Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Rootkit, Virus, Google Redirect!


  • This topic is locked This topic is locked
16 replies to this topic

#1 AWILD1

AWILD1

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 15 May 2010 - 07:09 PM

Hi, I'm trying to repair a friends laptop with Windows XP Professional w/sp3 that has the almost same exact problem(s) as my pc did in this post: http://www.bleepingcomputer.com/forums/topic314659.html# except the fake program that took over was called Total PC Defender 2010. I managed to remove the program and I believe all traces of it, (Registry, etc.) and have ran Malwarebytes, SUPERAntiSpyware, TDSSKiller, CCleaner, etc., but still have redirects and Malwarebytes constantly blocking the same IP's as in my other post. I also can't run or access Microsoft Windows Updates. TDSSKiller reports the driver atapi.sys is infected by TDSS rootkit but does not remove it after reboot (tried several times). Again, Any help would be greatly appreciated!


DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by vic hodge at 19:25:19.57 on Sat 05/15/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.265 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\vic hodge\Desktop\windows-kb890830-v3.7.exe
c:\f2a106c80e6ff9d2326940\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\system32\NOTEPAD.EXE
svchost.exe
C:\Documents and Settings\vic hodge\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoneyAgent] "c:\program files\microsoft money\system\mnyexpr.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [LWBMOUSE] c:\program files\targus\paum008u\ver_2.32\LWBWHEEL.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HPHUPD05] c:\program files\hewlett-packard\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: fccaccbebeebe - c:\windows\system32\fccaccbebeebe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R1 aade;aade;c:\windows\system32\aade.sys [2010-3-20 74752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-14 164048]
R1 MpKsle1a2785a;MpKsle1a2785a;c:\windows\system32\mpenginestore\MpKsle1a2785a.sys [2010-5-15 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-14 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-14 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-13 303952]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-14 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-14 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-13 20952]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\22.tmp --> c:\windows\system32\22.tmp [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]

=============== Created Last 30 ================

2010-05-15 23:18:56 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-15 23:17:02 0 d-----w- C:\f2a106c80e6ff9d2326940
2010-05-14 10:15:40 0 d-----w- c:\program files\CCleaner
2010-05-14 09:15:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-14 02:30:07 0 d-----w- c:\docume~1\vichod~1\applic~1\Malwarebytes
2010-05-14 02:28:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-14 02:28:08 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 02:28:08 0 d-----w- c:\docume~1\vichod~1\applic~1\SUPERAntiSpyware.com
2010-05-14 02:27:48 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-14 02:27:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 02:27:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 02:27:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-14 02:27:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 02:12:36 0 d-----w- c:\windows\pss
2010-04-28 22:56:13 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-05-15 02:11:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-20 21:21:28 74752 ------w- c:\windows\system32\aade.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-06 14:19:24 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010020620100207\index.dat

============= FINISH: 19:29:46.75 ===============


BC AdBot (Login to Remove)

 


#2 AWILD1

AWILD1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 15 May 2010 - 11:56 PM

I just ran the latest Microsoft Windows Malicious Software Removal Tool (kb890830) and it found the Virus: Win32\Alureon.H (Win32\Alureon.H is a rootkit virus that causes redirects along with other problems). When I clicked the fix button, it said it was partially fixed and rebooted. I ran the program again (quick scan) and it did not find the virus. I'm now running it yet again but this time a complete scan instead of a quick scan.

I'm now able to download Windows updates from Microsoft website and just finished updating Windows.

Google searches, such as when I do a "windows update" search and click on a Microsoft link, are still being hijacked to seek.ind.in/ even after clearing out the temporary Internet Files, etc.

I haven't seen Malwarebytes block any IP's "YET" since running Microsoft Malicious Removal Tool.

Also, I forgot to mention in my first post, I'm not sure if it means anything/related or not but there was no HOST file and had to create one.

#3 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 AM

Posted 17 May 2010 - 03:54 AM

Hi,

Please post fresh dds.txt+attach.txt logs of DDS run.

Download GMER here by clicking download exe -button and then saving it your desktop:
  • Double-click .exe that you downloaded
  • Click rootkit-tab, uncheck files option and then click scan.
  • Don't check
    Show All
    box while scanning in progress!
  • When scanning is ready, click Copy.
  • This copies log to clipboard
  • Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#4 AWILD1

AWILD1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 17 May 2010 - 05:48 AM

Hi Blade81, Thank you for the help!

Fresh DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by vic hodge at 6:20:32.33 on Mon 05/17/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.191 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\vic hodge\Desktop\dds.scr
C:\WINDOWS\System32\HPZipm12.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [LWBMOUSE] c:\program files\targus\paum008u\ver_2.32\LWBWHEEL.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: fccaccbebeebe - c:\windows\system32\fccaccbebeebe.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-15 64288]
R1 aade;aade;c:\windows\system32\aade.sys [2010-3-20 74752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-14 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-14 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-14 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-13 303952]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-14 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-14 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-13 20952]
S1 MpKsle1a2785a;MpKsle1a2785a;\??\c:\windows\system32\mpenginestore\mpksle1a2785a.sys --> c:\windows\system32\mpenginestore\MpKsle1a2785a.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\22.tmp --> c:\windows\system32\22.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1291544]

