
Got some issues with annoying PC


  • This topic is locked
12 replies to this topic

#1 brownsfan

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:33 PM

Posted 15 May 2010 - 11:30 PM

Very aggressive spyware pop-up


new dds log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Gary Hazelett at 8:29:17.35 on Sat 05/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.1112 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: Data Protection *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

d:\windows\system32\svchost -k dcomlaunch
d:\windows\system32\svchost -k rpcss
d:\windows\system32\svchost.exe -k netsvcs
d:\windows\system32\svchost.exe -k wudfservicegroup
d:\windows\system32\svchost.exe -k localservice
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\WINDOWS\Explorer.EXE
d:\windows\system32\svchost.exe -k localservice
D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
d:\windows\system32\svchost.exe -k bthsvcs
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
D:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
D:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\DOCUME~1\GARYHA~1\LOCALS~1\Temp\dmadmin.exe
D:\WINDOWS\system32\crypserv.exe
D:\Program Files\Belkin\Bluetooth Software\BTTray.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Windows Desktop Search\WindowsSearch.exe
D:\Program Files\magicBlock\magicBlock.exe
D:\Program Files\Java\jre6\bin\javaw.exe
D:\DOCUME~1\GARYHA~1\LOCALS~1\Temp\wscsvc32.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
D:\Program Files\Common Files\Motive\McciCMService.exe
D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
D:\Program Files\CDBurnerXP\NMSAccessU.exe
D:\WINDOWS\system32\nvsvc32.exe
d:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
d:\windows\system32\svchost.exe -k imgsvc
D:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
D:\WINDOWS\system32\SearchIndexer.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\HP\hpcoretech\comp\hpdarc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Documents and Settings\Gary Hazelett\Application Data\mjusbsp\magicJack.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
d:\windows\system32\svchost.exe -k networkservice
D:\Program Files\Spyware Doctor\pctsGui.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
D:\Program Files\Spyware Doctor\TFEngine\TFService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Gary Hazelett\My Documents\Downloads\dds.scr
D:\WINDOWS\system32\SearchProtocolHost.exe
D:\WINDOWS\system32\SearchFilterHost.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm069YYUS&fl=0&ptb=A.nPqNtEDZzoCnygl5pQww&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uWindow Title = Road Runner High Speed Online
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - d:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - d:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-C8ED-EA2EFAD2ED61} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "d:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [TomTomHOME.exe] "d:\program files\tomtom home 2\TomTomHOMERunner.exe" -s
uRun: [cdloader] "d:\documents and settings\gary hazelett\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [swg] "d:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [dmadmin.exe] d:\docume~1\garyha~1\locals~1\temp\dmadmin.exe
mRun: [NvCplDaemon] RUNDLL32.EXE d:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE d:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [HPDJ Taskbar Utility] d:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [NBKeyScan] "d:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [mxomssmenu] "d:\program files\maxtor\onetouch status\maxmenumgr.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "d:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRun: [ISUSPM] "d:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
StartupFolder: d:\docume~1\garyha~1\startm~1\programs\startup\magicb~1.lnk - d:\program files\magicblock\magicBlock.exe
StartupFolder: d:\docume~1\garyha~1\startm~1\programs\startup\ps3med~1.lnk - d:\program files\ps3 media server\PMS.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - d:\program files\belkin\bluetooth software\BTTray.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - d:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - d:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - d:\program files\windows desktop search\WindowsSearch.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &Search
IE: Add to Google Photos Screensa&ver - d:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - d:\program files\belkin\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://d:\windows\java\classes\xmldso.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxp://activation.rr.com/install/downloads/tgctlcm.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///D:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/stg_drm.ocx
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - d:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://support.magicjack.com/jre-1_5_0_14-windows-i586-p.exe
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///D:/Program%20Files/Mahjong%20Escape%20-%20Ancient%20Japan/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - d:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: d:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - d:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "d:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\garyha~1\applic~1\mozilla\firefox\profiles\t5fiuob4.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: d:\program files\common files\motive\npMotive.dll
FF - plugin: d:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: d:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: d:\program files\picasa2\npPicasa2.dll
FF - plugin: d:\program files\picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
d:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
d:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
d:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
d:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
d:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
d:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;d:\windows\system32\drivers\PCTCore.sys [2010-5-15 218592]
R0 TfFsMon;TfFsMon;d:\windows\system32\drivers\TfFsMon.sys [2010-5-15 51984]
R0 TfSysMon;TfSysMon;d:\windows\system32\drivers\TfSysMon.sys [2010-5-15 59664]
R1 oreans32;oreans32;d:\windows\system32\drivers\oreans32.sys [2010-5-5 33824]
R1 pctgntdi;pctgntdi;d:\windows\system32\drivers\pctgntdi.sys [2010-5-15 233136]
R2 Browser Defender Update Service;Browser Defender Update Service;d:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-5-15 112592]
R2 sdAuxService;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2010-5-15 366840]
R2 sdCoreService;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2010-5-15 1142224]
R2 TomTomHOMEService;TomTomHOMEService;d:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 LgBttPort;LGE Bluetooth TransPort;d:\windows\system32\drivers\lgbtport.sys [2009-6-19 12032]
R3 lgbusenum;LG Bluetooth Bus Enumerator;d:\windows\system32\drivers\lgbtbus.sys [2009-6-19 10496]
R3 LGVMODEM;LGE Virtual Modem;d:\windows\system32\drivers\lgvmodem.sys [2009-6-19 12928]
R3 pctplsg;pctplsg;d:\windows\system32\drivers\pctplsg.sys [2010-5-15 63360]
R3 TfNetMon;TfNetMon;d:\windows\system32\drivers\TfNetMon.sys [2010-5-15 33552]
R3 ThreatFire;ThreatFire;d:\program files\spyware doctor\tfengine\tfservice.exe service --> d:\program files\spyware doctor\tfengine\TFService.exe service [?]
R4 MBAMProtector;MBAMProtector;\??\d:\windows\system32\drivers\mbam.sys --> d:\windows\system32\drivers\mbam.sys [?]
R4 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-3-30 303952]
S3 epmntdrv;epmntdrv;d:\windows\system32\epmntdrv.sys [2010-4-16 13192]
S3 EuGdiDrv;EuGdiDrv;d:\windows\system32\EuGdiDrv.sys [2010-4-16 8456]
S3 motccgp;Motorola USB Composite Device Driver;d:\windows\system32\drivers\motccgp.sys [2008-5-15 18176]
S3 motccgpfl;MotCcgpFlService;d:\windows\system32\drivers\motccgpfl.sys [2008-5-15 7680]
S3 PS3 Media Server;PS3 Media Server;d:\program files\ps3 media server\win32\service\wrapper.exe [2008-8-17 217088]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;d:\windows\system32\drivers\rtl8187.sys --> d:\windows\system32\drivers\RTL8187.sys [?]
S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;d:\program files\google\google desktop search\GoogleDesktop.exe [2007-1-20 29744]
S4 gupdate;Google Update Service (gupdate);d:\program files\google\update\GoogleUpdate.exe [2009-12-29 135664]

=============== Created Last 30 ================


==================== Find3M ====================

2008-08-11 00:49:50 32768 --sha-w- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081020080811\index.dat

============= FINISH: 8:54:14.53 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-15 23:28:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: D:\DOCUME~1\GARYHA~1\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

Code 8A8FB7F8 ZwEnumerateKey
Code 8AC654A0 ZwFlushInstructionCache
Code 8A420E16 IofCallDriver
Code 8A8A5766 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 8A420E1B
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 8A8A576B
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEB8 5 Bytes JMP 8AC654A4
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 5 Bytes JMP 8A8FB7FC
.text D:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB93C1360, 0x32E00D, 0xE8000020]
.text D:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xACFF6280, 0x7B1C, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\Mozilla Firefox\firefox.exe[144] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0132000A
.text D:\Program Files\Mozilla Firefox\firefox.exe[144] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0133000A
.text D:\Program Files\Mozilla Firefox\firefox.exe[144] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0131000C
.text D:\WINDOWS\Explorer.EXE[324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A
.text D:\WINDOWS\Explorer.EXE[324] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CC000A
.text D:\WINDOWS\Explorer.EXE[324] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C5000C
.text D:\WINDOWS\System32\svchost.exe[856] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text D:\WINDOWS\System32\svchost.exe[856] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A2000A
.text D:\WINDOWS\System32\svchost.exe[856] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
.text D:\WINDOWS\System32\svchost.exe[856] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 02C5000A
.text D:\WINDOWS\System32\svchost.exe[856] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 02C4000A
.text D:\WINDOWS\system32\SearchIndexer.exe[2160] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C D:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text D:\WINDOWS\system32\wuauclt.exe[2796] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text D:\WINDOWS\system32\wuauclt.exe[2796] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text D:\WINDOWS\system32\wuauclt.exe[2796] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 002E000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module \systemroot\PRAGMAcpxuetqxdm\PRAGMAd.sys (*** hidden *** ) A97EB000-A980E000 (143360 bytes)
---- Processes - GMER 1.0.15 ----

Library D:\WINDOWS\system32\dll.dll (*** hidden *** ) @ D:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe [2460] 0x10000000
Library D:\WINDOWS\system32\dll.dll (*** hidden *** ) @ D:\WINDOWS\system32\wuauclt.exe [2796] 0x10000000

---- Services - GMER 1.0.15 ----

Service D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMAcpxuetqxdm <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a3a5901ef (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\000a3a5901ef@000d3c409b29 0x0C 0x6E 0xAC 0x9A ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a3a5901ef (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000a3a5901ef@000d3c409b29 0x0C 0x6E 0xAC 0x9A ...
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx@imagepath \systemroot\PRAGMAoibcjxvnmx\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx\modules@PRAGMAd \systemroot\PRAGMAoibcjxvnmx\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAoibcjxvnmx\modules@PRAGMAc \systemroot\PRAGMAoibcjxvnmx\PRAGMAc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a5901ef
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a5901ef@000d3c409b29 0x0C 0x6E 0xAC 0x9A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm@imagepath \systemroot\PRAGMAcpxuetqxdm\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm\modules@PRAGMAd \systemroot\PRAGMAcpxuetqxdm\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAcpxuetqxdm\modules@PRAGMAc \systemroot\PRAGMAcpxuetqxdm\PRAGMAc.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\352DFC58EA831BD4CA7B0F4F7C1999D0\Usage@AiO_Device 1018105800

---- Files - GMER 1.0.15 ----

File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\PRAGMA5d73.tmp 67072 bytes executable
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\PRAGMA609f.tmp 343040 bytes executable
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\PRAGMA6f89.tmp 90624 bytes executable
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\PRAGMA87de.tmp 90624 bytes executable
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\PRAGMAa01e.tmp 67072 bytes executable
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\PRAGMAb35d.tmp 343040 bytes executable
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\PRAGMAe2a.tmp 90624 bytes executable
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\PRAGMAf72c.tmp 67072 bytes executable
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\PRAGMAf865.tmp 343040 bytes executable
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\pragmamainqt.dll 10274 bytes
File D:\Documents and Settings\Gary Hazelett\Local Settings\Temp\pragmapdconf.ini 35 bytes
File D:\WINDOWS\Temp\PRAGMA1ee3.tmp 142 bytes
File D:\WINDOWS\Temp\PRAGMA75a3.tmp 142 bytes
File D:\WINDOWS\Temp\PRAGMA8bb7.tmp 142 bytes
File D:\WINDOWS\PRAGMAcpxuetqxdm 0 bytes
File D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAc.dll 31232 bytes executable
File D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAcfg.ini 93 bytes
File D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAd.sys 46080 bytes executable <-- ROOTKIT !!!
File D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAsrcr.dat 146 bytes
File D:\WINDOWS\PRAGMAibpxusptio 0 bytes
File D:\WINDOWS\PRAGMAibpxusptio\PRAGMAc.dll 31232 bytes executable
File D:\WINDOWS\PRAGMAibpxusptio\PRAGMAcfg.ini 93 bytes
File D:\WINDOWS\PRAGMAibpxusptio\PRAGMAd.sys 46080 bytes executable
File D:\WINDOWS\PRAGMAibpxusptio\PRAGMAsrcr.dat 146 bytes
File D:\WINDOWS\PRAGMAmtixtbdrbc 0 bytes
File D:\WINDOWS\PRAGMAoibcjxvnmx 0 bytes
File D:\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAc.dll 31232 bytes executable
File D:\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAcfg.ini 93 bytes
File D:\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAd.sys 46080 bytes executable
File D:\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAsrcr.dat 146 bytes
File D:\WINDOWS\PRAGMAqipjqvrtcc 0 bytes
File D:\WINDOWS\PRAGMAqipjqvrtcc\pragmabbr.dll 57344 bytes executable
File D:\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAc.dll 31232 bytes executable
File D:\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAcfg.ini 93 bytes
File D:\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAd.sys 46080 bytes executable
File D:\WINDOWS\PRAGMAqipjqvrtcc\pragmaserf.dll 57344 bytes executable
File D:\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAsrcr.dat 146 bytes

---- EOF - GMER 1.0.15 ----
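
The DDS and GMER output above already contains the indicators a responder reads first: executables launched from a Temp directory, the Task Manager policy set to disabled, inline JMP hooks on kernel exports, and the objects GMER itself marks as hidden or as a rootkit. The script below is an added example for this thread, not part of the post and not part of DDS, GMER or any tool the thread mentions; the rule names are invented here, and the sample lines are copied from the logs above plus two benign lines so it runs offline.

```python
"""Triage a DDS / GMER text log for the indicators a malware responder
reads first.  Added example for this thread; it is not part of DDS, GMER
or any of the tools the thread mentions.  Rule names are invented here."""
import re
from collections import Counter

# Rule table: (name, pattern).  Matching is case-insensitive because DDS
# lower-cases many paths while GMER keeps their original case.
RULES = [
    # An image (exe/dll/sys/scr) launched or loaded from a Temp directory.
    ("exec_from_temp",
     re.compile(r"\\temp\\[^\\\s]+\.(exe|dll|sys|scr)\b", re.I)),
    # DDS reports the Task Manager policy as 'DisableTaskMgr = 1 (0x1)'.
    ("taskmgr_disabled", re.compile(r"DisableTaskMgr\s*=\s*1\b", re.I)),
    # GMER's own markers for objects hidden from the normal Windows APIs.
    ("gmer_hidden", re.compile(r"\*\*\* hidden \*\*\*|<-- ROOTKIT")),
    # Inline hook on a kernel export:
    #   '<section> <image>.<exe|sys>!<export> <addr> <n> Bytes JMP <addr>'.
    # Per-process user-mode hooks ('... firefox.exe[144] ntdll.dll!...')
    # carry a PID and a space before the module and are left out on purpose.
    ("kernel_inline_hook",
     re.compile(r"^(\.text|PAGE)\s+\S+\.(exe|sys)!\w+\s+[0-9A-F]{8}\s+"
                r"\d+ Bytes\s+JMP\s+[0-9A-F]{8}", re.I)),
    # Naming used by the hidden driver/service seen in this thread.
    ("pragma_path", re.compile(r"\\PRAGMA\w+", re.I)),
]

# Sample input: lines copied from the DDS and GMER logs posted in the thread,
# plus two benign lines (Malwarebytes GUI, fltmgr filter), so the script runs offline.
SAMPLE_LOG = [
    r"D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe",
    r"D:\DOCUME~1\GARYHA~1\LOCALS~1\Temp\dmadmin.exe",
    r"D:\DOCUME~1\GARYHA~1\LOCALS~1\Temp\wscsvc32.exe",
    r"uPolicies-system: DisableTaskMgr = 1 (0x1)",
    r".text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 8A420E1B",
    r"PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 5 Bytes JMP 8A8FB7FC",
    r".text D:\WINDOWS\Explorer.EXE[324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C6000A",
    r"Module \systemroot\PRAGMAcpxuetqxdm\PRAGMAd.sys (*** hidden *** ) A97EB000-A980E000 (143360 bytes)",
    r"Service D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMAcpxuetqxdm <-- ROOTKIT !!!",
    r"File D:\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAd.sys 46080 bytes executable <-- ROOTKIT !!!",
    r"AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)",
]


def triage(lines):
    """Return one (rule_name, line) pair per rule each non-empty line matches."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, line))
    return findings


def summarize(findings):
    """Hits per rule: the overview a responder reads before the line detail."""
    return dict(Counter(name for name, _ in findings))


def rootkit_suspected(findings):
    """True when the scanner itself reported hidden objects; that marker comes
    from GMER's cross-view comparison rather than from a file-name pattern."""
    return any(name == "gmer_hidden" for name, _ in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, count in sorted(summarize(found).items()):
        print(f"{rule:20s} {count}")
    for rule, line in found:
        print(f"[{rule}] {line}")
    print("rootkit suspected:", rootkit_suspected(found))
```

The rules rank lines, they do not convict them: `exec_from_temp` also fires on GMER's own driver, which the log shows running from Temp, and inline hooks on kernel exports are placed by some security products as well as by malware, so those two need the analyst to attribute the hook. The `gmer_hidden` rule is the decisive one, because it comes from the scanner's cross-view check rather than from a name; the `pragma_path` rule only encodes the naming seen in this thread and would have to be adjusted for another family.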


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:33 PM

Posted 16 May 2010 - 05:47 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Some things to remember while we are working together.
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.


Download PragmaFix and run it. A log will open up when done.

Note - when you run PragmaFix you need an active internet connection!

Post me the log please.

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 brownsfan (Topic Starter)

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:33 PM

Posted 17 May 2010 - 12:14 AM

Downloaded and installed the program... whatever is affecting this PC won't let me run it: it flickers on the screen for a second and nothing more. Also just noticed the Task Manager is now disabled.

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:33 PM

Posted 17 May 2010 - 12:20 AM

Greetings brownsfan,

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


#5 brownsfan (Topic Starter)

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:33 PM

Posted 17 May 2010 - 09:51 AM

That seemed to have helped quite a bunch; no annoying popups or anything so far. Here is a fresh log:


ComboFix 10-05-16.01 - Gary Hazelett 05/17/2010 1:43.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2559.2165 [GMT -5:00]
Running from: d:\documents and settings\Gary Hazelett\My Documents\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\docume~1\GARYHA~1\LOCALS~1\Temp\wscsvc32.exe
d:\documents and settings\Gary Hazelett\Application Data\Microsoft\Internet Explorer\Quick Launch\Data Protection.lnk
d:\documents and settings\Gary Hazelett\Local Settings\Temporary Internet Files\temp.dmf
d:\documents and settings\Gary Hazelett\Start Menu\Programs\Data Protection
d:\documents and settings\Gary Hazelett\Start Menu\Programs\Data Protection\About.lnk
d:\documents and settings\Gary Hazelett\Start Menu\Programs\Data Protection\Activate.lnk
d:\documents and settings\Gary Hazelett\Start Menu\Programs\Data Protection\Buy.lnk
d:\documents and settings\Gary Hazelett\Start Menu\Programs\Data Protection\Data Protection Support.lnk
d:\documents and settings\Gary Hazelett\Start Menu\Programs\Data Protection\Data Protection.lnk
d:\documents and settings\Gary Hazelett\Start Menu\Programs\Data Protection\Scan.lnk
d:\documents and settings\Gary Hazelett\Start Menu\Programs\Data Protection\Settings.lnk
d:\documents and settings\Gary Hazelett\Start Menu\Programs\Data Protection\Update.lnk
d:\program files\Data Protection
d:\program files\Data Protection\about.ico
d:\program files\Data Protection\activate.ico
d:\program files\Data Protection\buy.ico
d:\program files\Data Protection\dat.db
d:\program files\Data Protection\datext.dll
d:\program files\Data Protection\dathook.dll
d:\program files\Data Protection\datprot.exe
d:\program files\Data Protection\help.ico
d:\program files\Data Protection\scan.ico
d:\program files\Data Protection\settings.ico
d:\program files\Data Protection\splash.mp3
d:\program files\Data Protection\Uninstall.exe
d:\program files\Data Protection\update.ico
d:\program files\Data Protection\virus.mp3
d:\windows\PRAGMAcpxuetqxdm
d:\windows\PRAGMAcpxuetqxdm\PRAGMAc.dll
d:\windows\PRAGMAcpxuetqxdm\PRAGMAcfg.ini
d:\windows\PRAGMAcpxuetqxdm\PRAGMAd.sys
d:\windows\PRAGMAcpxuetqxdm\PRAGMAsrcr.dat
d:\windows\PRAGMAfulqipjiko
d:\windows\PRAGMAfulqipjiko\PRAGMAc.dll
d:\windows\PRAGMAfulqipjiko\PRAGMAcfg.ini
d:\windows\PRAGMAfulqipjiko\PRAGMAd.sys
d:\windows\PRAGMAfulqipjiko\PRAGMAsrcr.dat
d:\windows\PRAGMAibpxusptio
d:\windows\PRAGMAibpxusptio\PRAGMAc.dll
d:\windows\PRAGMAibpxusptio\PRAGMAcfg.ini
d:\windows\PRAGMAibpxusptio\PRAGMAd.sys
d:\windows\PRAGMAibpxusptio\PRAGMAsrcr.dat
d:\windows\PRAGMAmtixtbdrbc
d:\windows\PRAGMAoibcjxvnmx
d:\windows\PRAGMAoibcjxvnmx\PRAGMAc.dll
d:\windows\PRAGMAoibcjxvnmx\PRAGMAcfg.ini
d:\windows\PRAGMAoibcjxvnmx\PRAGMAd.sys
d:\windows\PRAGMAoibcjxvnmx\PRAGMAsrcr.dat
d:\windows\PRAGMAqhwmcetrxy
d:\windows\PRAGMAqhwmcetrxy\PRAGMAc.dll
d:\windows\PRAGMAqhwmcetrxy\PRAGMAcfg.ini
d:\windows\PRAGMAqhwmcetrxy\PRAGMAd.sys
d:\windows\PRAGMAqhwmcetrxy\PRAGMAsrcr.dat
d:\windows\PRAGMAqipjqvrtcc
d:\windows\PRAGMAqipjqvrtcc\pragmabbr.dll
d:\windows\PRAGMAqipjqvrtcc\PRAGMAc.dll
d:\windows\PRAGMAqipjqvrtcc\PRAGMAcfg.ini
d:\windows\PRAGMAqipjqvrtcc\PRAGMAd.sys
d:\windows\PRAGMAqipjqvrtcc\pragmaserf.dll
d:\windows\PRAGMAqipjqvrtcc\PRAGMAsrcr.dat
d:\windows\PRAGMAsiemntxomb
d:\windows\PRAGMAsiemntxomb\PRAGMAc.dll
d:\windows\PRAGMAsiemntxomb\PRAGMAcfg.ini
d:\windows\PRAGMAsiemntxomb\PRAGMAd.sys
d:\windows\PRAGMAsiemntxomb\PRAGMAsrcr.dat
d:\windows\PRAGMAxnixthossp
d:\windows\PRAGMAxnixthossp\PRAGMAc.dll
d:\windows\PRAGMAxnixthossp\PRAGMAcfg.ini
d:\windows\PRAGMAxnixthossp\PRAGMAd.sys
d:\windows\PRAGMAxnixthossp\PRAGMAsrcr.dat
d:\windows\PRAGMAyriuypesvj
d:\windows\PRAGMAyriuypesvj\PRAGMAc.dll
d:\windows\PRAGMAyriuypesvj\PRAGMAcfg.ini
d:\windows\PRAGMAyriuypesvj\PRAGMAd.sys
d:\windows\PRAGMAyriuypesvj\PRAGMAsrcr.dat

Infected copy of d:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-16 10:54 . 2010-05-16 10:54 -------- d-----w- d:\windows\system32\MpEngineStore
2010-05-15 13:10 . 2010-05-06 15:36 221568 ------w- d:\windows\system32\MpSigStub.exe
2010-05-15 13:10 . 2010-05-15 13:31 -------- d-----w- d:\documents and settings\All Users\Application Data\PC Tools
2010-05-15 12:54 . 2010-05-15 12:54 -------- d-----w- d:\documents and settings\Gary Hazelett\Local Settings\Application Data\Threat Expert
2010-05-15 12:38 . 2010-05-15 13:31 -------- d-----w- d:\program files\Spyware Doctor
2010-05-15 12:38 . 2010-05-15 13:31 -------- d-----w- d:\program files\Common Files\PC Tools
2010-05-15 12:32 . 2010-04-12 22:29 411368 ----a-w- d:\windows\system32\deployJava1.dll
2010-05-15 06:00 . 2010-05-15 06:00 168136 ----a-w- d:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-15 04:47 . 2010-05-15 04:47 -------- d-----w- d:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-15 04:46 . 2010-05-15 04:46 -------- d-----w- d:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-15 04:44 . 2010-05-17 04:35 -------- d-----w- d:\documents and settings\Administrator\Application Data\mjusbsp
2010-05-15 04:43 . 2010-05-15 04:43 -------- d-sh--w- d:\documents and settings\Administrator\IETldCache
2010-05-12 03:27 . 2010-05-12 03:27 -------- d-----w- d:\documents and settings\All Users\Application Data\InstallShield
2010-05-12 03:25 . 2010-05-12 03:33 -------- d-s---w- d:\documents and settings\Gary Hazelett\Local Settings\Application Data\Memeo
2010-05-12 03:25 . 2010-05-12 03:33 -------- d-s---w- d:\documents and settings\All Users\Application Data\Memeo
2010-05-12 03:25 . 2010-05-12 03:25 -------- d-----w- d:\documents and settings\Gary Hazelett\Local Settings\Application Data\{73DF8C24-FEEC-41AF-B020-3FABC7890954}
2010-05-12 03:23 . 2010-05-12 03:23 -------- d-----w- d:\documents and settings\Gary Hazelett\Local Settings\Application Data\Downloaded Installations
2010-05-12 01:33 . 2010-05-12 03:30 -------- d-----w- d:\program files\iCare Format Recovery Software
2010-05-11 23:30 . 2010-05-11 23:30 -------- d-----w- D:\Log
2010-05-11 23:30 . 2008-05-07 23:29 122880 ----a-w- d:\windows\system32\Crypserv.exe
2010-05-11 23:30 . 2008-03-17 16:45 19584 ----a-w- d:\windows\system32\Ckldrv.sys
2010-05-11 23:30 . 1999-06-18 20:49 165888 ----a-w- d:\windows\Ckconfig.exe
2010-05-11 23:30 . 1996-05-03 16:21 27648 ----a-r- d:\windows\Setup_ck.exe
2010-05-11 23:30 . 1996-05-03 14:36 18432 ----a-w- d:\windows\Setup_ck.dll
2010-05-11 23:30 . 1995-07-04 17:33 11776 ----a-w- d:\windows\Ckrfresh.exe
2010-05-11 23:30 . 2010-05-12 03:35 -------- d-----w- d:\program files\Stellar Phoenix Windows Data Recovery
2010-05-11 23:13 . 2010-05-11 23:13 -------- d-----w- d:\program files\PowerQuest
2010-05-11 22:47 . 2010-05-11 22:47 -------- d-----w- d:\program files\LSoft Technologies
2010-05-11 22:19 . 2010-05-11 22:19 -------- d-----w- d:\documents and settings\Gary Hazelett\Local Settings\Application Data\{4F717BFB-FF31-477F-85D1-7BABC44363EC}
2010-05-11 22:06 . 2010-05-11 22:06 -------- d-----w- d:\program files\Western Digital Corp
2010-05-11 21:51 . 2010-05-11 21:52 -------- d-----w- d:\windows\system32\NtmsData
2010-05-08 05:43 . 2010-05-08 05:43 -------- d-----w- d:\documents and settings\All Users\Application Data\LightScribe
2010-05-08 05:42 . 2010-05-08 05:42 -------- d-----w- d:\program files\Common Files\LightScribe
2010-05-08 05:12 . 2010-05-08 05:12 -------- d-----w- d:\program files\Ashkon Software
2010-05-07 02:05 . 2010-05-11 22:07 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\Download Manager
2010-05-07 00:54 . 2010-05-07 02:09 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\Western Digital
2010-05-07 00:54 . 2010-05-07 00:54 -------- d-----w- d:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-05-07 00:51 . 2010-05-07 00:51 -------- d-----w- d:\documents and settings\All Users\Application Data\Western Digital
2010-05-07 00:49 . 2010-05-12 03:22 -------- d-----w- d:\documents and settings\Gary Hazelett\Local Settings\Application Data\Western Digital
2010-05-06 00:02 . 2010-05-06 00:02 -------- d-----w- d:\documents and settings\Gary Hazelett\Local Settings\Application Data\Help
2010-05-05 23:43 . 2010-05-05 23:43 33824 ----a-w- d:\windows\system32\drivers\oreans32.sys
2010-05-05 23:29 . 2010-05-05 23:48 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\Samsung
2010-05-05 22:30 . 2010-05-05 22:31 -------- d-----w- d:\windows\SamsungUSBDriver
2010-05-05 21:43 . 2010-05-12 03:34 -------- d-----w- d:\program files\QPST
2010-05-05 17:35 . 2010-05-12 03:28 -------- d-----w- D:\Hard drive
2010-05-05 17:30 . 2010-05-15 04:42 -------- d-----w- d:\program files\Spybot - Search & Destroy
2010-05-05 17:30 . 2010-05-12 03:35 -------- d-----w- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-05 03:59 . 2010-05-05 03:59 -------- d-----w- d:\program files\Trend Micro
2010-05-02 04:25 . 2010-05-02 04:25 552 ----a-w- d:\windows\system32\d3d8caps.dat
2010-05-02 04:25 . 2010-05-07 01:14 664 ----a-w- d:\windows\system32\d3d9caps.dat
2010-05-02 04:24 . 2010-05-02 04:24 270080 ----a-w- d:\windows\system32\o.dat
2010-05-02 04:24 . 2010-05-02 04:24 -------- d-----w- d:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-02 04:21 . 2010-05-02 04:21 -------- d-sh--w- d:\documents and settings\NetworkService\IETldCache
2010-05-02 04:09 . 2010-05-02 04:09 -------- d-----w- d:\program files\uTorrent
2010-04-28 05:10 . 2001-05-11 18:18 420240 ----a-w- d:\windows\system32\mpg4c32.dll
2010-04-28 05:10 . 2010-04-28 05:23 -------- d-----w- d:\program files\Common Files\MAGIX Shared
2010-04-28 05:09 . 2010-05-05 23:07 -------- d-----w- d:\windows\system32\MAGIX
2010-04-28 05:09 . 1998-10-15 21:28 85504 ----a-w- d:\windows\system32\HtmlWH.dll
2010-04-28 05:09 . 2006-02-06 16:38 475136 ----a-w- d:\windows\system32\mgxoschk.dll
2010-04-28 05:04 . 2010-04-28 05:05 -------- d-----w- D:\New Folder
2010-04-28 04:44 . 2010-04-29 21:06 200 ----a-w- d:\windows\QCPC80UI.dat
2010-04-28 04:43 . 2010-04-28 04:43 -------- d-----w- d:\program files\QCP Converter
2010-04-27 22:16 . 2010-04-27 22:17 -------- d-----w- d:\program files\LG Electronics
2010-04-27 22:04 . 2010-05-05 23:15 -------- d-----w- d:\program files\Mobile Master
2010-04-27 22:04 . 2010-04-27 22:04 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\Jumping Bytes
2010-04-27 21:38 . 2010-04-27 22:03 -------- d-----w- d:\program files\Cell Phone Manager
2010-04-25 13:04 . 2010-05-06 21:56 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\LimeWire
2010-04-25 13:04 . 2010-05-12 03:31 -------- d-----w- d:\program files\Ask.com
2010-04-25 13:03 . 2010-04-25 13:04 -------- d-----w- d:\program files\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 14:31 . 2008-03-14 00:50 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\mjusbsp
2010-05-16 19:12 . 2007-01-20 22:23 -------- d-----w- d:\documents and settings\All Users\Application Data\Google Updater
2010-05-16 08:02 . 2008-07-17 23:36 -------- d-----w- d:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-16 05:28 . 2009-11-21 02:28 -------- d-----w- d:\program files\JDownloader
2010-05-15 13:31 . 2007-10-04 23:38 -------- d---a-w- d:\documents and settings\All Users\Application Data\TEMP
2010-05-15 13:20 . 2008-12-07 01:22 -------- d-----w- d:\program files\TomTom HOME 2
2010-05-15 13:12 . 2010-03-30 15:45 -------- d-----w- d:\program files\Malwarebytes' Anti-Malware
2010-05-15 12:32 . 2008-04-12 21:39 -------- d-----w- d:\program files\Java
2010-05-13 21:30 . 2010-03-13 15:49 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\vlc
2010-05-12 03:36 . 2006-11-11 06:02 -------- d--h--w- d:\program files\InstallShield Installation Information
2010-05-12 03:35 . 2010-04-16 14:49 -------- d-----w- d:\program files\WBFS
2010-05-12 03:27 . 2006-11-11 06:00 -------- d-----w- d:\program files\Common Files\InstallShield
2010-05-06 21:47 . 2010-04-16 15:04 891032 ----a-w- d:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-05-05 23:28 . 2010-05-05 23:24 5632 ----a-w- d:\windows\system32\drivers\StarOpen.sys
2010-05-05 23:24 . 2010-05-05 22:31 -------- d-----w- d:\program files\SAMSUNG
2010-05-05 23:18 . 2010-05-05 23:18 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\InstallShield
2010-05-05 23:18 . 2009-06-30 13:09 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\Move Networks
2010-05-05 23:16 . 2008-05-15 15:16 -------- d-----w- d:\documents and settings\All Users\Application Data\BVRP Software
2010-05-05 05:38 . 2008-05-15 15:09 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\uTorrent
2010-04-29 15:34 . 2006-11-11 06:26 168136 ----a-w- d:\documents and settings\Gary Hazelett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-25 03:45 . 2008-05-27 20:38 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\Nero
2010-04-25 03:22 . 2008-05-27 20:34 -------- d-----w- d:\program files\Common Files\Nero
2010-04-25 03:22 . 2008-05-27 20:34 -------- d-----w- d:\program files\Nero
2010-04-25 03:14 . 2008-05-27 20:34 -------- d-----w- d:\documents and settings\All Users\Application Data\Nero
2010-04-16 17:42 . 2009-09-23 19:30 -------- d-----w- d:\program files\searchandwintoolbar
2010-04-16 16:44 . 2010-04-16 16:44 -------- d-----w- d:\program files\LiveUpdate
2010-04-16 15:15 . 2010-04-16 15:15 -------- d-----w- d:\program files\EASEUS
2010-04-16 14:32 . 2010-04-16 14:32 -------- d-----w- d:\documents and settings\All Users\Application Data\redistpart
2010-04-16 14:32 . 2010-04-16 14:32 -------- d-----w- d:\documents and settings\All Users\Application Data\explauncher
2010-04-16 14:32 . 2010-04-16 14:32 -------- d-----w- d:\documents and settings\All Users\Application Data\launcher
2010-04-16 14:31 . 2010-04-16 14:31 -------- d-----w- d:\program files\Paragon Software
2010-04-08 22:16 . 2010-04-16 15:15 1711232 ----a-w- d:\windows\system32\BootMan.exe
2010-04-06 04:15 . 2008-04-12 21:39 -------- d-----w- d:\program files\Common Files\Java
2010-04-05 04:18 . 2010-04-05 04:12 -------- d-----w- d:\program files\PS3 Media Server
2010-04-01 19:42 . 2010-04-01 19:41 -------- d-----w- d:\program files\iTunes
2010-04-01 19:42 . 2010-04-01 19:41 -------- d-----w- d:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-01 19:41 . 2010-04-01 19:41 -------- d-----w- d:\program files\iPod
2010-04-01 19:41 . 2009-09-10 17:03 -------- d-----w- d:\program files\Common Files\Apple
2010-04-01 19:39 . 2010-04-01 19:38 -------- d-----w- d:\program files\QuickTime
2010-04-01 19:32 . 2009-11-02 13:00 -------- d-----w- d:\program files\Safari
2010-03-31 17:32 . 2008-07-08 23:48 -------- d-----w- d:\program files\TrueSwitchAT&TYahoo
2010-03-30 23:23 . 2010-03-30 23:14 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\Skype
2010-03-30 23:15 . 2010-03-30 23:15 48 ---ha-w- d:\windows\system32\ezsidmv.dat
2010-03-30 23:15 . 2010-03-30 23:15 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\skypePM
2010-03-30 23:14 . 2010-03-30 23:14 -------- d-----w- d:\documents and settings\All Users\Application Data\Skype
2010-03-24 10:55 . 2010-03-24 10:55 172032 ----a-w- d:\windows\system32\nvusmb.exe
2010-03-24 10:55 . 2010-03-24 10:55 172032 ----a-w- d:\windows\system32\nvuide.exe
2010-03-23 03:15 . 2010-03-23 03:15 -------- d-----w- d:\program files\ICQ6Toolbar
2010-03-23 03:15 . 2010-03-23 03:15 -------- d-----w- d:\documents and settings\All Users\Application Data\ICQ
2010-03-21 16:52 . 2010-03-21 16:52 -------- d-----w- d:\documents and settings\Gary Hazelett\Application Data\Malwarebytes
2010-03-21 16:52 . 2010-03-21 16:52 -------- d-----w- d:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-18 16:26 . 2010-03-18 16:26 -------- d-----w- d:\program files\Microsoft Silverlight
2010-03-10 06:15 . 2001-08-18 12:00 420352 ----a-w- d:\windows\system32\vbscript.dll
2010-02-28 19:00 . 2010-02-28 18:52 8 ----a-w- d:\windows\system32\nvModes.dat
2010-02-28 18:31 . 2010-02-28 18:31 21361 ----a-w- d:\windows\system32\drivers\AegisP.sys
2010-02-25 06:24 . 2004-01-08 21:23 916480 ----a-w- d:\windows\system32\wininet.dll
2010-02-24 13:11 . 2001-08-18 12:00 455680 ----a-w- d:\windows\system32\drivers\mrxsmb.sys
2010-02-23 16:51 . 2010-04-16 15:15 86408 ----a-w- d:\windows\system32\setupempdrv03.exe
2010-02-23 16:51 . 2010-04-16 15:15 8456 ----a-w- d:\windows\system32\EuGdiDrv.sys
2010-02-23 16:51 . 2010-04-16 15:15 13192 ----a-w- d:\windows\system32\epmntdrv.sys
2010-02-23 16:51 . 2010-04-16 15:15 14848 ----a-w- d:\windows\system32\EuEpmGdi.dll
2010-02-17 14:10 . 2001-08-18 12:00 2189952 ----a-w- d:\windows\system32\ntoskrnl.exe
2008-04-24 22:38 . 2007-02-20 02:16 122880 ----a-w- d:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="d:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"cdloader"="d:\documents and settings\Gary Hazelett\Application Data\mjusbsp\cdloader2.exe" [2010-02-26 50520]
"swg"="d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2008-11-04 13574144]
"nwiz"="nwiz.exe" [2008-11-04 1630208]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2008-11-04 86016]
"HPDJ Taskbar Utility"="d:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-07-06 176128]
"mxomssmenu"="d:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="d:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

d:\documents and settings\Gary Hazelett\Start Menu\Programs\Startup\
magicBlock.lnk - d:\program files\magicBlock\magicBlock.exe [2008-5-3 479232]
PS3 Media Server.lnk - d:\program files\PS3 Media Server\PMS.exe [2009-3-9 169367]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - d:\program files\Belkin\Bluetooth Software\BTTray.exe [2003-7-29 499773]
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - d:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]
Windows Search.lnk - d:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= d:\documents and settings\Gary Hazelett\My Documents\My Pictures\Truck\DSC02505.JPG
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "d:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\D:^Documents and Settings^Gary Hazelett^Start Menu^Programs^Startup^TrueAssistant.lnk]
path=d:\documents and settings\Gary Hazelett\Start Menu\Programs\Startup\TrueAssistant.lnk
backup=d:\windows\pss\TrueAssistant.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cdloader]
2010-02-26 23:43 50520 ----a-w- d:\documents and settings\Gary Hazelett\Application Data\mjusbsp\cdloader2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-03-31 14:03 68856 ----a-w- d:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=2 (0x2)
"gupdate"=2 (0x2)
"GoogleDesktopManager-022208-143751"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"d:\\Program Files\\v8200\\DMMultiView\\MultiView.exe"=
"d:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"d:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"d:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"d:\\Documents and Settings\\Gary Hazelett\\Application Data\\mjusbsp\\magicJack.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"<NO NAME>"=

R1 oreans32;oreans32;d:\windows\system32\drivers\oreans32.sys [5/5/2010 6:43 PM 33824]
R2 TomTomHOMEService;TomTomHOMEService;d:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 6:31 AM 92008]
R3 LgBttPort;LGE Bluetooth TransPort;d:\windows\system32\drivers\lgbtport.sys [6/19/2009 12:59 PM 12032]
R3 lgbusenum;LG Bluetooth Bus Enumerator;d:\windows\system32\drivers\lgbtbus.sys [6/19/2009 12:59 PM 10496]
R3 LGVMODEM;LGE Virtual Modem;d:\windows\system32\drivers\lgvmodem.sys [6/19/2009 12:59 PM 12928]
S2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/30/2010 10:45 AM 303952]
S2 WinDefend;Windows Defender;"d:\program files\Windows Defender\MsMpEng.exe" --> d:\program files\Windows Defender\MsMpEng.exe [?]
S3 epmntdrv;epmntdrv;d:\windows\system32\epmntdrv.sys [4/16/2010 10:15 AM 13192]
S3 EuGdiDrv;EuGdiDrv;d:\windows\system32\EuGdiDrv.sys [4/16/2010 10:15 AM 8456]
S3 MBAMProtector;MBAMProtector;\??\d:\windows\system32\drivers\mbam.sys --> d:\windows\system32\drivers\mbam.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;d:\windows\system32\drivers\motccgp.sys [5/15/2008 9:51 AM 18176]
S3 motccgpfl;MotCcgpFlService;d:\windows\system32\drivers\motccgpfl.sys [5/15/2008 9:51 AM 7680]
S3 PS3 Media Server;PS3 Media Server;d:\program files\PS3 Media Server\win32\service\wrapper.exe [8/17/2008 3:40 AM 217088]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;d:\windows\system32\DRIVERS\RTL8187.sys --> d:\windows\system32\DRIVERS\RTL8187.sys [?]
S4 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;d:\program files\Google\Google Desktop Search\GoogleDesktop.exe [1/20/2007 5:24 PM 29744]
S4 gupdate;Google Update Service (gupdate);d:\program files\Google\Update\GoogleUpdate.exe [12/29/2009 12:45 AM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-04-22 18:09 451872 ----a-w- d:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-05-17 d:\windows\Tasks\Google Software Updater.job
- d:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-20 19:01]

2010-05-17 d:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 05:45]

2010-05-17 d:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- d:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 05:45]

2010-05-17 d:\windows\Tasks\User_Feed_Synchronization-{C09AA802-4343-4618-BC20-7C6F8711DDC1}.job
- d:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZRxdm069YYUS&fl=0&ptb=A.nPqNtEDZzoCnygl5pQww&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
IE: Add to Google Photos Screensa&ver - d:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - d:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://d:\windows\Java\classes\xmldso.cab
FF - ProfilePath - d:\documents and settings\Gary Hazelett\Application Data\Mozilla\Firefox\Profiles\t5fiuob4.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: d:\program files\Common Files\Motive\npMotive.dll
FF - plugin: d:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: d:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: d:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: d:\program files\Picasa2\npPicasa2.dll
FF - plugin: d:\program files\Picasa2\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - d:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
d:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
d:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
d:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{4E7BD74F-2B8D-469E-C8ED-EA2EFAD2ED61} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - d:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
HKLM-Run-NBKeyScan - d:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
HKLM-Run-ISUSPM - d:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
AddRemove-Autorun Virus Remover_is1 - i:\autorunremover\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 09:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(464)
d:\windows\system32\WININET.dll
d:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(524)
d:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1080)
d:\windows\system32\WININET.dll
d:\progra~1\WINDOW~3\wmpband.dll
d:\windows\system32\ieframe.dll
d:\windows\system32\mshtml.dll
d:\windows\system32\msls31.dll
d:\windows\system32\webcheck.dll
d:\windows\system32\WPDShServiceObj.dll
d:\windows\system32\btncopy.dll
d:\windows\system32\PortableDeviceTypes.dll
d:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
d:\program files\Belkin\Bluetooth Software\bin\btwdins.exe
d:\windows\system32\crypserv.exe
d:\program files\Java\jre6\bin\jqs.exe
d:\program files\Common Files\LightScribe\LSSrvc.exe
d:\program files\Maxtor\Sync\SyncServices.exe
d:\program files\Common Files\Motive\McciCMService.exe
d:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
d:\program files\CDBurnerXP\NMSAccessU.exe
d:\windows\system32\nvsvc32.exe
d:\windows\System32\HPZipm12.exe
d:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
d:\windows\system32\SearchIndexer.exe
d:\windows\system32\RUNDLL32.EXE
d:\windows\system32\rundll32.exe
d:\program files\Java\jre6\bin\javaw.exe
d:\program files\iPod\bin\iPodService.exe
d:\program files\HP\Digital Imaging\bin\hpqgalry.exe
d:\program files\HP\hpcoretech\comp\hpdarc.exe
d:\documents and settings\Gary Hazelett\Application Data\mjusbsp\magicJack.exe
d:\windows\system32\SearchProtocolHost.exe
d:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2010-05-17 09:41:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-17 14:41

Pre-Run: 62,398,922,752 bytes free
Post-Run: 65,447,739,392 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - 1C74BB460E091EFA036EB3EB895F5DE5


#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 May 2010 - 01:05 PM

Hello brownsfan

Before we go any further I would like you to rerun Pragmafix.

Pragmafix

Download Pragmafix by Noahdfear from here and save it in a place you can remember such as, your desktop.
  • Click on Pragmafix.exe to run it
  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • Please copy and paste the following into the box:
    C:\PragmaFix.log
  • Please post the results here.

Now I need some extra information from combofix

extra combofix report

I need to see one of the extra reports combofix makes
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
    CODE
    C:\qoobox\ComboFix2.txt
  • click ok
  • copy and paste the report into this topic for me to review

"information and logs"
    In your next post I need the following
    1. let me know about pragmafix
    2. extra report from combofix
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 brownsfan (Topic Starter)

  • Members
  • 15 posts
  • Local time:10:33 PM

Posted 17 May 2010 - 10:32 PM

Hi, thanks for the response. The PC seems to be doing OK now, just redirecting when you click on a search result to a different site than what it's supposed to be....


Pragmafix is letting me run it now here is new log:

Mon 05/17/2010 22:25:52.03

No embedded null keys found


I don't seem to have a ComboFix2.txt; I have a ComboFix-quarantined-files log. Here is that log if that helps:

thanks for all the help



2010-05-17 14:40:31 . 2010-05-17 14:40:31 1,646 ----a-w- D:\Qoobox\Quarantine\Registry_backups\AddRemove-Autorun Virus Remover_is1.reg.dat
2010-05-17 14:39:19 . 2010-05-17 14:39:19 181 ----a-w- D:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ISUSPM.reg.dat
2010-05-17 14:39:17 . 2010-05-17 14:39:18 160 ----a-w- D:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NBKeyScan.reg.dat
2010-05-17 14:39:11 . 2010-05-17 14:39:11 245 ----a-w- D:\Qoobox\Quarantine\Registry_backups\HKCU-Run-IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}.reg.dat
2010-05-17 14:39:09 . 2010-05-17 14:39:09 171 ----a-w- D:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440}.reg.dat
2010-05-17 14:39:08 . 2010-05-17 14:39:08 171 ----a-w- D:\Qoobox\Quarantine\Registry_backups\WebBrowser-{4E7BD74F-2B8D-469E-C8ED-EA2EFAD2ED61}.reg.dat
2010-05-17 06:54:24 . 2010-05-17 06:54:24 13,286 ----a-w- D:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-05-17 06:39:03 . 2010-05-17 06:39:03 655 ----a-w- D:\Qoobox\Quarantine\Registry_backups\Service_PRAGMAsiemntxomb.reg.dat
2010-05-17 06:29:21 . 2010-05-17 06:41:34 102 ----a-w- D:\Qoobox\Quarantine\catchme.log
2010-05-17 05:50:02 . 2010-05-17 05:50:05 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAsrcr.dat.vir
2010-05-17 05:50:02 . 2010-05-17 05:50:02 91 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAcfg.ini.vir
2010-05-17 05:50:00 . 2010-05-17 05:50:00 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAc.dll.vir
2010-05-17 05:49:52 . 2010-05-17 05:49:52 48,128 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAd.sys.vir
2010-05-17 04:44:16 . 2010-05-17 04:44:21 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAfulqipjiko\PRAGMAsrcr.dat.vir
2010-05-17 04:44:16 . 2010-05-17 04:44:16 91 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAfulqipjiko\PRAGMAcfg.ini.vir
2010-05-17 04:44:15 . 2010-05-17 04:44:15 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAfulqipjiko\PRAGMAc.dll.vir
2010-05-17 04:44:08 . 2010-05-17 04:44:08 48,128 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAfulqipjiko\PRAGMAd.sys.vir
2010-05-17 03:16:04 . 2010-05-17 03:16:06 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqhwmcetrxy\PRAGMAsrcr.dat.vir
2010-05-17 03:16:04 . 2010-05-17 03:16:04 91 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqhwmcetrxy\PRAGMAcfg.ini.vir
2010-05-17 03:16:03 . 2010-05-17 03:16:03 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqhwmcetrxy\PRAGMAc.dll.vir
2010-05-17 03:15:42 . 2010-05-17 03:15:42 48,128 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqhwmcetrxy\PRAGMAd.sys.vir
2010-05-16 19:13:17 . 2010-05-16 19:13:21 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAsrcr.dat.vir
2010-05-16 19:13:17 . 2010-05-16 19:13:17 91 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAcfg.ini.vir
2010-05-16 19:13:16 . 2010-05-16 19:13:16 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAc.dll.vir
2010-05-16 19:13:09 . 2010-05-16 19:13:09 48,128 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAd.sys.vir
2010-05-16 10:54:12 . 2010-05-16 10:54:15 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAyriuypesvj\PRAGMAsrcr.dat.vir
2010-05-16 10:54:12 . 2010-05-16 10:54:12 91 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAyriuypesvj\PRAGMAcfg.ini.vir
2010-05-16 10:54:10 . 2010-05-16 10:54:10 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAyriuypesvj\PRAGMAc.dll.vir
2010-05-16 10:54:02 . 2010-05-16 10:54:02 48,128 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAyriuypesvj\PRAGMAd.sys.vir
2010-05-15 14:24:55 . 2010-05-15 14:24:57 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAsrcr.dat.vir
2010-05-15 14:24:55 . 2010-05-15 14:24:55 93 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAcfg.ini.vir
2010-05-15 14:24:55 . 2010-05-15 14:24:55 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAc.dll.vir
2010-05-15 14:24:54 . 2010-05-15 14:24:54 46,080 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAd.sys.vir
2010-05-15 13:10:01 . 2010-05-15 13:10:01 93 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAcfg.ini.vir
2010-05-15 13:10:01 . 2010-05-15 13:10:02 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAsrcr.dat.vir
2010-05-15 13:10:01 . 2010-05-15 13:10:01 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAc.dll.vir
2010-05-15 13:10:00 . 2010-05-15 13:10:00 46,080 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAd.sys.vir
2010-05-15 12:14:01 . 2010-05-15 12:14:01 93 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAibpxusptio\PRAGMAcfg.ini.vir
2010-05-15 12:14:01 . 2010-05-15 12:14:06 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAibpxusptio\PRAGMAsrcr.dat.vir
2010-05-15 12:14:01 . 2010-05-15 12:14:01 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAibpxusptio\PRAGMAc.dll.vir
2010-05-15 12:13:57 . 2010-05-15 12:13:57 46,080 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAibpxusptio\PRAGMAd.sys.vir
2010-05-15 04:11:47 . 2010-05-15 04:11:47 75,738 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\splash.mp3.vir
2010-05-15 04:11:47 . 2010-05-15 04:11:47 29,256 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\virus.mp3.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 708 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Application Data\Microsoft\Internet Explorer\Quick Launch\Data Protection.lnk.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,608 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Start Menu\Programs\Data Protection\Data Protection Support.lnk.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 702 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Start Menu\Programs\Data Protection\Data Protection.lnk.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,570 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Start Menu\Programs\Data Protection\About.lnk.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,588 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Start Menu\Programs\Data Protection\Activate.lnk.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,558 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Start Menu\Programs\Data Protection\Buy.lnk.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,564 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Start Menu\Programs\Data Protection\Scan.lnk.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,588 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Start Menu\Programs\Data Protection\Settings.lnk.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,576 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Start Menu\Programs\Data Protection\Update.lnk.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,150 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\about.ico.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,150 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\activate.ico.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,150 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\buy.ico.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 5,430 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\help.ico.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,150 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\scan.ico.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,150 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\settings.ico.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,150 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\update.ico.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,699,840 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\datprot.exe.vir
2010-05-15 04:11:07 . 2010-05-15 04:11:07 61,440 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\Uninstall.exe.vir
2010-05-15 04:11:07 . 2010-05-15 04:11:07 22,528 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\dathook.dll.vir
2010-05-15 04:11:06 . 2010-05-15 04:11:06 41,984 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\datext.dll.vir
2010-05-15 04:11:05 . 2010-05-15 04:11:05 6,820,136 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\dat.db.vir
2010-05-15 03:25:54 . 2010-05-15 03:25:54 57,344 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\pragmabbr.dll.vir
2010-05-15 03:25:53 . 2010-05-15 03:25:54 57,344 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\pragmaserf.dll.vir
2010-05-15 03:25:48 . 2010-05-15 03:25:53 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAsrcr.dat.vir
2010-05-15 03:25:48 . 2010-05-15 03:25:48 93 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAcfg.ini.vir
2010-05-15 03:25:48 . 2010-05-15 03:25:48 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAc.dll.vir
2010-05-15 03:25:48 . 2010-05-15 03:25:48 46,080 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAd.sys.vir
2010-03-14 22:28:02 . 2010-03-14 22:28:02 1,036 ----a-w- D:\Qoobox\Quarantine\D\Documents and Settings\Gary Hazelett\Local Settings\Temporary Internet Files\temp.dmf.vir
2001-08-18 12:00:00 . 2001-08-18 12:00:00 4,224 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\system32\Drivers\rdpcdd.sys.vir

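The quarantine listing above is hard to read by eye, but it carries a useful defender's signal: the same four files (PRAGMAsrcr.dat, PRAGMAcfg.ini, PRAGMAc.dll, PRAGMAd.sys) were quarantined again and again from freshly named PRAGMA* directories on successive days, which is what a rootkit re-creating itself between cleanings looks like. The Python below is an added example, not code from this thread or from ComboFix: it parses ComboFix-quarantined-files.txt lines into records, recovers each file's original path, and groups files under directories whose names match a caller-supplied pattern so that repeated drops of one file set stand out. The sample lines are copied from the log posted above; the `^PRAGMA[a-z]{10}$` pattern is a constructed regex for this thread's directory names.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# One quarantine line: "<created> . <modified> <size> <attrs> <quarantine path>"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \. "
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ([\d,]+) (\S{8}) (.+)$"
)
# A quarantined file sits at <drive>:\Qoobox\Quarantine\<orig drive>\<orig path>.vir;
# registry backups live under Quarantine\Registry_backups\ and do not match this.
QUAR_RE = re.compile(r"^[A-Za-z]:\\Qoobox\\Quarantine\\([A-Za-z])\\(.+)\.vir$", re.IGNORECASE)
TIME_FMT = "%Y-%m-%d %H:%M:%S"


@dataclass(frozen=True)
class Entry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    quarantine_path: str

    @property
    def original_path(self):
        """Where the file lived before ComboFix moved it; None for registry backups."""
        m = QUAR_RE.match(self.quarantine_path)
        return f"{m.group(1).upper()}:\\{m.group(2)}" if m else None


def parse_line(line):
    """Parse one listing line into an Entry, or return None for non-matching text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return Entry(datetime.strptime(created, TIME_FMT), datetime.strptime(modified, TIME_FMT),
                 int(size.replace(",", "")), attrs, path)


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def group_by_directory(entries, dir_pattern):
    """Map original parent directory -> [(file name, size, created)] for directories
    whose own name matches dir_pattern (here: the randomised PRAGMA* names)."""
    rx = re.compile(dir_pattern, re.IGNORECASE)
    groups = defaultdict(list)
    for e in entries:
        path = e.original_path
        if path is None:
            continue
        parent, _, name = path.rpartition("\\")
        if rx.search(parent.rpartition("\\")[2]):
            groups[parent].append((name, e.size, e.created))
    return groups


def reinfection_report(entries, dir_pattern):
    """Group matching directories by the exact set of file names they held, ordered by
    first creation time. Several directories sharing one file set means the same
    payload was dropped again under a fresh random name after each removal."""
    by_fileset = defaultdict(list)
    for parent, files in group_by_directory(entries, dir_pattern).items():
        key = frozenset(name.lower() for name, _, _ in files)
        by_fileset[key].append((min(c for _, _, c in files), parent))
    report = []
    for key, dirs in by_fileset.items():
        dirs.sort()
        report.append({"files": sorted(key), "count": len(dirs),
                       "directories": [d for _, d in dirs]})
    return sorted(report, key=lambda r: -r["count"])


# Sample input: lines copied from the ComboFix-quarantined-files.txt posted above.
SAMPLE_LOG = r"""
2010-05-17 14:39:08 . 2010-05-17 14:39:08 171 ----a-w- D:\Qoobox\Quarantine\Registry_backups\WebBrowser-{4E7BD74F-2B8D-469E-C8ED-EA2EFAD2ED61}.reg.dat
2010-05-17 05:50:02 . 2010-05-17 05:50:05 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAsrcr.dat.vir
2010-05-17 05:50:02 . 2010-05-17 05:50:02 91 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAcfg.ini.vir
2010-05-17 05:50:00 . 2010-05-17 05:50:00 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAc.dll.vir
2010-05-17 05:49:52 . 2010-05-17 05:49:52 48,128 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAd.sys.vir
2010-05-16 19:13:17 . 2010-05-16 19:13:21 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAsrcr.dat.vir
2010-05-16 19:13:17 . 2010-05-16 19:13:17 91 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAcfg.ini.vir
2010-05-16 19:13:16 . 2010-05-16 19:13:16 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAc.dll.vir
2010-05-16 19:13:09 . 2010-05-16 19:13:09 48,128 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAd.sys.vir
2010-05-15 03:25:54 . 2010-05-15 03:25:54 57,344 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\pragmabbr.dll.vir
2010-05-15 03:25:53 . 2010-05-15 03:25:54 57,344 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\pragmaserf.dll.vir
2010-05-15 03:25:48 . 2010-05-15 03:25:53 146 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAsrcr.dat.vir
2010-05-15 03:25:48 . 2010-05-15 03:25:48 93 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAcfg.ini.vir
2010-05-15 03:25:48 . 2010-05-15 03:25:48 31,232 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAc.dll.vir
2010-05-15 03:25:48 . 2010-05-15 03:25:48 46,080 ----a-w- D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAd.sys.vir
2010-05-15 04:11:29 . 2010-05-15 04:11:29 1,699,840 ----a-w- D:\Qoobox\Quarantine\D\Program Files\Data Protection\datprot.exe.vir
"""

if __name__ == "__main__":
    for r in reinfection_report(parse_log(SAMPLE_LOG), r"^PRAGMA[a-z]{10}$"):
        print(f"{r['count']} director{'y' if r['count'] == 1 else 'ies'} held {r['files']}")
        for d in r["directories"]:
            print("   ", d)
```

Run against the full listing above, the four-file set shows up under eight different PRAGMA* directories dated 15 to 17 May, while the earliest directory also carried two extra DLLs. Seeing one file set return under new random names each day, after the files had already been quarantined, is the cue that user-mode cleanup alone is not holding and a kernel-level tool such as the TDSSKiller run requested later in the thread is warranted.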

#8 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:33 PM

Posted 17 May 2010 - 10:43 PM

Greetings

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Sorry, my fault. I wanted this report:

extra combofix report

I need to see one of the extra reports combofix makes
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
    CODE
    C:\Qoobox\Add-Remove Programs.txt
  • click ok
  • copy and paste the report into this topic for me to review

TDSSKiller:
  • Please Download TDSSKiller.zip and save it on your desktop.
  • extract (unzip) its contents to your Desktop.
  • double-click the TDSSKiller Folder on your desktop.
  • right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
    CODE
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • a log file should be created on your C: drive named something like TDSSKiller 2.1.1 Dec 20 2009 02:40:02
  • To find the log click Start then Computer then Vista ( C:).
  • Please post the contents of that log in your next reply

"information and logs"
    In your next post I need the following
    1. extra report from combofix
    2. report from TDSSKiller
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo




#9 brownsfan (Topic Starter)

  • Members
  • 15 posts
  • Local time:10:33 PM

Posted 18 May 2010 - 04:11 PM

Hi, everything seems to be doing a lot better now. Thank you so much again for all your help.

here are the logs you asked for:

combofix add remove log:



µTorrent
2006 International Building Code®
530TX+
7300_Help
7300Trb
7400
Ad-Aware SE Personal
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.2
Advertising Center
AiO_Scan
AiOSoftware
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
ATI Display Driver
ATT-HSI
Autorun Virus Remover 2.3
Avery Wizard 3.1
Belkin Bluetooth Software
BufferChm
BusinessCardsMX 3.98
CDBurnerXP
Copy
CP_AtenaShokunin1Config
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
D-Link DFE-530TX+
D-Link PCI Fast Ethernet Adapter
DesignPro 5
Destinations
Director
DMMultiView
DocProc
DocumentViewer
DolbyFiles
DVD Shrink 3.2
EASEUS Partition Master 5.5.1 Home Edition
Elf Bowling - Hawaiian Vacation
Fax
GeoVision ADPCM
GeoVision H264
GeoVision JPEG
GeoVision MPEG2
GeoVision MPEG4
GeoVision MPEG4 ASP
GeoVision MPEG4 AVC
Google Desktop
Google Earth
Google Pack Screensaver
Google Update Helper
Google Updater
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HPHDiscovery
HPODiscovery
HPSystemDiagnostics
ImagXpress
InstantShare
iPhone Configuration Utility
iTunes
J2SE Runtime Environment 5.0 Update 14
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 5
JDownloader
Legal Publisher
LG Bluetooth Drivers
LG MC USB U330 driver
LG USB Modem Drivers
LightScribe System Software
LimeWire 5.5.8
magicBlock
Mah Jong Quest 2 (remove only)
Mahjong Escape - Ancient Japan
MarketResearch
Maxtor Manager
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Access 2000 SR-1 Runtime
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft XML Parser
Microsoft XML Parser and SDK
Movie Templates - Starter Kit
Mozilla Firefox (3.6.3)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero 9 Trial
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero DiscSpeed
Nero DriveSpeed
Nero InfoTool
Nero Installer
Nero PhotoSnap
Nero Recode
Nero Rescue Agent
Nero ShowTime
Nero StartSmart
Nero Vision
Nero WaveEditor
NeroBurningROM
NeroExpress
neroxml
NVIDIA Drivers
OGA Notifier 2.0.0048.0
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
overland
PanoStandAlone
PartitionMagic
Perfect Attorney Premium
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
Picasa 3
PowerQuest PartitionMagic 8.0
PrintScreen
ProductContext
Professor Teaches Excel 2003
PS8400
PSPrinters06
QBFC2
QBFC2CA
QCP Converter
QFolder
Quick Estimator 2005
QuickProjects
QuickTime
Readme
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Rosetta Stone V3
Safari
Samsung Anycall CDMA Driver
Samsung Anycall HSP Driver
Samsung Anycall HSP Plus Driver
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung USB Driver (MCCI 4.16)
Scan
ScannerCopy
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB980470)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Segoe UI
SkinsHP1
SkyCaddie Desktop
SonicStage 4.3
SoundTrax
TeamViewer 5
TomTom HOME 2.7.3.1894
TomTom HOME Visual Studio Merge Modules
Total Access Memo 2000
TrayApp
TrueSwitch Wizard AT&T Yahoo!
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB981715)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Outlook 2007 Junk Email Filter (kb981726)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VCRedistSetup
VKB V5.0f
VLC media player 1.0.5
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinRAR archiver
Xilisoft iPhone Ringtone Maker
XPS Essentials Pack
XPS Essentials Pack 1.0
Yahoo! Messenger




tdsskiller log:



15:54:55:671 2904 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
15:54:55:671 2904 ================================================================================
15:54:55:671 2904 SystemInfo:

15:54:55:671 2904 OS Version: 5.1.2600 ServicePack: 3.0
15:54:55:671 2904 Product type: Workstation
15:54:55:671 2904 ComputerName: HOME
15:54:55:671 2904 UserName: Gary Hazelett
15:54:55:671 2904 Windows directory: D:\WINDOWS
15:54:55:671 2904 Processor architecture: Intel x86
15:54:55:671 2904 Number of processors: 1
15:54:55:671 2904 Page size: 0x1000
15:54:55:671 2904 Boot type: Normal boot
15:54:55:671 2904 ================================================================================
15:54:55:671 2904 UnloadDriverW: NtUnloadDriver error 2
15:54:55:671 2904 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
15:54:55:796 2904 wfopen_ex: Trying to open file D:\WINDOWS\system32\config\system
15:54:55:796 2904 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:54:55:796 2904 wfopen_ex: Trying to KLMD file open
15:54:55:796 2904 wfopen_ex: File opened ok (Flags 2)
15:54:55:796 2904 wfopen_ex: Trying to open file D:\WINDOWS\system32\config\software
15:54:55:796 2904 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:54:55:796 2904 wfopen_ex: Trying to KLMD file open
15:54:55:796 2904 wfopen_ex: File opened ok (Flags 2)
15:54:55:796 2904 KLAVA engine initialized
15:54:56:109 2904 Initialize success
15:54:56:109 2904
15:54:56:109 2904 Scanning Services ...
15:54:56:156 2904 Raw services enum returned 402 services
15:54:56:171 2904
15:54:56:171 2904 Scanning Drivers ...
15:54:56:437 2904 ACPI (8fd99680a539792a30e97944fdaecf17) D:\WINDOWS\system32\DRIVERS\ACPI.sys
15:54:56:578 2904 ACPIEC (9859c0f6936e723e4892d7141b1327d5) D:\WINDOWS\system32\drivers\ACPIEC.sys
15:54:56:656 2904 aec (8bed39e3c35d6a489438b8141717a557) D:\WINDOWS\system32\drivers\aec.sys
15:54:56:718 2904 AegisP (023867b6606fbabcdd52e089c4a507da) D:\WINDOWS\system32\DRIVERS\AegisP.sys
15:54:56:796 2904 AFD (7e775010ef291da96ad17ca4b17137d7) D:\WINDOWS\System32\drivers\afd.sys
15:54:57:015 2904 ALCXWDM (f5d4d3899e16e1f75398297844386226) D:\WINDOWS\system32\drivers\ALCXWDM.SYS
15:54:57:218 2904 AmdK8 (a2d5f093f9cb160c183c77015704f156) D:\WINDOWS\system32\DRIVERS\AmdK8.sys
15:54:57:406 2904 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) D:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:54:57:437 2904 atapi (9f3a2f5aa6875c72bf062c712cfa2674) D:\WINDOWS\system32\DRIVERS\atapi.sys
15:54:57:546 2904 ati2mtag (58f6f26083828fd18696f3592323ba21) D:\WINDOWS\system32\DRIVERS\ati2mtag.sys
15:54:57:593 2904 Atmarpc (9916c1225104ba14794209cfa8012159) D:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:54:57:656 2904 audstub (d9f724aa26c010a217c97606b160ed68) D:\WINDOWS\system32\DRIVERS\audstub.sys
15:54:57:718 2904 Beep (da1f27d85e0d1525f6621372e7b685e9) D:\WINDOWS\system32\drivers\Beep.sys
15:54:57:781 2904 BthEnum (b279426e3c0c344893ed78a613a73bde) D:\WINDOWS\system32\DRIVERS\BthEnum.sys
15:54:57:796 2904 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) D:\WINDOWS\system32\DRIVERS\bthmodem.sys
15:54:57:812 2904 BthPan (80602b8746d3738f5886ce3d67ef06b6) D:\WINDOWS\system32\DRIVERS\bthpan.sys
15:54:57:890 2904 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) D:\WINDOWS\system32\Drivers\BTHport.sys
15:54:57:921 2904 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) D:\WINDOWS\system32\Drivers\BTHUSB.sys
15:54:58:015 2904 BTKRNL (58a9fcbb9d3307c27bae4f39009ffb87) D:\WINDOWS\system32\drivers\btkrnl.sys
15:54:58:109 2904 BTSERIAL (cbf5a79f3d2177e80ca79c2bc20119db) D:\WINDOWS\system32\drivers\btserial.sys
15:54:58:140 2904 BTSLBCSP (26fa6f56ce3152505d8a44cdeabe002f) D:\WINDOWS\system32\drivers\btslbcsp.sys
15:54:58:187 2904 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) D:\WINDOWS\system32\drivers\cbidf2k.sys
15:55:04:062 2904 Suspicious file (Forged): D:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 12d0672947d65df1fb999dd784b4ce56, Fake md5: 4912d5b403614ce99c28420f75353332
15:55:04:062 2904 File "D:\WINDOWS\system32\DRIVERS\RDPCDD.sys" infected by TDSS rootkit ... 15:55:07:218 2904 Backup copy found, using it..
15:55:07:250 2904 will be cured on next reboot
15:55:09:750 2904 Reboot required for cure complete..
15:55:09:859 2904 Cure on reboot scheduled successfully
15:55:09:859 2904
15:55:09:859 2904 Completed
15:55:09:859 2904
15:55:09:859 2904 Results:
15:55:09:859 2904 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:55:09:859 2904 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:55:09:859 2904
15:55:09:859 2904 fclose_ex: Trying to close file D:\WINDOWS\system32\config\system
15:55:09:859 2904 fclose_ex: Trying to close file D:\WINDOWS\system32\config\software
15:55:09:859 2904 UnloadDriverW: NtUnloadDriver error 1
15:55:09:875 2904 KLMD(ARK) unloaded successfully
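
A small parser for TDSSKiller logs like the one above, added here as an example (not TDSSKiller's code or anything the posters wrote). It pulls out the "Suspicious file (Forged)" finding with both digests, the verdict from the "infected by" entry and whether a cure is pending, plus the result counters; the message layouts it matches are assumptions taken from the lines above, and the sample is a shortened copy of that log.

```python
"""Triage a TDSSKiller log: forged-driver findings plus the summary counters.

Added example for this thread; not TDSSKiller's code or the posters'. The
message layouts matched below are assumptions taken from the log above, and
SAMPLE_LOG is a shortened copy of that log.
"""
import re
from dataclasses import dataclass, field

# Shortened copy of the log posted above: two clean inventory lines, the forged
# driver, the fused "infected by ... Backup copy found" entry and the results.
SAMPLE_LOG = r"""
15:55:04:015 2904 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) D:\WINDOWS\system32\DRIVERS\rdbss.sys
15:55:04:062 2904 RDPCDD (12d0672947d65df1fb999dd784b4ce56) D:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:55:04:062 2904 Suspicious file (Forged): D:\WINDOWS\system32\DRIVERS\RDPCDD.sys. Real md5: 12d0672947d65df1fb999dd784b4ce56, Fake md5: 4912d5b403614ce99c28420f75353332
15:55:04:062 2904 File "D:\WINDOWS\system32\DRIVERS\RDPCDD.sys" infected by TDSS rootkit ... 15:55:07:218 2904 Backup copy found, using it..
15:55:07:250 2904 will be cured on next reboot
15:55:07:390 2904 rdpdr (15cabd0f7c00c47c70124907916af3f1) D:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:55:09:750 2904 Reboot required for cure complete..
15:55:09:859 2904 Cure on reboot scheduled successfully
15:55:09:859 2904
15:55:09:859 2904 Completed
15:55:09:859 2904
15:55:09:859 2904 Results:
15:55:09:859 2904 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:55:09:859 2904 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every entry opens with HH:MM:SS:mmm and a process id; the space after the
# pid is optional because some entries carry no message at all.
ENTRY_RE = re.compile(r"(\d{2}:\d{2}:\d{2}:\d{3}) (\d+) ?")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")          # name (md5) path
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)
INFECTED_RE = re.compile(r'^File "(?P<path>[^"]+)" infected by (?P<what>.+?)(?: \.\.\.)?$')
RESULT_RE = re.compile(
    r"^(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)$"
)

@dataclass
class Finding:
    path: str
    real_md5: str
    fake_md5: str
    verdict: str = ""          # e.g. "TDSS rootkit", from the "infected by" entry
    cure_pending: bool = False

@dataclass
class Report:
    drivers: dict = field(default_factory=dict)    # service name -> (md5, path)
    findings: list = field(default_factory=list)
    results: dict = field(default_factory=dict)    # "File" -> (infected, cured, on reboot)

def split_entries(text):
    """Yield (time, pid, message) per entry, splitting on the timestamp rather
    than on newlines: the "infected by TDSS rootkit ..." entry above has no line
    break after it, so "Backup copy found" shares its physical line."""
    parts = ENTRY_RE.split(text)    # ['', t1, pid1, msg1, t2, pid2, msg2, ...]
    for i in range(1, len(parts), 3):
        yield parts[i], parts[i + 1], parts[i + 2].strip()

def parse_log(text):
    report = Report()
    for _, _, msg in split_entries(text):
        if m := DRIVER_RE.match(msg):
            report.drivers[m.group(1)] = (m.group(2), m.group(3))
        elif m := FORGED_RE.search(msg):
            # A clean file hashes the same whichever way it is read; two digests
            # for one path is what TDSSKiller reports as "Forged".
            report.findings.append(Finding(m["path"], m["real"], m["fake"]))
        elif (m := INFECTED_RE.match(msg)) and report.findings and \
                report.findings[-1].path.lower() == m["path"].lower():
            report.findings[-1].verdict = m["what"]
        elif msg == "will be cured on next reboot" and report.findings:
            report.findings[-1].cure_pending = True
        elif m := RESULT_RE.match(msg):
            report.results[m["kind"]] = (int(m["inf"]), int(m["cured"]), int(m["reboot"]))
    return report

if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for f in rep.findings:
        # The inventory line for RDPCDD carries only the "real" digest and looks
        # like every other driver; only the mismatch marks it.
        print(f"{f.path}: {f.verdict or 'forged'} (real {f.real_md5}, fake {f.fake_md5}),"
              f" cure on reboot: {f.cure_pending}")
    print("File objects infected / cured / on reboot:", rep.results.get("File"))
```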



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 18 May 2010 - 04:36 PM

Hello

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Advertising Center
    Java™ 6 Update 5


    and click on remove

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Eset Online Scanner

**Note** You will need to use Internet explorer for this scan

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic


"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. Log From ESET Online Scanner
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 brownsfan

brownsfan
  • Topic Starter

  • Members
  • 15 posts

Posted 20 May 2010 - 10:28 AM

Here are the new requested logs.
Everything seems to be running well now.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4116

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/18/2010 11:00:14 PM
mbam-log-2010-05-18 (23-00-14).txt

Scan type: Quick scan
Objects scanned: 139329
Time elapsed: 5 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\WINDOWS\system32\o.dat (Rogue.AntispywareSoft) -> Quarantined and deleted successfully.



other log:

D:\Documents and Settings\Gary Hazelett\My Documents\Downloads\CDMA_Workshop_2.7_FULL_free-gsm-unlock.blogspot.com.rar multiple threats
D:\Documents and Settings\Gary Hazelett\My Documents\Downloads\USB.Autorun.Virus.Removal_upload.lu.rar Win32/HackTool.Patcher.A application
D:\Hard drive\Brock U3\Haunted3D.rar a variant of Win32/HackTool.Patcher.A application
D:\Hard drive\Documents and Settings\All Users\Desktop\XP, Vista or Office 2007 Activation\XP Pro\RockXP v4.0\RockXP v4.0.exe Win32/PSWTool.PWDump2 application
D:\Hard drive\Documents and Settings\Bro\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rzyiarl.default\Cache\93E5EC6Ed01 a variant of Win32/Spy.Agent.NQS trojan
D:\Hard drive\Documents and Settings\Bro\Local Settings\Temp\ir_ext_temp_0\AutoPlay\Docs\XP\XP Genuine Fix (Best).exe Win32/PSWTool.PWDump2 application
D:\Hard drive\Documents and Settings\Brock\Local Settings\Temp\rundll.exe probably a variant of MSIL/Spy.Keylogger.I trojan
D:\Hard drive\Documents and Settings\Brock\Local Settings\Temp\update-plugins.exe NSIS/TrojanDownloader.Agent.NBL.Gen trojan
D:\Hard drive\Documents and Settings\Brock\Local Settings\Temp\Explorer\rundll.exe probably a variant of MSIL/Spy.Keylogger.I trojan
D:\Hard drive\Documents and Settings\Brock\Local Settings\Temp\newtemp\rundll.exe probably a variant of MSIL/Spy.Keylogger.I trojan
D:\Hard drive\Documents and Settings\Brock\My Documents\Google_Earth_Pro_Gold.rar multiple threats
D:\Hard drive\Program Files\AIO Wireless Hack Toolz\AIO Wireless Hack Toolz.exe multiple threats
D:\Hard drive\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
D:\Qoobox\Quarantine\D\Program Files\Data Protection\datext.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\Program Files\Data Protection\dathook.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\Program Files\Data Protection\datprot.exe.vir a variant of Win32/Kryptik.EHZ trojan
D:\Qoobox\Quarantine\D\Program Files\Data Protection\Uninstall.exe.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAc.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAfulqipjiko\PRAGMAc.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAfulqipjiko\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAibpxusptio\PRAGMAc.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAibpxusptio\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAc.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAoibcjxvnmx\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqhwmcetrxy\PRAGMAc.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqhwmcetrxy\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\pragmabbr.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAc.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAqipjqvrtcc\pragmaserf.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAc.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAsiemntxomb\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAc.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAxnixthossp\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAyriuypesvj\PRAGMAc.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAyriuypesvj\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\system32\Drivers\rdpcdd.sys.vir Win32/Olmarik.ZC trojan
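
Triaging an ESET Online Scanner log like the one above with a script, added here as an example (not ESET's code or anything the posters wrote). It splits each line into path and detection, which is not a plain whitespace split because the paths contain spaces, and groups the hits by where they sit so that ComboFix's Qoobox quarantine backups are separated from files still in use; the line format and folder rules are assumptions based on the lines above, and the sample is a subset of them.

```python
"""Triage an ESET Online Scanner log like the one posted above.

Added example for this thread; not ESET's code or the helpers'. The way a
line is split into path and detection, and the folder rules used to group
hits, are assumptions based on the lines above. SAMPLE_LOG is a subset of them.
"""
import re
from collections import defaultdict

# Subset of the ESET log posted above.
SAMPLE_LOG = r"""
D:\Documents and Settings\Gary Hazelett\My Documents\Downloads\CDMA_Workshop_2.7_FULL_free-gsm-unlock.blogspot.com.rar multiple threats
D:\Documents and Settings\Gary Hazelett\My Documents\Downloads\USB.Autorun.Virus.Removal_upload.lu.rar Win32/HackTool.Patcher.A application
D:\Hard drive\Brock U3\Haunted3D.rar a variant of Win32/HackTool.Patcher.A application
D:\Hard drive\Documents and Settings\All Users\Desktop\XP, Vista or Office 2007 Activation\XP Pro\RockXP v4.0\RockXP v4.0.exe Win32/PSWTool.PWDump2 application
D:\Hard drive\Documents and Settings\Bro\Local Settings\Application Data\Mozilla\Firefox\Profiles\8rzyiarl.default\Cache\93E5EC6Ed01 a variant of Win32/Spy.Agent.NQS trojan
D:\Hard drive\Documents and Settings\Brock\Local Settings\Temp\rundll.exe probably a variant of MSIL/Spy.Keylogger.I trojan
D:\Hard drive\Documents and Settings\Brock\My Documents\Google_Earth_Pro_Gold.rar multiple threats
D:\Hard drive\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application
D:\Qoobox\Quarantine\D\Program Files\Data Protection\datext.dll.vir a variant of Win32/Kryptik.EJL trojan
D:\Qoobox\Quarantine\D\WINDOWS\PRAGMAcpxuetqxdm\PRAGMAd.sys.vir a variant of Win32/Rootkit.Kryptik.AZ trojan
D:\Qoobox\Quarantine\D\WINDOWS\system32\Drivers\rdpcdd.sys.vir Win32/Olmarik.ZC trojan
"""

# Paths contain spaces, so a line cannot simply be split on whitespace. The
# detection is either "multiple threats" or a Family/Name signature followed
# by a type word (trojan, application), optionally prefixed with
# "a variant of" or "probably a variant of". The lazy path group stops at the
# first point where the remainder fits that shape.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<detection>(?:probably a variant of |a variant of )?"
    r"(?:[A-Za-z0-9]+/\S+ \w+|multiple threats))$"
)

def parse_line(line):
    """Return (path, detection), or None when the line has another shape."""
    m = LINE_RE.match(line.strip())
    return (m["path"], m["detection"]) if m else None

def classify(path):
    """Group a hit by where it sits; the folder rules are this example's assumptions.

    ComboFix keeps its backups under the Qoobox quarantine folder with a .vir
    suffix, and the thread notes such entries are inert unless someone restores
    them by hand. Browser cache and Temp hits are grouped on their own; anything
    else is a file still in place on the system.
    """
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p and p.endswith(".vir"):
        return "quarantine_backup"
    if "\\local settings\\temp\\" in p or "\\cache\\" in p:
        return "temp_or_cache"
    return "live"

def triage(text):
    """Map each group to its [(path, detection), ...]; odd lines go to 'unparsed'."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            groups["unparsed"].append((line.strip(), ""))
        else:
            groups[classify(parsed[0])].append(parsed)
    return dict(groups)

def cleanup_candidates(groups):
    """Paths a cleanup script like the del.bat in this thread would act on."""
    return [path for path, _ in groups.get("live", [])]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for group, hits in sorted(result.items()):
        print(f"{group}: {len(hits)}")
        for path, detection in hits:
            print(f"  {detection:50} {path}")
```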


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 May 2010 - 11:24 AM

Open Notepad.
Copy this in the Notepad-file:

CODE
@ECHO OFF
IF EXIST log.txt DEL log.txt
ECHO Deleting files>>log.txt
FOR %%g in (
"D:\Documents and Settings\Gary Hazelett\My Documents\Downloads\CDMA_Workshop_2.7_FULL_free-gsm-unlock.blogspot.com.rar"
"D:\Documents and Settings\Gary Hazelett\My Documents\Downloads\USB.Autorun.Virus.Removal_upload.lu.rar"
"D:\Hard drive\Brock U3\Haunted3D.rar"
"D:\Hard drive\Documents and Settings\All Users\Desktop\XP, Vista or Office 2007 Activation\XP Pro\RockXP v4.0\RockXP v4.0.exe"
"D:\Hard drive\Documents and Settings\Brock\My Documents\Google_Earth_Pro_Gold.rar"
"D:\Hard drive\Program Files\AIO Wireless Hack Toolz\AIO Wireless Hack Toolz.exe"
"D:\Hard drive\Program Files\Hotspot Shield\bin\openvpnas.exe" ) DO (
IF EXIST %%g (
ATTRIB -r -s -h %%g
DEL %%g
IF EXIST %%g (
ECHO %%g not deleted>>log.txt
) ELSE (
ECHO %%g deleted>>log.txt)
) ELSE (
ECHO %%g not found>>log.txt))
START NOTEPAD.EXE log.txt


Go to File - Save as...
Fill in the next values:
Location: Desktop
File name: del.bat
File type: All files (*.*).
Now, click Save.
Double-click del.bat.
Post the contents of the logfile that opens in your next reply.


Very well done!! This is my general post for when your logs show no more signs of malware ;) Please let me know if you are still having problems with your computer and what these problems are.

The Online scan is mostly reporting backups created during the course of this fix. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.

:Uninstall ComboFix:
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:remove tools:

Please download OTCleanIt and save it to your desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files.

:Make your Internet Explorer more secure:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then OK to exit the Internet Properties page.

:Turn On Automatic Updates:
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended): Automatically download recommended updates for my computer and install them.

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
  • WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

Please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:

Gringo


#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 23 May 2010 - 01:43 PM

Since the issue is resolved, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

The fixes and advice in this thread are for this machine only.
Do not apply the instructions from this thread to your own machine.
Please start a new thread describing your issue and someone will be along to assist you.


With Regards,
Gringo




