d81c10d3befeee41f3408714637438) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2011/09/14 18:46:02.0737 4120 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/09/14 18:46:02.0846 4120 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/09/14 18:46:02.0893 4120 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/09/14 18:46:02.0909 4120 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/09/14 18:46:02.0955 4120 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/09/14 18:46:03.0002 4120 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2011/09/14 18:46:03.0080 4120 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2011/09/14 18:46:03.0158 4120 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2011/09/14 18:46:03.0205 4120 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/09/14 18:46:03.0252 4120 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2011/09/14 18:46:03.0299 4120 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2011/09/14 18:46:03.0345 4120 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2011/09/14 18:46:03.0408 4120 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/09/14 18:46:03.0455 4120 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/09/14 18:46:03.0533 4120 sptd (cdddec541bc3c96f91ecb48759673505) C:\Windows\system32\Drivers\sptd.sys
2011/09/14 18:46:03.0533 4120 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: cdddec541bc3c96f91ecb48759673505
2011/09/14 18:46:03.0548 4120 sptd - detected LockedFile.Multi.Generic (1)
2011/09/14 18:46:03.0642 4120 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
2011/09/14 18:46:03.0704 4120 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
2011/09/14 18:46:03.0720 4120 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
2011/09/14 18:46:03.0767 4120 sscdbus (d5dffeaa1e15d4effabb9d9a3068ac5b) C:\Windows\system32\DRIVERS\sscdbus.sys
2011/09/14 18:46:03.0845 4120 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/09/14 18:46:03.0891 4120 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/09/14 18:46:03.0923 4120 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/09/14 18:46:03.0954 4120 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/09/14 18:46:04.0094 4120 Tcpip (2756186e287139310997090797e0182b) C:\Windows\system32\drivers\tcpip.sys
2011/09/14 18:46:04.0157 4120 Tcpip6 (2756186e287139310997090797e0182b) C:\Windows\system32\DRIVERS\tcpip.sys
2011/09/14 18:46:04.0203 4120 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/09/14 18:46:04.0235 4120 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/09/14 18:46:04.0281 4120 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/09/14 18:46:04.0313 4120 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/09/14 18:46:04.0359 4120 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/09/14 18:46:04.0437 4120 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/09/14 18:46:04.0469 4120 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/09/14 18:46:04.0531 4120 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/09/14 18:46:04.0562 4120 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2011/09/14 18:46:04.0609 4120 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/09/14 18:46:04.0656 4120 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2011/09/14 18:46:04.0703 4120 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2011/09/14 18:46:04.0749 4120 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/09/14 18:46:04.0765 4120 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/09/14 18:46:04.0812 4120 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/09/14 18:46:04.0859 4120 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/09/14 18:46:04.0890 4120 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/09/14 18:46:04.0968 4120 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/09/14 18:46:04.0999 4120 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/09/14 18:46:05.0061 4120 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/09/14 18:46:05.0108 4120 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/09/14 18:46:05.0139 4120 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/09/14 18:46:05.0171 4120 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/09/14 18:46:05.0217 4120 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/09/14 18:46:05.0280 4120 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/09/14 18:46:05.0311 4120 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/09/14 18:46:05.0342 4120 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2011/09/14 18:46:05.0373 4120 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2011/09/14 18:46:05.0405 4120 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2011/09/14 18:46:05.0451 4120 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/09/14 18:46:05.0498 4120 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/09/14 18:46:05.0529 4120 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/09/14 18:46:05.0561 4120 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2011/09/14 18:46:05.0607 4120 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/09/14 18:46:05.0654 4120 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/09/14 18:46:05.0670 4120 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/09/14 18:46:05.0732 4120 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2011/09/14 18:46:05.0795 4120 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/09/14 18:46:05.0904 4120 winachsf (72cc6a8ca7891031d6380db5025c773c) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/09/14 18:46:06.0029 4120 WmiAcpi (48ca581c12022ac60fe82e2b96fbf5d4) C:\Windows\system32\drivers\wmiacpi.sys
2011/09/14 18:46:06.0153 4120 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/09/14 18:46:06.0200 4120 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/09/14 18:46:06.0263 4120 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/09/14 18:46:06.0325 4120 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
2011/09/14 18:46:06.0372 4120 MBR (0x1B8) (04d4350ae5fb6fc2ad3e7c26b1323c68) \Device\Harddisk0\DR0
2011/09/14 18:46:06.0387 4120 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/09/14 18:46:06.0419 4120 Boot (0x1200) (f277b50c80bdda632a5cf952a19bdff6) \Device\Harddisk0\DR0\Partition0
2011/09/14 18:46:06.0450 4120 Boot (0x1200) (a2d57b6371eef5a3ad3c83604d66cad0) \Device\Harddisk0\DR0\Partition1
2011/09/14 18:46:06.0465 4120 ================================================================================
2011/09/14 18:46:06.0465 4120 Scan finished
2011/09/14 18:46:06.0465 4120 ================================================================================
2011/09/14 18:46:06.0481 5136 Detected object count: 2
2011/09/14 18:46:06.0481 5136 Actual detected object count: 2
2011/09/14 18:46:24.0483 5136 LockedFile.Multi.Generic(sptd) - User select action: Skip
2011/09/14 18:46:24.0530 5136 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/09/14 18:46:24.0530 5136 \Device\Harddisk0\DR0 - ok
2011/09/14 18:46:24.0530 5136 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/14 18:46:28.0539 5360 Deinitialize success

#8 User is offline   Casey_boy 

  • Bleeping physicist
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 5,217
  • Joined: 02-January 09
  • Gender:Male
  • Location:United Kingdom

Posted 15 September 2011 - 09:44 AM

Hi,

Backdoor Warning (TDL4)

I hate to give you bad news but one or more of the identified infections is a backdoor trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. In addition to the backdoor Trojan that has been identified, your computer is afflicted with multiple other infections. Although we can make an attempt to clean this machine, we cannot guarantee that it will be secure afterwards. Your best and safest course of action is a reformat and reinstallation of the Windows operating system.

If you do decide to attempt cleaning rather than a reformat, do understand that although we may be able to remove all known visible malware, we cannot guarantee that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, equally we cannnot repair the damages it may possibly have caused to vital system files.

Please note that even if we should be successful in removing these infections from your system, it is quite possible that the changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat.

Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall?

Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post.

Casey
If I have been helping you and I do not reply within 48hours, feel free to send me a PM.

* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *

#9 User is offline   Casey_boy 

  • Bleeping physicist
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 5,217
  • Joined: 02-January 09
  • Gender:Male
  • Location:United Kingdom

Posted 19 September 2011 - 04:47 PM

Hi,

This is a 3 day bump.

Hopefully you're still with us but please be aware that if there is no reply within two days, then this topic will be closed as stale.

Casey
If I have been helping you and I do not reply within 48hours, feel free to send me a PM.

* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *

#10 User is offline   Faded Picture 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 136
  • Joined: 15-October 09
  • Gender:Female
  • Location:Georgia, USA

Posted 19 September 2011 - 06:24 PM

Sorry. i have been doing school stuff, but i have done what you said to do because after reading t my computer messed up, so i just got fnished with it last night. sorry for not responding. my computer wouldnt go to the desktop, but now its working fine.

#11 User is offline   Casey_boy 

  • Bleeping physicist
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 5,217
  • Joined: 02-January 09
  • Gender:Male
  • Location:United Kingdom

Posted 20 September 2011 - 05:32 AM

OK, so you reformatted and reinstalled?

I'll give you some tips to help prevent reinfection in the future - big thing: install and regularly update an Anti Virus program.

Below I have outlined a series of categories that outline how you can increase the security of your computer and help prevent reinfection. Please take the time to read through them and follow the advice given.

Keep Windows up-to-date
Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure.

  • Windows Vista users
    You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP2) can be obtained directly from Microsoft here.


Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.


Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.


  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.


  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.


  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.

    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites


  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.


  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.


  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.


  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.


  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.


  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.


Make Internet Explorer more secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.



Regularly Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the programs virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

Several good and free antispyware programs are available to download, I recommend that you install one in addition to your anti-virus program. Some examples are Malwarebytes AntiMalware and SuperAntiSpyware.

Install SpywareBlaster

SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Casey
If I have been helping you and I do not reply within 48hours, feel free to send me a PM.

* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *

#12 User is offline   Faded Picture 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 136
  • Joined: 15-October 09
  • Gender:Female
  • Location:Georgia, USA

Posted 20 September 2011 - 08:49 AM

ok thank you very much. im still in the process of updating the computer. hace not had much time on it yet, but i will do all of this. thanks again.

#13 User is offline   Casey_boy 

  • Bleeping physicist
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Instructor
  • Posts: 5,217
  • Joined: 02-January 09
  • Gender:Male
  • Location:United Kingdom

Posted 20 September 2011 - 04:15 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
If I have been helping you and I do not reply within 48hours, feel free to send me a PM.

* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users