=============== Created Last 30 ================

2010-05-16 03:27:41 667648 ----a-w- c:\windows\system32\BCMLogon.dll
2010-05-16 03:26:47 44032 ----a-w- c:\windows\system32\wltrynt.dll
2010-05-16 03:26:47 18944 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2010-05-16 03:26:46 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
2010-05-16 03:26:43 86016 ----a-w- c:\windows\system32\preflib.dll
2010-05-16 03:26:43 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-05-16 03:26:36 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-05-16 03:26:36 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-05-16 03:26:36 1200128 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2010-05-16 03:26:29 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-05-16 03:26:29 3096576 ----a-w- c:\windows\system32\BCMWLCPL.CPL
2010-05-16 03:24:41 141056 ------w- c:\windows\system32\drivers\SET36.tmp
2010-05-16 02:04:26 162816 ----a-w- c:\windows\system32\drivers\NETBT.SYS
2010-05-16 01:40:03 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-16 01:38:51 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-16 01:26:37 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-16 01:22:45 0 d-----w- c:\program files\Lavasoft
2010-05-16 00:34:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-16 00:34:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-15 23:18:56 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-14 10:15:40 0 d-----w- c:\program files\CCleaner
2010-05-14 09:15:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-14 02:30:07 0 d-----w- c:\docume~1\vichod~1\applic~1\Malwarebytes
2010-05-14 02:28:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-14 02:28:08 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 02:28:08 0 d-----w- c:\docume~1\vichod~1\applic~1\SUPERAntiSpyware.com
2010-05-14 02:27:48 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-14 02:27:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 02:27:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 02:27:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-14 02:27:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 02:12:36 0 d-----w- c:\windows\pss
2010-04-28 22:56:13 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-05-16 02:28:57 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-20 21:21:28 74752 ------w- c:\windows\system32\aade.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-06 14:19:24 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010020620100207\index.dat

============= FINISH: 6:21:43.13 ===============


Attach Log:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 5/23/2003 1:10:54 AM
System Uptime: 5/17/2010 3:24:34 AM (3 hours ago)

Motherboard: Dell Computer Corporation | | 00U838
Processor: Mobile Intel® Pentium® 4 - M CPU 2.40GHz | Microprocessor | 2393/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 25.615 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 5/17/2010 3:16:56 AM - System Checkpoint

==== Installed Programs ======================


6300
6300_Help
6300Trb
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Acrobat 6.0.1 Standard
Adobe Flash Player 10 ActiveX
AiO_Scan_CDA
AiOSoftwareNPI
ALPS Touch Pad Driver
Amazon Kindle For PC v1.0
ATI Control Panel
ATI Display Driver
avast! Free Antivirus
Broadcom Advanced Control Suite
BufferChm
CCleaner
Compatibility Pack for the 2007 Office system
CP_CalendarTemplates1
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Panorama1Config
cp_PosterPrintConfig
CueTour
CustomerResearchQFolder
Dell Modem-On-Hold
Dell Networking Guide
Dell Solution Center
Dell Support
Dell Wireless WLAN Card
Destinations
DeviceManagementQFolder
DigitImg
DMNetVuObserVer1_7_0
DocProc
DocProcQFolder
DocumentViewer
DocumentViewerQFolder
DVDSentry
Easy CD Creator 5 Basic
eSupportQFolder
Fax_CDA
FullDPAppQFolder
Google Toolbar for Internet Explorer
Google Update Helper
Help and Support Customization
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 7.0
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
hp instant support
HP Memories Disc
HP Photosmart Premier Software 6.5
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
HPPhotoSmartExpress
HPProductAssistant
InstantShareDevices
InstantShareDevicesMFC
InterVideo WinDVD
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 5
Java™ 6 Update 7
Learn2 Player (Uninstall Only)
Magic 3D Coloring Book
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Picture It! Photo 7.0
Microsoft Silverlight
Microsoft Streets and Trips 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MSN Toolbar
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MUSICMATCH Jukebox
NewCopy_CDA
OCR Software by I.R.I.S 7.0
OGA Notifier 2.0.0048.0
OpenOffice.org Installer 1.0
PanoStandAlone
PAUM008U Ver_2.32
PCTEL 2304WT V.9x MDC Modem Drivers
PhotoGallery
Photosmart 140,240,7200,7600,7700,7900 Series
ProductContextNPI
PS7200
PSShortcuts
PSUsage
QuickSet
QuickTime
RandMap
Readme
RealPlayer
Scan
ScannerCopy
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Shockwave
SkinsHP1
SlideShow
SolutionCenter
Sonic_PrimoSDK
Spybot - Search & Destroy
Status
SUPERAntiSpyware Free Edition
Toolbox
TrayApp
Unload
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
Wireless
Works Suite OS Pack
Yahoo! Install Manager
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

5/13/2010 11:36:34 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service YahooAUService with arguments "" in order to run the server: {90AFF435-B544-4F94-A0C2-CC020EACA4E3}
5/13/2010 11:22:39 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
5/13/2010 11:22:25 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
5/13/2010 11:22:25 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
5/13/2010 11:22:25 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
5/13/2010 11:21:03 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/13/2010 11:06:46 PM, error: PlugPlayManager [11] - The device Root\LEGACY_9C338223C91A68A392471EA4247E3EC1\0000 disappeared from the system without first being prepared for removal.
5/13/2010 10:58:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/13/2010 10:47:17 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: cdudf_xp Fips intelppm SASDIFSV SASKUTIL
5/13/2010 10:08:08 PM, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================



GMER Log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-17 06:35:39
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\VICHOD~1\LOCALS~1\Temp\uwloapow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF11FAC7A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF11FAB36]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xF11FB0EA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF11FB014]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF11FA70C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF11FAC10]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF11FA64C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF11FA6B0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF11FAD30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xF11FB1B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF11FACF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF11FAE70]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xF1207AC6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xF12078EA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xF1207A24]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 148 804E27B4 4 Bytes JMP 27F11FB0
PAGE ntoskrnl.exe!ObInsertObject 8056503A 5 Bytes JMP F1204EC2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805652B3 7 Bytes JMP F12078EE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP F1207ACA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 8059F8CA 5 Bytes JMP F1203536 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A3B73 7 Bytes JMP F1207A28 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? C:\WINDOWS\system32\aade.sys The process cannot access the file because it is being used by another process.

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[972] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[972] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aade.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#5 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 AM

Posted 17 May 2010 - 11:57 AM

Hi again,

1. Download TDSSKiller and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe and wait for the process to finish.
3. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)


Is Adobe Acrobat used for other duties than pdf conversions?

Uninstall your current Shockwave player and get the fresh one here if needed.


Uninstall these old Javas:
Java™ 6 Update 5
Java™ 6 Update 7



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned Tdsskiller log.


Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#6 AWILD1

AWILD1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 17 May 2010 - 11:10 PM

Hi,

I'm not sure exactly what all they use Adobe Acrobat for but appears to be for both reading and writing pdf files.

I uninstalled Shockwave Player and then updated to the latest version. Also uninstalled Java updates 5 and 7.

Here is the Kaspersky Online Scan Log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, May 17, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, May 17, 2010 19:15:39
Records in database: 4119635
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 59567
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:21:08

No threats found. Scanned area is clean.

Selected area has been scanned.

-----------------------------------------------------------------------

Here is the TDSSKiller Log:

16:56:47:224 2288 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
16:56:47:224 2288 ================================================================================
16:56:47:224 2288 SystemInfo:

16:56:47:224 2288 OS Version: 5.1.2600 ServicePack: 3.0
16:56:47:224 2288 Product type: Workstation
16:56:47:224 2288 ComputerName: D40ZPD31
16:56:47:224 2288 UserName: vic hodge
16:56:47:224 2288 Windows directory: C:\WINDOWS
16:56:47:224 2288 Processor architecture: Intel x86
16:56:47:224 2288 Number of processors: 1
16:56:47:224 2288 Page size: 0x1000
16:56:47:244 2288 Boot type: Normal boot
16:56:47:244 2288 ================================================================================
16:56:47:244 2288 UnloadDriverW: NtUnloadDriver error 2
16:56:47:244 2288 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
16:56:47:404 2288 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:56:47:404 2288 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:56:47:404 2288 wfopen_ex: Trying to KLMD file open
16:56:47:404 2288 wfopen_ex: File opened ok (Flags 2)
16:56:47:404 2288 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:56:47:404 2288 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:56:47:404 2288 wfopen_ex: Trying to KLMD file open
16:56:47:404 2288 wfopen_ex: File opened ok (Flags 2)
16:56:47:404 2288 KLAVA engine initialized
16:56:47:714 2288 Initialize success
16:56:47:714 2288
16:56:47:714 2288 Scanning Services ...
16:56:48:285 2288 Raw services enum returned 364 services
16:56:48:305 2288
16:56:48:305 2288 Scanning Drivers ...
16:56:48:686 2288 aade (ba33c40a44ea681dcc55ced5909f4884) C:\WINDOWS\system32\aade.sys
16:56:48:686 2288 Suspicious file (NoAccess): C:\WINDOWS\system32\aade.sys. md5: ba33c40a44ea681dcc55ced5909f4884
16:56:48:806 2288 Aavmker4 (a5246ed2586aa807af0bcf63165a71cc) C:\WINDOWS\system32\drivers\Aavmker4.sys
16:56:49:046 2288 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
16:56:49:156 2288 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
16:56:49:257 2288 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
16:56:49:377 2288 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
16:56:49:537 2288 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
16:56:49:627 2288 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
16:56:49:737 2288 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
16:56:49:858 2288 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
16:56:49:918 2288 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
16:56:50:008 2288 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
16:56:50:068 2288 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
16:56:50:108 2288 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
16:56:50:178 2288 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
16:56:50:348 2288 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
16:56:50:769 2288 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
16:56:50:889 2288 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
16:56:50:969 2288 ApfiltrService (214cf1d0a1e36147e0bf58f8cc4899e1) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
16:56:51:039 2288 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
16:56:51:129 2288 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
16:56:51:159 2288 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
16:56:51:209 2288 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
16:56:51:270 2288 aswFsBlk (1b6ed99291ddf5d2501554cc5757aab6) C:\WINDOWS\system32\drivers\aswFsBlk.sys
16:56:51:310 2288 aswMon2 (81432b1a4b31036c822eb967decf613c) C:\WINDOWS\system32\drivers\aswMon2.sys
16:56:51:470 2288 aswRdr (3e2b6112d2766f87eda8466fde86a986) C:\WINDOWS\system32\drivers\aswRdr.sys
16:56:51:710 2288 aswSP (d78b644816db540e103d0b0766fd9967) C:\WINDOWS\system32\drivers\aswSP.sys
16:56:52:321 2288 aswTdi (606d731008d98b6ef946730c597c1642) C:\WINDOWS\system32\drivers\aswTdi.sys
16:56:52:672 2288 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
16:56:52:852 2288 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
16:56:53:383 2288 ati2mtag (83595fb413f5ed5a3fae56f5bc25818b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
16:56:53:823 2288 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
16:56:54:244 2288 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
16:56:54:755 2288 BCM43XX (bf84c5cab6392bb4ef01248287f69388) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
16:56:55:135 2288 bcm4sbxp (068523d2cd260069b19ad68adea0d739) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
16:56:55:506 2288 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
16:56:56:327 2288 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
16:56:57:709 2288 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
16:56:58:400 2288 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
16:56:59:121 2288 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
16:56:59:642 2288 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
16:57:00:032 2288 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
16:57:00:633 2288 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
16:57:01:034 2288 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys
16:57:01:815 2288 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
16:57:02:305 2288 cdudf_xp (cfd81f2140193fc7f1812e6d6eaf6795) C:\WINDOWS\system32\drivers\cdudf_xp.sys
16:57:02:966 2288 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
16:57:03:417 2288 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
16:57:03:898 2288 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
16:57:04:619 2288 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
16:57:05:230 2288 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
16:57:05:520 2288 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
16:57:05:810 2288 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
16:57:06:411 2288 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
16:57:07:082 2288 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
16:57:07:503 2288 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
16:57:07:954 2288 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
16:57:08:374 2288 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
16:57:08:705 2288 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
16:57:09:145 2288 dvd_2K (677829f7010768eeeed8d0083e510dab) C:\WINDOWS\system32\drivers\dvd_2K.sys
16:57:09:546 2288 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
16:57:10:137 2288 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
16:57:10:607 2288 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
16:57:11:178 2288 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
16:57:11:769 2288 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
16:57:12:290 2288 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
16:57:12:770 2288 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:57:13:241 2288 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:57:13:481 2288 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:57:13:532 2288 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
16:57:13:622 2288 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
16:57:13:702 2288 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
16:57:13:832 2288 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
16:57:13:882 2288 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
16:57:14:092 2288 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:57:14:253 2288 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
16:57:14:313 2288 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
16:57:14:443 2288 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:57:14:543 2288 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
16:57:14:643 2288 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
16:57:14:723 2288 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
16:57:14:743 2288 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
16:57:14:793 2288 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
16:57:14:894 2288 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
16:57:14:974 2288 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
16:57:15:094 2288 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
16:57:15:164 2288 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
16:57:15:304 2288 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
16:57:15:394 2288 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:57:15:504 2288 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
16:57:15:595 2288 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
16:57:15:835 2288 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:57:16:255 2288 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
