
Need help with Malware/Adware problems


12 replies to this topic

#1 Tomhernandez

Tomhernandez

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 03 July 2010 - 09:27 PM

My system recently started redirecting my google searches to different ad sites, so I suspected it to be some kind of virus. I noticed each of the redirects started with something like 'resuls5.google.com' so I did some searching about that on my phone. After looking through tons of others' posts I decided I needed to run some kind of scan to get rid of this thing. Now, I began with trying to update Windows Defender, but it could never reach the update site (suspiciously). I then downloaded Spybot Search and Destroy because it was recommended to use. It also couldn't get to the download/update server either. I finally came across some people saying Malwarebytes Anti-Malware was the way to go. So I grabbed that thing and it actually opened! It did a quick scan and found some stuff, then a full scan and further removed things. I had hoped it would bring me to the end of this stupid virus, but I find myself here. I've read stuff about Combofix being the way to go, but I hesitate to run it without proper recommendation. Malwarebytes keeps finding the same two viruses and deleting them, but they are some how able to recreate themselves. I apologize for the lengthy post, but if someone can help me out it would be awesome. Is running Combofix the way to go?

Responses appreciated,

Tom

Edited by Orange Blossom, 04 July 2010 - 03:22 PM.
Move to AII as no logs posted and prep. guide not followed. ~ OB



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,762 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:05:26 AM

Posted 04 July 2010 - 03:36 PM

Hello please post the last MBAM log with the 2 infections.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


Reboot into Safe Mode with Networking
How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode with Networking using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


>>>> Download this file and double-click on it to run it. Allow the information to be merged with the registry.

RKill....

Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
Do not reboot your computer after running RKill, as the malware programs will start again; or, if rebooting is required, run it again.



Next run SUPERAntiSpyware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs
old and new MBAM
RKILL
SAS
and let us know how the PC is running now.

#3 Tomhernandez

Tomhernandez
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 04 July 2010 - 11:05 PM

Ok, here is the log from Malwarebytes from last night. I'm going to post this first, then follow your instructions.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/4/2010 6:59:44 AM
mbam-log-2010-07-04 (06-59-44).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 298274
Time elapsed: 1 hour(s), 7 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\efoyjev.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


That last one is the one that keeps coming back: it says deleted, and after reboot it comes back. Ok, off to do the other stuff; I'll post all new logs after.

Tom
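The symptom in this post (a driver MBAM reports as "Quarantined and deleted successfully" that is present again after every reboot) is the classic sign that something else on the system, typically a kernel-mode component or another boot-time persistence mechanism, is reinstalling the file. The helper's instructions rely on comparing successive logs, so here is an added example, not code from the thread or from Malwarebytes, of how a responder can do that comparison mechanically: a small Python parser for the MBAM 1.x log format shown above, plus a check that flags any item detected in one scan and detected again in a later one, and marks it when it lives in a location typical of driver or boot-time persistence. Both sample logs are constructed: the first is an abridged copy of the posted full scan, the second is a hypothetical follow-up quick scan, and the registry key in it is a placeholder.

```python
"""Added example (not from the thread): parse MBAM 1.x text logs and flag
detections that were reported removed in one scan and reappear in a later
one. Sample logs below are constructed for illustration."""
import re

# Section headers as they appear in MBAM 1.x logs.
SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)

# Paths where a detection that survives "deleted successfully" suggests a
# component being reinstalled by a driver or other boot-time persistence.
PERSISTENT_HINTS = ("\\system32\\drivers\\", "\\spool\\prtprocs\\", "\\windows\\tasks\\")

SECTION_RE = re.compile(r"^(.+?):\s*(\d+)?$")
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

# Constructed sample: abridged copy of the full scan posted above.
LOG_FULL = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4052
7/4/2010 6:59:44 AM
Scan type: Full scan (C:\|D:\|)
Registry Keys Infected: 0
Files Infected: 1

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\efoyjev.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Constructed sample: hypothetical later quick scan; the driver returns and
# one placeholder registry key is new.
LOG_QUICK = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4052
7/5/2010 9:10:11 AM
Scan type: Quick scan
Registry Keys Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\PLACEHOLDER\Example (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\drivers\efoyjev.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return {'database', 'scan_type', 'detections'}; detections maps a
    section name to a list of (item, threat_name, action) tuples."""
    parsed = {"database": None, "scan_type": None,
              "detections": {s: [] for s in SECTIONS}}
    section = None  # detail section currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Database version: "):
            parsed["database"] = int(line.split(": ", 1)[1])
            continue
        if line.startswith("Scan type: "):
            parsed["scan_type"] = line.split(": ", 1)[1]
            continue
        m = SECTION_RE.match(line)
        if m and m.group(1) in SECTIONS:
            # "Files Infected: 1" belongs to the summary block; a bare
            # "Files Infected:" opens the detail block listing the items.
            section = None if m.group(2) is not None else m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if section and m:
            parsed["detections"][section].append(
                (m.group("item"), m.group("name"), m.group("action")))
    return parsed


def looks_persistent(item):
    """True if the item sits in a location typical of driver/boot persistence."""
    lowered = item.lower()
    return any(hint in lowered for hint in PERSISTENT_HINTS)


def recurring_detections(logs):
    """Items found in an earlier log that show up again in a later one.
    `logs` must be parsed logs in chronological order."""
    seen, reported, recurring = set(), set(), []
    for log in logs:
        for section, items in log["detections"].items():
            for item, name, _action in items:
                key = (section, item.lower())
                if key in seen and key not in reported:
                    reported.add(key)
                    recurring.append({"section": section, "item": item, "name": name,
                                      "likely_persistence": looks_persistent(item)})
        seen.update((s, i.lower()) for s, its in log["detections"].items()
                    for i, _n, _a in its)
    return recurring


def triage(log_texts=(LOG_FULL, LOG_QUICK)):
    """Parse the logs and return the recurring-detection report."""
    return recurring_detections([parse_mbam_log(t) for t in log_texts])


if __name__ == "__main__":
    for entry in triage():
        flag = " [persistence suspected]" if entry["likely_persistence"] else ""
        print(f"{entry['section']}: {entry['item']} ({entry['name']}){flag}")
```

Run against real logs by passing their file contents to `triage()` in date order. A recurring item in `System32\drivers` is exactly the case where on-demand scanners keep "winning" each scan and losing each reboot, which is why the helper asks for all logs rather than the last one: the sequence, not any single scan, shows the reinstall loop.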

#4 Tomhernandez

Tomhernandez
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:26 AM

Posted 05 July 2010 - 08:02 AM

Ok, here are all the new logs; first RKill

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Tom on 07/05/2010 at 2:11:19.


Processes terminated by Rkill or while it was running:


C:\Users\Tom\Downloads\rkill.exe


Rkill completed on 07/05/2010 at 2:11:21.


Next SAS

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/05/2010 at 04:14 AM

Application Version : 4.40.1002

Core Rules Database Version : 5155
Trace Rules Database Version: 2967

Scan type : Complete Scan
Total Scan Time : 02:00:57

Memory items scanned : 385
Memory threats detected : 0
Registry items scanned : 8981
Registry threats detected : 34
File items scanned : 178271
File threats detected : 319

Trojan.IRCBot/Dropper-Gen
[Safe Run Start] C:\WINDOWS\SYSTEM32\SAFERUN.EXE
C:\WINDOWS\SYSTEM32\SAFERUN.EXE
[Safe Run Start] C:\WINDOWS\SYSTEM32\SAFERUN.EXE
[Safe Run Start] C:\WINDOWS\SYSTEM32\SAFERUN.EXE
[Safe Run Start] C:\WINDOWS\SYSTEM32\SAFERUN.EXE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\5A2XSVFI\SPSF12[1].EXE
C:\WINDOWS\TEMP\RMACTIVATE_SSP_ISVB.EXE
C:\WINDOWS\TEMP\WSCRIPTA.EXE

Trojan.Agent/Gen-CDesc[Broad]
[M5T8QL3YW3] C:\WINDOWS\TEMP\MTX.EXE
C:\WINDOWS\TEMP\MTX.EXE
[M5T8QL3YW3] C:\WINDOWS\TEMP\MTX.EXE
C:\Windows\Prefetch\MTX.EXE-3033A0BC.pf

Trojan.Agent/Gen-FakeAV
[fipqwdup] C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\CTDAWOAWP\AWWAIUWTSSD.EXE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\CTDAWOAWP\AWWAIUWTSSD.EXE
[fipqwdup] C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\CTDAWOAWP\AWWAIUWTSSD.EXE
C:\WINDOWS\TEMP\ETHLKB.EXE

Adware.Flash Tracking Cookie
C:\Users\Tom\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\EZBX2RV4\CONVOAD.TECHNORATIMEDIA.COM
C:\Users\Tom\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\EZBX2RV4\IA.MEDIA-IMDB.COM
C:\Users\Tom\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\EZBX2RV4\MEDIAFORGEWS.COM
C:\Users\Tom\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\EZBX2RV4\OBJECTS.TREMORMEDIA.COM
C:\Users\Tom\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\EZBX2RV4\RICHMEDIA247.COM
C:\Users\Tom\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\EZBX2RV4\UDN.SPECIFICCLICK.NET
C:\Users\Tom\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\EZBX2RV4\CRACKLE.COM
C:\Users\Tom\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\EZBX2RV4\WWW.CRACKLE.COM
C:\Users\Tom\AppData\Roaming\MACROMEDIA\FLASH PLAYER\#SHAREDOBJECTS\EZBX2RV4\SECURE-US.IMRWORLDWIDE.COM

Rogue.AntivirusSoft
HKU\.DEFAULT\Software\avsoft
HKU\S-1-5-18\Software\avsoft

Trojan.DNS-Changer (Hi-Jacked DNS)
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{7796075F-E450-4486-8289-693589554321}#NAMESERVER
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{AA8CD3DD-9EDF-4F3A-A570-44611D0ADDF3}#NAMESERVER
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{7796075F-E450-4486-8289-693589554321}#NAMESERVER
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS\INTERFACES\{AA8CD3DD-9EDF-4F3A-A570-44611D0ADDF3}#NAMESERVER
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{7796075F-E450-4486-8289-693589554321}#NAMESERVER
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{AA8CD3DD-9EDF-4F3A-A570-44611D0ADDF3}#NAMESERVER
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS#NAMESERVER
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS#NAMESERVER
HKLM\SYSTEM\CONTROLSET002\SERVICES\TCPIP\PARAMETERS#NAMESERVER

Malware.Trace
C:\Windows\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
HKU\.DEFAULT\Software\M5T8QL3YW3
HKU\S-1-5-18\Software\M5T8QL3YW3
HKU\.DEFAULT\SOFTWARE\XML
HKU\S-1-5-18\SOFTWARE\XML
HKU\.DEFAULT\SOFTWARE\AVSUITE
HKU\S-1-5-18\SOFTWARE\AVSUITE
HKU\.DEFAULT\Software\V71IQL7HI7
HKU\S-1-5-18\Software\V71IQL7HI7

Adware.AdRotator
HKU\.DEFAULT\Software\Sky-Banners
HKU\S-1-5-18\Software\Sky-Banners
HKU\.DEFAULT\Software\Street-Ads
HKU\S-1-5-18\Software\Street-Ads
HKLM\SOFTWARE\Classes\AppID\{7B6A2552-E65B-4a9e-ADD4-C45577FFD8FD}
HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}
HKLM\SOFTWARE\Classes\AppID\{84C3C236-F588-4c93-84F4-147B2ABBE67B}\apps

Trojan.Agent/Gen-Frauder
C:\USERS\TOM\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\X5C0M1C6\N00A102304801R0409J11000601R6D139521WE7150CB1XDEFC5BADY92D3CBC4Z03003F360[1]

Trojan.Agent/Gen-Nullo[Short]
C:\USERS\TOM\APPDATA\LOCAL\TEMP\DSSKNT.EXE

Rootkit.Agent/Gen-TDSS
C:\USERS\TOM\APPDATA\ROAMING\F510938F.EXE
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\317KUOC9.DLL
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\7E3AA93.DLL
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\M9G179K.DLL

Adware.Tracking Cookie
cdn4.specificclick.net [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
cloud.video.unrulymedia.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
convoad.technoratimedia.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
core.insightexpressai.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
crackle.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
ec.atdmt.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
ia.media-imdb.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
media.mtvnservices.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
media.scanscout.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
media.socialvibe.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
mediaforgews.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
objects.tremormedia.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
richmedia247.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
s0.2mdn.net [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
secure-us.imrworldwide.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
udn.specificclick.net [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
video.redorbit.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
www.crackle.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
www.naiadsystems.com [ C:\Users\Tom\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\EZBX2RV4 ]
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@247realmedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@247realmedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@2o7[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@3.v.d.cltomedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@a1.interclick[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@a1.interclick[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@a1.interclick[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@a1.interclick[4].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.wsod[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[10].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[4].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[5].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[6].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[7].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[8].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.yieldmanager[9].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ad.zanox[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adbrite[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adbrite[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adbureau[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adecn[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adecn[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adfarm1.adition[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adlegend[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@admarketplace[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@admarketplace[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adprofile[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.ad4game[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.adap[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.addynamix[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.as4x.tmcs.ticketmaster[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.bittorrent[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.bootcampmedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.bootcampmedia[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.bridgetrack[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.bridgetrack[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.christianpost[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.lycos[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.myadplatform[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.pointroll[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.pointroll[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.redorbit[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.smartadx[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.techguy[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.tentonhammer[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.undertone[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ads.undertone[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adserver.adreactor[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adserver.adtechus[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adserver.overclock[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adsrv1.maxsitesrevenues[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adsrv2.maxsitesrevenues[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@advertise[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@advertise[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@advertising.sheknows[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@advertising[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@advertising[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adx.bidsystem[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adx.bidsystem[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@adxpose[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@apmebf[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@at.atwola[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@atdmt[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@atdmt[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@atlas.entrepreneur[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@atwola[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bannertgt[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bighitbox[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bizzclick[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bluestreak[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bluestreak[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bridge1.admarketplace[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bridge2.admarketplace[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bs.serving-sys[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@bs.serving-sys[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@burstnet[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@burstnet[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@burstnet[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@burstnet[4].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@c.q.d.cltomedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@casalemedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@casalemedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cdn1.trafficmp[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cdn4.specificclick[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cdn4.specificclick[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cdn4.specificclick[4].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cgm.adbureau[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cgm.adbureau[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@chitika[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@citi.bridgetrack[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@click.cashengines[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clickforensics[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clickforensics[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clickpayz4.91423.blueseek[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clickpayz5.91449.blueseek[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clicksor[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clicksor[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clicksor[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clicktorrent[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clicktorrent[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clicktorrent[4].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clicktorrent[5].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@clicktorrent[6].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cltomedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cltomedia[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cltomedia[4].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cnfg.clarionmediausa[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@cnfg.maxsitesrevenues[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@collective-media[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@content.yieldmanager[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@content.yieldmanager[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@content.yieldmanager[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@content.yieldmanager[4].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@content.yieldmanager[7].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@counter.surfcounters[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@crackle[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@crackle[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@d.mediadakine[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@dc.tremormedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@doubleclick[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@e-2dj6wmmyoodzado.stats.esomniture[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@eb.adbureau[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@edgeadx[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@electronicarts.112.2o7[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@entrepreneur.122.2o7[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ext-us.bestofmedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@ext-us.bestofmedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@eyewonder[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@fastclick[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@fastclick[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@gearslutz.advertserve[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@i.o.d.cltomedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@iacas.adbureau[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@imrworldwide[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@insightexpressai[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@interclick[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@intermundomedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@invitemedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@invitemedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@invitemedia[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@invitemedia[4].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@k.l.d.cltomedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@kanoodle[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@kontera[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@kontera[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@linksynergy[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@lucidmedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@maxsitesrevenues[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@media6degrees[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@media6degrees[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@media6degrees[3].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@mediafire[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@mediaplex[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@mediaplex[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@microsoftinternetexplorer.112.2o7[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@microsoftmachinetranslation.112.2o7[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@microsoftsto.112.2o7[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@microsoftwga.112.2o7[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@microsoftwindows.112.2o7[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@msnbc.112.2o7[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@msnportal.112.2o7[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@myroitracking[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@myroitracking[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@network.alluremedia.com[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@network.realmedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@oasn03.247realmedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@oasn04.247realmedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@oasn04.247realmedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@p.h.d.cltomedia[2].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@p.v.q.cltomedia[1].txt
C:\Users\Tom\AppData\Roaming\Microsoft\Windows\Cookies\tom@p1430.superclick[2].txt

Trojan.Agent/Gen-FakeAlert[Mares]
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\VDBDPLS.DLL
C:\WINDOWS\TEMP\GQUHBYP.EXE

Rootkit.TDSS
C:\WINDOWS\SYSTEM32\ERNEL32.DLL

Trojan.Agent/Gen-Chalgara
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\31Y93O7O.DLL
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\5SK5Y.DLL
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\5WS55.DLL
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\K79GMY.DLL
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\K931W9U.DLL
C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\S79S1E.DLL

Trojan.Agent/Gen-CDesc[Gen]
C:\WINDOWS\TEMP\MTW.EXE

And finally the MBAM log, after all the others:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4277

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/5/2010 9:00:41 AM
mbam-log-2010-07-05 (09-00-41).txt

Scan type: Quick scan
Objects scanned: 129206
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skb (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7796075f-e450-4486-8289-693589554321}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.66,93.188.161.206 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\efoyjev.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Windows\Temp\jghrjtyu.exe (Adware.AdRotator) -> Quarantined and deleted successfully.


Going to restart and see if it keeps acting up. How do the logs look? Is there anything else I need to do?
Thanks,

TH

#5 boopme (Global Moderator)

Posted 05 July 2010 - 12:00 PM

Hi, the Rootkit.Agent, IRCBot and TDSS infections are dangerous. I need to tell you this here.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


To continue, TDSSKiller
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

GMER Rootkit scan:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Tomhernandez (Topic Starter)

Posted 05 July 2010 - 08:16 PM

Alright, I'm making preparations to reformat if that is what has to be done. Here are the two log files you asked for, please let me know after these if there is nothing that can be done.

First TDSSKiller

20:56:39:616 0272 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
20:56:39:616 0272 ================================================================================
20:56:39:616 0272 SystemInfo:

20:56:39:616 0272 OS Version: 6.1.7600 ServicePack: 0.0
20:56:39:616 0272 Product type: Workstation
20:56:39:616 0272 ComputerName: TOM-PC
20:56:39:616 0272 UserName: Tom
20:56:39:616 0272 Windows directory: C:\Windows
20:56:39:616 0272 System windows directory: C:\Windows
20:56:39:616 0272 Processor architecture: Intel x86
20:56:39:616 0272 Number of processors: 2
20:56:39:616 0272 Page size: 0x1000
20:56:39:616 0272 Boot type: Normal boot
20:56:39:616 0272 ================================================================================
20:56:40:068 0272 Initialize success
20:56:40:068 0272
20:56:40:068 0272 Scanning Services ...
20:56:41:644 0272 Raw services enum returned 465 services
20:56:41:675 0272 Suspicious serv efoyjev (h: 0, b: 1)
20:56:41:675 0272
20:56:41:675 0272 Hidden service detected!
20:56:41:675 0272 Service name: efoyjev
20:56:41:675 0272 Image path:
20:56:41:675 0272 Type "delete" (without quotes) to delete it:


I did NOT type delete, only pushed Enter, and that's what came up. Next is GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-05 21:15:08
Windows 6.1.7600
Running: 5m39tr3y.exe; Driver: C:\Users\Tom\AppData\Local\Temp\uwldipow.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E36AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E36104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E363F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1F2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E1E898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E361DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E36958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E366F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E36F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E371A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A4F599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A73F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\efoyjev.sys A device attached to the system is not functioning. !
PAGE PCIIDEX.SYS!AtaPortSetBusData + 3B67 88DDE769 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!AtaPortSetBusData + 3BBD 88DDE7BF 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!AtaPortSetBusData + 408D 88DDEC8F 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!AtaPortSetBusData + 4126 88DDED28 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!AtaPortSetBusData + 468B 88DDF28D 4 Bytes [3C, 89, 5F, 85]
PAGE ...
PAGE PCIIDEX.SYS!DllInitialize + 179 88DDF9A5 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!DllInitialize + D47 88DE0573 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!DllInitialize + DBB 88DE05E7 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!AtaPortInitializeEx + 749 88DE0DAF 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!AtaPortInitializeEx + 7E4 88DE0E4A 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!AtaPortInitializeEx + 871 88DE0ED7 4 Bytes [3C, 89, 5F, 85]
PAGE PCIIDEX.SYS!AtaPortInitializeEx + 979 88DE0FDF 4 Bytes [3C, 89, 5F, 85]
.text ataport.SYS!DllInitialize + FFFEB36D 8371E0C5 4 Bytes [FC, 7F, 5F, 85]
.text ataport.SYS!AtaPortInitialize + 49B6 83727E94 4 Bytes [FC, 7F, 5F, 85]
PAGE ataport.SYS!AtaPortGetParentBusType + 83F1 83731C65 4 Bytes [FC, 7F, 5F, 85]
PAGE ataport.SYS!AtaPortGetParentBusType + 8447 83731CBB 4 Bytes [FC, 7F, 5F, 85]
PAGE ataport.SYS!AtaPortGetParentBusType + 8859 837320CD 4 Bytes [FC, 7F, 5F, 85]
PAGE ataport.SYS!AtaPortGetParentBusType + 88F2 83732166 4 Bytes [FC, 7F, 5F, 85]
PAGE ataport.SYS!DllInitialize + AD1 83733829 4 Bytes [FC, 7F, 5F, 85]
PAGE ataport.SYS!DllInitialize + 2749 837354A1 4 Bytes [FC, 7F, 5F, 85]
PAGE ataport.SYS!DllInitialize + 27D8 83735530 4 Bytes [FC, 7F, 5F, 85]
PAGE ataport.SYS!DllInitialize + 2CBD 83735A15 4 Bytes [FC, 7F, 5F, 85]
PAGE ataport.SYS!DllInitialize + 4CBB 83737A13 4 Bytes [FC, 7F, 5F, 85]
PAGE ...
.text CLASSPNP.SYS!ClassReleaseRemoveLock + 3286 8919A2AC 4 Bytes [9C, 71, A5, 85]
.text CLASSPNP.SYS!ClassReleaseRemoveLock + 3317 8919A33D 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassCompleteRequest + 119 8919A5A0 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassCompleteRequest + 72B 8919ABB2 4 Bytes [C4, 29, 5E, 85]
.text CLASSPNP.SYS!ClassSendSrbSynchronous + 1EA 8919B364 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassIoComplete + 2D4 8919B892 4 Bytes [C4, 29, 5E, 85]
.text CLASSPNP.SYS!ClassDeviceControl + 72B 8919C6D5 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassDeviceControl + CAE 8919CC58 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassSendIrpSynchronous + 3A 8919D1E6 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassReadDriveCapacity + 6BC 8919E716 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassReadDriveCapacity + 74E 8919E7A8 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + 498 8919ED81 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + 89D 8919F186 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + 9A2 8919F28B 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + EE9 8919F7D2 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassSpinDownPowerHandler + 13CE 8919FCB7 4 Bytes [4C, 05, DC, 96]
.text ...
.text CLASSPNP.SYS!ClassNotifyFailurePredicted + F38 891A1411 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassInternalIoControl + 87 891A1AED 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassInternalIoControl + 175 891A1BDB 4 Bytes [C4, 29, 5E, 85]
.text CLASSPNP.SYS!ClassReleaseChildLock + 1B5 891A1E2E 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassGetDriverExtension + 110 891A2050 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassGetDriverExtension + 1D4 891A2114 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassSendStartUnit + CC 891A247E 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassSendSrbAsynchronous + 143 891A3B6B 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassIoCompleteAssociated + 29B 891A57C4 4 Bytes [C4, 29, 5E, 85]
.text CLASSPNP.SYS!ClassDebugPrint + 1327 891A6BFA 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassDebugPrint + 13BD 891A6C90 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassDebugPrint + 15F3 891A6EC6 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassDebugPrint + 172E 891A7001 4 Bytes [4C, 05, DC, 96]
.text CLASSPNP.SYS!ClassDebugPrint + 1857 891A712A 4 Bytes [4C, 05, DC, 96]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E410340, 0x3EE217, 0xE8000020]
.text peauth.sys 9D617C9D 28 Bytes [15, A7, 7F, E0, 80, 15, C4, ...]
.text peauth.sys 9D617CC1 28 Bytes [15, A7, 7F, E0, 80, 15, C4, ...]

---- User code sections - GMER 1.0.15 ----

? C:\Windows\System32\svchost.exe[1408] image checksum mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[1188] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75435E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1188] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75435E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1188] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75435E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1188] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75435E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs] 51EC8B55
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit] 1845DB51
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter] F855DD56
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit] E8084DDC
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm] 000004D2
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit] FF184589
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr] 40516015
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy] F845DD00
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp] 8B104DDC
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common] 1865DAF0
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ] 0004B9E8
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type] 8BC88B00
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode] F74199C6
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode] C28B5EF9
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit] C9184503
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 40516015
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle] 244C8B00
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 748D9908
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress] FEF70109
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError] 2BC28B5E
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 244403C1
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 15FFC308
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [00405160] C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange] 04244C8B
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep] F9F74199
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] FFC3C28B
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA] 40516015
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 646A9900
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount] 33F9F759
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 24543BC0
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C09C0F04
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx] EC8B55C3
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 0204EC81
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx] 68560000
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 515815FF
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegCloseKey] 00FFB8F0
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegOpenKeyExW] 8D500000
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation] FFFEFC8D
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] C93351FF
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW] 558D5151
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 8D5052FC
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegQueryValueExW] FFFDFC85
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx] FF5150FF
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW] 40504415
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 56216A00
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] FFFC75FF
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess] 40515C15
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode] 0CC48300
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegDisablePredefinedCacheEx] C01BD8F7
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] EC8B55C3
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 458B5151
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObjectEx] 33565308
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree] 57C88BF6
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree] 33FC7589
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 01518DFF
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 802974CA
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 7420063C
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] [75FF850A] C:\Windows\system32\ole32.dll (Microsoft OLE for Windows/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 45FF470C
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid] 8506EBFC
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 330274FF
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection] 46C88BFF
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical] 8A01518D
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] DB844119
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] CA2BF975
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventWrite] D772F13B
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventEnabled] 5FFC458B
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventRegister] C3C95B5E
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 83EC8B55
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] FF0A7500
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 45C7F845
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 000001FC
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 0C4D8B00
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] F84D3941
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 016A3275
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 15FF5750
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [00405154] C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[1408] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen] EB0CC483
IAT C:\Windows\System32\rundll32.exe[1704] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75435E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1704] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75435E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1704] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75435E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1704] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75435E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85E25E50

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000046 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\efoyjev@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\efoyjev@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\efoyjev@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\efoyjev@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\efoyjev@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\efoyjev@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\efoyjev@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\efoyjev@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----


Gonna wait on your reply to see if I absolutely must reinstall my OS.
Thanks for your help so far,

TH

#7 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender: Male
  • Location: NJ USA

Posted 05 July 2010 - 08:34 PM

Rerun the killer and delete
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#8 Tomhernandez (Topic Starter)

  • Members
  • 7 posts

Posted 05 July 2010 - 09:27 PM

Ok, I re-ran that and deleted it; it did some further scanning and I rebooted my system. Here is the log from that:

22:22:23:878 3488 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
22:22:23:878 3488 ================================================================================
22:22:23:878 3488 SystemInfo:

22:22:23:878 3488 OS Version: 6.1.7600 ServicePack: 0.0
22:22:23:878 3488 Product type: Workstation
22:22:23:878 3488 ComputerName: TOM-PC
22:22:23:879 3488 UserName: Tom
22:22:23:880 3488 Windows directory: C:\Windows
22:22:23:880 3488 System windows directory: C:\Windows
22:22:23:880 3488 Processor architecture: Intel x86
22:22:23:880 3488 Number of processors: 2
22:22:23:880 3488 Page size: 0x1000
22:22:23:882 3488 Boot type: Normal boot
22:22:23:882 3488 ================================================================================
22:22:24:739 3488 Initialize success
22:22:24:740 3488
22:22:24:741 3488 Scanning Services ...
22:22:26:376 3488 Raw services enum returned 465 services
22:22:26:388 3488 Suspicious serv efoyjev (h: 0, b: 1)
22:22:26:388 3488
22:22:26:389 3488 Hidden service detected!
22:22:26:389 3488 Service name: efoyjev
22:22:26:390 3488 Image path:
22:22:26:391 3488 Type "delete" (without quotes) to delete it: 22:22:33:816 3488
22:22:33:816 3488 By user detect efoyjev
22:22:33:816 3488 RegNode HKLM\SYSTEM\ControlSet001\services\efoyjev infected by TDSS rootkit ... 22:22:33:817 3488 will be deleted on reboot
22:22:33:856 3488 RegNode HKLM\SYSTEM\ControlSet002\services\efoyjev infected by TDSS rootkit ... 22:22:33:856 3488 will be deleted on reboot
22:22:33:872 3488 File C:\Windows\system32\drivers\efoyjev.sys infected by TDSS rootkit ... 22:22:33:873 3488 will be deleted on reboot
22:22:33:874 3488
22:22:33:875 3488 Scanning Drivers ...
22:22:38:281 3488 efoyjev (80c6af4f948d4168fc90da1a6f4b6924) C:\Windows\system32\drivers\efoyjev.sys
22:22:38:281 3488 Suspicious file (NoAccess): C:\Windows\system32\drivers\efoyjev.sys. md5: 80c6af4f948d4168fc90da1a6f4b6924
22:22:51:819 3488 Reboot required for cure complete..
22:22:52:197 3488 Cure on reboot scheduled successfully
22:22:52:197 3488
22:22:52:197 3488 Completed
22:22:52:198 3488
22:22:52:198 3488 Results:
22:22:52:199 3488 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
22:22:52:199 3488 File objects infected / cured / cured on reboot: 1 / 0 / 1
22:22:52:199 3488
22:22:52:205 3488 KLMD(ARK) unloaded successfully

Am I good to go now?
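As an added example (not code from this thread, from Kaspersky or from GMER), here is a small Python triage script for the TDSSKiller log above and the GMER registry entries from the earlier post. It assumes the line formats exactly as posted; the `demoSvc` service in the GMER sample is constructed to show a non-matching entry.

```python
"""Triage helper for the TDSSKiller and GMER output quoted in this thread.

Added example, not a tool from the thread, Kaspersky or GMER. It assumes the
formats exactly as posted: TDSSKiller records "HH:MM:SS:mmm <pid> <message>"
and GMER registry lines "Reg <key>@<value> <data>".
"""
import re
from dataclasses import dataclass, field

RECORD_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s*(.*)$")
SUSPICIOUS_FILE_RE = re.compile(r"^Suspicious file \((\w+)\): (.+?)\. md5: ([0-9a-f]{32})$")
INFECTED_RE = re.compile(r"^(RegNode|File)\s+(.+?)\s+infected by\s+(.+?)\s+\.\.\.")
RESULTS_RE = re.compile(r"^(Registry|File) objects infected / cured / cured on reboot: (\d+) / (\d+) / (\d+)$")
GMER_REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\[^\\]+\\services\\([^@\\]+)@(\w+)\s*(.*)$")


@dataclass
class Triage:
    hidden_services: list = field(default_factory=list)   # (service name, image path)
    suspicious_files: list = field(default_factory=list)  # (path, md5, reason)
    infected: list = field(default_factory=list)          # (kind, target, verdict)
    results: dict = field(default_factory=dict)           # kind -> (infected, cured, on reboot)


def split_records(text):
    """Yield (timestamp, pid, message) per record. The posted log has physical lines
    carrying two records (a second timestamp mid-line before "will be deleted on
    reboot"), so split on every embedded timestamp, not only on newlines."""
    for line in text.splitlines():
        for chunk in re.split(r"(?=\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\b)", line):
            m = RECORD_RE.match(chunk.strip())
            if m:
                yield m.group(1), m.group(2), m.group(3).strip()


def triage_tdsskiller(log_text):
    """Reduce a TDSSKiller log to the findings a helper actually needs to read."""
    t = Triage()
    pending_name = None  # set by "Service name:", consumed by the next "Image path:"
    for _ts, _pid, msg in split_records(log_text):
        if msg.startswith("Service name:"):
            pending_name = msg.split(":", 1)[1].strip()
        elif msg.startswith("Image path:") and pending_name is not None:
            # Empty image path on a hidden service: exactly what TDSSKiller flagged here.
            t.hidden_services.append((pending_name, msg.split(":", 1)[1].strip()))
            pending_name = None
        elif (m := SUSPICIOUS_FILE_RE.match(msg)):
            t.suspicious_files.append((m.group(2), m.group(3), m.group(1)))
        elif (m := INFECTED_RE.match(msg)):
            t.infected.append((m.group(1), m.group(2), m.group(3)))
        elif (m := RESULTS_RE.match(msg)):
            t.results[m.group(1)] = tuple(int(x) for x in m.group(2, 3, 4))
    return t


def boot_start_services(gmer_text):
    """Service names from GMER 'Reg' lines registered as boot-start kernel drivers
    (Start 0 = SERVICE_BOOT_START, Type 1 = SERVICE_KERNEL_DRIVER). Such a driver is
    loaded before any user-mode scanner, which fits MBAM seeing the same objects return."""
    services = {}
    for line in gmer_text.splitlines():
        m = GMER_REG_RE.match(line.strip())
        if m:
            services.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return sorted(n for n, v in services.items()
                  if v.get("Start") == "0" and v.get("Type") == "1")


def correlate(tdss_log, gmer_text):
    """Names both tools point at: hidden/infected per TDSSKiller, boot-start per GMER."""
    t = triage_tdsskiller(tdss_log)
    names = {name for name, _ in t.hidden_services}
    names |= {target.rsplit("\\", 1)[-1].partition(".")[0] for _, target, _ in t.infected}
    return sorted(names & set(boot_start_services(gmer_text)))


# Excerpt of the TDSSKiller log posted above (the double-record lines kept verbatim).
SAMPLE_TDSS = r"""
22:22:26:389 3488 Hidden service detected!
22:22:26:389 3488 Service name: efoyjev
22:22:26:390 3488 Image path:
22:22:33:816 3488 RegNode HKLM\SYSTEM\ControlSet001\services\efoyjev infected by TDSS rootkit ... 22:22:33:817 3488 will be deleted on reboot
22:22:33:856 3488 RegNode HKLM\SYSTEM\ControlSet002\services\efoyjev infected by TDSS rootkit ... 22:22:33:856 3488 will be deleted on reboot
22:22:33:872 3488 File C:\Windows\system32\drivers\efoyjev.sys infected by TDSS rootkit ... 22:22:33:873 3488 will be deleted on reboot
22:22:38:281 3488 Suspicious file (NoAccess): C:\Windows\system32\drivers\efoyjev.sys. md5: 80c6af4f948d4168fc90da1a6f4b6924
22:22:52:199 3488 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
22:22:52:199 3488 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# GMER registry lines posted above, plus a constructed demand-start service that must not match.
SAMPLE_GMER = r"""
Reg HKLM\SYSTEM\CurrentControlSet\services\efoyjev@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\efoyjev@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\efoyjev@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\demoSvc@Type 16
Reg HKLM\SYSTEM\CurrentControlSet\services\demoSvc@Start 3
"""
```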

#9 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,762 posts
  • Gender: Male
  • Location: NJ USA

Posted 05 July 2010 - 09:48 PM

Good. How are the redirects, gone now?
I would still like to do these and be sure there is nothing left, before we mop up.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan, click Remove Selected, post the new scan log and reboot into normal mode.


An Online scan with ESET
Please perform a scan with Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (Please be patient, as the scan could take some time to complete.)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\ESET\ESET Online Scanner\log.txt folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\ESET\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#10 Tomhernandez (Topic Starter)

Posted 06 July 2010 - 12:18 AM

The redirects have gone away, and Internet Explorer has stopped randomly opening itself. Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4281

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

7/5/2010 11:46:00 PM
mbam-log-2010-07-05 (23-46-00).txt

Scan type: Quick scan
Objects scanned: 129515
Time elapsed: 13 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skb (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7796075f-e450-4486-8289-693589554321}\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.66,93.188.161.206 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Yeah, ESET took some time, but here is the log it created:

C:\Users\Tom\AppData\Local\Temp\winservice.exe probably a variant of Win32/Injector.CEO trojan cleaned by deleting - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5A2XSVFI\id2[1].htm multiple threats deleted - quarantined


I'm pretty sure it quarantined them, and I checked the delete files box, then Finish.
What are your thoughts?
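The two findings in the MBAM log above, a rogue DhcpNameServer value on one network interface and a Run-key entry, are exactly the kind of persistence that tends to come back after a cleanup. The script below is an added example, not part of this thread and not code from Malwarebytes or ESET: it walks every interface's resolver settings and the Run/RunOnce keys and reports anything that is not on an allowlist or that starts from a Temp directory (the injector ESET found was in the user's Local\Temp). It assumes Windows PowerShell 3.0 or later in an elevated prompt, and the addresses in $TrustedDns are hypothetical placeholders that you replace with your own router or ISP resolvers. Against the values in the log (93.188.162.66 and 93.188.161.206) the first check would flag both.

```powershell
# Added example, not from the thread. Run in an elevated Windows PowerShell
# (3.0 or later) prompt after remediation to confirm the two persistence points
# MBAM reported are really gone.
#
# ASSUMPTION: the resolvers you expect to see. Replace with your router/ISP
# servers; the addresses below are hypothetical placeholders.
$TrustedDns = @('192.168.1.1', '8.8.8.8', '8.8.4.4')

$findings = New-Object System.Collections.Generic.List[object]

# 1. Resolver lists for every network interface. Both the static NameServer
#    value and the DHCP-supplied DhcpNameServer value are checked, because the
#    DNSChanger entry in the log above was under DhcpNameServer.
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $ifaceRoot) {
    $props = Get-ItemProperty $iface.PSPath
    foreach ($valueName in 'NameServer', 'DhcpNameServer') {
        $raw = $props.$valueName
        if (-not $raw) { continue }
        # Stored as a comma- or space-separated list of addresses
        foreach ($server in ($raw -split '[,\s]+' | Where-Object { $_ })) {
            if ($TrustedDns -notcontains $server) {
                $findings.Add([pscustomobject]@{
                    Check = 'UntrustedDns'
                    Where = "$($iface.PSChildName)\$valueName"
                    Value = $server
                })
            }
        }
    }
}

# 2. Autostart entries whose command lives in a user-writable Temp directory.
#    ESET found the injector at %LOCALAPPDATA%\Temp\winservice.exe; nothing
#    legitimate should be starting from there at every logon.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty $key
    foreach ($entry in $entries.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # provider metadata, not a Run value
        if ("$($entry.Value)" -match '\\Temp\\|%TEMP%|%TMP%') {
            $findings.Add([pscustomobject]@{
                Check = 'RunFromTemp'
                Where = "$key\$($entry.Name)"
                Value = $entry.Value
            })
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    exit 1        # non-zero exit so the check can be scripted
} else {
    'OK: no untrusted DNS servers and no Run entries from Temp.'
}
```

Run it once right after cleanup and again a day or two later; a DhcpNameServer value that reappears after a reboot means either the dropper is still present or something on the LAN (a compromised router, for instance) is handing out the rogue resolvers over DHCP, which no amount of host cleaning will fix.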

#11 boopme (Global Moderator)

Posted 06 July 2010 - 12:05 PM

Ok, this looks good here. The dangerous infection is the injector that ESET deleted.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
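The same procedure from a Windows PowerShell prompt, added here as an example; it is not part of the thread and not Microsoft's own walkthrough. It creates the post-cleanup restore point, lists what exists, and then drops every shadow copy on the system drive except the newest, which is what Disk Cleanup's "all but the most recent restore point" button does under the hood, since Vista and Windows 7 store restore points in Volume Shadow Copies. Assumptions: an elevated Windows PowerShell prompt (Get-ComputerRestorePoint is not in PowerShell 7), System Protection enabled on the system drive, and no objection to losing older "Previous Versions" of files on that drive, because those live in the same shadow copies.

```powershell
# Added example, not from the thread. Elevated Windows PowerShell on Vista /
# Windows 7 or later. ASSUMPTION: System Protection is enabled on $drive.
$drive = $env:SystemDrive            # normally C:

# 1. Create the post-cleanup restore point with a description you will
#    recognise later in the System Restore dialog.
#    Caveat: Windows 8 and later refuse a second point within 24 hours unless
#    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\
#    SystemRestorePointCreationFrequency is set to 0.
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType MODIFY_SETTINGS

# 2. List what exists now; the highest SequenceNumber should be the new point.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Format-Table SequenceNumber, Description,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize

# 3. Delete shadow copies oldest-first until only one remains. /for limits the
#    deletion to the system drive; /quiet suppresses the confirmation prompt.
$shadowCount = (vssadmin list shadows /for=$drive | Select-String 'Shadow Copy ID').Count
while ($shadowCount -gt 1) {
    vssadmin delete shadows /for=$drive /oldest /quiet | Out-Null
    $shadowCount--
}

# 4. Confirm that only the point created in step 1 is left.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description -AutoSize
```

If step 4 still shows older points after the loop, they are on a different volume than $drive; repeat step 3 for that drive letter. Keep a note of the SequenceNumber and description, as the post above says, so you can pick the right point if you ever need to roll back.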

#12 Tomhernandez (Topic Starter)

Posted 06 July 2010 - 01:45 PM

Cool, thanks for all your help with my computer. I'm gonna get on and make that restore point soon.

Thanks again,

Tom

#13 boopme (Global Moderator)

Posted 06 July 2010 - 01:56 PM

You're welcome. That injector has a chance to come back, so at the first sign of anything, post back here. It shouldn't, but the infection has the capability.

Tips to protect yourself against malware and reduce the potential for re-infection:

Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read:
