
Variant of the redirect bug; nothing I have used will find it!


  • This topic is locked
18 replies to this topic

#1 mteele

mteele

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 13 August 2010 - 09:54 PM

Hi guys,

First let me say thank you in advance for your help in dealing with this malware/virus issue.

It first popped up 4 days ago after my wife downloaded something. The computer was instantly taken over by malware, pushing me to fake antivirus websites, lots of pop-ups, etc. You know the deal. It wouldn't let me run Malwarebytes or download AVG or any other protection software. I messed around with the startup menu, rebooted, and managed to get MWB off and running before it could be stopped by the malware. It and AVG found a few things, but I can't remember what they were. But even after all systems were reported clean, I was still experiencing a problem. Whenever I typed a URL into the address bar, it would push/redirect the URL to a Google search (my default browser). If I leave Bing as my default search, it would redirect to Bing. For example, if I type CNN.com into my browser, what appears is like I just typed CNN.com into my Google quick search bar in IE. Some websites would pull up fine and seemingly unaffected, but a lot of popular websites seemed to be blocked from access. IE just couldn't find those websites (ESPN, CNN, etc.). Also, when I tried getting to CNET to download the latest MWB version, I would get as far as the file download popping up to save when it would sever the connection. I decided to do things the easy and clean way: reinstall Windows 7. I installed Windows 7 onto another hard drive and everything behaved normally again. (I have 4 HDDs, one small drive solely for running Windows, so this was supposed to be an easy fix; it has worked before.)

Then I formatted my original OS hard drive (twice, quick format and full) and then reinstalled Windows 7 x64 again on it. The problem is back!!!!! I don't get it; it's the weirdest thing. Kaspersky, Malwarebytes, SUPERAntiSpyware, Spybot S&D, none of them can find it. rKill found a dll file yesterday it identified as malware in my SysWOW64 folder, but nothing since then. Either the virus hid itself from the main hard drive, or it's residing on the drive where I install all my software to, I would think.

The problem is also intermittent to a degree. When I first boot the computer up, all websites will work. But after the computer has been on for a while, the problems begin.

Anyways, I hope that was a somewhat helpful history. On with the DDS log. I just ran these logs, but the problem isn't currently showing up in IE, so is it possible that this log may not be accurate enough? I could not run GMER, as it won't run on a Windows 7 x64 system.


DDS (Ver_10-03-17.01) - NTFSX64
Run by Matthew Teele at 22:50:01.52 on Fri 08/13/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4094.2490 [GMT -4:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
G:\Program Files\Malwarebytes' Anti-Malware\SASCORE64.EXE
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
G:\Program Files\Malwarebytes' Anti-Malware\SUPERAntiSpyware.exe
G:\Program Files\RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\x64\klwtblfs.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10i_ActiveX.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Matthew Teele\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - g:\program files\roboform\roboform.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - g:\program files\roboform\roboform.dll
uRun: [SUPERAntiSpyware] g:\program files\malwarebytes' anti-malware\SUPERAntiSpyware.exe
uRun: [RoboForm] "g:\program files\roboform\RoboTaskBarIcon.exe"
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [SpybotSD TeaTimer] c:\program files (x86)\spybot - search & destroy\TeaTimer.exe
mRun: [SunJavaUpdateSched] "c:\program files (x86)\common files\java\java update\jusched.exe"
mRun: [AVP] "c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\avp.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Anti-Banner - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: Customize Menu - file://g:\program files\roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://g:\program files\roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://g:\program files\roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://g:\program files\roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - g:\program files\roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - g:\program files\roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - g:\program files\roboform\RoboFormComShowToolbar.html
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files (x86)\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: c:\progra~2\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~2\kasper~1\kasper~1\sbhook.dll
BHO-X64: IEVkbdBHO Class: {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\x64\ievkbd.dll
BHO-X64: IEVkbdBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - g:\program files\java\bin\jp2ssv.dll
BHO-X64: FilterBHO Class: {E33CF602-D945-461A-83F0-819F76A199F8} - c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\x64\klwtbbho.dll
BHO-X64: link filter bho - No File
TB-X64: {724D43A0-0D85-11D4-9908-00400523E39A} - No File
AppInit_DLLs-X64: c:\progra~2\kasper~1\kasper~1\x64\sbhook64.dll,c:\progra~2\kasper~1\kasper~1\x64\kloehk.dll

============= SERVICES / DRIVERS ===============

R0 KLBG;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 40464]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2009-9-14 27152]
R1 SASDIFSV;SASDIFSV;g:\program files\malwarebytes' anti-malware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;g:\program files\malwarebytes' anti-malware\saskutil64.sys [2010-2-17 12360]
R2 !SASCORE;SAS Core Service;g:\program files\malwarebytes' anti-malware\SASCore64.exe [2010-6-29 128752]
R2 AVP;Kaspersky Internet Security;c:\program files (x86)\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-10-20 340456]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\spybot - search & destroy\SDWinSec.exe [2010-8-13 1153368]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 21008]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt64win7.sys [2009-3-1 187392]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-8-13 19544]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-13 1255736]

=============== Created Last 30 ================

2010-08-14 01:31:33 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-14 01:31:33 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-08-14 00:56:30 0 d-----w- c:\program files\PeerBlock
2010-08-13 21:38:49 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-08-13 21:38:45 0 d-----w- c:\windows\syswow64\Wat
2010-08-13 21:38:45 0 d-----w- c:\windows\system32\Wat
2010-08-13 21:38:11 0 d-----w- c:\programdata\NVIDIA
2010-08-13 21:37:46 0 d-----w- c:\program files\NVIDIA Corporation
2010-08-13 10:39:49 0 d-----w- c:\programdata\RoboForm
2010-08-13 10:39:22 0 d-----w- c:\program files (x86)\Siber Systems
2010-08-13 10:35:29 311808 ----a-w- c:\windows\system32\msv1_0.dll
2010-08-13 10:35:29 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2010-08-13 10:32:43 99176 ----a-w- c:\windows\syswow64\PresentationHostProxy.dll
2010-08-13 10:32:43 49472 ----a-w- c:\windows\syswow64\netfxperf.dll
2010-08-13 10:32:43 48960 ----a-w- c:\windows\system32\netfxperf.dll
2010-08-13 10:32:43 444752 ----a-w- c:\windows\system32\mscoree.dll
2010-08-13 10:32:43 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2010-08-13 10:32:43 297808 ----a-w- c:\windows\syswow64\mscoree.dll
2010-08-13 10:32:43 295264 ----a-w- c:\windows\syswow64\PresentationHost.exe
2010-08-13 10:32:43 1942856 ----a-w- c:\windows\system32\dfshim.dll
2010-08-13 10:32:43 1130824 ----a-w- c:\windows\syswow64\dfshim.dll
2010-08-13 10:32:43 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-08-13 07:03:59 976896 ----a-w- c:\windows\system32\inetcomm.dll
2010-08-13 03:54:50 0 d-----w- c:\users\matthe~1\appdata\roaming\SUPERAntiSpyware.com
2010-08-13 03:54:50 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-13 03:54:47 0 d-----w- c:\programdata\!SASCORE
2010-08-13 03:45:05 0 d-----w- c:\users\matthe~1\appdata\roaming\Malwarebytes
2010-08-13 03:44:51 0 d-----w- c:\programdata\Malwarebytes
2010-08-13 03:44:49 24664 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-13 03:41:06 0 d-----w- c:\windows\pss
2010-08-13 02:42:35 0 d-----w- c:\windows\PCHEALTH
2010-08-13 02:38:44 0 d-----w- c:\program files\Microsoft Office
2010-08-13 02:37:11 0 d-----w- c:\programdata\Microsoft Help
2010-08-13 01:48:11 0 d-----w- c:\users\matthe~1\appdata\roaming\GetRightToGo
2010-08-13 00:36:37 0 d-----w- c:\windows\Panther
2010-08-12 22:36:30 149773 ----a-w- c:\windows\system32\drivers\klin.dat
2010-08-12 22:36:29 106765 ----a-w- c:\windows\system32\drivers\klick.dat
2010-08-12 22:36:18 0 d-----w- c:\programdata\Kaspersky Lab
2010-08-12 22:36:18 0 d-----w- c:\program files (x86)\Kaspersky Lab
2010-08-12 22:35:03 0 d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-08-12 22:26:32 0 d-----w- c:\windows\syswow64\Macromed
2010-08-12 21:21:30 0 d-----w- c:\users\matthe~1\appdata\roaming\Azureus
2010-08-12 21:05:07 468480 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-12 21:04:29 0 d-----w- c:\programdata\Sun
2010-08-12 21:04:25 423656 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-08-12 21:04:25 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-08-12 21:04:25 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-08-12 21:04:25 145184 ----a-w- c:\windows\syswow64\java.exe
2010-08-12 21:01:30 0 d-sh--w- c:\windows\Installer
2010-08-12 21:00:49 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-08-12 20:45:58 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-08-12 20:45:58 172032 ----a-w- c:\windows\syswow64\wintrust.dll
2010-08-12 20:45:49 139264 ----a-w- c:\windows\system32\cabview.dll
2010-08-12 20:45:49 132608 ----a-w- c:\windows\syswow64\cabview.dll

==================== Find3M ====================

2010-07-29 06:30:34 82944 ----a-w- c:\windows\syswow64\iccvid.dll
2010-07-27 14:03:24 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-06-30 07:13:46 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\syswow64\wininet.dll
2010-06-30 06:25:18 1226240 ----a-w- c:\windows\syswow64\urlmon.dll
2010-06-30 06:22:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-06-30 06:22:34 5971456 ----a-w- c:\windows\syswow64\mshtml.dll
2010-06-30 06:22:33 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-06-30 06:21:57 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-06-30 06:21:47 185856 ----a-w- c:\windows\syswow64\iepeers.dll
2010-06-30 06:21:47 176640 ----a-w- c:\windows\syswow64\ieui.dll
2010-06-30 06:21:46 10985472 ----a-w- c:\windows\syswow64\ieframe.dll
2010-06-30 06:21:44 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-06-30 06:19:16 12800 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-06-22 03:21:15 463360 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-22 03:20:50 404992 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-06-22 03:20:34 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-06-19 07:05:01 5507968 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-06-19 06:53:18 52224 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 06:33:29 3955080 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-06-19 06:33:29 3899784 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-06-19 06:23:50 37376 ----a-w- c:\windows\syswow64\rtutils.dll
2010-06-19 04:32:34 3122688 ----a-w- c:\windows\system32\win32k.sys
2010-06-16 06:11:10 340992 ----a-w- c:\windows\system32\schannel.dll
2010-06-16 05:48:35 224256 ----a-w- c:\windows\syswow64\schannel.dll
2010-06-08 06:02:06 1233920 ----a-w- c:\windows\syswow64\msxml3.dll
2010-06-08 05:36:31 1877504 ----a-w- c:\windows\system32\msxml3.dll
2010-05-27 07:24:13 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-05-27 06:34:09 46080 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 04:11:32 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2010-05-19 19:48:12 144384 ----a-w- c:\windows\system32\cdd.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-07-14 04:55:03 32768 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-07-14 04:55:03 16384 --sha-w- c:\windows\syswow64\config\systemprofile\appdata\roaming\microsoft\windows\cookies\index.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 22:50:30.40 ===============
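Nothing in the thread pins down the cause, so here is the check a helper would want first, as an added example that is not part of the original post and not from any tool mentioned in it. Two of the symptoms above are really one symptom: when a name typed into IE 8's address bar fails to resolve, the browser hands the text to the default search provider, so "CNN.com turned into a Google/Bing search" and "IE just couldn't find ESPN/CNN" both say that name resolution is failing for some hosts. The settings that can do that live in the hosts file, the adapters' DNS servers, the WinINet proxy/PAC settings, the IE search scopes and the Winsock catalog; the script below reads each of them and lists what deserves a second look. It is not a scanner and implicates no particular malware family: every finding needs a human to decide whether they put it there. Because the redirect only starts after the machine has been up for a while, run it while the symptom is present (the same caveat the poster raises about the DDS log). The private-address heuristic for DNS servers and the allow-list of search-engine hosts are assumptions written into the script, not facts from the thread.

```powershell
# Added example, not from the thread or any tool mentioned in it.
# Triage of the name-resolution and browser settings behind
# "typed URL becomes a search / IE cannot find the site".
# Save as Redirect-Triage.ps1; run in an elevated 64-bit PowerShell while the
# symptom is present. Targets PowerShell 2.0 (Windows 7). Each finding is
# something to inspect, not proof of infection.

$findings = New-Object System.Collections.ArrayList
function Add-Finding([string]$area, [string]$detail) {
    [void]$findings.Add((New-Object PSObject -Property @{ Area = $area; Detail = $detail }))
}

# 1. hosts file: anything other than loopback -> localhost gets reported.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content $hostsPath)) {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { continue }
    $parts = $t -split '\s+'
    $isLoopback = ($parts[0] -eq '127.0.0.1' -or $parts[0] -eq '::1') -and ($parts[1] -eq 'localhost')
    if (-not $isLoopback) { Add-Finding 'hosts' $t }
}

# 2. Per-adapter DNS servers. Heuristic (an assumption, tune it for your LAN):
# a home resolver is normally the router, i.e. the DHCP server or a private
# address. Anything else is reported so you can confirm you configured it.
$private = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|fe80:|fd)'
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' | ForEach-Object {
    $desc = $_.Description
    $dhcp = $_.DHCPServer
    $servers = @($_.DNSServerSearchOrder | Where-Object { $_ })
    "{0}: DHCP={1} DHCPServer={2} DNS={3}" -f $desc, $_.DHCPEnabled, $dhcp, ($servers -join ', ')
    foreach ($s in $servers) {
        if ($s -ne $dhcp -and $s -notmatch $private) {
            Add-Finding 'dns' ("{0} resolves through {1}" -f $desc, $s)
        }
    }
}

# 3. WinINet proxy (per user): a proxy or PAC URL you did not set routes every
# browser request through someone else's machine.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { Add-Finding 'proxy' ('ProxyServer=' + $inet.ProxyServer) }
if ($inet.AutoConfigURL)     { Add-Finding 'proxy' ('AutoConfigURL=' + $inet.AutoConfigURL) }

# 4. IE search scopes: the address-bar fallback uses the default scope's URL, so
# a swapped URL sends every failed lookup to the hijacker. The engine allow-list
# is an assumption; add the engines you actually use.
$scopesKey = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$knownEngine = '^https?://([a-z0-9-]+\.)*(google\.com|bing\.com|yahoo\.com|ask\.com)/'
if (Test-Path $scopesKey) {
    $default = (Get-ItemProperty $scopesKey).DefaultScope
    foreach ($scope in (Get-ChildItem $scopesKey)) {
        $p = Get-ItemProperty $scope.PSPath
        $mark = ' '
        if ($scope.PSChildName -eq $default) { $mark = '*' }   # * marks the default scope
        '{0} {1} {2}' -f $mark, $p.DisplayName, $p.URL
        if ($p.URL -and $p.URL -notmatch $knownEngine) {
            Add-Finding 'searchscope' ('{0} -> {1}' -f $p.DisplayName, $p.URL)
        }
    }
}

# 5. Winsock catalog: layered providers load into every process that opens a
# socket. A provider DLL outside system32 needs a known owner (some firewalls and
# AV suites add one legitimately). Assumes English-language netsh output.
$system32 = Join-Path $env:SystemRoot 'system32\*'
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
        $path = [Environment]::ExpandEnvironmentVariables($matches[1])
        if ($path -notlike $system32) { Add-Finding 'winsock' $path }
    }
}

"`n== {0} finding(s) ==" -f $findings.Count
$findings | Format-Table Area, Detail -AutoSize
```

Run it from a 64-bit PowerShell on an x64 install: a 32-bit process is redirected from system32 to SysWOW64 by the file-system redirector, which is also why 32-bit tools such as HijackThis 2.0.4 report 64-bit-only service binaries under C:\Windows\system32 as "(file missing)" on x64 even though they are present. If the DNS line shows the router as the resolver, the router's own upstream DNS setting (in its admin page, on no hard drive at all) is the next thing to check, since it survives every reinstall of every disk in the machine.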

#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:08 PM

Posted 21 August 2010 - 01:27 PM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  1. Double click on RSIT.exe to run RSIT.
  2. Click Continue at the disclaimer screen.
  3. Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  1. Reply to this thread; do not start another!
  2. Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  3. Do not run any other tool until instructed to do so!
  4. Let me know if any of the links do not work or if any of the tools do not work.
  5. Tell me about problems or symptoms that occur during the fix.
  6. Do not run any other programs or open any other windows while doing a fix.
  7. Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 mteele

mteele
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 21 August 2010 - 08:08 PM

I still have symptoms of a website not being available. If I restart the computer it fixes the problem though. But lately, no URLs I type into the address bar have been redirecting me to a Google search.

Here is the log:

Logfile of random's system information tool 1.08 (written by random/random)
Run by Matthew Teele at 2010-08-21 21:05:45
Microsoft Windows 7 Home Premium
System drive C: has 9 GB (30%) free of 31 GB
Total RAM: 4094 MB (69% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:05:49 PM, on 8/21/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
G:\Program Files\RoboForm\robotaskbaricon.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10i_ActiveX.exe
C:\Users\Matthew Teele\Desktop\Malware Tools\RSIT.exe
C:\Program Files (x86)\trend micro\Matthew Teele.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/topic339619.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - G:\Program Files\RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - G:\Program Files\RoboForm\roboform.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\Malwarebytes' Anti-Malware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [RoboForm] "G:\Program Files\RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Customize Menu - file://G:\Program Files\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://G:\Program Files\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://G:\Program Files\RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://G:\Program Files\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\Program Files\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\Program Files\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\Program Files\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\Program Files\RoboForm\RoboFormComSavePass.html
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\Program Files\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\Program Files\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - G:\Program Files\Malwarebytes' Anti-Malware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9382 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
IEVkbdBHO Class - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll [2009-10-20 68112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
G:\Program Files\RoboForm\roboform.dll [2010-08-13 6042176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-08-17 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E33CF602-D945-461A-83F0-819F76A199F8}]
FilterBHO Class - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll [2009-10-20 268816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - G:\Program Files\RoboForm\roboform.dll [2010-08-13 6042176]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"AVP"=C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [2010-08-18 340520]
"SunJavaUpdateSched"=C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=G:\Program Files\Malwarebytes' Anti-Malware\SUPERAntiSpyware.exe [2010-07-19 2957040]
"RoboForm"=G:\Program Files\RoboForm\RoboTaskBarIcon.exe [2010-08-13 160328]
"PeerBlock"=C:\Program Files\PeerBlock\peerblock.exe [2009-09-28 2101848]
"SpybotSD TeaTimer"=C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\!SASCORE]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=5
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"ForceActiveDesktopOn"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-08-21 21:05:45 ----D---- C:\rsit
2010-08-21 21:05:45 ----D---- C:\Program Files (x86)\trend micro
2010-08-17 21:20:40 ----D---- C:\Program Files (x86)\Common Files\Java
2010-08-17 21:20:20 ----A---- C:\Windows\SysWOW64\deployJava1.dll
2010-08-17 21:20:14 ----D---- C:\Program Files (x86)\Java
2010-08-15 02:12:30 ----A---- C:\TDSSKiller.2.4.1.1_15.08.2010_02.12.30_log.txt
2010-08-14 23:13:10 ----A---- C:\TDSSKiller.2.4.1.1_14.08.2010_23.13.10_log.txt
2010-08-14 00:16:43 ----D---- C:\ProgramData\Adobe
2010-08-14 00:16:42 ----D---- C:\Program Files (x86)\Common Files\Adobe
2010-08-13 21:31:33 ----D---- C:\ProgramData\Spybot - Search & Destroy
2010-08-13 21:31:33 ----D---- C:\Program Files (x86)\Spybot - Search & Destroy
2010-08-13 21:22:35 ----D---- C:\32788R22FWJFW
2010-08-13 17:38:45 ----D---- C:\Windows\SysWOW64\Wat
2010-08-13 17:38:11 ----D---- C:\ProgramData\NVIDIA
2010-08-13 06:39:49 ----D---- C:\ProgramData\RoboForm
2010-08-13 06:39:22 ----D---- C:\Program Files (x86)\Siber Systems
2010-08-13 06:35:29 ----A---- C:\Windows\SysWOW64\msv1_0.dll
2010-08-13 06:32:43 ----A---- C:\Windows\SysWOW64\PresentationHostProxy.dll
2010-08-13 06:32:43 ----A---- C:\Windows\SysWOW64\PresentationHost.exe
2010-08-13 06:32:43 ----A---- C:\Windows\SysWOW64\netfxperf.dll
2010-08-13 06:32:43 ----A---- C:\Windows\SysWOW64\mscoree.dll
2010-08-13 06:32:43 ----A---- C:\Windows\SysWOW64\dfshim.dll
2010-08-13 03:04:17 ----A---- C:\Windows\SysWOW64\asycfilt.dll
2010-08-13 03:04:15 ----A---- C:\Windows\SysWOW64\ntdll.dll
2010-08-13 03:04:13 ----A---- C:\Windows\SysWOW64\vbscript.dll
2010-08-13 03:04:13 ----A---- C:\Windows\SysWOW64\schannel.dll
2010-08-13 03:04:12 ----A---- C:\Windows\SysWOW64\wmp.dll
2010-08-13 03:04:11 ----A---- C:\Windows\SysWOW64\CertEnroll.dll
2010-08-13 03:04:10 ----A---- C:\Windows\SysWOW64\wmploc.DLL
2010-08-13 03:04:07 ----A---- C:\Windows\SysWOW64\secproc_ssp_isv.dll
2010-08-13 03:04:07 ----A---- C:\Windows\SysWOW64\secproc_ssp.dll
2010-08-13 03:04:07 ----A---- C:\Windows\SysWOW64\secproc_isv.dll
2010-08-13 03:04:07 ----A---- C:\Windows\SysWOW64\secproc.dll
2010-08-13 03:04:07 ----A---- C:\Windows\SysWOW64\RMActivate_ssp_isv.exe
2010-08-13 03:04:07 ----A---- C:\Windows\SysWOW64\RMActivate_ssp.exe
2010-08-13 03:04:07 ----A---- C:\Windows\SysWOW64\RMActivate_isv.exe
2010-08-13 03:04:07 ----A---- C:\Windows\SysWOW64\RMActivate.exe
2010-08-13 03:04:00 ----A---- C:\Windows\SysWOW64\shell32.dll
2010-08-13 03:03:58 ----A---- C:\Windows\SysWOW64\t2embed.dll
2010-08-13 03:03:58 ----A---- C:\Windows\SysWOW64\inetcomm.dll
2010-08-13 03:03:55 ----A---- C:\Windows\SysWOW64\ntoskrnl.exe
2010-08-13 03:03:55 ----A---- C:\Windows\SysWOW64\ntkrnlpa.exe
2010-08-13 03:03:53 ----A---- C:\Windows\SysWOW64\mshtml.dll
2010-08-13 03:03:53 ----A---- C:\Windows\SysWOW64\ieframe.dll
2010-08-13 03:03:52 ----A---- C:\Windows\SysWOW64\urlmon.dll
2010-08-13 03:03:52 ----A---- C:\Windows\SysWOW64\mstime.dll
2010-08-13 03:03:51 ----A---- C:\Windows\SysWOW64\wininet.dll
2010-08-13 03:03:51 ----A---- C:\Windows\SysWOW64\msfeedssync.exe
2010-08-13 03:03:51 ----A---- C:\Windows\SysWOW64\msfeedsbs.dll
2010-08-13 03:03:51 ----A---- C:\Windows\SysWOW64\jsproxy.dll
2010-08-13 03:03:51 ----A---- C:\Windows\SysWOW64\ieui.dll
2010-08-13 03:03:51 ----A---- C:\Windows\SysWOW64\iepeers.dll
2010-08-13 03:03:51 ----A---- C:\Windows\SysWOW64\iedkcs32.dll
2010-08-13 03:03:49 ----A---- C:\Windows\SysWOW64\wow32.dll
2010-08-13 03:03:49 ----A---- C:\Windows\SysWOW64\user.exe
2010-08-13 03:03:49 ----A---- C:\Windows\SysWOW64\setup16.exe
2010-08-13 03:03:49 ----A---- C:\Windows\SysWOW64\ntvdm64.dll
2010-08-13 03:03:49 ----A---- C:\Windows\SysWOW64\instnm.exe
2010-08-13 03:03:49 ----A---- C:\Windows\SysWOW64\explorer.exe
2010-08-13 03:03:49 ----A---- C:\Windows\explorer.exe
2010-08-13 03:03:48 ----A---- C:\Windows\SysWOW64\rtutils.dll
2010-08-13 03:03:44 ----A---- C:\Windows\SysWOW64\iccvid.dll
2010-08-13 03:03:43 ----A---- C:\Windows\SysWOW64\CPFilters.dll
2010-08-13 03:03:42 ----A---- C:\Windows\SysWOW64\psisdecd.dll
2010-08-13 03:03:41 ----A---- C:\Windows\SysWOW64\tsbyuv.dll
2010-08-13 03:03:41 ----A---- C:\Windows\SysWOW64\quartz.dll
2010-08-13 03:03:41 ----A---- C:\Windows\SysWOW64\msyuv.dll
2010-08-13 03:03:41 ----A---- C:\Windows\SysWOW64\msvidc32.dll
2010-08-13 03:03:41 ----A---- C:\Windows\SysWOW64\msrle32.dll
2010-08-13 03:03:41 ----A---- C:\Windows\SysWOW64\mciavi32.dll
2010-08-13 03:03:41 ----A---- C:\Windows\SysWOW64\iyuv_32.dll
2010-08-13 03:03:41 ----A---- C:\Windows\SysWOW64\avifil32.dll
2010-08-13 03:03:39 ----A---- C:\Windows\SysWOW64\msxml3.dll
2010-08-13 03:03:39 ----A---- C:\Windows\SysWOW64\jscript.dll
2010-08-13 03:03:37 ----A---- C:\Windows\SysWOW64\sspicli.dll
2010-08-13 03:03:37 ----A---- C:\Windows\SysWOW64\secur32.dll
2010-08-13 03:03:34 ----A---- C:\Windows\SysWOW64\msasn1.dll
2010-08-13 03:03:34 ----A---- C:\Windows\SysWOW64\fontsub.dll
2010-08-13 03:03:34 ----A---- C:\Windows\SysWOW64\atmlib.dll
2010-08-13 03:03:34 ----A---- C:\Windows\SysWOW64\atmfd.dll
2010-08-13 03:03:33 ----A---- C:\Windows\SysWOW64\tzres.dll
2010-08-12 23:54:50 ----D---- C:\Users\Matthew Teele\AppData\Roaming\SUPERAntiSpyware.com
2010-08-12 23:54:50 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2010-08-12 23:54:47 ----D---- C:\ProgramData\!SASCORE
2010-08-12 23:45:05 ----D---- C:\Users\Matthew Teele\AppData\Roaming\Malwarebytes
2010-08-12 23:44:56 ----A---- C:\Windows\SysWOW64\drivers\mbamswissarmy.sys
2010-08-12 23:44:51 ----D---- C:\ProgramData\Malwarebytes
2010-08-12 23:41:06 ----D---- C:\Windows\pss
2010-08-12 22:43:39 ----D---- C:\Program Files (x86)\Microsoft Works
2010-08-12 22:43:10 ----D---- C:\Program Files (x86)\Microsoft Visual Studio
2010-08-12 22:43:10 ----D---- C:\Program Files (x86)\Common Files\DESIGNER
2010-08-12 22:42:35 ----D---- C:\Windows\PCHEALTH
2010-08-12 22:42:34 ----D---- C:\Program Files (x86)\Microsoft.NET
2010-08-12 22:37:11 ----D---- C:\ProgramData\Microsoft Help
2010-08-12 21:48:11 ----D---- C:\Users\Matthew Teele\AppData\Roaming\GetRightToGo
2010-08-12 20:36:37 ----D---- C:\Windows\Panther
2010-08-12 19:38:00 ----D---- C:\Windows\Prefetch
2010-08-12 19:37:45 ----ASH---- C:\pagefile.sys
2010-08-12 19:37:42 ----ASH---- C:\hiberfil.sys
2010-08-12 18:36:18 ----D---- C:\ProgramData\Kaspersky Lab
2010-08-12 18:36:18 ----D---- C:\Program Files (x86)\Kaspersky Lab
2010-08-12 18:35:03 ----D---- C:\ProgramData\Kaspersky Lab Setup Files
2010-08-12 18:26:34 ----D---- C:\Users\Matthew Teele\AppData\Roaming\Macromedia
2010-08-12 18:26:34 ----D---- C:\Users\Matthew Teele\AppData\Roaming\Adobe
2010-08-12 18:26:32 ----D---- C:\Windows\SysWOW64\Macromed
2010-08-12 18:07:45 ----A---- C:\TDSSKiller.2.4.1.1_12.08.2010_18.07.45_log.txt
2010-08-12 17:21:30 ----D---- C:\Users\Matthew Teele\AppData\Roaming\Azureus
2010-08-12 17:04:29 ----D---- C:\ProgramData\Sun
2010-08-12 17:04:25 ----A---- C:\Windows\SysWOW64\javaws.exe
2010-08-12 17:04:25 ----A---- C:\Windows\SysWOW64\javaw.exe
2010-08-12 17:04:25 ----A---- C:\Windows\SysWOW64\java.exe
2010-08-12 17:01:30 ----SHD---- C:\Windows\Installer
2010-08-12 16:45:58 ----A---- C:\Windows\SysWOW64\wintrust.dll
2010-08-12 16:45:49 ----A---- C:\Windows\SysWOW64\cabview.dll
2010-08-12 16:44:56 ----D---- C:\Users\Matthew Teele\AppData\Roaming\Identities
2010-08-12 16:44:52 ----SD---- C:\Users\Matthew Teele\AppData\Roaming\Microsoft
2010-08-12 16:44:52 ----D---- C:\Users\Matthew Teele\AppData\Roaming\Media Center Programs
2010-08-12 16:44:42 ----SHD---- C:\Recovery
2010-08-12 16:44:38 ----D---- C:\Windows\SoftwareDistribution
2010-08-10 16:24:57 ----SHD---- C:\System Volume Information

======List of files/folders modified in the last 1 months======

2010-08-21 21:05:48 ----D---- C:\Windows\Temp
2010-08-21 21:05:45 ----RD---- C:\Program Files (x86)
2010-08-21 10:31:48 ----D---- C:\Windows\System32
2010-08-21 10:31:48 ----D---- C:\Windows\inf
2010-08-18 17:40:41 ----D---- C:\Windows\SysWOW64
2010-08-17 21:20:40 ----D---- C:\Program Files (x86)\Common Files
2010-08-16 19:22:20 ----D---- C:\Windows\Microsoft.NET
2010-08-16 19:22:19 ----RSD---- C:\Windows\assembly
2010-08-16 00:07:45 ----D---- C:\Windows\SysWOW64\en-US
2010-08-14 00:17:04 ----D---- C:\Windows\winsxs
2010-08-14 00:16:43 ----HD---- C:\ProgramData
2010-08-13 20:56:30 ----RD---- C:\Program Files
2010-08-13 17:38:47 ----D---- C:\Windows
2010-08-13 17:38:05 ----D---- C:\Windows\Help
2010-08-13 17:24:21 ----D---- C:\Program Files (x86)\Windows Media Player
2010-08-13 17:24:20 ----D---- C:\Windows\SysWOW64\migration
2010-08-13 17:24:20 ----D---- C:\Program Files (x86)\Windows Mail
2010-08-13 17:24:20 ----D---- C:\Program Files (x86)\Internet Explorer
2010-08-13 17:24:19 ----D---- C:\Windows\ehome
2010-08-13 17:24:19 ----D---- C:\Windows\AppPatch
2010-08-13 07:31:38 ----D---- C:\Windows\rescache
2010-08-13 06:31:07 ----D---- C:\Windows\debug
2010-08-13 03:37:03 ----D---- C:\Windows\Logs
2010-08-12 23:44:56 ----D---- C:\Windows\SysWOW64\drivers
2010-08-12 22:43:38 ----D---- C:\Program Files (x86)\Common Files\microsoft shared
2010-08-12 22:43:07 ----D---- C:\Windows\ShellNew
2010-08-12 22:42:42 ----RSD---- C:\Windows\Fonts
2010-08-12 22:42:35 ----SD---- C:\ProgramData\Microsoft
2010-08-12 22:38:06 ----A---- C:\Windows\win.ini
2010-08-12 22:38:05 ----D---- C:\Program Files (x86)\Common Files\System
2010-08-12 18:26:34 ----D---- C:\Windows\Downloaded Program Files
2010-08-12 16:44:54 ----SHD---- C:\$Recycle.Bin
2010-08-12 16:44:49 ----RD---- C:\Users

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 KLBG;Kaspersky Lab Boot Guard Driver; C:\Windows\system32\DRIVERS\klbg.sys []
R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys []
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys []
R1 kl1;kl1; C:\Windows\system32\DRIVERS\kl1.sys []
R1 KLIF;Kaspersky Lab Driver; C:\Windows\system32\DRIVERS\klif.sys []
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter; C:\Windows\system32\DRIVERS\klim6.sys []
R1 SASDIFSV;SASDIFSV; \??\G:\Program Files\Malwarebytes' Anti-Malware\SASDIFSV64.SYS [2010-02-17 14920]
R1 SASKUTIL;SASKUTIL; \??\G:\Program Files\Malwarebytes' Anti-Malware\SASKUTIL64.SYS [2010-02-17 12360]
R3 BthEnum;Bluetooth Request Block Driver; C:\Windows\system32\DRIVERS\BthEnum.sys []
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys []
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys []
R3 klmouflt;Kaspersky Lab KLMOUFLT; C:\Windows\system32\DRIVERS\klmouflt.sys []
R3 pbfilter;pbfilter; \??\C:\Program Files\PeerBlock\pbfilter.sys [2009-09-28 19544]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys []
R3 RTL8167;Realtek 8167 NT Driver; C:\Windows\system32\DRIVERS\Rt64win7.sys []
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 !SASCORE;SAS Core Service; G:\Program Files\Malwarebytes' Anti-Malware\SASCORE64.EXE [2010-06-29 128752]
R2 AVP;Kaspersky Internet Security; C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe [2010-08-18 340520]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe []
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe []

-----------------EOF-----------------
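
The log above ends with RSIT's "Registry dump" section. What follows is an added example, not part of the original post and not code from RSIT or HijackThis, of triaging that format mechanically instead of reading it by eye. It parses the [HKEY_...] blocks and the "Name"=path [date size] lines and flags three things a responder checks first: AppInit_DLLs (each DLL listed there is loaded into every process that loads user32.dll, a favourite injection point; in the log above it holds Kaspersky's mzvkbd3.dll and sbhook.dll, which is why the finding says verify the publisher rather than delete), ConsentPromptBehaviorAdmin set to 0 (UAC elevating with no prompt; the log shows 5, the Windows 7 default), and Run or BHO entries whose binary sits outside the Windows and Program Files trees (the log has SUPERAntiSpyware.exe under G:\Program Files\Malwarebytes' Anti-Malware\, the same O4 line the next reply asks HijackThis to fix). The O23 "(file missing)" lines are deliberately ignored: they come from the 32-bit HijackThis build looking for 64-bit system32 binaries through WOW64 file-system redirection. SAMPLE_DUMP and TRUSTED_PREFIXES are constructed for this example.

```python
"""Triage an RSIT "Registry dump" section (the format quoted above).

Added example; not part of the original post and not code from RSIT or
HijackThis.  SAMPLE_DUMP and TRUSTED_PREFIXES are constructed for this
example.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# "Name"=value   or   "Name"="quoted value"
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<q>"?)(?P<value>.*?)(?P=q)$')
# RSIT appends "[YYYY-MM-DD size]" to file entries; strip it before path extraction
STAMP_RE = re.compile(r"\s*\[\d{4}-\d{2}-\d{2} \d+\]$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^,\[\]"]+')

# Assumption for this example: where autostart code is expected to live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_dump(text):
    """Map each [HKEY_...] header to the non-blank lines under it."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None:
            sections[current].append(line)
    return sections


def paths_in(entry):
    """Every drive-letter path in an entry, with the date/size stamp removed."""
    return [p.strip() for p in PATH_RE.findall(STAMP_RE.sub("", entry))]


def is_trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(text):
    """Return [(severity, key, detail)] for the entries worth a second look."""
    findings = []
    for key, lines in parse_dump(text).items():
        k = key.lower()
        for line in lines:
            vm = VALUE_RE.match(line)
            name, value = (vm.group("name"), vm.group("value")) if vm else (None, line)
            if k.endswith(r"\windows nt\currentversion\windows") and name == "AppInit_DLLs":
                # Each DLL here is loaded into every process that loads user32.dll.
                for dll in filter(None, (d.strip() for d in value.split(","))):
                    findings.append(("high", key, f"AppInit_DLLs loads {dll}; verify the publisher"))
            elif k.endswith(r"\policies\system") and name == "ConsentPromptBehaviorAdmin" and value == "0":
                # 0 = elevate without prompting; Windows 7 ships with 5.
                findings.append(("high", key, "UAC consent prompt for administrators is disabled"))
            elif r"\currentversion\run" in k or "browser helper objects" in k:
                label = name if name else (line.split(" - ")[0].strip() if " - " in line else "entry")
                for p in paths_in(value):
                    if not is_trusted(p):
                        findings.append(("review", key, f"{label} loads from {p}"))
    return findings


# Constructed excerpt in RSIT's dump format (not the log from the thread).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
Example Helper - C:\Program Files (x86)\Example\helper.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleAV"=C:\Program Files (x86)\Example AV\av.exe [2010-08-18 340520]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"=C:\Users\user\AppData\Local\Temp\updater.exe [2010-08-20 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\PROGRA~2\EXAMPL~1\hook.dll,C:\Users\user\AppData\Roaming\x.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=0
"ConsentPromptBehaviorUser"=3
"""

if __name__ == "__main__":
    for severity, key, detail in triage(SAMPLE_DUMP):
        print(f"{severity:6} {detail}\n       {key}")
```

Paste a real dump in place of SAMPLE_DUMP to get the same report for it. Short 8.3 names such as PROGRA~2 are reported as written because they can only be resolved on the host itself; a "review" finding means the path is unusual, not that the file is malicious.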


#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:03:08 PM

Posted 22 August 2010 - 01:35 PM

NOTE: If for some reason you are unable to complete a step(s), skip that step and continue with the rest of the steps. Please describe your problem with the step in your next reply.

Step 1

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 2

a

Often redirection is caused by a DNS and Hosts file hijack. Flush and restore both.

Clean Hosts File
  1. Access folder C:\WINDOWS\SYSTEM32\DRIVERS\ETC in Explorer.
  2. Open file HOSTS in Notepad. Before making changes, do a Save As and save a backup of this file as HOSTS.BAK.
  3. Reopen the HOSTS file.
  4. Delete all entries in this file except for the following and any other entries you are sure have legitimate uses:

    127.0.0.1 localhost
  5. Save the file.
Note: If you use customized Hosts Files such as the mvps hosts file, you will need to download and install it again. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE.

b

Flush DNS:
  1. Open up a command prompt Start > Run > "cmd.exe" > OK.
  2. Type in the command ipconfig /flushdns.
Step 3

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.
  1. Please download TFC by OldTimer to your desktop.
  2. Open the file and close any other windows.
  3. It will close all programs itself when run; make sure to let it run uninterrupted.
  4. Click the Start button to begin the process. The program should not take long to finish its job.
  5. After it is finished, it should reboot your machine, if not, do this yourself to ensure a complete clean.
Step 4

In normal mode, run an online antivirus check from at least two and preferably three of the following sites
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an Active X to run.
  1. Detects and removes malware ( viruses, worms, trojans, etc. )
  2. Detects and removes grayware and spyware
  3. Restores damage caused by malware to your system.
  4. Notifies about vulnerabilities in installed programs and connected network services.
  5. Multi-platform support for: Windows, Linux, Solaris.
  6. Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, make a note of the file location of anything that cannot be deleted so you can delete it yourself. Please post that list in your next reply.

Step 5

We need to disconnect your computer from the Internet. By doing this, it prevents any further Internet activity until the removal of malware is complete. You need to make it impossible for viruses, trojan horses, worms and spyware to call for backup once you start to dismantle them. They will continue to infect your computer with new variants while you are connected to the Internet. We also need to prevent hackers from controlling your system and they will try to prevent you from removing the pests they installed on your computer.

Close ALL browser windows (including this one). Exit all processes and items in your System tray.

According to how your computer connects to the Internet, please disconnect your computer from the Internet. Possible means of disconnecting your computer from the Internet include:
  • Physically remove the cable for your broadband Internet service “Always On” Connection from your computer.
  • Turn your modem off.
  • Disconnect your modem cable from your computer.
  • Turn the device off for Hand-held wireless connections.
  • Some laptops have a switch that will disconnect the laptop from the Internet.
Step 6

During the process of removing malware from your computer, there are times you may need to use specialized fix tools. Certain embedded files that are part of these specialized fix tools may be detected by your antivirus or anti-malware scanner as a RiskTool, Hacking tool, Potentially unwanted tool, a virus or a Trojan when that is not the case.
These tools have been carefully created and tested by security experts so if your antivirus or anti-malware program flags them as malware, then it is a False Positive. Antivirus scanners cannot distinguish between good and malicious use of such programs; therefore, they may alert you or even automatically remove them. In these cases, the removal of these files can have unpredictable and unintended results.
To avoid any problems while using a specialized fix tool, it is very important that you temporarily disable your antivirus and/or anti-malware programs before using the specialized fix tool.
When your system has been cleaned, it is important that you enable your security programs to avoid reinfection.
Please disable the following program(s):

Spybot - S&D TeaTimer

We need to disable Spybot TeaTimer as it may interfere with the cleaning.
Please do not enable it until I tell you that your HijackThis log is clean.

A
  1. Right-click the Spybot icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  2. If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  3. If you have Version 1.4, Click on Exit Spybot S&D Resident.
B

Second step, for either version:
  1. Open Spybot S&D.
  2. Click Mode, choose Advanced Mode.
  3. Go To the bottom of the vertical Panel on the Left, Click Tools.
  4. In left panel, click Resident (shows a red/white shield).
  5. If your firewall raises a question, say OK.
  6. In the Resident protection status frame, uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active.
  7. OK any prompts.
  8. Use File > Exit to terminate Spybot.
  9. Reboot your machine for the changes to take effect.
    Don't forget to restart Spybot - Search and Destroy's Teatimer when your machine is clean and undo the changes above.

SUPERAntiSpyware

We need to disable SUPERAntiSpyware as it may interfere with the fixes that we need to make.
  1. Right click on the icon in your System Tray.
  2. Click Exit
  3. Make sure that the program, SUPERAntiSpyware itself, is also closed/not running.
Step 7

Now we will address the HijackThis fixes.
  1. If you have not already done so, please download Trend Micro - HijackThis.
  2. Double click HJTInstall.exe to begin installation.
  3. Accept the installation location, which by default is C:\Program Files\Trend Micro\HijackThis or click the Browse... button if you want to save it in another location.
  4. Click Install.
  5. A shortcut will be created on your Desktop and HijackThis will run automatically.
  6. Click the button labeled Do a system scan only.
  7. Click the Scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
  8. Click in the boxes to the left of the following entries to place check marks (make sure not to miss any):

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Program Files\Malwarebytes' Anti-Malware\SUPERAntiSpyware.exe

  9. Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.
Step 8

Optional Fixes is the name that we use for fixes for unnecessary programs that load during startup and run in the background. These programs are not required to start automatically as you can start them manually if you need them. You would be removing the program from your startup but you would not be removing the program itself.

Your computer may be sluggish due to the many programs loading during startup and running in the background that are not necessary. Windows has a facility for starting programs at startup time. Some of these programs are required for your computer and the applications installed on it to run correctly. A good example of such a program is a virus-checking application that must always run, constantly checking for and isolating or removing files with viruses. Other such programs are not strictly required, or are optional. In some cases, you can gain significant performance enhancements by disabling the automatic startup of these programs. In many cases, the functionality offered by the programs is still available by starting the programs manually by, for example, starting the program from the Windows Start->Programs menu. Media players and instant messaging programs often fall into this category. In fact, it is common for many modern software applications, when installed, to add programs at startup that add items to the system tray or shortcut (context) menus in Windows Explorer to provide quick access to the features and functions of these applications. While they may be useful, they do increase boot time and consume system resources. It is advised that you disable these programs so that they do not take up necessary resources or slow the boot time.

Other than ScanRegistry, SystemTray, StateMgr, antivirus program entries, and firewall program entries, very few others need to load and run.

Read the articles below to see if it applies to your computer problem with being slow to respond.
Slow Computer/browser? Check Here First; It May Not Be Malware
What to do if your Computer is running slowly
Help! My computer is slow!
50 Tips for a Super Fast PC
4 Ways to Speed Up Your Computer's Performance
It's not always malware: How to fix the top 10 Internet Explorer issues

If you decide that you want to stop the Optional Fixes in your startup, let me know and I will give you a list with instructions. You would be removing the program from your startup but you would not be removing the program itself.

Step 9

Please download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "Safe Mode" .
-- Post the log in your next reply.

Perform an anti-rootkit (ARK) scan with one of the following:
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  1. Disconnect from the Internet or physically unplug your Internet cable connection.
  2. Clean out your temporary files.
  3. Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  4. Temporarily disable your anti-virus and real-time anti-spyware protection.
  5. After starting the scan, do not use the computer until the scan has completed.
  6. When finished, enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.

Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

Step 10

Check to see if you have insecure applications with
Secunia Software Inspector. Secunia Software Inspector:
  1. Detects insecure versions of common/popular programs installed on your computer.
  2. Verifies that all Microsoft patches are applied.
  3. Assists you in updating, patching, and protecting your computer.
  4. Activates additional security features in Sun Java.
  5. Runs through your browser. No installation or download is required.
Step 11

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post:
  1. the list of file names and locations for any files that cannot be cleaned / deleted that were reported after you completed the online scans.
  2. a new HijackThis log
Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 mteele

mteele
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:08 PM

Posted 23 August 2010 - 10:44 PM

I'm having trouble with cleaning the host file. I try to do a Save As, but it says Access Denied. Here are the contents of the host file:

# Copyright © 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

I'll continue with the rest of the steps now.
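
Two notes on the hosts file quoted in this post, followed by an added example that is not part of the original posts. First, the file is the stock Windows 7 hosts file: Windows 7 ships the localhost lines commented out because the resolver handles that name itself, so Step 2a finds nothing to remove on this machine and the redirect has to be coming from somewhere else. Second, the Access Denied is expected rather than a symptom: the file lives under C:\Windows\System32\drivers\etc, which a non-elevated process cannot write to, so Notepad has to be started with "Run as administrator" before Save As will work. The example below does the Step 2a check against a copy of the file the way a responder would instead of reading it in Notepad: it keeps comments, blank lines and loopback localhost mappings, removes every other mapping, and reports each removed line with its line number, which matters because hijacked hosts files commonly push their entries below a long run of blank lines so they sit off-screen. The two sample files, the allowlist parameter and the .test host names are constructed for this example.

```python
"""Check and clean a Windows hosts file (Step 2a in the reply above).

Added example; not part of the original posts.  Keeps comments, blank
lines and loopback->localhost mappings, drops every other mapping, and
reports the dropped lines with their line numbers.  STOCK_WIN7 and
HIJACKED are constructed sample files.
"""
import ipaddress

LOCAL_NAMES = {"localhost"}


def classify(line):
    """Return ("comment", None), ("map", (ip, names)) or ("junk", None)."""
    body = line.split("#", 1)[0].strip()      # everything before a trailing comment
    if not body:
        return "comment", None
    fields = body.split()                     # tabs and runs of spaces both work
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return "junk", None                   # not "IP name [name...]": cannot be trusted
    if len(fields) < 2:
        return "junk", None
    return "map", (ip, [n.lower() for n in fields[1:]])


def is_expected(ip, names, allow):
    """Loopback->localhost is the only mapping the stock file needs;
    anything else must be on the operator's explicit allow-list."""
    if ip.is_loopback and set(names) <= LOCAL_NAMES:
        return True
    return set(names) <= allow


def clean_hosts(text, allowlist=()):
    """Return (cleaned_text, removed) where removed is [(line_no, line), ...]."""
    allow = {n.lower() for n in allowlist}
    kept, removed = [], []
    for no, line in enumerate(text.splitlines(), 1):
        kind, data = classify(line)
        if kind == "comment" or (kind == "map" and is_expected(*data, allow)):
            kept.append(line)
        else:
            removed.append((no, line))        # unknown mapping, or junk that is not a mapping
    return "\n".join(kept) + "\n", removed


# Constructed: the stock Windows 7 file, as quoted in the post above.
STOCK_WIN7 = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
"""

# Constructed: a hijacked layout, with the real entries pushed below a block
# of blank lines so they sit off-screen in Notepad.
HIJACKED = ("127.0.0.1\tlocalhost\n" + "\n" * 40
            + "203.0.113.7 www.google.com\n"
            + "127.0.0.1 www.example-av.test # blocks a security vendor\n")

if __name__ == "__main__":
    for label, sample in (("stock", STOCK_WIN7), ("hijacked", HIJACKED)):
        cleaned, removed = clean_hosts(sample)
        print(f"{label}: removed {len(removed)} line(s)")
        for no, line in removed:
            print(f"  line {no}: {line}")
```

To use it on the real file, read C:\Windows\System32\drivers\etc\hosts into a string, pass it to clean_hosts, inspect the removed list, and only then write the cleaned text back from an elevated prompt, keeping the HOSTS.BAK copy the reply asks for. Entries from a customised list such as the MVPS file all point at loopback but are not "localhost", so they are removed unless passed in allowlist; reinstalling that file afterwards, as the reply notes, is the simpler route.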

#6 mteele

mteele
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:08 PM

Posted 26 August 2010 - 10:27 PM

I'm still here, I thought the problem was gone, but then it hit again, this time back to the Google redirecting. I'm going to try doing each step a little faster this time and then post my results.

#7 mteele

mteele
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:08 PM

Posted 27 August 2010 - 03:40 PM

Activescan log:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-08-27 16:39:01
PROTECTIONS: 1
MALWARE: 16
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Kaspersky Internet Security No No
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@atdmt[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@tribalfusion[2].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@mediaplex[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@apmebf[2].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@burstnet[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@www.burstbeacon[2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@server.iad.liveperson[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@server.iad.liveperson[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@advertising[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@statse.webtrendslive[1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@overture[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@zedo[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@zedo[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\low\matthew_teele@go[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\users\matthew teele\appdata\roaming\microsoft\windows\cookies\matthew_teele@go[1].txt
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\users\matthew teele\appdata\local\temp\housecall\log\4a4ea3a1-3626-4a22-bcb3-86a0f1d90c45\backup\17747
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\users\matthew teele\desktop\malware tools\combofix.exe
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

#8 mteele

Posted 27 August 2010 - 03:41 PM

BitDefender Online Scanner

Scan report generated at: Thu, Aug 26, 2010 - 23:43:05

Scan path: A:\;C:\;D:\;E:\;F:\;G:\;

Statistics
Time: 01:32:59
Files: 1806819
Folders: 24870
Boot Sectors: 0
Archives: 20532
Packed Files: 87859

Results
Identified Viruses: 1
Infected Files: 1
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 0

Engines Info
Virus Definitions: 6273234
Engine build: AVCORE v2.1 Windows/i386 11.0.0.33 (Jun 18 2010)
Scan plugins: 18
Archive plugins: 44
Unpack plugins: 10
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Delete
Second Action: Prompt
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\ProgramData\Kaspersky Lab\AVP9\QB\25af4f9863c64bc6.klq=>(Quarantine-6)=>CORE/keygen.exe
Infected with: Trojan.Generic.4557428
C:\ProgramData\Kaspersky Lab\AVP9\QB\25af4f9863c64bc6.klq=>(Quarantine-6)=>CORE/keygen.exe
Delete failed
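Both scan reports above (the ActiveScan log in #7 and the BitDefender report in #8) are dominated by hits that cannot explain a live redirect: tracking cookies, a file inside HouseCall's backup folder, and a keygen inside Kaspersky's own quarantine container (which is also why BitDefender's delete failed). The following is an added example, not code from either post or either scanner; it parses both report formats and sorts each hit by where the file lives, so the handful of detections at live paths stand out. The excerpts follow the formats posted above with a generic user name; the Trj/Example.A row and its path are constructed to show a live-path hit, and the marker lists are a heuristic, not a complete catalogue of quarantine folders.

```python
"""Triage scanner hits by where the detected file lives.  Added example, not
code from the original posts or from either scanner.  The log excerpts below
follow the ActiveScan and BitDefender report formats posted in this thread;
the 'Trj/Example.A' row is constructed to show a hit outside any store."""
import re

# Path fragments (forward-slash normalised, lower-case) marking a browser
# cookie jar or another product's quarantine/backup store.  A detection in
# one of those is already contained or is just a tracking cookie; it does
# not explain live symptoms.  Heuristic list (an assumption), extend as needed.
COOKIE_MARKER = "/windows/cookies/"
STORE_MARKERS = (
    "/kaspersky lab/avp9/qb/",      # Kaspersky quarantine (.klq containers)
    "/housecall/log/",              # Trend Micro HouseCall backups
    "/quarantine/",
    "/backup/",
)


def classify_path(path):
    """'tracking-cookie', 'contained' (inside another scanner's store) or 'live'."""
    p = path.replace("\\", "/").lower()
    if COOKIE_MARKER in p:
        return "tracking-cookie"
    if any(marker in p for marker in STORE_MARKERS):
        return "contained"
    return "live"


# ActiveScan MALWARE table: Id Description Type Active Severity Disinfectable
# Disinfected Location.  Only Location may contain spaces, so anchor on the
# seven fixed fields and take the rest of the line as the path.
ACTIVESCAN_ROW = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>\S+)\s+(?P<type>\S+)\s+(?P<active>\S+)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>\S+)\s+(?P<disinfected>\S+)\s+"
    r"(?P<path>.+)$")


def parse_activescan(text):
    """Yield (description, path) for each MALWARE row."""
    for line in text.splitlines():
        m = ACTIVESCAN_ROW.match(line.strip())
        if m:
            yield m.group("desc"), m.group("path")


def parse_bitdefender(text):
    """Yield (description, path) from 'Scanned File / Status' pairs, where a
    path line is followed by a line 'Infected with: <name>'."""
    lines = [line.strip() for line in text.splitlines()]
    for path, status in zip(lines, lines[1:]):
        if status.startswith("Infected with:") and path:
            yield status.split(":", 1)[1].strip(), path


def triage(findings):
    """Bucket (description, path) pairs by classify_path()."""
    buckets = {"live": [], "contained": [], "tracking-cookie": []}
    for desc, path in findings:
        buckets[classify_path(path)].append((desc, path))
    return buckets


# Excerpts in the posted formats (generic user name).  The last ActiveScan
# row is constructed so that one hit lands at a live path.
ACTIVESCAN_SAMPLE = r"""
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\owner\appdata\roaming\microsoft\windows\cookies\owner@doubleclick[1].txt
03009106 W32/Xor-encoded.A Virus No 0 Yes No c:\users\owner\appdata\local\temp\housecall\log\4a4ea3a1-3626-4a22-bcb3-86a0f1d90c45\backup\17747
00000001 Trj/Example.A Trojan Yes 2 Yes No c:\users\owner\appdata\local\temp\svchost.exe
"""

BITDEFENDER_SAMPLE = r"""
Scanned File
Status

C:\ProgramData\Kaspersky Lab\AVP9\QB\25af4f9863c64bc6.klq=>(Quarantine-6)=>CORE/keygen.exe
Infected with: Trojan.Generic.4557428

C:\ProgramData\Kaspersky Lab\AVP9\QB\25af4f9863c64bc6.klq=>(Quarantine-6)=>CORE/keygen.exe
Delete failed
"""

if __name__ == "__main__":
    hits = list(parse_activescan(ACTIVESCAN_SAMPLE)) + list(parse_bitdefender(BITDEFENDER_SAMPLE))
    for bucket, items in triage(hits).items():
        print(f"{bucket}: {len(items)}")
        for desc, path in items:
            print(f"  {desc}  {path}")
```

The "contained" bucket is the caveat a practitioner wants when reading a second scanner's report: a hit inside another product's quarantine or backup store is that product's trophy, not an active infection, and a "delete failed" on a .klq container is expected because the container is owned by Kaspersky.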





#9 suebaby41

  • Malware Response Team

Posted 30 August 2010 - 09:07 AM

Step 1

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Step 2

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.1.2) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
Please post a new HijackThis log.
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.
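The TDSSKiller log requested above lists every loaded driver as timestamp, service name, MD5 and image path, one per line, plus a few status lines before the scan starts. That is a couple of hundred lines to read by eye. The following is an added example, not TDSSKiller's code or anything from the helper's instructions; it parses that format, keeps the "functionality is limited" notice the tool prints when it runs as a 32-bit process on 64-bit Windows, and shortlists drivers whose image is outside the system32 tree or is not a .sys file. The sample lines are taken from the log posted in the next reply; everything the shortlist produces is a review item, not a verdict, since third-party products and on-demand scanners legitimately load drivers from their own folders and under temporary names.

```python
"""Shortlist entries in a TDSSKiller driver listing for manual review.
Added example, not the tool's own code; the sample log lines are taken
from the log posted in this thread.  EXPECTED_DIRS is an assumption."""
import re
from pathlib import PureWindowsPath

# One driver per line: timestamp, service name, (md5), image path.
DRIVER_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")

# Where Windows' own drivers normally live (forward-slash, lower-case).
# A driver elsewhere is not proof of anything, only worth a look.
EXPECTED_DIRS = ("c:/windows/system32/drivers", "c:/windows/system32")


def parse_tdsskiller(text):
    """Return (drivers, notices): drivers as (service, md5, path) tuples,
    notices as the tool's own warning lines with the timestamp stripped."""
    drivers, notices = [], []
    for raw in text.splitlines():
        m = DRIVER_LINE.match(raw.strip())
        if m:
            drivers.append((m.group("service"), m.group("md5"), m.group("path")))
        elif "functionality is limited" in raw:
            notices.append(raw.strip().split(" ", 2)[-1])
    return drivers, notices


def review(drivers):
    """Return (service, path, reason) for drivers loaded from outside the
    expected directories or from an image that is not a .sys file."""
    flagged = []
    for service, _md5, path in drivers:
        normalised = path.replace("\\", "/").lower()
        suffix = PureWindowsPath(path).suffix.lower()
        reasons = []
        if not any(normalised.startswith(d + "/") for d in EXPECTED_DIRS):
            reasons.append("outside system32")
        if suffix != ".sys":
            reasons.append(f"unexpected extension {suffix or '(none)'}")
        if reasons:
            flagged.append((service, path, "; ".join(reasons)))
    return flagged


# Lines taken from the log posted in this thread (a subset).
SAMPLE_LOG = r"""
2010/08/30 18:27:25.0419 TDSS rootkit removing tool 2.4.1.3 Aug 27 2010 08:53:42
2010/08/30 18:27:25.0435 Running under WOW64
2010/08/30 18:27:25.0435 Utility is running under WOW64, functionality is limited.
2010/08/30 18:28:13.0639 Scan started
2010/08/30 18:28:13.0826 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2010/08/30 18:28:16.0509 MEMSWEEP2 (d70476ad02d6fd75282b196d3b58831d) C:\Windows\system32\DD25.tmp
2010/08/30 18:28:17.0898 pbfilter (55223eefabfdb84a926515febab50d9a) C:\Program Files\PeerBlock\pbfilter.sys
2010/08/30 18:28:19.0114 SASDIFSV (99df79c258b3342b6c8a5f802998de56) G:\Program Files\Malwarebytes' Anti-Malware\SASDIFSV64.SYS
"""

if __name__ == "__main__":
    drivers, notices = parse_tdsskiller(SAMPLE_LOG)
    for notice in notices:
        print("NOTICE:", notice)
    for service, path, reason in review(drivers):
        print(f"{service:12} {reason:32} {path}")
```

The notice matters as much as the shortlist: "functionality is limited" under WOW64 means the 32-bit build did not get a full view of a 64-bit kernel, so a clean result from that run is weaker evidence than it looks. The MD5 column is kept in the parsed tuples so the flagged images can be checked against a file-reputation service before deciding anything.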

#10 mteele

Posted 30 August 2010 - 05:26 PM

GooredFix by jpshortstuff (03.07.10.1)
Log created at 18:26 on 30/08/2010 (Matthew Teele)
Firefox version [Unable to determine]

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files (x86)\Mozilla Firefox\extensions\
(none)

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
(Key not found)

-=E.O.F=-


2010/08/30 18:27:25.0419 TDSS rootkit removing tool 2.4.1.3 Aug 27 2010 08:53:42
2010/08/30 18:27:25.0419 ================================================================================
2010/08/30 18:27:25.0419 SystemInfo:
2010/08/30 18:27:25.0419
2010/08/30 18:27:25.0419 OS Version: 6.1.7600 ServicePack: 0.0
2010/08/30 18:27:25.0419 Product type: Workstation
2010/08/30 18:27:25.0419 ComputerName: MATTHEWTEELE-PC
2010/08/30 18:27:25.0435 UserName: Matthew Teele
2010/08/30 18:27:25.0435 Windows directory: C:\Windows
2010/08/30 18:27:25.0435 System windows directory: C:\Windows
2010/08/30 18:27:25.0435 Running under WOW64
2010/08/30 18:27:25.0435 Processor architecture: Intel x64
2010/08/30 18:27:25.0435 Number of processors: 4
2010/08/30 18:27:25.0435 Page size: 0x1000
2010/08/30 18:27:25.0435 Boot type: Normal boot
2010/08/30 18:27:25.0435 ================================================================================
2010/08/30 18:27:25.0435 Utility is running under WOW64, functionality is limited.
2010/08/30 18:27:56.0838 Initialize success
2010/08/30 18:28:13.0639 ================================================================================
2010/08/30 18:28:13.0639 Scan started
2010/08/30 18:28:13.0639 Mode: Manual;
2010/08/30 18:28:13.0639 ================================================================================
2010/08/30 18:28:13.0810 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/08/30 18:28:13.0826 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2010/08/30 18:28:13.0857 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2010/08/30 18:28:13.0873 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2010/08/30 18:28:13.0904 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2010/08/30 18:28:13.0920 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2010/08/30 18:28:13.0966 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2010/08/30 18:28:13.0982 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
2010/08/30 18:28:14.0013 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
2010/08/30 18:28:14.0029 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
2010/08/30 18:28:14.0044 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2010/08/30 18:28:14.0060 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2010/08/30 18:28:14.0091 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
2010/08/30 18:28:14.0107 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2010/08/30 18:28:14.0122 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
2010/08/30 18:28:14.0154 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
2010/08/30 18:28:14.0185 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2010/08/30 18:28:14.0200 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2010/08/30 18:28:14.0216 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/08/30 18:28:14.0232 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
2010/08/30 18:28:14.0294 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2010/08/30 18:28:14.0310 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2010/08/30 18:28:14.0341 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2010/08/30 18:28:14.0388 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2010/08/30 18:28:14.0403 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2010/08/30 18:28:14.0419 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2010/08/30 18:28:14.0434 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2010/08/30 18:28:14.0466 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2010/08/30 18:28:14.0481 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2010/08/30 18:28:14.0512 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2010/08/30 18:28:14.0528 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2010/08/30 18:28:14.0544 BthEnum (cf98190a94f62e405c8cb255018b2315) C:\Windows\system32\DRIVERS\BthEnum.sys
2010/08/30 18:28:14.0559 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/08/30 18:28:14.0590 BthPan (02dd601b708dd0667e1331fa8518e9ff) C:\Windows\system32\DRIVERS\bthpan.sys
2010/08/30 18:28:14.0606 BTHPORT (a51fa9d0e85d5adabef72e67f386309c) C:\Windows\system32\Drivers\BTHport.sys
2010/08/30 18:28:14.0637 BTHUSB (f740b9a16b2c06700f2130e19986bf3b) C:\Windows\system32\Drivers\BTHUSB.sys
2010/08/30 18:28:14.0653 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/08/30 18:28:14.0684 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
2010/08/30 18:28:14.0700 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2010/08/30 18:28:14.0731 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2010/08/30 18:28:14.0793 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/08/30 18:28:14.0809 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
2010/08/30 18:28:14.0840 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
2010/08/30 18:28:14.0856 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2010/08/30 18:28:14.0871 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
2010/08/30 18:28:14.0902 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2010/08/30 18:28:14.0965 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
2010/08/30 18:28:14.0996 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2010/08/30 18:28:15.0012 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2010/08/30 18:28:15.0058 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2010/08/30 18:28:15.0090 DXGKrnl (ebce0b0924835f635f620d19f0529dce) C:\Windows\System32\drivers\dxgkrnl.sys
2010/08/30 18:28:15.0152 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2010/08/30 18:28:15.0230 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2010/08/30 18:28:15.0246 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
2010/08/30 18:28:15.0292 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2010/08/30 18:28:15.0308 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2010/08/30 18:28:15.0339 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2010/08/30 18:28:15.0370 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2010/08/30 18:28:15.0402 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2010/08/30 18:28:15.0417 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/08/30 18:28:15.0433 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
2010/08/30 18:28:15.0480 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2010/08/30 18:28:15.0495 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2010/08/30 18:28:15.0526 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
2010/08/30 18:28:15.0542 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2010/08/30 18:28:15.0573 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2010/08/30 18:28:15.0589 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
2010/08/30 18:28:15.0620 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/08/30 18:28:15.0636 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2010/08/30 18:28:15.0651 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2010/08/30 18:28:15.0667 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2010/08/30 18:28:15.0698 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
2010/08/30 18:28:15.0745 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
2010/08/30 18:28:15.0776 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
2010/08/30 18:28:15.0792 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
2010/08/30 18:28:15.0807 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/08/30 18:28:15.0838 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
2010/08/30 18:28:15.0870 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
2010/08/30 18:28:15.0901 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
2010/08/30 18:28:15.0916 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
2010/08/30 18:28:15.0948 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/08/30 18:28:15.0979 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2010/08/30 18:28:15.0994 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
2010/08/30 18:28:16.0026 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
2010/08/30 18:28:16.0041 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
2010/08/30 18:28:16.0057 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/08/30 18:28:16.0072 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/08/30 18:28:16.0104 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/08/30 18:28:16.0135 kl1 (db449f50e5141458eb58e64ffac4863f) C:\Windows\system32\DRIVERS\kl1.sys
2010/08/30 18:28:16.0150 KLBG (87200a8afe40532baa4d2b24a7ba0eea) C:\Windows\system32\DRIVERS\klbg.sys
2010/08/30 18:28:16.0166 KLIF (09bad645d3843669c281431c7df2db2e) C:\Windows\system32\DRIVERS\klif.sys
2010/08/30 18:28:16.0197 KLIM6 (630f22545379437737cf4172f09fe449) C:\Windows\system32\DRIVERS\klim6.sys
2010/08/30 18:28:16.0213 klmouflt (786791291939abb11f6d0f040da23912) C:\Windows\system32\DRIVERS\klmouflt.sys
2010/08/30 18:28:16.0228 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
2010/08/30 18:28:16.0260 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys
2010/08/30 18:28:16.0275 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
2010/08/30 18:28:16.0322 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
2010/08/30 18:28:16.0353 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
2010/08/30 18:28:16.0384 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
2010/08/30 18:28:16.0400 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2010/08/30 18:28:16.0416 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2010/08/30 18:28:16.0431 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
2010/08/30 18:28:16.0462 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
2010/08/30 18:28:16.0494 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
2010/08/30 18:28:16.0509 MEMSWEEP2 (d70476ad02d6fd75282b196d3b58831d) C:\Windows\system32\DD25.tmp
2010/08/30 18:28:16.0540 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
2010/08/30 18:28:16.0556 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2010/08/30 18:28:16.0572 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
2010/08/30 18:28:16.0603 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2010/08/30 18:28:16.0618 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
2010/08/30 18:28:16.0634 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
2010/08/30 18:28:16.0665 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2010/08/30 18:28:16.0696 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
2010/08/30 18:28:16.0712 mrxsmb (767a4c3bcf9410c286ced15a2db17108) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/08/30 18:28:16.0743 mrxsmb10 (920ee0ff995fcfdeb08c41605a959e1c) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/08/30 18:28:16.0759 mrxsmb20 (740d7ea9d72c981510a5292cf6adc941) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/08/30 18:28:16.0774 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
2010/08/30 18:28:16.0806 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
2010/08/30 18:28:16.0837 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2010/08/30 18:28:16.0852 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2010/08/30 18:28:16.0868 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
2010/08/30 18:28:16.0915 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2010/08/30 18:28:16.0930 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/08/30 18:28:16.0946 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2010/08/30 18:28:16.0977 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
2010/08/30 18:28:16.0993 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/08/30 18:28:17.0008 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2010/08/30 18:28:17.0040 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2010/08/30 18:28:17.0055 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2010/08/30 18:28:17.0086 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2010/08/30 18:28:17.0118 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2010/08/30 18:28:17.0149 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2010/08/30 18:28:17.0164 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/08/30 18:28:17.0196 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/08/30 18:28:17.0211 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/08/30 18:28:17.0227 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
2010/08/30 18:28:17.0242 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2010/08/30 18:28:17.0274 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
2010/08/30 18:28:17.0336 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2010/08/30 18:28:17.0352 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2010/08/30 18:28:17.0383 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2010/08/30 18:28:17.0430 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
2010/08/30 18:28:17.0461 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2010/08/30 18:28:17.0648 nvlddmkm (aaf5559039e99d0cc22e25255f3dc06e) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2010/08/30 18:28:17.0742 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
2010/08/30 18:28:17.0757 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
2010/08/30 18:28:17.0788 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
2010/08/30 18:28:17.0804 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/08/30 18:28:17.0851 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2010/08/30 18:28:17.0866 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
2010/08/30 18:28:17.0898 pavboot (8a0f8a9580d9f2fc512a35d5709088a9) C:\Windows\system32\drivers\pavboot64.sys
2010/08/30 18:28:17.0898 pbfilter (55223eefabfdb84a926515febab50d9a) C:\Program Files\PeerBlock\pbfilter.sys
2010/08/30 18:28:17.0929 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
2010/08/30 18:28:17.0944 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
2010/08/30 18:28:17.0976 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/08/30 18:28:17.0991 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2010/08/30 18:28:18.0022 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2010/08/30 18:28:18.0132 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
2010/08/30 18:28:18.0147 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2010/08/30 18:28:18.0178 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
2010/08/30 18:28:18.0225 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2010/08/30 18:28:18.0256 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2010/08/30 18:28:18.0288 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2010/08/30 18:28:18.0303 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2010/08/30 18:28:18.0319 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2010/08/30 18:28:18.0350 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/08/30 18:28:18.0381 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/08/30 18:28:18.0397 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2010/08/30 18:28:18.0428 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
2010/08/30 18:28:18.0444 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2010/08/30 18:28:18.0475 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/08/30 18:28:18.0490 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2010/08/30 18:28:18.0522 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2010/08/30 18:28:18.0537 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
2010/08/30 18:28:18.0568 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
2010/08/30 18:28:18.0615 RFCOMM (3dd798846e2c28102b922c56e71b7932) C:\Windows\system32\DRIVERS\rfcomm.sys
2010/08/30 18:28:18.0662 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2010/08/30 18:28:18.0678 RTL8167 (abcb5a38a0d85bdf69b7877e1ad1eed5) C:\Windows\system32\DRIVERS\Rt64win7.sys
2010/08/30 18:28:19.0114 SASDIFSV (99df79c258b3342b6c8a5f802998de56) G:\Program Files\Malwarebytes' Anti-Malware\SASDIFSV64.SYS
2010/08/30 18:28:19.0177 SASKUTIL (2859c35c0651e8eb0d86d48e740388f2) G:\Program Files\Malwarebytes' Anti-Malware\SASKUTIL64.SYS
2010/08/30 18:28:19.0208 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
2010/08/30 18:28:19.0255 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
2010/08/30 18:28:19.0302 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2010/08/30 18:28:19.0348 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2010/08/30 18:28:19.0364 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2010/08/30 18:28:19.0380 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2010/08/30 18:28:19.0426 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
2010/08/30 18:28:19.0442 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2010/08/30 18:28:19.0458 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\DRIVERS\sffp_sd.sys
2010/08/30 18:28:19.0473 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2010/08/30 18:28:19.0520 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2010/08/30 18:28:19.0536 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2010/08/30 18:28:19.0551 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2010/08/30 18:28:19.0598 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2010/08/30 18:28:19.0645 srv (43067a65522eaec33d31a12d6fa8e3f4) C:\Windows\system32\DRIVERS\srv.sys
2010/08/30 18:28:19.0676 srv2 (03715cf9c30b563da35fc5f2b8f7b8e0) C:\Windows\system32\DRIVERS\srv2.sys
2010/08/30 18:28:19.0707 srvnet (fbd09635227a8026c0f7790f604343c6) C:\Windows\system32\DRIVERS\srvnet.sys
2010/08/30 18:28:19.0738 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2010/08/30 18:28:19.0770 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
2010/08/30 18:28:19.0863 Tcpip (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\drivers\tcpip.sys
2010/08/30 18:28:19.0926 TCPIP6 (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\DRIVERS\tcpip.sys
2010/08/30 18:28:19.0957 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
2010/08/30 18:28:19.0988 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2010/08/30 18:28:20.0004 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2010/08/30 18:28:20.0035 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
2010/08/30 18:28:20.0050 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
2010/08/30 18:28:20.0113 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/08/30 18:28:20.0144 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
2010/08/30 18:28:20.0160 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2010/08/30 18:28:20.0175 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
2010/08/30 18:28:20.0222 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
2010/08/30 18:28:20.0238 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
2010/08/30 18:28:20.0253 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2010/08/30 18:28:20.0284 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/08/30 18:28:20.0300 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
2010/08/30 18:28:20.0331 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
2010/08/30 18:28:20.0347 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys
2010/08/30 18:28:20.0378 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
2010/08/30 18:28:20.0394 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
2010/08/30 18:28:20.0409 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/08/30 18:28:20.0425 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/08/30 18:28:20.0472 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
2010/08/30 18:28:20.0503 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/08/30 18:28:20.0518 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
2010/08/30 18:28:20.0534 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
2010/08/30 18:28:20.0565 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
2010/08/30 18:28:20.0581 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
2010/08/30 18:28:20.0596 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
2010/08/30 18:28:20.0628 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
2010/08/30 18:28:20.0659 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
2010/08/30 18:28:20.0674 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
2010/08/30 18:28:20.0721 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
2010/08/30 18:28:20.0737 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2010/08/30 18:28:20.0752 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2010/08/30 18:28:20.0815 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
2010/08/30 18:28:20.0830 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2010/08/30 18:28:20.0924 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
2010/08/30 18:28:20.0940 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2010/08/30 18:28:21.0018 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/08/30 18:28:21.0064 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2010/08/30 18:28:21.0142 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
2010/08/30 18:28:21.0220 ================================================================================
2010/08/30 18:28:21.0220 Scan finished
2010/08/30 18:28:21.0220 ================================================================================

Edited by mteele, 30 August 2010 - 05:29 PM.


#11 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 30 August 2010 - 05:35 PM

Please post a new HijackThis log. Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#12 mteele

mteele
  • Topic Starter

  • Members
  • 11 posts

Posted 30 August 2010 - 10:09 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:09:12 PM, on 8/30/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10i_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\trend micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleepingcomputer.com/forums/topic339619.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - G:\Program Files\RoboForm\roboform.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - G:\Program Files\RoboForm\roboform.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: Customize Menu - file://G:\Program Files\RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://G:\Program Files\RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://G:\Program Files\RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://G:\Program Files\RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\Program Files\RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://G:\Program Files\RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\Program Files\RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://G:\Program Files\RoboForm\RoboFormComSavePass.html
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\Program Files\RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://G:\Program Files\RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\Windows\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/...S/wlscctrl2.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6BB2089-163F-466B-812A-748096614DFD} (CAScanner Control) - http://cainternetsecurity.net/scanner/cascanner.cab
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - G:\Program Files\Malwarebytes' Anti-Malware\SASCORE64.EXE
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9305 bytes


#13 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 31 August 2010 - 08:12 AM

Did you install Superantispyware in the MalwareBytes folder?

O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - G:\Program Files\Malwarebytes' Anti-Malware\SASCORE64.EXE
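The question above rests on a simple triage check that a helper does by eye on every HijackThis log: for each O23 service entry, does the publisher named in the line match the folder its binary actually lives in, and is the file present at all? The following Python script is an added illustration of that check and is not part of the thread or of HijackThis itself. Its input is a constructed sample of four O23 lines copied from the log posted above; the regular expression, the flag names and the list of generic corporate suffixes it ignores are all assumptions of this example.

```python
import re

# Constructed sample input: four O23 lines copied from the HijackThis log posted above.
SAMPLE_O23 = r"""
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - G:\Program Files\Malwarebytes' Anti-Malware\SASCORE64.EXE
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
"""

# Assumed layout of an O23 line:
#   O23 - Service: <display name> (<service name>) - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Corporate suffixes carry no vendor information, so they are ignored when the
# reported owner is compared with the folder the binary lives in.
GENERIC_TOKENS = {"com", "inc", "ltd", "llc", "lab", "labs", "corp",
                  "corporation", "software", "gmbh", "co"}


def tokens(text):
    """Lower-case alphanumeric words of `text`, minus generic suffixes."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower())
            if t not in GENERIC_TOKENS}


def parse_o23(line):
    """Split one O23 line into its fields; raises on anything else."""
    m = O23_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an O23 line: {line!r}")
    return {
        "name": m["name"],
        "display": m["display"],
        "owner": m["owner"],
        "path": m["path"],
        "file_missing": m["missing"] is not None,
    }


def flags_for(svc):
    """Review flags for one parsed service entry (heuristic, not a verdict)."""
    flags = []
    if svc["file_missing"]:
        flags.append("file missing")
    if svc["owner"].lower() == "unknown owner":
        # No publisher string at all; the binary should be checked by hand.
        flags.append("unknown owner")
    elif not (tokens(svc["owner"]) & tokens(svc["path"])):
        # Publisher name shares no word with the install path, as with the
        # SUPERAntiSpyware service living under the Malwarebytes folder.
        flags.append("owner/path mismatch")
    return flags


def triage(log_text):
    """Map each O23 service name in `log_text` to its list of review flags."""
    results = {}
    for line in log_text.splitlines():
        if line.startswith("O23 - "):
            svc = parse_o23(line)
            results[svc["name"]] = flags_for(svc)
    return results


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_O23).items():
        print(f"{name:16s} {', '.join(flags) or 'ok'}")
```

On the sample this flags `!SASCORE` for the owner/path mismatch that prompted the question, flags `ALG` as both unknown owner and file missing, and leaves `AVP` clean. It also flags `SBSDWSCService`, because Safer Networking Ltd. ships Spybot under a folder that does not carry its company name; that is the expected false positive of a word-overlap heuristic and is why the output is a review list rather than a verdict. The many `(file missing)` entries for core Windows services in the posted log are a known artifact of running the 32-bit HijackThis on 64-bit Windows, where file-system redirection hides the real `System32` binaries from it; they are worth noting but are not evidence of tampering by themselves.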

#14 mteele

mteele
  • Topic Starter

  • Members
  • 11 posts

Posted 31 August 2010 - 08:29 AM

I may have; I typically install programs off my main local C drive. I will check when I get home from work and get back with you.

#15 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 31 August 2010 - 08:37 AM

Thanks.