16:57:16:466 2288 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:57:16:966 2288 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:57:17:447 2288 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:57:17:607 2288 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:57:17:728 2288 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:57:17:798 2288 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:57:17:908 2288 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:57:17:968 2288 klmd23 (f736ee0d4da5b9bcc2c8539c8add06e2) C:\WINDOWS\system32\drivers\klmd.sys
16:57:18:108 2288 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:57:18:188 2288 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
16:57:18:278 2288 Lbd (713cd5267abfb86fe90a72e384e82a38) C:\WINDOWS\system32\DRIVERS\Lbd.sys
16:57:18:379 2288 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys
16:57:18:539 2288 mmc_2K (9b90303a9c9405a6ce1466ff4aa20fdd) C:\WINDOWS\system32\drivers\mmc_2K.sys
16:57:18:689 2288 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
16:57:18:739 2288 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:57:18:809 2288 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:57:18:869 2288 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
16:57:18:979 2288 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
16:57:19:059 2288 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys
16:57:19:290 2288 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:57:19:390 2288 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:57:19:580 2288 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:57:19:650 2288 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:57:19:670 2288 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:57:19:700 2288 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:57:19:761 2288 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:57:19:861 2288 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
16:57:19:941 2288 MxlW2k (19dd5c581eef70134ccef87d626f4417) C:\WINDOWS\system32\drivers\MxlW2k.sys
16:57:20:051 2288 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
16:57:20:121 2288 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:57:20:211 2288 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:57:20:231 2288 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:57:20:261 2288 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
16:57:20:291 2288 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:57:20:371 2288 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\NETBT.SYS
16:57:20:472 2288 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
16:57:20:542 2288 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:57:20:672 2288 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
16:57:20:862 2288 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:57:20:992 2288 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
16:57:21:253 2288 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:57:21:273 2288 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:57:21:533 2288 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
16:57:21:984 2288 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
16:57:22:494 2288 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
16:57:22:635 2288 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
16:57:22:675 2288 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:57:22:735 2288 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:57:22:805 2288 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:57:22:855 2288 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:57:22:955 2288 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
16:57:23:185 2288 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
16:57:23:256 2288 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
16:57:23:386 2288 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:57:23:436 2288 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
16:57:23:556 2288 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
16:57:23:606 2288 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:57:23:716 2288 Ptserial (6a3fbbbba5f228b003ef64070f7b3fe4) C:\WINDOWS\system32\DRIVERS\ptserial.sys
16:57:23:896 2288 pwd_2k (d8b90616a8bd53de281dbdb664c0984a) C:\WINDOWS\system32\drivers\pwd_2k.sys
16:57:23:977 2288 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys
16:57:24:107 2288 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
16:57:24:217 2288 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
16:57:24:297 2288 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
16:57:24:377 2288 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
16:57:24:457 2288 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
16:57:24:557 2288 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:57:24:607 2288 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:57:24:678 2288 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:57:24:748 2288 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:57:24:848 2288 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:57:24:948 2288 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:57:25:058 2288 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:57:25:208 2288 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
16:57:25:268 2288 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:57:25:349 2288 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
16:57:25:369 2288 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
16:57:25:379 2288 SASKUTIL (67d2688756dd304af655349baad82bff) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
16:57:25:539 2288 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:57:25:629 2288 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:57:25:719 2288 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
16:57:25:789 2288 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:57:25:929 2288 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys
16:57:26:030 2288 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
16:57:26:130 2288 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:57:26:210 2288 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:57:26:280 2288 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
16:57:26:420 2288 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\STAC97.sys
16:57:26:500 2288 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:57:26:600 2288 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:57:26:660 2288 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
16:57:26:751 2288 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
16:57:27:422 2288 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
16:57:27:542 2288 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
16:57:27:832 2288 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:57:28:223 2288 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:57:28:393 2288 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:57:28:423 2288 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
16:57:28:473 2288 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:57:28:603 2288 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
16:57:28:753 2288 UdfReadr_xp (4e75005b74be901c30f2636df40b0c15) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
16:57:28:844 2288 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:57:28:954 2288 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
16:57:29:074 2288 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:57:29:284 2288 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:57:29:344 2288 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:57:29:374 2288 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:57:29:474 2288 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:57:29:515 2288 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:57:29:545 2288 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:57:29:645 2288 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:57:29:745 2288 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:57:29:845 2288 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys
16:57:29:895 2288 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys
16:57:30:045 2288 Vmodem (09c2fcd4e379e6ab804a58caa2a3508b) C:\WINDOWS\system32\DRIVERS\vmodem.sys
16:57:30:206 2288 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:57:30:286 2288 Vpctcom (081bc31edda73d40defd347e580f9144) C:\WINDOWS\system32\DRIVERS\vpctcom.sys
16:57:30:486 2288 Vvoice (db18922f81e90d95e69f45ab8e9fc5c1) C:\WINDOWS\system32\DRIVERS\vvoice.sys
16:57:30:536 2288 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:57:30:676 2288 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
16:57:30:756 2288 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:57:30:897 2288 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:57:30:937 2288 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:57:30:937 2288
16:57:30:937 2288 Completed
16:57:30:937 2288
16:57:30:937 2288 Results:
16:57:30:937 2288 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:57:30:937 2288 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:57:30:937 2288
16:57:30:947 2288 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:57:30:947 2288 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:57:30:947 2288 KLMD(ARK) unloaded successfully

#7 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 AM

Posted 18 May 2010 - 01:03 AM

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#8 AWILD1

AWILD1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 18 May 2010 - 05:41 AM

Hi,

Strange, I tried to post this earlier and Internet Explorer 8 popped up an alert that said "Internet Explorer Has Modified This Page To Help Prevent Cross-Site Scripting" and went to a blank page, then I wan't able to visit any sections of www.bleepingcomputer.com for awhile. Never had this happen before. I wasn't able to visit the site yesterday for a while also. Weird!

Anyway, There was a crash in PEV.cfxxe after stage 2 in Combofix while scanning. I clicked the "Don't Send" button and it finished scanning without any more errors.


Combofix Log:

ComboFix 10-05-16.02 - vic hodge 05/18/2010 3:18.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.308 [GMT -4:00]
Running from: c:\documents and settings\vic hodge\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\etc\host
c:\windows\system32\drivers\fad.sys

.
((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-17 21:20 . 2010-05-17 21:21 -------- d-----w- c:\windows\system32\Adobe
2010-05-17 21:04 . 2010-05-17 21:04 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-05-16 03:27 . 2005-12-19 21:08 667648 ----a-w- c:\windows\system32\BCMLogon.dll
2010-05-16 03:26 . 2005-12-19 21:08 44032 ----a-w- c:\windows\system32\wltrynt.dll
2010-05-16 03:26 . 2005-12-19 21:08 18944 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2010-05-16 03:26 . 2005-12-19 21:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
2010-05-16 03:26 . 2005-12-19 21:08 86016 ----a-w- c:\windows\system32\preflib.dll
2010-05-16 03:26 . 2005-12-19 21:08 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-05-16 03:26 . 2005-12-19 21:08 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-05-16 03:26 . 2005-12-19 21:08 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-05-16 03:26 . 2005-12-19 21:08 1200128 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2010-05-16 03:26 . 2005-12-19 21:08 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-05-16 02:04 . 2010-05-16 02:04 162816 ----a-w- c:\windows\system32\drivers\NETBT.SYS
2010-05-16 01:40 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-16 01:40 . 2010-05-16 01:40 -------- dc----w- c:\windows\system32\DRVSTORE
2010-05-16 01:38 . 2010-05-16 01:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-16 01:26 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-16 01:26 . 2010-05-16 01:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-16 01:22 . 2010-05-16 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-16 01:22 . 2010-05-16 01:27 -------- d-----w- c:\program files\Lavasoft
2010-05-16 00:34 . 2010-05-17 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-16 00:34 . 2010-05-16 02:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-15 23:18 . 2010-05-16 02:27 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-14 10:15 . 2010-05-14 10:15 -------- d-----w- c:\program files\CCleaner
2010-05-14 09:17 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-14 09:17 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-14 09:17 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-14 09:17 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-14 09:17 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-14 09:17 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-14 09:17 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-14 09:16 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-14 09:16 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-14 09:15 . 2010-05-14 09:15 -------- d-----w- c:\program files\Alwil Software
2010-05-14 09:15 . 2010-05-14 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-14 02:30 . 2010-05-14 02:30 -------- d-----w- c:\documents and settings\vic hodge\Application Data\Malwarebytes
2010-05-14 02:28 . 2010-05-14 02:28 52224 ----a-w- c:\documents and settings\vic hodge\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-14 02:28 . 2010-05-15 18:57 117760 ----a-w- c:\documents and settings\vic hodge\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-14 02:28 . 2010-05-14 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-14 02:28 . 2010-05-14 02:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 02:28 . 2010-05-14 02:28 -------- d-----w- c:\documents and settings\vic hodge\Application Data\SUPERAntiSpyware.com
2010-05-14 02:27 . 2010-05-14 02:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-14 02:27 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 02:27 . 2010-05-14 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-14 02:27 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 02:27 . 2010-05-14 08:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 22:56 . 2010-04-28 22:56 503808 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-562748e8-n\msvcp71.dll
2010-04-28 22:56 . 2010-04-28 22:56 499712 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-562748e8-n\jmc.dll
2010-04-28 22:56 . 2010-04-28 22:56 348160 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-562748e8-n\msvcr71.dll
2010-04-28 22:56 . 2010-04-28 22:56 12800 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42d04c5c-n\decora-d3d.dll
2010-04-28 22:56 . 2010-04-28 22:56 61440 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42d04c5c-n\decora-sse.dll
2010-04-28 22:56 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 21:01 . 2008-03-24 22:31 -------- d-----w- c:\program files\Java
2010-05-17 21:01 . 2008-03-24 22:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 03:27 . 2003-08-28 21:33 -------- d-----w- c:\program files\Dell
2010-05-16 02:28 . 2003-08-28 21:43 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-29 00:01 . 2010-03-18 23:22 439816 ----a-w- c:\documents and settings\vic hodge\Application Data\Real\Update\setup3.10\setup.exe
2010-04-16 00:02 . 2009-03-23 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-08 00:34 . 2010-04-08 00:34 -------- d-----w- c:\documents and settings\vic hodge\Application Data\Office Genuine Advantage
2010-03-20 21:21 . 2010-03-20 21:21 74752 ------w- c:\windows\system32\aade.sys
2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2002-08-29 10:00 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"PCTVOICE"="pctspk.exe" [2003-02-24 163840]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2002-08-23 143360]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-12-07 294912]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 245760]
"LWBMOUSE"="c:\program files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe" [2003-05-19 438272]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-08 212992]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 06:41 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-05-22 12:55 483328 ----a-r- c:\windows\SYSTEM32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-05-22 13:03 49152 ----a-r- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-16 12:21 28672 -c----w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2002-07-17 16:00 200767 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2003-11-03 08:29 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-03-29 12:29 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-11-08 03:07 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-11 22:31 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"AOL ACS"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [5/15/2010 9:40 PM 64288]
R1 aade;aade;c:\windows\SYSTEM32\aade.sys [3/20/2010 5:21 PM 74752]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [5/14/2010 5:17 AM 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [5/14/2010 5:17 AM 19024]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [5/13/2010 10:27 PM 20952]
S1 MpKsle1a2785a;MpKsle1a2785a;\??\c:\windows\system32\MpEngineStore\MpKsle1a2785a.sys --> c:\windows\system32\MpEngineStore\MpKsle1a2785a.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/13/2010 10:27 PM 303952]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\22.tmp --> c:\windows\system32\22.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2010 9:49 PM 135664]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1291544]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 01:49]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 01:49]

2004-04-22 c:\windows\Tasks\HP DArC Task 2003-04-08 07:12ewlett-Packard72002003-04-08 16:45N35I1B3RB7G.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-08 16:45]

2010-05-18 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2004-04-22 13:03]

2010-05-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
Notify-fccaccbebeebe - c:\windows\system32\fccaccbebeebe.dll
SafeBoot-klmdb.sys
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
AddRemove-Adobe Flash Player ActiveX - c:\windows\system32\Macromed\Flash\uninstall_activeX.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 03:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-05-18 03:32:49
ComboFix-quarantined-files.txt 2010-05-18 07:32

Pre-Run: 27,265,675,264 bytes free
Post-Run: 27,351,314,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 72FBDC5667CC1009E4945D4B1C0DAF22

------------------------------------------------------------------------


New DDS Log:



DDS (Ver_10-03-17.01) - NTFSx86
Run by vic hodge at 5:45:15.01 on Tue 05/18/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.201 [GMT -4:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe
C:\Documents and Settings\vic hodge\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [ATIModeChange] Ati2mdxx.exe
mRun: [PCTVOICE] pctspk.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [LWBMOUSE] c:\program files\targus\paum008u\ver_2.32\LWBWHEEL.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-5-15 64288]
R1 aade;aade;c:\windows\system32\aade.sys [2010-3-20 74752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-5-14 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-5-14 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-14 40384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-5-13 303952]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-14 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-5-14 40384]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-5-13 20952]
S1 MpKsle1a2785a;MpKsle1a2785a;\??\c:\windows\system32\mpenginestore\mpksle1a2785a.sys --> c:\windows\system32\mpenginestore\MpKsle1a2785a.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\22.tmp --> c:\windows\system32\22.tmp [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1291544]

=============== Created Last 30 ================

2010-05-18 07:16:27 0 d-sha-r- C:\cmdcons
2010-05-18 07:14:16 98816 ----a-w- c:\windows\sed.exe
2010-05-18 07:14:16 77312 ----a-w- c:\windows\MBR.exe
2010-05-18 07:14:16 256512 ----a-w- c:\windows\PEV.exe
2010-05-18 07:14:16 161792 ----a-w- c:\windows\SWREG.exe
2010-05-17 21:20:27 0 d-----w- c:\windows\system32\Adobe
2010-05-17 21:04:04 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-05-16 03:27:41 667648 ----a-w- c:\windows\system32\BCMLogon.dll
2010-05-16 03:26:47 44032 ----a-w- c:\windows\system32\wltrynt.dll
2010-05-16 03:26:47 18944 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2010-05-16 03:26:46 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
2010-05-16 03:26:43 86016 ----a-w- c:\windows\system32\preflib.dll
2010-05-16 03:26:43 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-05-16 03:26:36 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-05-16 03:26:36 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-05-16 03:26:36 1200128 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2010-05-16 03:26:29 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-05-16 03:26:29 3096576 ----a-w- c:\windows\system32\BCMWLCPL.CPL
2010-05-16 03:24:41 141056 ------w- c:\windows\system32\drivers\SET36.tmp
2010-05-16 02:04:26 162816 ----a-w- c:\windows\system32\drivers\NETBT.SYS
2010-05-16 01:40:03 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-16 01:38:51 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-16 01:26:37 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-16 01:22:45 0 d-----w- c:\program files\Lavasoft
2010-05-16 00:34:35 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-16 00:34:35 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-15 23:18:56 0 d-----w- c:\windows\system32\MpEngineStore
2010-05-14 10:15:40 0 d-----w- c:\program files\CCleaner
2010-05-14 09:15:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-05-14 02:30:07 0 d-----w- c:\docume~1\vichod~1\applic~1\Malwarebytes
2010-05-14 02:28:23 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-14 02:28:08 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 02:28:08 0 d-----w- c:\docume~1\vichod~1\applic~1\SUPERAntiSpyware.com
2010-05-14 02:27:48 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-14 02:27:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 02:27:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 02:27:31 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-14 02:27:30 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 02:12:36 0 d-----w- c:\windows\pss
2010-04-28 22:56:13 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-05-16 02:28:57 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-03-20 21:21:28 74752 ------w- c:\windows\system32\aade.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 15:54:36 11070976 ----a-w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 13:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-06 14:19:24 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010020620100207\index.dat

============= FINISH: 5:46:39.33 ===============


#9 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 AM

Posted 18 May 2010 - 08:04 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/317058/rootkit-virus-google-redirect/?p=1762269
Driver::
aade
Collect::
c:\windows\system32\aade.sys



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows, disable protection and refering to the picture above, drag CFScript into ComboFix.exe (note: have internet connection enabled while doing this).
Then post the resultant log. Is the browser still redirecting?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#10 AWILD1

AWILD1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 19 May 2010 - 12:48 AM

Hi,


There was the same crash again in PEV.cfxxe after stage 2 in ComboFix while scanning. Again, I clicked the "Don't Send" button and it finished scanning without any more errors.

I ran the ComboFix script but do not remember if I had the Internet connection active or not while running. I don't believe it was - Should I run it again? After running the script and the laptop rebooted, I tried to do several Google searches for a few minutes but didn't notice any redirects at all.

The Internet Explorer seems to take quite a while to load up and the Laptop seems to be rather slow a lot with the busy light showing activity but not really seeing much happen in the Task Managers Processes window. I will watch it closer later. There may just need to be some more tweaking done on the Plug-ins and startup items since he had so many things starting up before. I will try and adjust them more later. Anyway, I tried to shut down most of the un-needed running processes (mainly Microsoft Office and HP items) after rebooting and before running ComboFix since they really make the boot up time real long and didn't want anything to mess with ComboFix while running. Here is the latest ComboFix log...


Latest ComboFix Log:


ComboFix 10-05-16.02 - vic hodge 05/18/2010 15:30:23.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.258 [GMT -4:00]
Running from: c:\documents and settings\vic hodge\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\vic hodge\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\aade.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aade.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AADE
-------\Service_aade


((((((((((((((((((((((((( Files Created from 2010-04-18 to 2010-05-18 )))))))))))))))))))))))))))))))
.

2010-05-17 21:20 . 2010-05-17 21:21 -------- d-----w- c:\windows\system32\Adobe
2010-05-17 21:04 . 2010-05-17 21:04 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2010-05-16 03:27 . 2005-12-19 21:08 667648 ----a-w- c:\windows\system32\BCMLogon.dll
2010-05-16 03:26 . 2005-12-19 21:08 44032 ----a-w- c:\windows\system32\wltrynt.dll
2010-05-16 03:26 . 2005-12-19 21:08 18944 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2010-05-16 03:26 . 2005-12-19 21:08 1347584 ----a-w- c:\windows\system32\WLTRAY.EXE
2010-05-16 03:26 . 2005-12-19 21:08 86016 ----a-w- c:\windows\system32\preflib.dll
2010-05-16 03:26 . 2005-12-19 21:08 2129920 ----a-w- c:\windows\system32\WLBCGCBPRO731.DLL
2010-05-16 03:26 . 2005-12-19 21:08 69632 ----a-w- c:\windows\system32\bcmwlpkt.dll
2010-05-16 03:26 . 2005-12-19 21:08 33664 ----a-w- c:\windows\system32\drivers\BCMWLNPF.SYS
2010-05-16 03:26 . 2005-12-19 21:08 1200128 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2010-05-16 03:26 . 2005-12-19 21:08 757760 ----a-w- c:\windows\system32\bcm1xsup.dll
2010-05-16 02:04 . 2010-05-16 02:04 162816 ----a-w- c:\windows\system32\drivers\NETBT.SYS
2010-05-16 01:40 . 2010-02-04 15:53 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-16 01:40 . 2010-05-16 01:40 -------- dc----w- c:\windows\system32\DRVSTORE
2010-05-16 01:38 . 2010-05-16 01:37 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-16 01:26 . 2010-02-04 15:53 2954656 -c--a-w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}\Ad-AwareInstaller.exe
2010-05-16 01:26 . 2010-05-16 01:27 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-05-16 01:22 . 2010-05-16 01:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-16 01:22 . 2010-05-16 01:27 -------- d-----w- c:\program files\Lavasoft
2010-05-16 00:34 . 2010-05-17 05:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-16 00:34 . 2010-05-16 02:29 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-15 23:18 . 2010-05-16 02:27 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-14 10:15 . 2010-05-14 10:15 -------- d-----w- c:\program files\CCleaner
2010-05-14 09:17 . 2010-05-06 20:33 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-14 09:17 . 2010-05-06 20:39 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-14 09:17 . 2010-05-06 20:34 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-14 09:17 . 2010-05-06 20:39 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-14 09:17 . 2010-05-06 20:33 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-14 09:17 . 2010-05-06 20:33 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-14 09:17 . 2010-05-06 20:33 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-05-14 09:16 . 2010-05-06 20:59 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-14 09:16 . 2010-05-06 20:59 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-14 09:15 . 2010-05-14 09:15 -------- d-----w- c:\program files\Alwil Software
2010-05-14 09:15 . 2010-05-14 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-14 02:30 . 2010-05-14 02:30 -------- d-----w- c:\documents and settings\vic hodge\Application Data\Malwarebytes
2010-05-14 02:28 . 2010-05-14 02:28 52224 ----a-w- c:\documents and settings\vic hodge\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-14 02:28 . 2010-05-15 18:57 117760 ----a-w- c:\documents and settings\vic hodge\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-14 02:28 . 2010-05-14 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-14 02:28 . 2010-05-14 02:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-14 02:28 . 2010-05-14 02:28 -------- d-----w- c:\documents and settings\vic hodge\Application Data\SUPERAntiSpyware.com
2010-05-14 02:27 . 2010-05-14 02:27 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-14 02:27 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-14 02:27 . 2010-05-14 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-14 02:27 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-14 02:27 . 2010-05-14 08:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-28 22:56 . 2010-04-28 22:56 503808 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-562748e8-n\msvcp71.dll
2010-04-28 22:56 . 2010-04-28 22:56 499712 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-562748e8-n\jmc.dll
2010-04-28 22:56 . 2010-04-28 22:56 348160 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-562748e8-n\msvcr71.dll
2010-04-28 22:56 . 2010-04-28 22:56 12800 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42d04c5c-n\decora-d3d.dll
2010-04-28 22:56 . 2010-04-28 22:56 61440 ----a-w- c:\documents and settings\vic hodge\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-42d04c5c-n\decora-sse.dll
2010-04-28 22:56 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 21:01 . 2008-03-24 22:31 -------- d-----w- c:\program files\Java
2010-05-17 21:01 . 2008-03-24 22:29 -------- d-----w- c:\program files\Common Files\Java
2010-05-16 03:27 . 2003-08-28 21:33 -------- d-----w- c:\program files\Dell
2010-05-16 02:28 . 2003-08-28 21:43 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-29 00:01 . 2010-03-18 23:22 439816 ----a-w- c:\documents and settings\vic hodge\Application Data\Real\Update\setup3.10\setup.exe
2010-04-16 00:02 . 2009-03-23 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-04-08 00:34 . 2010-04-08 00:34 -------- d-----w- c:\documents and settings\vic hodge\Application Data\Office Genuine Advantage
2010-03-10 06:15 . 2002-08-29 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2006-06-23 15:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2002-08-29 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-11-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 28672]
"PCTVOICE"="pctspk.exe" [2003-02-24 163840]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2002-08-23 143360]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-12-07 294912]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-07-17 28672]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2003-06-24 245760]
"LWBMOUSE"="c:\program files\TARGUS\PAUM008U\Ver_2.32\LWBWHEEL.exe" [2003-05-19 438272]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-05-07 188416]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-04-08 212992]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-03-30 437584]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 06:41 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
2003-05-22 12:55 483328 ----a-r- c:\windows\SYSTEM32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
2003-05-22 13:03 49152 ----a-r- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2002-07-16 12:21 28672 -c----w- c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2002-07-17 16:00 200767 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2003-11-03 08:29 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-03-29 12:29 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2008-11-08 03:07 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-05-11 22:31 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"AOL ACS"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [5/15/2010 9:40 PM 64288]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [5/14/2010 5:17 AM 164048]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [5/14/2010 5:17 AM 19024]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/13/2010 10:27 PM 303952]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [5/13/2010 10:27 PM 20952]
S1 MpKsle1a2785a;MpKsle1a2785a;\??\c:\windows\system32\MpEngineStore\MpKsle1a2785a.sys --> c:\windows\system32\MpEngineStore\MpKsle1a2785a.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\22.tmp --> c:\windows\system32\22.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2010 9:49 PM 135664]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1291544]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 01:49]

2010-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-14 01:49]

2004-04-22 c:\windows\Tasks\HP DArC Task 2003-04-08 07:12ewlett-Packard72002003-04-08 16:45N35I1B3RB7G.job
- c:\program files\HP\hpcoretech\comp\hpdarc.exe [2003-04-08 16:45]

2010-05-18 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe [2004-04-22 13:03]

2010-05-18 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-18 15:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???x???x???????????????????x???????????x???x???????????x???????????x???x??????????????????????????????????????????w????????????j??w????x???x??????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(676)
c:\windows\system32\WININET.dll
c:\program files\TARGUS\PAUM008U\Ver_2.32\MOUSEDLL.DLL
c:\windows\system32\ieframe.dll
c:\program files\Apoint\Apoint.DLL
c:\windows\system32\Vxdif.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\pctspk.exe
c:\program files\Apoint\Apntex.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqnrs08.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-05-18 15:48:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-18 19:47

Pre-Run: 27,374,751,744 bytes free
Post-Run: 27,266,543,616 bytes free

- - End Of File - - 501A1BD8932F5529FC3808CE4CC31C77


#11 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 AM

Posted 19 May 2010 - 01:04 AM

Hi,

No need to run again but look for zip file with name like [4]-Submit in c:\qoobox\quarantine folder. Upload it to this website. Kindly include a link to this topic. Let me know when that's done.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#12 AWILD1

AWILD1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 19 May 2010 - 01:21 AM

Hi,

OK, The file was just submitted. Again, Thank you for all your help.

#13 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 AM

Posted 19 May 2010 - 11:27 AM

Thanks for the file submission smile.gif

QUOTE
The Internet Explorer seems to take quite a while to load up and the Laptop seems to be rather slow a lot with the busy light showing activity but not really seeing much happen in the Task Managers Processes window.

Has the hard drive been defragged lately? How much RAM does the system have installed?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006
unite_blue.png

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#14 AWILD1

AWILD1
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:09 PM

Posted 19 May 2010 - 01:11 PM

Hi,

I'm not sure when it was last defragged but when I checked it out, it said it was only 7% Fragmented and did not need to be defragged. There is 68% free space on the hard drive and the system has 512mb of RAM. The slowness seems to be more software/setting related. I will defrag the drive after everything is done and setup.

Was the file that was removed and uploaded the virus/problem with the laptop? Did the last report(s) show any other problems? I forgot to mention also, when I first copied the first DDS.txt report from the laptop to my thumb/flash drive and then inserted the drive into this (my) PC, it almost instantly popped up a NOD32 virus warning that it was infected and was cleaned/deleted. It said the following:

5/14/2010 2:35:11 AM - AMON - file J:\m.exe - Win32/Agent.OKD trojan - deleted - Event occurred at an attempt to access the file by the application: C:\WINDOWS\Explorer.EXE.

5/14/2010 2:34:47 AM - AMON - file J:\Autorun.inf - Win32/AutoRun.Agent.GZ worm - deleted - NT AUTHORITY\SYSTEM Event occurred at an attempt to access the file by the application: C:\WINDOWS\System32\svchost.exe.

It deleted the m.exe and autorun.inf files instead of Quarantining them so I'm not able to upload them for inspection. Do you think my PC is Ok or do you think something may of slipped by?

Thanks again

#15 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:05:09 AM

Posted 20 May 2010 - 12:10 AM

QUOTE
Was the file that was removed and uploaded the virus/problem with the laptop? Did the last report(s) show any other problems?

Yes, the uploaded file was bad one. I shall provide some final steps below.

QUOTE
Do you think my PC is Ok or do you think something may of slipped by?

If system doesn't have any symptoms I'd say it's safe.



THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis


Now lets uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK


Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the start button (at the lower left hand corner of your screen)
    2. Click run
    3. In the dialog box, type services.msc
    4. hit enter, then locate dns client
    5. Highlight it, then double-click it.
    6. On the dropdown box, change the setting from automatic to manual.
    7. Click ok
  • Run Secunia vulnerability check here and fix its findings.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation Install Comodo HopSurf.., Make Comodo my default search provider and Make Comodo Search my homepage and install firewall ONLY!). Both providers have support forums that help with configuration related questions.


  • Just a final reminder for you. I am trying to stress these two points.
    UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
    Make sure all of your security programs are up to date.
    Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


    Once again, please post and tell me how things are going with your system... problems etc.

    Have a great day,
    Blade cool.gif

    Microsoft Windows Insider MVP 2016-2017

    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006
    unite_blue.png

    Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.





    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users