

redirect


  • This topic is locked
23 replies to this topic

#1 rud

  • Members
  • 15 posts

Posted 05 October 2010 - 10:49 AM

It appears that my Google searches have been hijacked: I am redirected to an advertisement. I have run Malwarebytes, but the problem persists. Can anyone help me with this?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:39 AM, on 10/5/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Normal

Running processes:
C:\Windows\SYSTEM32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\rud\Downloads\HJTInstall.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...k.cab102118.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe (file missing)
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
--
End of file - 5284 bytes

I am being redirected to advertisements in my google searches. I followed the instructions posted by admin for posting about this type of issue. I have attached the DDS logs below, but the computer shut down while performing the GMER scan. Can anyone offer guidance?

EDIT: Topics and posts merged ~BP

Edited by Budapest, 05 October 2010 - 04:07 PM.
Merged posts, moved from Win 7 to Malware Removal Logs ~ Hamluis.
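A first-pass triage of the HijackThis sections in the log above (R0/R1 start and search pages, O1 hosts, O2 BHOs, O4 autoruns, O20 AppInit_DLLs, O23 services), written as an added example for this thread; it is not a BleepingComputer or Trend Micro tool. The allow list of expected browser hosts and the flagging rules are assumptions, and the sample lines are copied from the posted log with its path separators restored.

```python
"""Flag HijackThis log entries that deserve a closer look (defensive triage only)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted above, with the
# backslashes the forum software stripped put back (raw string keeps them literal).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
--
End of file - 5284 bytes
"""

# Hosts a stock OEM Vista build's start/search pages point at (assumption; extend per fleet).
EXPECTED_BROWSER_HOSTS = {"go.microsoft.com", "www.google.com", "search.yahoo.com", "en.us.acer.yahoo.com"}
# HijackThis / DDS markers for an entry whose target file no longer exists.
DEAD_MARKERS = ("no file", "file missing")
# Path fragments that mark a location an ordinary user can write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

ENTRY = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Entry:
    code: str   # HJT section, e.g. "O4"
    body: str   # everything after "Oxx - "
    raw: str    # the original line


def parse_hjt(text: str) -> list[Entry]:
    """Keep only Rn/Onn entry lines; header, footer and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"], line.strip()))
    return entries


def triage(entry: Entry) -> list[str]:
    """Return human-readable notes for one entry; an empty list means nothing stood out."""
    notes = []
    body = entry.body
    if any(marker in body.lower() for marker in DEAD_MARKERS):
        notes.append("orphaned entry: the registry still references a file that is gone")
    if entry.code in ("R0", "R1"):
        m = re.search(r"=\s*(\S+)$", body)
        if m and m.group(1).lower().startswith("http"):
            host = urlparse(m.group(1)).hostname or ""
            if host not in EXPECTED_BROWSER_HOSTS:
                notes.append(f"start/search page points at unexpected host {host}")
        # ProxyOverride = *.local is the Vista default bypass list, so only an
        # explicit ProxyServer value is worth a note.
        if "ProxyServer" in body:
            notes.append("explicit proxy configured: confirm it was set on purpose")
    if entry.code == "O1" and not re.fullmatch(r"Hosts:\s*(127\.0\.0\.1|::1)\s+localhost", body):
        notes.append("hosts file maps a name other than localhost")
    if entry.code == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
        notes.append(f"AppInit_DLLs loads {len(dlls)} DLL(s) into every process that loads "
                     "user32.dll; check each publisher")
    if entry.code == "O4" and "]" in body:
        path = body.split("]", 1)[1].lower()
        if any(seg in path for seg in USER_WRITABLE):
            notes.append("autorun launches from a user-writable location")
    if entry.code == "O23" and "Unknown owner" in body:
        notes.append("service binary carries no publisher information; verify its signature")
    return notes


def triage_log(text: str) -> list[tuple[str, list[str]]]:
    """Pair each flagged entry line with its notes, in log order."""
    results = []
    for entry in parse_hjt(text):
        notes = triage(entry)
        if notes:
            results.append((entry.raw, notes))
    return results


if __name__ == "__main__":
    for raw, notes in triage_log(SAMPLE_LOG):
        print(raw)
        for note in notes:
            print("   ->", note)
```

On the sample it flags the dead BHO, the AppInit_DLLs list and the missing Symantec service, and stays quiet on the OEM start page, which is the point: a flag means "verify", not "infected".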



#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender: Male
  • Location: North Carolina, USA

Posted 12 October 2010 - 12:29 PM


Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 rud

  • Topic Starter
  • Members
  • 15 posts

Posted 12 October 2010 - 02:02 PM

Thanks Shannon,

I have attached the DDS logs, but GMER crashes my computer. I worked on clearing up my computer since my last post, so you may see a difference in the original DDS and those below. Hopefully things are looking better.


DDS (Ver_10-10-10.03) - NTFSx86
Run by rud at 14:45:27.12 on Tue 10/12/2010
Internet Explorer: 8.0.6001.18943
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1021.392 [GMT -4:00]

SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\WButton.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\lxeacoms.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\lxeaserv.exe
C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\rud\Downloads\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_Plugin.exe -update plugin
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [LMgrOSD] "c:\program files\launch manager\OSDCtrl.exe"
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [lxeamon.exe] "c:\program files\lexmark s300-s400 series\lxeamon.exe"
mRun: [EzPrint] "c:\program files\lexmark s300-s400 series\ezprint.exe"
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} - hxxp://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\rud\appdata\roaming\mozilla\firefox\profiles\7xj79rcd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-5-4 125960]
R2 LogWatch;Event Log Watch;c:\program files\ca\sharedcomponents\ca_lic\LogWatNT.exe [2005-2-23 53248]
R2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe -service --> c:\windows\system32\lxeacoms.exe -service [?]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxeaserv.exe [2010-10-11 98984]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-4-30 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-4-30 99336]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111112]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-5-12 111176]
S4 CA_LIC_CLNT;CA License Client;c:\program files\ca\sharedcomponents\ca_lic\lic98rmt.exe [2005-3-16 126976]
S4 WisLMSvc;WisLMSvc;c:\program files\launch manager\WisLMSvc.exe [2008-2-16 118784]

=============== Created Last 30 ================

2010-10-11 21:14:52 -------- d-----w- c:\progra~2\Ezprint
2010-10-11 21:14:28 -------- d-----w- c:\progra~2\Lx_cats
2010-10-11 21:09:33 157696 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\lxeadrpp.dll
2010-10-11 21:04:06 40960 ----a-w- c:\windows\system32\lxeavs.dll
2010-10-11 21:04:03 438272 ----a-w- c:\windows\system32\lxeacoin.dll
2010-10-11 21:03:52 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2010-10-11 21:03:51 86016 ----a-w- c:\windows\system32\lxeagcfg.dll
2010-10-11 21:03:49 294912 ----a-w- c:\windows\system32\lxeacui.dll
2010-10-11 21:03:49 110592 ----a-w- c:\windows\system32\lxeacuir.dll
2010-10-11 21:00:51 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2010-10-11 21:00:36 372736 ----a-w- c:\windows\system32\LXEAwupd.dll
2010-10-11 21:00:36 213672 ----a-w- c:\windows\system32\LXEAwupd.exe
2010-10-11 21:00:05 -------- d-----w- c:\program files\Lexmark
2010-10-11 20:56:08 23552 ----a-w- c:\windows\system32\LXEAsmr.dll
2010-10-11 20:56:08 -------- d-----w- c:\program files\Lexmark S300-S400 Series
2010-10-11 20:56:05 299008 ----a-w- c:\windows\system32\LXEAsm.dll
2010-10-08 15:39:13 6084944 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{859e7a59-9cbd-4e2d-a02b-153140f1cc31}\mpengine.dll
2010-10-08 15:08:38 -------- d-----w- c:\users\rud\appdata\local\temp
2010-10-08 15:08:02 -------- d-sh--w- C:\$RECYCLE.BIN
2010-10-06 22:13:32 98816 ----a-w- c:\windows\sed.exe
2010-10-06 22:13:32 77312 ----a-w- c:\windows\MBR.exe
2010-10-06 22:13:32 256512 ----a-w- c:\windows\PEV.exe
2010-10-06 22:13:32 161792 ----a-w- c:\windows\SWREG.exe
2010-10-05 21:32:01 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-05 21:31:47 -------- d-----w- c:\progra~2\Hitman Pro
2010-10-05 21:31:44 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-05 15:58:12 -------- d-----w- c:\program files\Trend Micro
2010-10-04 20:43:55 80896 ----a-w- c:\windows\system32\MSNP.ax
2010-10-04 20:43:55 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2010-10-04 20:43:50 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-10-04 20:43:49 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-10-04 20:43:49 217088 ----a-w- c:\windows\system32\psisrndr.ax
2010-10-04 20:40:00 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-10-04 20:40:00 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-10-04 20:40:00 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-10-04 20:40:00 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-10-04 20:39:59 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-10-04 20:29:50 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-10-04 20:28:56 501760 ----a-w- c:\windows\system32\usp10.dll
2010-10-04 20:25:12 13312 ----a-w- c:\program files\internet explorer\iecompat.dll
2010-10-04 20:23:50 98192 ----a-w- c:\windows\system32\drivers\FWPKCLNT.SYS
2010-10-04 20:23:50 902032 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-10-04 20:23:50 595456 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2010-10-04 20:23:50 438272 ----a-w- c:\windows\system32\IKEEXT.DLL
2010-10-04 20:23:50 328704 ----a-w- c:\windows\system32\BFE.DLL
2010-10-04 20:23:50 220040 ----a-w- c:\windows\system32\drivers\netio.sys
2010-10-04 20:23:39 738816 ----a-w- c:\windows\system32\inetcomm.dll
2010-10-02 20:00:20 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-02 20:00:20 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-02 20:00:20 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-02 20:00:20 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-02 20:00:20 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-10-02 20:00:18 -------- d-----w- c:\users\rud\appdata\roaming\Simply Super Software
2010-10-02 20:00:18 -------- d-----w- c:\progra~2\Simply Super Software
2010-10-01 03:38:12 -------- d-----w- c:\users\rud\appdata\roaming\Malwarebytes
2010-10-01 03:38:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-01 03:37:59 -------- d-----w- c:\progra~2\Malwarebytes
2010-10-01 03:37:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-01 03:37:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-30 23:11:11 0 ----a-w- c:\users\rud\appdata\local\Akimikere.bin
2010-09-30 18:40:54 -------- d-----w- c:\users\rud\appdata\roaming\Dropbox

==================== Find3M ====================

2010-08-17 13:32:33 126464 ----a-w- c:\windows\system32\spoolsv.exe

============= FINISH: 14:47:12.72 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-10-10.03)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 2/16/2008 10:37:42 AM
System Uptime: 10/10/2010 12:59:52 PM (50 hours ago)

Motherboard: Acer | | Myall2
Processor: Intel® Core™2 CPU T5600 @ 1.83GHz | U2E1 | 1833/166mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 70 GiB total, 20.116 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 69.021 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0001
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0001
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0002
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0002
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0003
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0003
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0004
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0004
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft 6to4 Adapter
Device ID: ROOT\*6TO4MP\0005
Manufacturer: Microsoft
Name: 6TO4 Adapter
PNP Device ID: ROOT\*6TO4MP\0005
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0000
Manufacturer: Microsoft
Name: isatap.{0B445639-B454-43BF-A2FB-49D9E835E9DB}
PNP Device ID: ROOT\*ISATAP\0000
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0001
Manufacturer: Microsoft
Name: isatap.covad.net
PNP Device ID: ROOT\*ISATAP\0001
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0002
Manufacturer: Microsoft
Name: isatap.{0B445639-B454-43BF-A2FB-49D9E835E9DB}
PNP Device ID: ROOT\*ISATAP\0002
Service: tunnel

Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318}
Description: Microsoft ISATAP Adapter
Device ID: ROOT\*ISATAP\0003
Manufacturer: Microsoft
Name: isatap.nyc.rr.com
PNP Device ID: ROOT\*ISATAP\0003
Service: tunnel

Class GUID:
Description: Mass Storage Controller
Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_01071025&REV_00\4&2CABF08D&0&32F0
Manufacturer:
Name: Mass Storage Controller
PNP Device ID: PCI\VEN_104C&DEV_803B&SUBSYS_01071025&REV_00\4&2CABF08D&0&32F0
Service:

==== System Restore Points ===================

RP1055: 10/6/2010 6:52:17 PM - Windows Backup
RP1056: 10/7/2010 10:09:50 PM - Scheduled Checkpoint
RP1057: 10/8/2010 11:38:22 AM - Windows Update
RP1058: 10/9/2010 12:33:17 AM - Scheduled Checkpoint
RP1059: 10/10/2010 12:00:06 AM - Scheduled Checkpoint
RP1060: 10/10/2010 1:58:50 PM - Scheduled Checkpoint
RP1061: 10/11/2010 5:01:57 PM - Device Driver Package Install: Lexmark Imaging devices
RP1062: 10/11/2010 5:07:51 PM - Device Driver Package Install: Lexmark Inkjet Drivers Printers

==== Installed Programs ======================

3ivx MPEG-4 5.0.3 (remove only)
ABBYY FineReader 6.0 Sprint
Acer Registration
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Adobe Shockwave Player
Agere Systems HDA Modem
Apple Application Support
Apple Software Update
Bullzip PDF Printer 6.0.0.684
EPSON Printer Software
FlipShare
Google Earth
GPL Ghostscript Lite 8.63
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
iPod for Windows
Launch Manager V1.1.1.4
Lexmark Printable Web
Lexmark S300-S400 Series
LightScribe 1.4.136.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Works
Mozilla Firefox (3.6.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB973688)
muvee Plugin 1.0
NVIDIA Drivers
OGA Notifier 2.0.0048.0
Panda Cloud Antivirus
QuickTime
Realtek High Definition Audio Driver
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB2288953)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Synaptics Pointing Device Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb2291599)
VC 9.0 Runtime
Zune
Zune Language Pack (DE)
Zune Language Pack (ES)
Zune Language Pack (FR)
Zune Language Pack (IT)

==== Event Viewer Messages From Past Week ========

10/8/2010 8:37:58 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the RapiMgr service.
10/6/2010 9:30:43 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FlipShare Service service.
10/6/2010 8:06:02 PM, Error: EventLog [6008] - The previous system shutdown at 8:03:45 PM on 10/6/2010 was unexpected.
10/6/2010 6:15:29 PM, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
10/6/2010 11:06:53 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the ShellHWDetection service.
10/5/2010 11:28:02 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: mailKmd
10/5/2010 11:28:02 AM, Error: Service Control Manager [7000] - The MobilityService service failed to start due to the following error: The system cannot find the file specified.
10/5/2010 1:04:05 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
10/5/2010 1:03:54 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC Hotkey mailKmd NetBIOS netbt nsiproxy PSched PSINKNC RasAcd rdbss Smb spldr tdx Wanarpv6
10/5/2010 1:03:54 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
10/5/2010 1:03:54 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
10/5/2010 1:03:54 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/5/2010 1:03:54 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
10/5/2010 1:03:54 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
10/5/2010 1:03:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
10/5/2010 1:03:25 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/5/2010 1:03:24 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
10/5/2010 1:03:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/5/2010 1:03:12 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
10/5/2010 1:02:47 PM, Error: EventLog [6008] - The previous system shutdown at 1:00:30 PM on 10/5/2010 was unexpected.
10/11/2010 4:59:12 PM, Error: Service Control Manager [7030] - The lxea_device service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
10/10/2010 6:05:07 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.

==== End Of File ===========================


#4 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 13 October 2010 - 06:24 PM

Hello, rud.
My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.
  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!



Step 1

Scan With RKUnHooker
  • Please download Rootkit Unhooker and save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"




Step 2

Please download MBRCheck by ad_13 and save it to your desktop.

Double-click to run. A window will pop up. If it says 'non-standard' or 'infected' MBR code detected, please type 3 for Exit for now and press Enter.

It will save a logfile on your desktop that starts with MBR, then has the date, etc. Please copy and paste the contents of that log in your reply.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#5 rud (Topic Starter, Members, 15 posts)

Posted 13 October 2010 - 06:42 PM

Thanks for the help. I have attached the RK report. Had to exit out of the MBR.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Acer
BIOS Manufacturer: Phoenix Technologies LTD
System Manufacturer: Acer
System Product Name: Aspire 9420
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 141):
0x81E11000 \SystemRoot\system32\ntkrnlpa.exe
0x821CA000 \SystemRoot\system32\hal.dll
0x80609000 \SystemRoot\system32\kdcom.dll
0x80610000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x80680000 \SystemRoot\system32\PSHED.dll
0x80691000 \SystemRoot\system32\BOOTVID.dll
0x80699000 \SystemRoot\system32\CLFS.SYS
0x806DA000 \SystemRoot\system32\CI.dll
0x85E0B000 \SystemRoot\system32\drivers\Wdf01000.sys
0x85E7C000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x85E8A000 \SystemRoot\system32\drivers\acpi.sys
0x85ED0000 \SystemRoot\system32\drivers\WMILIB.SYS
0x85ED9000 \SystemRoot\system32\drivers\msisadrv.sys
0x85EE1000 \SystemRoot\system32\drivers\pci.sys
0x85F08000 \SystemRoot\System32\drivers\partmgr.sys
0x85F17000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x85F1A000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x85F24000 \SystemRoot\system32\drivers\volmgr.sys
0x85F33000 \SystemRoot\System32\drivers\volmgrx.sys
0x85F7D000 \SystemRoot\system32\drivers\intelide.sys
0x85F84000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x85F92000 \SystemRoot\system32\DRIVERS\pcmcia.sys
0x85FBF000 \SystemRoot\System32\drivers\mountmgr.sys
0x85FCF000 \SystemRoot\system32\drivers\atapi.sys
0x85FD7000 \SystemRoot\system32\drivers\ataport.SYS
0x807BA000 \SystemRoot\system32\drivers\fltmgr.sys
0x807EC000 \SystemRoot\system32\drivers\fileinfo.sys
0x86001000 \SystemRoot\System32\Drivers\ksecdd.sys
0x86072000 \SystemRoot\system32\drivers\ndis.sys
0x8617D000 \SystemRoot\system32\drivers\msrpc.sys
0x861A8000 \SystemRoot\system32\drivers\NETIO.SYS
0x8620C000 \SystemRoot\System32\drivers\tcpip.sys
0x862F6000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8640E000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8651E000 \SystemRoot\system32\drivers\volsnap.sys
0x86557000 \SystemRoot\System32\Drivers\spldr.sys
0x8655F000 \SystemRoot\System32\Drivers\mup.sys
0x8656E000 \SystemRoot\System32\drivers\ecache.sys
0x86595000 \SystemRoot\system32\drivers\disk.sys
0x865A6000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x865C7000 \SystemRoot\system32\drivers\crcdisk.sys
0x86400000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x86311000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x86320000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x8D80D000 \SystemRoot\system32\DRIVERS\nvlddmkm.sys
0x8DC50000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8DCEF000 \SystemRoot\System32\drivers\watchdog.sys
0x8DCFB000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8DD88000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8EC03000 \SystemRoot\system32\DRIVERS\NETw4v32.sys
0x8EE2A000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8EE35000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8EE73000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8EE82000 \SystemRoot\system32\DRIVERS\sdbus.sys
0x8EE9C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x8EEA0000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x8EEB3000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8EEBE000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x8EEE9000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8EEEB000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8EEF6000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8EF0E000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
0x8EF10000 \SystemRoot\SYSTEM32\DRIVERS\GEARAspiWDM.sys
0x8EF13000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8EF42000 \SystemRoot\system32\DRIVERS\storport.sys
0x8EF83000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8EF8E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8EFA5000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8EFB0000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8EFD3000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8EFE2000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8DD97000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8DDAC000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8EFF6000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8DDBC000 \SystemRoot\system32\DRIVERS\ks.sys
0x8DDE6000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8DDF0000 \SystemRoot\system32\DRIVERS\umbus.sys
0x86329000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8635E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x90606000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x90797000 \SystemRoot\system32\drivers\portcls.sys
0x907C4000 \SystemRoot\system32\drivers\drmk.sys
0x90E01000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0x90F1E000 \SystemRoot\system32\drivers\modem.sys
0x90F2B000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x90F34000 \SystemRoot\System32\Drivers\Null.SYS
0x90F3B000 \SystemRoot\System32\Drivers\Beep.SYS
0x90F4B000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x90F52000 \SystemRoot\System32\drivers\vga.sys
0x90F5E000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x90F7F000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x90F87000 \SystemRoot\system32\drivers\rdpencdd.sys
0x90F8F000 \SystemRoot\System32\Drivers\Msfs.SYS
0x90F9A000 \SystemRoot\System32\Drivers\Npfs.SYS
0x90FA8000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x90FB1000 \SystemRoot\system32\DRIVERS\tdx.sys
0x90FC7000 \SystemRoot\system32\DRIVERS\smb.sys
0x8636F000 \SystemRoot\system32\drivers\afd.sys
0x863B7000 \SystemRoot\System32\DRIVERS\netbt.sys
0x90FDB000 \SystemRoot\system32\DRIVERS\pacer.sys
0x90FF1000 \SystemRoot\system32\DRIVERS\netbios.sys
0x907E9000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x95401000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9543D000 \SystemRoot\system32\DRIVERS\psinknc.sys
0x9545F000 \SystemRoot\system32\drivers\nsiproxy.sys
0x95469000 \SystemRoot\System32\Drivers\Hotkey.SYS
0x9546C000 \SystemRoot\System32\Drivers\dfsc.sys
0x95483000 \SystemRoot\System32\Drivers\fastfat.SYS
0x954AB000 \SystemRoot\System32\Drivers\crashdmp.sys
0x954B8000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x954C3000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x9BC40000 \SystemRoot\System32\win32k.sys
0x954CB000 \SystemRoot\System32\drivers\Dxapi.sys
0x954D5000 \SystemRoot\system32\DRIVERS\monitor.sys
0x9BE60000 \SystemRoot\System32\TSDDD.dll
0x9BE80000 \SystemRoot\System32\cdd.dll
0x954E4000 \SystemRoot\system32\drivers\luafv.sys
0x954FF000 \SystemRoot\system32\DRIVERS\PSINAflt.sys
0x95526000 \SystemRoot\system32\DRIVERS\PSINProt.sys
0x95544000 \SystemRoot\system32\DRIVERS\PSINFile.sys
0x9BE90000 \SystemRoot\System32\ATMFD.DLL
0x95560000 \SystemRoot\system32\DRIVERS\PSINProc.sys
0x9557E000 \SystemRoot\system32\drivers\WudfPf.sys
0x9EE04000 \SystemRoot\system32\drivers\spsys.sys
0x9EEB4000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x9EEC4000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9EEEE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9EEF8000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x9EF0B000 \SystemRoot\system32\drivers\HTTP.sys
0x9EF78000 \SystemRoot\System32\drivers\mpsdrv.sys
0x9EF8D000 \??\C:\Acer\Empowering Technology\eRecovery\int15.sys
0x9F605000 \SystemRoot\system32\drivers\peauth.sys
0x9F6E3000 \SystemRoot\System32\Drivers\secdrv.SYS
0x9F6ED000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x9F70A000 \SystemRoot\System32\drivers\tcpipreg.sys
0x9F716000 \SystemRoot\System32\DRIVERS\srv2.sys
0x9F73D000 \SystemRoot\System32\DRIVERS\srv.sys
0x9F78B000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x9F7A4000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x9F7AD000 \SystemRoot\System32\Drivers\Normandy.SYS
0x77000000 \Windows\System32\ntdll.dll

Processes (total 59):
0 System Idle Process
4 System
528 C:\Windows\System32\smss.exe
656 csrss.exe
696 C:\Windows\System32\wininit.exe
716 csrss.exe
748 C:\Windows\System32\services.exe
764 C:\Windows\System32\lsass.exe
772 C:\Windows\System32\lsm.exe
808 C:\Windows\System32\winlogon.exe
976 C:\Windows\System32\svchost.exe
1048 C:\Windows\System32\svchost.exe
1084 C:\Windows\System32\svchost.exe
1168 C:\Windows\System32\svchost.exe
1196 C:\Windows\System32\svchost.exe
1208 C:\Windows\System32\svchost.exe
1324 C:\Windows\System32\audiodg.exe
1348 C:\Windows\System32\svchost.exe
1364 C:\Windows\System32\SLsvc.exe
1524 C:\Windows\System32\svchost.exe
1780 C:\Windows\System32\spoolsv.exe
1804 C:\Windows\System32\svchost.exe
1892 C:\Windows\System32\agrsmsvc.exe
1908 C:\Windows\System32\svchost.exe
1928 C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
124 C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
264 C:\Windows\System32\lxeacoms.exe
228 C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
12 C:\Windows\System32\svchost.exe
1032 C:\Windows\System32\svchost.exe
1584 C:\Windows\System32\SearchIndexer.exe
2168 C:\Windows\System32\taskeng.exe
2828 unsecapp.exe
3092 WmiPrvSE.exe
3120 C:\Windows\System32\svchost.exe
3836 C:\Windows\System32\taskeng.exe
3800 C:\Windows\System32\dwm.exe
2744 C:\Windows\explorer.exe
2876 WmiPrvSE.exe
3144 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
632 C:\Program Files\Launch Manager\OSDCtrl.exe
3528 C:\Program Files\Launch Manager\WButton.exe
3700 C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
3572 C:\Windows\System32\wuauclt.exe
2588 C:\Program Files\Zune\ZuneLauncher.exe
1456 C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe
1508 C:\Program Files\Lexmark S300-S400 Series\ezprint.exe
3900 C:\Windows\RtHDVCpl.exe
704 C:\Program Files\Windows Media Player\wmpnscfg.exe
3808 C:\Windows\WINDOW~1\wmdcBase.exe
2232 C:\Windows\ehome\ehtray.exe
4040 C:\Program Files\Windows Media Player\wmpnetwk.exe
768 C:\Windows\ehome\ehmsas.exe
2560 C:\Windows\System32\wbem\unsecapp.exe
5772 C:\Program Files\Mozilla Firefox\firefox.exe
7112 RKUnhookerLE.EXE
6620 C:\Windows\System32\SearchProtocolHost.exe
6888 C:\Windows\System32\SearchFilterHost.exe
7180 C:\Users\rud\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`71167600 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`da15fc00 (NTFS)

PhysicalDrive0 Model Number: HitachiHTS541616J9SA00, Rev: SB4OC70P

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: DA67949D8E80AE4B877B861155C27C0550D2F7A3


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
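
MBRCheck identifies the boot sector by the SHA1 it prints (the log above shows the hash and the verdict "Unknown MBR code"), so a hash that is not in its list of stock Windows boot code is reported as non-standard. As an added illustration that is not part of this thread or of MBRCheck's own code, the Python below parses a 512-byte MBR, hashes the 440-byte bootstrap area (that this is exactly the region MBRCheck hashes is an assumption), checks the 0x55AA signature and the partition table, and reports known versus unknown code against a constructed reference set.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: bootstrap code in the classic MBR layout
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow the 6-byte disk signature area
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def boot_code_sha1(mbr: bytes) -> str:
    """SHA1 of the bootstrap code area, upper-case hex like MBRCheck prints it."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (little-endian LBA fields)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "status_byte": status,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def analyze_mbr(mbr: bytes, known_boot_code: dict) -> dict:
    """Classify a raw 512-byte sector in the style of the MBRCheck log.

    known_boot_code maps SHA1 hex digests of trusted bootstrap code to a label.
    Anything not in that table is reported as "Unknown MBR code".
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % MBR_SIZE)
    digest = boot_code_sha1(mbr)
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        entry = parse_partition_entry(mbr[off:off + 16])
        if entry["type"] != 0:          # type 0x00 marks an unused slot
            partitions.append(entry)
    # A status byte other than 0x00 or 0x80 means the table itself is malformed.
    table_ok = all(p["status_byte"] in (0x00, 0x80) for p in partitions)
    if digest in known_boot_code:
        verdict = "Known MBR code (%s)" % known_boot_code[digest]
    else:
        verdict = "Unknown MBR code"
    return {
        "sha1": digest,
        "signature_ok": signature_ok,
        "partition_table_ok": table_ok,
        "partitions": partitions,
        "verdict": verdict,
        "suspicious": (not signature_ok) or (not table_ok)
                      or digest not in known_boot_code,
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR: caller-supplied boot code plus one NTFS partition.

    This is constructed test data, not a sector from the machine in the thread.
    """
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"   # constructed NT disk signature + reserved
    ntfs = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                       2048, 100000)               # bootable, type 0x07, LBA 2048
    empty = b"\x00" * 16
    return code + disk_sig + ntfs + empty * 3 + BOOT_SIGNATURE


# Constructed "reference" boot code (not real Windows boot code). A real checker
# would hold the SHA1s of stock Windows boot sectors, which MBRCheck carries internally.
REFERENCE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433
KNOWN_BOOT_CODE = {boot_code_sha1(REFERENCE_BOOT_CODE): "constructed reference"}


def demo() -> tuple:
    """Analyze a clean sample and the same sample with one byte of boot code changed."""
    clean = analyze_mbr(build_sample_mbr(REFERENCE_BOOT_CODE), KNOWN_BOOT_CODE)
    # Same partition table, one changed byte in the code: hash no longer matches,
    # which is the situation the "Unknown MBR code" line in the thread reports.
    tampered_code = REFERENCE_BOOT_CODE[:100] + b"\xe9" + REFERENCE_BOOT_CODE[101:]
    tampered = analyze_mbr(build_sample_mbr(tampered_code), KNOWN_BOOT_CODE)
    return clean, tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered"), demo()):
        print(label, result["verdict"], "SHA1:", result["sha1"])
        for p in result["partitions"]:
            print("  type 0x%02x start LBA %d sectors %d bootable=%s"
                  % (p["type"], p["lba_start"], p["sectors"], p["bootable"]))
```

An unknown hash alone is not proof of infection (OEM recovery tools such as the int15.sys entry in the driver list above can ship their own boot code), which is why the helper asks for the log rather than acting on the verdict directly.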

#6 rud (Topic Starter, Members, 15 posts)

Posted 13 October 2010 - 08:17 PM

Here is the RK Unhooker report.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6002 (Service Pack 2)
Number of processors #2
==============================================
>Drivers
==============================================
0x8D80D000 C:\Windows\system32\DRIVERS\nvlddmkm.sys 4468736 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 98.15 )
0x81E11000 C:\Windows\system32\ntkrnlpa.exe 3903488 bytes (Microsoft Corporation, NT Kernel & System)
0x81E11000 PnpManager 3903488 bytes
0x81E11000 RAW 3903488 bytes
0x81E11000 WMIxWDM 3903488 bytes
0x8EC03000 C:\Windows\system32\DRIVERS\NETw4v32.sys 2256896 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x9BC40000 Win32k 2109440 bytes
0x9BC40000 C:\Windows\System32\win32k.sys 2109440 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x90606000 C:\Windows\system32\drivers\RTKVHDA.sys 1642496 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x90E01000 C:\Windows\system32\DRIVERS\AGRSM.sys 1167360 bytes (Agere Systems, SoftModem Device Driver)
0x8640E000 C:\Windows\System32\Drivers\Ntfs.sys 1114112 bytes (Microsoft Corporation, NT File System Driver)
0x86072000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8620C000 C:\Windows\System32\drivers\tcpip.sys 958464 bytes (Microsoft Corporation, TCP/IP Driver)
0x806DA000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0x9F605000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x9EE04000 C:\Windows\system32\drivers\spsys.sys 720896 bytes (Microsoft Corporation, security processor)
0x8DC50000 C:\Windows\System32\drivers\dxgkrnl.sys 651264 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8DCFB000 C:\Windows\system32\DRIVERS\HDAudBus.sys 577536 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x86001000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x85E0B000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x80610000 C:\Windows\system32\mcupdate_GenuineIntel.dll 458752 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x9EF0B000 C:\Windows\system32\drivers\HTTP.sys 446464 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x9F73D000 C:\Windows\System32\DRIVERS\srv.sys 319488 bytes (Microsoft Corporation, Server driver)
0x9BE90000 C:\Windows\System32\ATMFD.DLL 311296 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x85F33000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8636F000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x85E8A000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x80699000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x8EF42000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x8EE35000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x95401000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x861A8000 C:\Windows\system32\drivers\NETIO.SYS 241664 bytes (Microsoft Corporation, Network I/O Subsystem)
0x8651E000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x86329000 C:\Windows\system32\DRIVERS\usbhub.sys 217088 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x821CA000 ACPI_HAL 208896 bytes
0x821CA000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x807BA000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x863B7000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8EF13000 C:\Windows\system32\DRIVERS\msiscsi.sys 192512 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x85F92000 C:\Windows\system32\DRIVERS\pcmcia.sys 184320 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0x90797000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8617D000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x8EEBE000 C:\Windows\system32\DRIVERS\SynTP.sys 176128 bytes (Synaptics, Inc., Synaptics Touchpad Driver)
0x8DDBC000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x9EEC4000 C:\Windows\system32\DRIVERS\nwifi.sys 172032 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x95483000 C:\Windows\System32\Drivers\fastfat.SYS 163840 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x8656E000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x85EE1000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x954FF000 C:\Windows\system32\DRIVERS\PSINAflt.sys 159744 bytes (Panda Security, S.L., PSINAflt Filter Driver for Vista32)
0x9F716000 C:\Windows\System32\DRIVERS\srv2.sys 159744 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x907C4000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x8EFB0000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9543D000 C:\Windows\system32\DRIVERS\psinknc.sys 139264 bytes (Panda Security, S.L., PSINKNC Kernel Controller for Vista32)
0x865A6000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x90F5E000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x85FD7000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x95560000 C:\Windows\system32\DRIVERS\PSINProc.sys 122880 bytes (Panda Security, S.L., PSINProc Filter Driver for Vista32)
0x95526000 C:\Windows\system32\DRIVERS\PSINProt.sys 122880 bytes (Panda Security, S.L., PSINProt for Vista32)
0x9F6ED000 C:\Windows\System32\DRIVERS\srvnet.sys 118784 bytes (Microsoft Corporation, Server Network driver)
0x95544000 C:\Windows\system32\DRIVERS\PSINFile.sys 114688 bytes (Panda Security, S.L., PSINFile Filter Driver for Vista32)
0x862F6000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x954E4000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x8EE82000 C:\Windows\system32\DRIVERS\sdbus.sys 106496 bytes (Microsoft Corporation, SecureDigital Bus Driver)
0x9557E000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x8EEF6000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9546C000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x8EF8E000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x9F78B000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x90FDB000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x90FB1000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x9EF78000 C:\Windows\System32\drivers\mpsdrv.sys 86016 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8DD97000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8EFE2000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x90FC7000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x8EEA0000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x9EEF8000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x907E9000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x86595000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x9EF8D000 C:\Acer\Empowering Technology\eRecovery\int15.sys 69632 bytes
0x8635E000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80680000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x807EC000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x9EEB4000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x85FBF000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x8DDAC000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x86311000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x954D5000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x8655F000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x85F08000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x8EFD3000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x8DD88000 C:\Windows\system32\DRIVERS\Rtlh86.sys 61440 bytes (Realtek Corporation, Realtek 8101/8168/8169 NDIS6 32-bit Driver)
0x8EE73000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x85F24000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x9BE80000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x90FF1000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x90F9A000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x85F84000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x85E7C000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x954AB000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x90F1E000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x8DDF0000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x9F70A000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x90F52000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8DCEF000 C:\Windows\System32\drivers\watchdog.sys 49152 bytes (Microsoft Corporation, Watchdog Driver)
0x954B8000 C:\Windows\System32\Drivers\dump_dumpata.sys 45056 bytes
0x8EEB3000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x8EEEB000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x90F8F000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x8EFA5000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8EF83000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8EE2A000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x85F1A000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x954CB000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x8DDE6000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x9EEEE000 C:\Windows\system32\DRIVERS\ndisuio.sys 40960 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x9545F000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x9F6E3000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x9F7A4000 C:\Windows\system32\DRIVERS\asyncmac.sys 36864 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0x865C7000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x90F2B000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x9F7AD000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x90FA8000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x9BE60000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x86400000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x86320000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x85ED0000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x85FCF000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x80691000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x954C3000 C:\Windows\System32\Drivers\dump_atapi.sys 32768 bytes
0x85ED9000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x90F7F000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x90F87000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x86557000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x90F3B000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x90F4B000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x85F7D000 C:\Windows\system32\drivers\intelide.sys 28672 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0x80609000 C:\Windows\system32\kdcom.dll 28672 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x90F34000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x8EE9C000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x85F17000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x8EF10000 C:\Windows\SYSTEM32\DRIVERS\GEARAspiWDM.sys 12288 bytes (GEAR Software Inc., CD DVD Filter)
0x95469000 C:\Windows\System32\Drivers\Hotkey.SYS 12288 bytes
0x8EF0E000 C:\Windows\system32\DRIVERS\NTIDrvr.sys 8192 bytes (NewTech Infosystems, Inc., NTI CD-ROM Filter Driver)
0x8EFF6000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x8EEE9000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
0x69920000 Hidden Image-->System.Runtime.Serialization.ni.dll [ EPROCESS 0x847196D8 ] PID: 6188, 1196032 bytes
0x71460000 Hidden Image-->System.ServiceModel.Web.ni.dll [ EPROCESS 0x847196D8 ] PID: 6188, 143360 bytes
0x69A50000 Hidden Image-->System.Core.ni.dll [ EPROCESS 0x847196D8 ] PID: 6188, 2375680 bytes
0x6F940000 Hidden Image-->System.Windows.Browser.ni.dll [ EPROCESS 0x847196D8 ] PID: 6188, 380928 bytes
0x6C870000 Hidden Image-->System.Windows.ni.dll [ EPROCESS 0x847196D8 ] PID: 6188, 4476928 bytes
0x69CA0000 Hidden Image-->mscorlib.ni.dll [ EPROCESS 0x847196D8 ] PID: 6188, 6197248 bytes
0x6C7C0000 Hidden Image-->System.Net.ni.dll [ EPROCESS 0x847196D8 ] PID: 6188, 659456 bytes
0x6CE10000 Hidden Image-->System.ni.dll [ EPROCESS 0x847196D8 ] PID: 6188, 671744 bytes
0x6B4C0000 Hidden Image-->System.Xml.ni.dll [ EPROCESS 0x847196D8 ] PID: 6188, 847872 bytes

#7 etavares (Bleepin' Remover, Malware Response Team, 15,514 posts)

Posted 14 October 2010 - 05:28 PM

Hello, rud.


Step 1

Next, please download ComboFix from one of these locations:

IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Posted Image
Unified Network of Instructors and Trusted Eliminators
 


#8 rud

rud
  • Topic Starter

  • Members
  • 15 posts

Posted 14 October 2010 - 06:18 PM

Thanks Etavares. I have attached the log below.

ComboFix 10-10-12.03 - rud 10/14/2010 18:45:29.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1021.551 [GMT -4:00]
Running from: c:\users\rud\Downloads\ComboFix.exe
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-09-14 to 2010-10-14 )))))))))))))))))))))))))))))))
.

2010-10-14 22:54 . 2010-10-14 22:54 -------- d-----w- c:\users\rud\AppData\Local\temp
2010-10-14 22:54 . 2010-10-14 22:54 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-10-14 22:54 . 2010-10-14 22:54 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-12 23:47 . 2010-10-12 23:48 -------- d-----w- c:\windows\system32\ca-ES
2010-10-12 23:47 . 2010-10-12 23:48 -------- d-----w- c:\windows\system32\eu-ES
2010-10-12 23:47 . 2010-10-12 23:48 -------- d-----w- c:\windows\system32\vi-VN
2010-10-12 23:02 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{826ECE2B-B890-4E03-9B74-728FC42B8A08}\mpengine.dll
2010-10-11 21:14 . 2010-10-11 21:14 -------- d-----w- c:\programdata\Ezprint
2010-10-11 21:14 . 2010-10-12 19:18 -------- d-----w- c:\programdata\Lx_cats
2010-10-11 21:09 . 2009-11-04 13:14 157696 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxeadrpp.dll
2010-10-11 21:04 . 2008-03-05 02:55 40960 ----a-w- c:\windows\system32\lxeavs.dll
2010-10-11 21:04 . 2009-12-16 16:12 438272 ----a-w- c:\windows\system32\lxeacoin.dll
2010-10-11 21:03 . 2008-04-30 06:32 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2010-10-11 21:03 . 2009-11-09 07:59 86016 ----a-w- c:\windows\system32\lxeagcfg.dll
2010-10-11 21:03 . 2009-10-21 10:06 110592 ----a-w- c:\windows\system32\lxeacuir.dll
2010-10-11 21:03 . 2009-10-21 10:06 294912 ----a-w- c:\windows\system32\lxeacui.dll
2010-10-11 21:00 . 2010-10-11 21:01 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2010-10-11 21:00 . 2010-01-07 21:08 213672 ----a-w- c:\windows\system32\LXEAwupd.exe
2010-10-11 21:00 . 2009-04-23 13:35 372736 ----a-w- c:\windows\system32\LXEAwupd.dll
2010-10-11 21:00 . 2010-10-11 21:03 -------- d-----w- c:\program files\Lexmark
2010-10-11 20:56 . 2010-10-11 21:11 -------- d-----w- c:\program files\Lexmark S300-S400 Series
2010-10-11 20:56 . 2009-02-20 08:48 23552 ----a-w- c:\windows\system32\LXEAsmr.dll
2010-10-11 20:56 . 2009-02-20 08:48 299008 ----a-w- c:\windows\system32\LXEAsm.dll
2010-10-05 21:32 . 2010-10-06 22:39 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-05 21:31 . 2010-10-05 21:31 -------- d-----w- c:\programdata\Hitman Pro
2010-10-05 21:31 . 2010-10-05 21:31 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-05 15:58 . 2010-10-05 15:58 -------- d-----w- c:\program files\Trend Micro
2010-10-04 20:58 . 2010-10-04 20:58 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-10-04 20:40 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-10-04 20:40 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-10-04 20:40 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-10-04 20:40 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-10-04 20:39 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-10-04 20:29 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-10-04 20:28 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-10-04 20:25 . 2010-08-26 04:23 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-10-04 20:23 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-10-04 20:23 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-10-02 20:00 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-02 20:00 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-02 20:00 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-02 20:00 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-10-02 20:00 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-02 20:00 . 2010-10-02 20:01 -------- d-----w- c:\users\rud\AppData\Roaming\Simply Super Software
2010-10-02 20:00 . 2010-10-02 20:00 -------- d-----w- c:\programdata\Simply Super Software
2010-10-01 03:38 . 2010-10-01 03:38 -------- d-----w- c:\users\rud\AppData\Roaming\Malwarebytes
2010-10-01 03:38 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-01 03:37 . 2010-10-01 03:37 -------- d-----w- c:\programdata\Malwarebytes
2010-10-01 03:37 . 2010-10-01 03:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-01 03:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-30 23:11 . 2010-09-30 23:11 0 ----a-w- c:\users\rud\AppData\Local\Akimikere.bin
2010-09-30 18:40 . 2010-10-01 03:05 -------- d-----w- c:\users\rud\AppData\Roaming\Dropbox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2006-08-29 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2006-11-09 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2010-05-05 770728]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2010-05-05 148280]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo 1400 Series]
2006-10-11 08:01 143360 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIBUA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
2005-07-25 21:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-01-10 19:34 200704 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-02-27 19:26 7770112 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-02-27 19:26 81920 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-02-27 19:26 90191 ----a-w- c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2006-11-09 18:57 3784704 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2004-11-22 15:18 307200 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 20:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 18:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R1 mailKmd;mailKmd; [x]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [2010-01-07 98984]
R4 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe [2005-03-16 126976]
R4 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2006-11-18 118784]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2010-05-04 125960]
S2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2005-02-23 53248]
S2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe [2010-01-07 598696]
S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2010-04-30 136448]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2010-05-27 141384]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2010-04-30 99336]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2010-04-30 111112]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys [2010-05-12 111176]


--- Other Services/Drivers In Memory ---

*Deregistered* - Normandy

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\rud\AppData\Roaming\Mozilla\Firefox\Profiles\7xj79rcd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3751904282-2370917482-3426445026-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{278529DE-4E13-6A3B-6E0F-60AB7982E919}*]
@Allowed: (Read) (RestrictedCode)
"jakiiehemeieeiplggno"=hex:62,61,6f,62,00,00
"jakiiehemeieeiplggjn"=hex:62,61,6a,64,00,00
"iakhmghadhkllinbkl"=hex:6b,61,62,63,64,62,6a,6b,61,70,6e,6f,6a,61,6a,65,65,61,
6a,63,6f,6d,00,03

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(8028)
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
.
Completion time: 2010-10-14 18:57:00
ComboFix-quarantined-files.txt 2010-10-14 22:56
ComboFix2.txt 2010-10-08 15:08
ComboFix3.txt 2010-10-06 22:26

Pre-Run: 24,363,044,864 bytes free
Post-Run: 24,255,455,232 bytes free

- - End Of File - - CDE9B6D1C3BB1CE026981A29788D920D


#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 15 October 2010 - 06:43 PM

Hello, rud.


Step 1

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
c:\users\rud\AppData\Local\Akimikere.bin
c:\windows\system32\mailkmd.sys
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
Driver::
mailkmd
RegNull::
[HKEY_USERS\S-1-5-21-3751904282-2370917482-3426445026-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{278529DE-4E13-6A3B-6E0F-60AB7982E919}*]
RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

etavares




#10 rud

rud
  • Topic Starter

  • Members
  • 15 posts

Posted 17 October 2010 - 06:30 PM

Thank you again. I have done as you instructed and pasted log below.

ComboFix 10-10-17.01 - rud 10/17/2010 19:06:42.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1021.421 [GMT -4:00]
Running from: c:\users\rud\Desktop\123.com.exe
Command switches used :: c:\users\rud\Desktop\CFScript.txt
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: BitDefender Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\rud\AppData\Local\Akimikere.bin"
"c:\windows\system32\mailkmd.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\rud\AppData\Local\Akimikere.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_mailKmd


((((((((((((((((((((((((( Files Created from 2010-09-17 to 2010-10-17 )))))))))))))))))))))))))))))))
.

2010-10-17 23:16 . 2010-10-17 23:20 -------- d-----w- c:\users\rud\AppData\Local\temp
2010-10-17 23:16 . 2010-10-17 23:16 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-10-17 23:16 . 2010-10-17 23:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-10-15 05:42 . 2010-09-09 22:52 6084944 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{4E0CCC5D-A1B8-4172-B0F4-29D56A7FCA29}\mpengine.dll
2010-10-14 22:43 . 2010-10-17 23:03 -------- d-----w- C:\ComboFix
2010-10-12 23:47 . 2010-10-12 23:48 -------- d-----w- c:\windows\system32\ca-ES
2010-10-12 23:47 . 2010-10-12 23:48 -------- d-----w- c:\windows\system32\eu-ES
2010-10-12 23:47 . 2010-10-12 23:48 -------- d-----w- c:\windows\system32\vi-VN
2010-10-11 21:14 . 2010-10-11 21:14 -------- d-----w- c:\programdata\Ezprint
2010-10-11 21:14 . 2010-10-12 19:18 -------- d-----w- c:\programdata\Lx_cats
2010-10-11 21:09 . 2009-11-04 13:14 157696 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lxeadrpp.dll
2010-10-11 21:04 . 2008-03-05 02:55 40960 ----a-w- c:\windows\system32\lxeavs.dll
2010-10-11 21:04 . 2009-12-16 16:12 438272 ----a-w- c:\windows\system32\lxeacoin.dll
2010-10-11 21:03 . 2008-04-30 06:32 983121 ----a-w- c:\windows\system32\lxk_gf.dll
2010-10-11 21:03 . 2009-11-09 07:59 86016 ----a-w- c:\windows\system32\lxeagcfg.dll
2010-10-11 21:03 . 2009-10-21 10:06 110592 ----a-w- c:\windows\system32\lxeacuir.dll
2010-10-11 21:03 . 2009-10-21 10:06 294912 ----a-w- c:\windows\system32\lxeacui.dll
2010-10-11 21:00 . 2010-10-11 21:01 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2010-10-11 21:00 . 2010-01-07 21:08 213672 ----a-w- c:\windows\system32\LXEAwupd.exe
2010-10-11 21:00 . 2009-04-23 13:35 372736 ----a-w- c:\windows\system32\LXEAwupd.dll
2010-10-11 21:00 . 2010-10-11 21:03 -------- d-----w- c:\program files\Lexmark
2010-10-11 20:56 . 2010-10-11 21:11 -------- d-----w- c:\program files\Lexmark S300-S400 Series
2010-10-11 20:56 . 2009-02-20 08:48 23552 ----a-w- c:\windows\system32\LXEAsmr.dll
2010-10-11 20:56 . 2009-02-20 08:48 299008 ----a-w- c:\windows\system32\LXEAsm.dll
2010-10-05 21:32 . 2010-10-06 22:39 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-10-05 21:31 . 2010-10-05 21:31 -------- d-----w- c:\programdata\Hitman Pro
2010-10-05 21:31 . 2010-10-05 21:31 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-10-05 15:58 . 2010-10-05 15:58 -------- d-----w- c:\program files\Trend Micro
2010-10-04 20:58 . 2010-10-04 20:58 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-10-04 20:40 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-10-04 20:40 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-10-04 20:40 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-10-04 20:40 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-10-04 20:39 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-10-04 20:29 . 2010-04-05 17:01 67072 ----a-w- c:\windows\system32\asycfilt.dll
2010-10-04 20:28 . 2010-04-16 16:46 502272 ----a-w- c:\windows\system32\usp10.dll
2010-10-04 20:25 . 2010-08-26 04:23 13312 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-10-04 20:23 . 2010-06-16 16:04 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-10-04 20:23 . 2010-05-27 20:08 739328 ----a-w- c:\windows\system32\inetcomm.dll
2010-10-02 20:00 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-10-02 20:00 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-10-02 20:00 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-10-02 20:00 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2010-10-02 20:00 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-10-02 20:00 . 2010-10-02 20:01 -------- d-----w- c:\users\rud\AppData\Roaming\Simply Super Software
2010-10-02 20:00 . 2010-10-02 20:00 -------- d-----w- c:\programdata\Simply Super Software
2010-10-01 03:38 . 2010-10-01 03:38 -------- d-----w- c:\users\rud\AppData\Roaming\Malwarebytes
2010-10-01 03:38 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-01 03:37 . 2010-10-01 03:37 -------- d-----w- c:\programdata\Malwarebytes
2010-10-01 03:37 . 2010-10-01 03:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-01 03:37 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-30 18:40 . 2010-10-01 03:05 -------- d-----w- c:\users\rud\AppData\Roaming\Dropbox

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Malware Icon]
@="{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}"
[HKEY_CLASSES_ROOT\CLSID\{F5D1CF73-C196-48F8-AAAC-B9181E22B4E6}]
2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Panda Suspect Icon]
@="{9AE343CB-BA45-4618-AF6A-0230EE6FC793}"
[HKEY_CLASSES_ROOT\CLSID\{9AE343CB-BA45-4618-AF6A-0230EE6FC793}]
2010-05-14 19:04 320832 ----a-w- c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2006-08-29 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2006-11-09 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"PSUNMain"="c:\program files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" [2010-05-14 406848]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
"lxeamon.exe"="c:\program files\Lexmark S300-S400 Series\lxeamon.exe" [2010-05-05 770728]
"EzPrint"="c:\program files\Lexmark S300-S400 Series\ezprint.exe" [2010-05-05 148280]
"RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
2007-02-02 19:24 3383296 ----a-w- c:\program files\Acer Registration\ACE1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo 1400 Series]
2006-10-11 08:01 143360 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIBUA.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchAp]
2005-07-25 21:36 32768 ----a-w- c:\program files\Launch Manager\LaunchAp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2007-01-10 19:34 200704 ----a-w- c:\program files\Launch Manager\HotkeyApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-02-27 19:26 7770112 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-02-27 19:26 81920 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-02-27 19:26 90191 ----a-w- c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2006-11-09 18:57 3784704 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2004-11-22 15:18 307200 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2007-05-31 20:21 648072 ----a-w- c:\windows\WindowsMobile\wmdcBase.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
2010-01-07 18:38 158448 ----a-w- c:\program files\Zune\ZuneLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [2010-01-07 98984]
R4 CA_LIC_CLNT;CA License Client;c:\program files\CA\SharedComponents\CA_LIC\\lic98rmt.exe [2005-03-16 126976]
R4 WisLMSvc;WisLMSvc;c:\program files\Launch Manager\WisLMSvc.exe [2006-11-18 118784]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2010-05-04 125960]
S2 LogWatch;Event Log Watch;c:\program files\CA\SharedComponents\CA_LIC\LogWatNT.exe [2005-02-23 53248]
S2 lxea_device;lxea_device;c:\windows\system32\lxeacoms.exe [2010-01-07 598696]
S2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\Panda Security\Panda Cloud Antivirus\PSANHost.exe [2010-04-30 136448]
S2 PSINAflt;PSINAflt;c:\windows\system32\DRIVERS\PSINAflt.sys [2010-05-27 141384]
S2 PSINFile;PSINFile;c:\windows\system32\DRIVERS\PSINFile.sys [2010-04-30 99336]
S2 PSINProc;PSINProc;c:\windows\system32\DRIVERS\PSINProc.sys [2010-04-30 111112]
S2 PSINProt;PSINProt;c:\windows\system32\DRIVERS\PSINProt.sys [2010-05-12 111176]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\rud\AppData\Roaming\Mozilla\Firefox\Profiles\7xj79rcd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(892)
c:\program files\Panda Security\Panda Cloud Antivirus\PSUNShell.DLL
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCGP.dll
c:\program files\Panda Security\Panda Cloud Antivirus\PSNCIPC.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\agrsmsvc.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-10-17 19:25:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-17 23:25
ComboFix2.txt 2010-10-14 22:57
ComboFix3.txt 2010-10-08 15:08
ComboFix4.txt 2010-10-06 22:26

Pre-Run: 23,277,199,360 bytes free
Post-Run: 22,646,505,472 bytes free

- - End Of File - - F033ED8F36DC58305A67B907123D91AF

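The two ComboFix logs above (post #8 before the CFScript, post #10 after it) contain the indicators etavares targeted: a driver service (mailKmd) whose file ComboFix could not find, and Security Center values that silence antivirus/firewall monitoring. The script below is an added example, not part of the original thread or of ComboFix: it parses constructed excerpts of those two logs, flags the indicators, and then reports which ones the remediation actually cleared. It assumes ComboFix's `[x]` after a service entry means the service's image file is missing (that is how the mailKmd line reads here), and the excerpts are hand-copied from the posted logs, not full log files.

```python
import re

# Constructed excerpts of the two ComboFix logs posted in this thread: the
# "Reg Loading Points" Security Center values and the service/driver list,
# before and after the CFScript run. Only lines relevant to the check are kept.
BEFORE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R1 mailKmd;mailKmd; [x]
R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [2010-01-07 98984]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2010-05-04 125960]
"""

AFTER_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

R2 lxeaCATSCustConnectService;lxeaCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxeaserv.exe [2010-01-07 98984]
S1 PSINKNC;PSINKNC;c:\windows\system32\DRIVERS\psinknc.sys [2010-05-04 125960]
"""

# Service line: "<start type> <name>;<display name>;<path> [date size]" or "... [x]"
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Registry path prefix (lower-cased) whose values malware flips to mute Security Center.
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"


def parse_combofix(text):
    """Return (services, reg) from a ComboFix log excerpt.

    services: list of dicts {start, name, path, missing}
    reg:      dict mapping (lower-cased key, value name) -> int for dword values
    """
    services, reg, current_key = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            reg[(current_key, m.group(1))] = int(m.group(2), 16)
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, _display, rest = m.groups()
            rest = rest.strip()
            missing = rest == "[x]"  # assumption: [x] = image file not found
            services.append({"start": start, "name": name,
                             "path": None if missing else rest.split(" [")[0],
                             "missing": missing})
    return services, reg


def find_indicators(text):
    """Human-readable list of tampering indicators found in one log excerpt."""
    services, reg = parse_combofix(text)
    findings = []
    for svc in services:
        if svc["missing"]:
            findings.append(f"service {svc['name']} ({svc['start']}) registered but its file is missing")
    for (key, name), value in sorted(reg.items()):
        if key.startswith(SECURITY_CENTER) and name in ("AntiVirusOverride", "DisableMonitoring") and value == 1:
            findings.append(f"{name}=1 under {key}")
    return findings


def remediation_residue(before, after):
    """Compare indicator sets: (still present after the fix, cleared by the fix)."""
    b, a = set(find_indicators(before)), set(find_indicators(after))
    return sorted(a & b), sorted(b - a)


if __name__ == "__main__":
    for f in find_indicators(BEFORE_LOG):
        print("before:", f)
    still, removed = remediation_residue(BEFORE_LOG, AFTER_LOG)
    for f in removed:
        print("cleared:", f)
    for f in still:
        print("STILL PRESENT:", f)
```

Run against these excerpts, the comparison confirms the CFScript removed the orphaned mailKmd service and reset the two DisableMonitoring values it named, but it also shows that `AntiVirusOverride` under `security center\Svc` still reads 1 in the post-run log (and the Symantec monitoring entries were never in the script), which is exactly the kind of residue worth re-checking before declaring a machine clean. The locked key with random-looking value names under `Shell Extensions\Approved` is outside this parser's scope.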

#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 18 October 2010 - 05:32 PM

Are you still getting redirected? If so, with IE, FF or both?




#12 rud

rud
  • Topic Starter

  • Members
  • 15 posts

Posted 18 October 2010 - 05:39 PM

No more redirects. Thanks for the help. ComboFix log looks good?

#13 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 19 October 2010 - 05:04 PM

Hello, rud.
Looks better. Let's close a security hole and get a second opinion.

Thanks!



Step 1

You are using an outdated version of Adobe Reader. Adobe Reader has since been updated, and the update closes many security holes and provides new features.

First, uninstall earlier versions of Adobe Reader.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all versions of Adobe Reader.
  • Check (highlight) any item with Adobe Reader in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Adobe Reader version.

Please download the latest version from:
http://get.adobe.com/reader/

And install it. Once installed, launch it, select Help --> Check for Updates and install any updates.


You may also try the free Foxit PDF reader if you prefer:
http://www.foxitsoftware.com/pdf/reader/



Step 2

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 3

Please go to the Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Note: Kaspersky online scan may take time to complete, please be patient.



Step 4

Please post a fresh OTL Quick Scan in your reply.

etavares


 


#14 rud

  • Topic Starter

  • Members
  • 15 posts

Posted 19 October 2010 - 11:48 PM

Swapped out Adobe Reader for Foxit. Kaspersky online scan came up empty. Attached the MBAM and OTL logs below. Hope things are looking clean. Thanks again for the help.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4734

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18943

10/19/2010 6:37:00 PM
mbam-log-2010-10-19 (18-37-00).txt

Scan type: Quick scan
Objects scanned: 150111
Time elapsed: 7 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



OTL REPORTS ---------

OTL logfile created on: 10/20/2010 12:34:23 AM - Run 1
OTL by OldTimer - Version 3.2.16.0 Folder = C:\Users\rud\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,021.00 Mb Total Physical Memory | 347.00 Mb Available Physical Memory | 34.00% Memory free
3.00 Gb Paging File | 1.00 Gb Available in Paging File | 40.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.64 Gb Total Space | 20.39 Gb Free Space | 29.28% Space Free | Partition Type: NTFS
Drive D: | 69.64 Gb Total Space | 69.02 Gb Free Space | 99.11% Space Free | Partition Type: NTFS

Computer Name: RUD-PC | User Name: rud | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days

========== Processes (SafeList) ==========

PRC - [2010/10/20 00:33:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\rud\Downloads\OTL.exe
PRC - [2010/10/19 18:44:04 | 000,139,264 | ---- | M] (Kaspersky Lab.) -- C:\Users\rud\AppData\Local\temp\jkos-rud\binaries\ScanningProcess.exe
PRC - [2010/10/19 18:41:46 | 000,023,328 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jp2launcher.exe
PRC - [2010/10/19 18:41:45 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\java.exe
PRC - [2010/09/16 18:42:55 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/05/14 12:59:44 | 000,455,944 | ---- | M] () -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
PRC - [2010/04/30 13:47:30 | 000,136,448 | ---- | M] (Panda Security, S.L.) -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
PRC - [2010/01/07 17:08:22 | 000,598,696 | ---- | M] ( ) -- C:\Windows\System32\lxeacoms.exe
PRC - [2009/04/11 02:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/19 03:38:38 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2006/10/05 17:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2005/02/23 15:56:14 | 000,053,248 | ---- | M] (Computer Associates) -- C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe


========== Modules (SafeList) ==========

MOD - [2010/10/20 00:33:40 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Users\rud\Downloads\OTL.exe
MOD - [2009/04/11 02:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/19 03:33:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)
SRV - File not found [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
SRV - [2010/05/14 12:59:44 | 000,455,944 | ---- | M] () [Auto | Running] -- C:\Program Files\Flip Video\FlipShare\FlipShareService.exe -- (FlipShare Service)
SRV - [2010/04/30 13:47:30 | 000,136,448 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe -- (NanoServiceMain)
SRV - [2010/01/07 17:08:22 | 000,598,696 | ---- | M] ( ) [Auto | Running] -- C:\Windows\System32\lxeacoms.exe -- (lxea_device)
SRV - [2010/01/07 17:08:16 | 000,098,984 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\spool\DRIVERS\W32X86\3\\lxeaserv.exe -- (lxeaCATSCustConnectService)
SRV - [2010/01/07 14:38:18 | 000,447,216 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ZuneWlanCfgSvc.exe -- (ZuneWlanCfgSvc)
SRV - [2010/01/07 14:38:08 | 005,950,704 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Zune\ZuneNss.exe -- (ZuneNetworkSvc)
SRV - [2008/01/19 03:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/05/31 16:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 16:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2007/01/31 22:18:42 | 000,053,248 | ---- | M] (Acer Inc.) [Disabled | Stopped] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService)
SRV - [2006/11/18 00:45:26 | 000,118,784 | ---- | M] (Wistron Corp.) [Disabled | Stopped] -- C:\Program Files\Launch Manager\WisLMSvc.exe -- (WisLMSvc)
SRV - [2006/10/05 17:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2005/03/16 13:35:38 | 000,126,976 | ---- | M] (Computer Associates International Inc.) [Disabled | Stopped] -- C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe -- (CA_LIC_CLNT)
SRV - [2005/02/23 15:56:14 | 000,053,248 | ---- | M] (Computer Associates) [Auto | Running] -- C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe -- (LogWatch)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\rud\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)
DRV - [2010/05/27 18:39:34 | 000,141,384 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PSINAflt.sys -- (PSINAflt)
DRV - [2010/05/12 10:57:46 | 000,111,176 | ---- | M] (Panda Security, S.L.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\PSINProt.sys -- (PSINProt)
DRV - [2010/05/04 08:36:06 | 000,125,960 | ---- | M] (Panda Security, S.L.) [Kernel | System | Running] -- C:\Windows\System32\drivers\PSINKNC.sys -- (PSINKNC)
DRV - [2010/04/30 13:46:12 | 000,111,112 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\PSINProc.sys -- (PSINProc)
DRV - [2010/04/30 13:46:10 | 000,099,336 | ---- | M] (Panda Security, S.L.) [File_System | Auto | Running] -- C:\Windows\System32\drivers\PSINFile.sys -- (PSINFile)
DRV - [2009/04/11 00:42:52 | 000,031,616 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (winusb)
DRV - [2007/03/26 20:36:25 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2007/03/09 17:56:04 | 001,163,616 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2007/02/27 15:26:00 | 004,465,184 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/02/25 09:14:00 | 002,216,448 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw4v32.sys -- (NETw4v32) Intel®
DRV - [2006/12/07 22:12:02 | 000,076,584 | ---- | M] () [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15)
DRV - [2006/11/08 23:09:24 | 001,647,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/11/02 05:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 05:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 05:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 05:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 05:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 05:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 05:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 05:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 05:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 05:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 05:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 05:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 05:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 05:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 05:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 05:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 05:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 05:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 05:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 05:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 05:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 05:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 05:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 05:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 05:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 05:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 05:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 05:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 05:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 05:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 05:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 05:49:30 | 000,017,512 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2006/11/02 05:49:28 | 000,016,488 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2006/11/02 05:49:20 | 000,014,952 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2006/11/02 04:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 04:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 04:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 04:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 04:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 04:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 03:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 03:30:56 | 000,044,544 | ---- | M] (Realtek Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2006/11/02 03:30:54 | 001,781,760 | ---- | M] (Intel® Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2006/11/02 03:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/11/02 03:30:52 | 000,467,456 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2006/10/23 15:17:32 | 000,179,896 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)
DRV - [2006/10/18 22:10:57 | 001,380,864 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\igdkmd32.sys -- (ialm)
DRV - [2006/07/06 17:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2003/04/28 15:27:06 | 000,009,867 | ---- | M] () [Kernel | System | Running] -- C:\Windows\System32\drivers\HOTKEY.sys -- (Hotkey)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.bing.com [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Yahoo! Search
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: {d40f5e7b-d2cf-4856-b441-cc613eeffbe3}:1.48.3
FF - prefs.js..extensions.enabledItems: {b41cb5f0-2e52-11de-8c30-0800200c9a66}:2.1
FF - prefs.js..extensions.enabledItems: info@djzig.com:1.2.0
FF - prefs.js..network.proxy.no_proxies_on: "*.local"

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/09/16 18:42:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/10/19 18:42:13 | 000,000,000 | ---D | M]

[2010/07/31 13:51:47 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Mozilla\Extensions
[2010/07/31 13:51:47 | 000,000,000 | ---D | M] (No name found) -- C:\Users\rud\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/10/17 19:38:44 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Mozilla\Firefox\Profiles\7xj79rcd.default\extensions
[2010/03/17 10:50:15 | 000,000,000 | ---D | M] (Black Stratini) -- C:\Users\rud\AppData\Roaming\Mozilla\Firefox\Profiles\7xj79rcd.default\extensions\{b41cb5f0-2e52-11de-8c30-0800200c9a66}
[2010/08/18 13:18:17 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\rud\AppData\Roaming\Mozilla\Firefox\Profiles\7xj79rcd.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/10/04 15:23:48 | 000,000,000 | ---D | M] (No name found) -- C:\Users\rud\AppData\Roaming\Mozilla\Firefox\Profiles\7xj79rcd.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
[2010/10/09 19:39:02 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Mozilla\Firefox\Profiles\7xj79rcd.default\extensions\info@djzig.com
[2010/10/19 18:42:43 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/10/19 18:42:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/10/19 18:41:48 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/10/19 18:25:25 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010/10/17 19:19:38 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No CLSID value found.
O2 - BHO: (Lexmark Printable Web) - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll ()
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
O4 - HKLM..\Run: [EzPrint] C:\Program Files\Lexmark S300-S400 Series\ezprint.exe ()
O4 - HKLM..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe ()
O4 - HKLM..\Run: [lxeamon.exe] C:\Program Files\Lexmark S300-S400 Series\lxeamon.exe ()
O4 - HKLM..\Run: [PSUNMain] C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe (Panda Security, S.L.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Wbutton] C:\Program Files\Launch Manager\Wbutton.exe ()
O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdcBase.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Zune Launcher] C:\Program Files\Zune\ZuneLauncher.exe (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Security present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\ZOOM present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} http://zone.msn.com/bingame/zpagames/zpa_txhe.cab79352.cab (MSN Games – Texas Holdem Poker)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.251.129 167.206.251.130
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\rud\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\rud\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/20 15:53:02 | 000,000,074 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/10/19 18:43:05 | 000,000,000 | ---D | C] -- C:\ProgramData\Sun
[2010/10/19 18:43:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/10/19 18:41:35 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2010/10/19 18:26:53 | 000,000,000 | ---D | C] -- C:\Users\rud\AppData\Roaming\Foxit Software
[2010/10/19 18:26:31 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010/10/17 19:25:53 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2010/10/17 19:25:53 | 000,000,000 | ---D | C] -- C:\Users\rud\AppData\Local\temp
[2010/10/17 19:19:43 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2010/10/17 19:04:01 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2010/10/14 18:43:43 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/10/12 19:47:43 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2010/10/12 19:47:43 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2010/10/12 19:47:43 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2010/10/11 17:14:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Ezprint
[2010/10/11 17:14:28 | 000,000,000 | ---D | C] -- C:\ProgramData\Lx_cats
[2010/10/11 17:04:03 | 000,438,272 | ---- | C] ( ) -- C:\Windows\System32\lxeacoin.dll
[2010/10/11 17:00:51 | 000,000,000 | ---D | C] -- C:\Program Files\Abbyy FineReader 6.0 Sprint
[2010/10/11 17:00:05 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark
[2010/10/11 16:59:39 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark Toolbar
[2010/10/11 16:59:29 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark Printable Web
[2010/10/11 16:59:08 | 001,048,576 | ---- | C] ( ) -- C:\Windows\System32\lxeaserv.dll
[2010/10/11 16:59:08 | 000,847,872 | ---- | C] ( ) -- C:\Windows\System32\lxeausb1.dll
[2010/10/11 16:59:08 | 000,364,544 | ---- | C] ( ) -- C:\Windows\System32\lxeainpa.dll
[2010/10/11 16:59:08 | 000,356,352 | ---- | C] ( ) -- C:\Windows\System32\LXEAhcp.dll
[2010/10/11 16:59:08 | 000,344,064 | ---- | C] ( ) -- C:\Windows\System32\lxeaiesc.dll
[2010/10/11 16:59:07 | 000,643,072 | ---- | C] ( ) -- C:\Windows\System32\lxeapmui.dll
[2010/10/11 16:59:07 | 000,577,536 | ---- | C] ( ) -- C:\Windows\System32\lxealmpm.dll
[2010/10/11 16:59:06 | 000,688,128 | ---- | C] ( ) -- C:\Windows\System32\lxeahbn3.dll
[2010/10/11 16:59:06 | 000,324,264 | ---- | C] ( ) -- C:\Windows\System32\lxeaih.exe
[2010/10/11 16:59:04 | 000,802,816 | ---- | C] ( ) -- C:\Windows\System32\lxeacomc.dll
[2010/10/11 16:59:04 | 000,598,696 | ---- | C] ( ) -- C:\Windows\System32\lxeacoms.exe
[2010/10/11 16:59:04 | 000,373,416 | ---- | C] ( ) -- C:\Windows\System32\lxeacfg.exe
[2010/10/11 16:59:04 | 000,372,736 | ---- | C] ( ) -- C:\Windows\System32\lxeacomm.dll
[2010/10/11 16:56:08 | 000,000,000 | ---D | C] -- C:\Program Files\Lexmark S300-S400 Series
[2010/10/06 18:13:32 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2010/10/06 18:13:32 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2010/10/06 18:13:32 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2010/10/06 17:51:16 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/10/06 17:48:15 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/10/05 17:31:47 | 000,000,000 | ---D | C] -- C:\ProgramData\Hitman Pro
[2010/10/05 17:31:44 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/10/05 11:58:12 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/10/04 16:58:42 | 000,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2010/10/02 16:00:22 | 000,000,000 | ---D | C] -- C:\Users\rud\Documents\Simply Super Software
[2010/10/02 16:00:18 | 000,000,000 | ---D | C] -- C:\Users\rud\AppData\Roaming\Simply Super Software
[2010/10/02 16:00:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Simply Super Software
[2010/09/30 23:38:12 | 000,000,000 | ---D | C] -- C:\Users\rud\AppData\Roaming\Malwarebytes
[2010/09/30 23:38:00 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/09/30 23:37:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/09/30 23:37:58 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/09/30 23:37:58 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/30 14:42:34 | 000,000,000 | R--D | C] -- C:\Users\rud\Documents\My Dropbox
[2010/09/30 14:40:54 | 000,000,000 | ---D | C] -- C:\Users\rud\AppData\Roaming\Dropbox
[2010/09/27 21:59:25 | 000,000,000 | -HSD | C] -- C:\Users\Public\Documents\MCE Logs
[2010/08/21 19:00:29 | 000,000,000 | ---D | C] -- C:\ProgramData\NVIDIA
[2010/08/10 17:10:11 | 000,000,000 | ---D | C] -- C:\Users\rud\Desktop\mixituppets
[2010/07/31 13:51:40 | 000,000,000 | ---D | C] -- C:\Users\rud\AppData\Roaming\Thunderbird
[2010/07/31 13:51:40 | 000,000,000 | ---D | C] -- C:\Users\rud\AppData\Local\Thunderbird
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/10/19 22:52:36 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/10/19 22:52:36 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/10/19 20:30:31 | 000,002,645 | ---- | M] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Cloud Antivirus (3).lnk
[2010/10/19 20:01:49 | 000,002,793 | ---- | M] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Cloud Antivirus (4).lnk
[2010/10/19 18:26:37 | 000,001,051 | ---- | M] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk
[2010/10/19 18:26:37 | 000,001,027 | ---- | M] () -- C:\Users\Public\Desktop\Foxit Reader.lnk
[2010/10/19 14:54:31 | 002,937,779 | ---- | M] () -- C:\Users\rud\Desktop\2 - Journey to Icky-Poo.pdf
[2010/10/19 14:53:53 | 000,995,964 | ---- | M] () -- C:\Users\rud\Desktop\1 - Tony Treatment.pdf
[2010/10/19 14:50:16 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/10/18 22:44:36 | 000,002,793 | ---- | M] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Cloud Antivirus (2).lnk
[2010/10/18 22:44:21 | 000,002,793 | ---- | M] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Cloud Antivirus.lnk
[2010/10/17 19:25:20 | 000,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/10/17 19:25:20 | 000,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/10/17 19:19:38 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/10/17 19:19:05 | 1071,833,088 | -HS- | M] () -- C:\hiberfil.sys
[2010/10/15 10:46:00 | 000,071,825 | ---- | M] () -- C:\Users\rud\Desktop\Thanks for Your Order.pdf
[2010/10/12 19:53:01 | 001,725,544 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/10/12 14:53:58 | 189,139,946 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/10/11 17:11:17 | 000,197,708 | ---- | M] () -- C:\Windows\System32\LexFiles.ulf
[2010/10/06 18:39:59 | 000,016,968 | ---- | M] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/10/06 17:15:52 | 000,000,000 | ---- | M] () -- C:\Users\rud\defogger_reenable
[2010/10/06 16:34:29 | 000,050,176 | ---- | M] () -- C:\Users\rud\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/10/02 15:22:04 | 000,012,931 | ---- | M] () -- C:\Users\rud\AppData\Roaming\nvModes.001
[2010/09/30 23:38:03 | 000,000,822 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/30 22:08:53 | 000,000,120 | ---- | M] () -- C:\Users\rud\AppData\Local\Sgacite.dat
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/19 20:01:49 | 000,002,793 | ---- | C] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Cloud Antivirus (4).lnk
[2010/10/19 19:46:15 | 000,002,645 | ---- | C] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Cloud Antivirus (3).lnk
[2010/10/19 18:26:37 | 000,001,051 | ---- | C] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk
[2010/10/19 18:26:37 | 000,001,027 | ---- | C] () -- C:\Users\Public\Desktop\Foxit Reader.lnk
[2010/10/19 14:54:31 | 002,937,779 | ---- | C] () -- C:\Users\rud\Desktop\2 - Journey to Icky-Poo.pdf
[2010/10/19 14:53:52 | 000,995,964 | ---- | C] () -- C:\Users\rud\Desktop\1 - Tony Treatment.pdf
[2010/10/18 22:44:36 | 000,002,793 | ---- | C] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Cloud Antivirus (2).lnk
[2010/10/18 22:44:21 | 000,002,793 | ---- | C] () -- C:\Users\rud\Application Data\Microsoft\Internet Explorer\Quick Launch\Panda Cloud Antivirus.lnk
[2010/10/15 10:46:00 | 000,071,825 | ---- | C] () -- C:\Users\rud\Desktop\Thanks for Your Order.pdf
[2010/10/12 15:17:35 | 000,001,116 | ---- | C] () -- C:\ProgramData\lxeaJSW.log
[2010/10/11 17:14:51 | 000,000,252 | ---- | C] () -- C:\ProgramData\FastPics.log
[2010/10/11 17:04:06 | 000,040,960 | ---- | C] () -- C:\Windows\System32\lxeavs.dll
[2010/10/11 17:03:52 | 000,065,106 | ---- | C] () -- C:\Windows\System32\lxeaprpr.chm
[2010/10/11 17:03:51 | 000,086,016 | ---- | C] () -- C:\Windows\System32\lxeagcfg.dll
[2010/10/11 17:03:49 | 000,294,912 | ---- | C] () -- C:\Windows\System32\lxeacui.dll
[2010/10/11 17:03:49 | 000,110,592 | ---- | C] () -- C:\Windows\System32\lxeacuir.dll
[2010/10/11 17:03:49 | 000,008,694 | ---- | C] () -- C:\Windows\System32\lxeacommuilogo_rtl.bmp
[2010/10/11 17:03:48 | 000,008,694 | ---- | C] () -- C:\Windows\System32\lxeacommuilogo.bmp
[2010/10/11 17:03:37 | 000,001,247 | ---- | C] () -- C:\ProgramData\lxeascan.log
[2010/10/11 16:59:25 | 000,000,044 | -H-- | C] () -- C:\Windows\System32\lxearwrd.ini
[2010/10/11 16:59:09 | 000,331,776 | ---- | C] () -- C:\Windows\System32\LXEAinst.dll
[2010/10/11 16:59:09 | 000,197,708 | ---- | C] () -- C:\Windows\System32\LexFiles.ulf
[2010/10/11 16:59:06 | 000,323,584 | ---- | C] () -- C:\Windows\System32\lxeains.dll
[2010/10/11 16:59:06 | 000,262,144 | ---- | C] () -- C:\Windows\System32\lxeainsb.dll
[2010/10/11 16:59:06 | 000,106,496 | ---- | C] () -- C:\Windows\System32\lxeainsr.dll
[2010/10/11 16:59:06 | 000,057,344 | ---- | C] () -- C:\Windows\System32\lxeajswr.dll
[2010/10/11 16:59:05 | 000,253,952 | ---- | C] () -- C:\Windows\System32\lxeacu.dll
[2010/10/11 16:59:05 | 000,208,896 | ---- | C] () -- C:\Windows\System32\lxeagrd.dll
[2010/10/11 16:59:05 | 000,090,112 | ---- | C] () -- C:\Windows\System32\lxeacub.dll
[2010/10/11 16:59:05 | 000,036,864 | ---- | C] () -- C:\Windows\System32\lxeacur.dll
[2010/10/11 16:59:03 | 000,002,106 | ---- | C] () -- C:\Windows\System32\lxea.loc
[2010/10/11 16:57:01 | 000,000,000 | ---- | C] () -- C:\ProgramData\LxWbGwLog.log
[2010/10/11 16:57:01 | 000,000,000 | ---- | C] () -- C:\ProgramData\cmn_upld.log
[2010/10/11 16:56:32 | 000,000,000 | ---- | C] () -- C:\ProgramData\UpdaterLog.txt
[2010/10/11 16:56:08 | 000,023,552 | ---- | C] () -- C:\Windows\System32\LXEAsmr.dll
[2010/10/11 16:56:05 | 000,299,008 | ---- | C] () -- C:\Windows\System32\LXEAsm.dll
[2010/10/06 18:13:32 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2010/10/06 18:13:32 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2010/10/06 18:13:32 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2010/10/06 18:13:32 | 000,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2010/10/06 18:13:32 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2010/10/06 17:15:52 | 000,000,000 | ---- | C] () -- C:\Users\rud\defogger_reenable
[2010/10/05 17:32:01 | 000,016,968 | ---- | C] () -- C:\Windows\System32\drivers\hitmanpro35.sys
[2010/10/05 13:06:29 | 1071,833,088 | -HS- | C] () -- C:\hiberfil.sys
[2010/10/05 13:02:07 | 189,139,946 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/10/02 16:00:20 | 000,162,304 | ---- | C] () -- C:\Windows\System32\ztvunrar36.dll
[2010/10/02 16:00:20 | 000,153,088 | ---- | C] () -- C:\Windows\System32\unrar3.dll
[2010/10/02 16:00:20 | 000,077,312 | ---- | C] () -- C:\Windows\System32\ztvunace26.dll
[2010/10/02 16:00:20 | 000,075,264 | ---- | C] () -- C:\Windows\System32\unacev2.dll
[2010/09/30 23:38:03 | 000,000,822 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/30 19:11:10 | 000,000,120 | ---- | C] () -- C:\Users\rud\AppData\Local\Sgacite.dat
[2009/09/18 06:53:32 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/16 20:25:37 | 000,000,168 | ---- | C] () -- C:\Windows\AvDetected.ini
[2008/10/06 16:31:17 | 000,000,008 | ---- | C] () -- C:\Users\rud\AppData\Local\.mpid
[2008/09/09 18:21:54 | 000,000,680 | ---- | C] () -- C:\Users\rud\AppData\Local\d3d9caps.dat
[2008/03/27 22:47:12 | 000,000,834 | ---- | C] () -- C:\Windows\DNAPrinters.ini
[2008/03/27 21:56:27 | 000,012,931 | ---- | C] () -- C:\Users\rud\AppData\Roaming\nvModes.dat
[2008/03/27 21:56:27 | 000,012,931 | ---- | C] () -- C:\Users\rud\AppData\Roaming\nvModes.001
[2008/03/27 19:52:22 | 000,050,176 | ---- | C] () -- C:\Users\rud\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/19 02:33:34 | 000,446,352 | ---- | C] () -- C:\Windows\System32\OpenQuicktimeLib.dll
[2008/02/16 11:58:17 | 000,076,584 | ---- | C] () -- C:\Windows\System32\drivers\int15.sys
[2008/02/16 11:58:17 | 000,015,656 | ---- | C] () -- C:\Windows\System32\drivers\int15_64.sys
[2008/02/16 11:56:56 | 000,009,867 | ---- | C] () -- C:\Windows\System32\drivers\HOTKEY.sys
[2007/03/26 22:59:25 | 000,001,024 | RH-- | C] () -- C:\Windows\System32\NTIBUN4.dll
[2007/03/26 22:43:10 | 000,743,424 | R--- | C] () -- C:\Windows\libxml2.dll
[2007/03/26 22:41:29 | 000,872,448 | R--- | C] () -- C:\Windows\iconv.dll
[2007/03/26 20:35:55 | 000,198,144 | ---- | C] () -- C:\Windows\System32\_psisdecd.dll
[2007/03/20 16:44:02 | 000,000,566 | ---- | C] () -- C:\Windows\System32\SP7302.ini
[2006/12/02 14:32:24 | 000,000,042 | ---- | C] () -- C:\Windows\PreLaunch.ini
[2006/12/02 14:32:22 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2006/11/02 08:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 06:25:21 | 000,061,440 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 03:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2001/12/26 18:12:30 | 000,065,536 | ---- | C] () -- C:\Windows\System32\multiplex_vcd.dll
[2001/09/04 01:46:38 | 000,110,592 | ---- | C] () -- C:\Windows\System32\Hmpg12.dll
[2001/07/30 18:33:56 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC.dll
[2001/07/24 00:04:36 | 000,118,784 | ---- | C] () -- C:\Windows\System32\HMPV2_ENC_MMX.dll

========== LOP Check ==========

[2008/03/27 19:31:54 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Acer
[2009/08/05 12:25:21 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\BitDefender
[2009/04/01 00:42:14 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Bullzip
[2010/09/30 23:05:05 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Dropbox
[2010/10/19 18:26:53 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Foxit Software
[2008/10/03 23:47:40 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\funkitron
[2009/03/11 12:14:07 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\GetRightToGo
[2008/03/27 19:31:53 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Leadertech
[2010/02/12 00:57:01 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Panda Security
[2010/02/10 22:55:01 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\QuickScan
[2010/10/02 16:01:00 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Simply Super Software
[2010/06/25 10:34:24 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\SurfSecret Privacy Suite
[2010/07/31 13:51:45 | 000,000,000 | ---D | M] -- C:\Users\rud\AppData\Roaming\Thunderbird
[2010/10/17 19:17:07 | 000,032,586 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 182 bytes -> C:\ProgramData\TEMP:41BB3EDE
@Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:69BC9FC7
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:D1B5B4F1
@Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:213583D4
@Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:38020A20
@Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:288A91F8

< End of report >


OTL Extras logfile created on: 10/20/2010 12:34:23 AM - Run 1
OTL by OldTimer - Version 3.2.16.0 Folder = C:\Users\rud\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,021.00 Mb Total Physical Memory | 347.00 Mb Available Physical Memory | 34.00% Memory free
3.00 Gb Paging File | 1.00 Gb Available in Paging File | 40.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 69.64 Gb Total Space | 20.39 Gb Free Space | 29.28% Space Free | Partition Type: NTFS
Drive D: | 69.64 Gb Total Space | 69.02 Gb Free Space | 99.11% Space Free | Partition Type: NTFS

Computer Name: RUD-PC | User Name: rud | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 90 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{D2E4084B-1A97-4DD7-AAF8-48404F1E7BA6}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{02B8634F-6D6E-4B1D-92C7-4EFDD50409C6}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{09A8E1AC-4580-4A9A-9473-9742AD2C5574}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{0A679AC4-3E9E-4DDD-8F4C-938EA472BD9A}" = protocol=6 | dir=in | app=c:\users\rud\appdata\roaming\dropbox\bin\dropbox.exe |
"{0C15667E-02A0-4979-84D8-0E40BB499470}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{1080DAA2-1261-4DE9-A713-213C1754E3AC}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{11331153-A65D-4271-AFB3-BCD2EBD51B81}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{1138D3F3-6D01-4741-BB3B-0BC2C164F0D0}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{17C1AFA9-ED6A-41D2-860C-FD707516887F}" = protocol=17 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{19F0E605-0CFF-4D8C-A1A1-CD4B32EBDA33}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{1A8E0820-A84A-437E-9342-FF1E22A9AEA5}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{1DDB5363-F354-4F9E-9135-F56D47EECF3D}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{222FC693-93DC-4E2B-A073-381F6D84DC07}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{2EA58DD6-516C-4EB1-ACCD-E7C935A429E2}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{39728D63-C3A3-44D3-85A4-D8B20B061346}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{3CED33D7-91BA-495C-A663-96027C09AFFC}" = dir=in | app=c:\windows\system32\lxeacoms.exe |
"{41C17658-ECAB-49B2-9AE4-3796DD554166}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{4475C9D3-F009-49B7-8AC2-CD4BE51763F9}" = protocol=17 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{5023D946-E8E6-4556-B5AB-80A2FA1A078F}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{502F18AD-EFA0-4573-BB85-C3082EA27C0F}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{5141AB16-7931-42B2-8283-513850CAFF61}" = protocol=17 | dir=in | app=c:\program files\aim6\aim6.exe |
"{5AA4C5A9-EABB-4B32-81B2-5E959544D3BC}" = dir=in | app=c:\windows\system32\lxeacoms.exe |
"{5B3A2A89-CB93-41AE-BF5C-1DBEDE80609F}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{5C6B1CF4-BFD3-4F15-92EA-C0C8EBBC8F9F}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{5FFB5720-8AA3-48F4-97A3-987EC0F436CA}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{6718E290-8671-4963-B08B-C596557BF8AE}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{74AA431F-A366-435E-92E3-5F60C42F9B75}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{78A5A80A-8F01-4BBD-81D0-F64053752288}" = dir=in | app=c:\windows\system32\lxeacoms.exe |
"{86BBF5B2-1CAE-4AB8-BA83-6B633C36D672}" = protocol=6 | dir=in | app=c:\program files\abbyy finereader 6.0 sprint\scan\scanman6.exe |
"{8B0BAE63-3977-47BB-9954-3E3DEAE33F7F}" = dir=in | app=c:\windows\system32\lxeacoms.exe |
"{972B3A04-F60C-4DC4-9C69-CB68F639FB36}" = protocol=6 | dir=in | app=c:\program files\common files\aol\loader\aolload.exe |
"{9765F9D4-2AFF-4DA3-88E8-CE368A66A63A}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{9956E333-9B4C-4A1E-A2DE-E9F67E343C1E}" = protocol=6 | dir=in | app=c:\program files\aim6\aim6.exe |
"{A3EDD657-66B4-483E-9031-0E4653CDA3E0}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{B3F1A51F-AB7F-450E-9FD5-F76A83030602}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{B982E1CE-7C73-4F7C-92C3-89A5F8029544}" = protocol=6 | dir=in | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{C45D91D3-22CA-47E5-B829-39F9CE5AA69C}" = protocol=6 | dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\mce deluxe suite.exe |
"{C967E0D5-39B2-4016-84F4-ABFB3DBB45C7}" = protocol=17 | dir=in | app=c:\program files\acer arcade deluxe\acer arcade deluxe\mce deluxe suite.exe |
"{D0BF4646-17AB-46EC-BD4E-701A3996791F}" = protocol=17 | dir=in | app=c:\users\rud\appdata\roaming\dropbox\bin\dropbox.exe |
"{D16067FC-CDFC-44E5-8C58-7B0F90971AA9}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{D6AD0DBE-DA78-4B86-ADB8-AE524569E685}" = protocol=17 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{DAD2D8C4-20D9-4BC0-B2E7-AB747FD39891}" = protocol=6 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{DFC7A967-FB7A-47B3-AEA9-E6C0229A38E2}" = protocol=6 | dir=out | svc=wcescomm | app=%systemroot%\system32\svchost.exe |
"{E0419B71-51A2-422A-810F-FD5E2B0FF8B1}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{E317C427-AFEA-4FA2-AB1D-F8D1FA8AE882}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{E3929F34-9435-49DC-BEB3-92FA3F74088F}" = protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"TCP Query User{2CC49250-985F-4445-9227-CAA1954A6CBC}C:\program files\java\jre6\bin\java.exe" = protocol=6 | dir=in | app=c:\program files\java\jre6\bin\java.exe |
"UDP Query User{1AAE2EAB-7BB5-4464-8805-9396739D433C}C:\program files\java\jre6\bin\java.exe" = protocol=17 | dir=in | app=c:\program files\java\jre6\bin\java.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0076E1AC-9E7B-4B9F-A62A-4CC9511AD8E3}" = Zune Language Pack (FR)
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}" = Google Earth
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{370BCBBA-67D7-4535-ADCD-58CD1C8DEC99}" = Zune Language Pack (DE)
"{40EC6323-497B-44DA-8A88-74578622D9B3}" = Zune Language Pack (IT)
"{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{82CA0A0C-A3EC-4167-B694-909205B2EDEC}" = muvee Plugin 1.0
"{888FFC82-688D-46AB-A776-B417885432B6}" = Zune
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_PROR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_PROR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_PROR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_PROR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_PROR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}" = Microsoft Office Professional 2007
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-0014-0000-0000-0000000FF1CE}_PROR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A87B11AC-4344-4E5D-8B12-8F471A87DAD9}" = LightScribe 1.4.136.1
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B1C0D829-FE30-059E-E93F-CDC7A48235C0}" = FlipShare
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0846526-66DD-4DC9-A02C-98F9A2806812}" = Launch Manager V1.1.1.4
"{D2C5E510-BE6D-42CC-9F61-E4F939078474}" = Lexmark Printable Web
"{EE4ACABF-531E-419A-9225-B8E0FA4955AF}" = Zune Language Pack (ES)
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{FEB2D0CA-9912-4AA1-8FBE-CFD852F9F1FC}" = Panda Cloud Antivirus
"3ivx MPEG-4 5.0.3" = 3ivx MPEG-4 5.0.3 (remove only)
"Acer Registration" = Acer Registration
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"Bullzip PDF Printer_is1" = Bullzip PDF Printer 6.0.0.684
"EPSON Printer and Utilities" = EPSON Printer Software
"Foxit Reader" = Foxit Reader
"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.63
"InstallShield_{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows
"Lexmark S300-S400 Series" = Lexmark S300-S400 Series
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
"NVIDIA Drivers" = NVIDIA Drivers
"Panda Cloud Antivirus" = Panda Cloud Antivirus
"PROR" = Microsoft Office Professional 2007 Trial
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Zune" = Zune

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/6/2010 8:06:32 PM | Computer Name = rud-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/7/2010 8:15:57 PM | Computer Name = rud-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/8/2010 11:13:10 AM | Computer Name = rud-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/10/2010 1:04:02 PM | Computer Name = rud-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/12/2010 2:55:31 PM | Computer Name = rud-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/12/2010 7:57:27 PM | Computer Name = rud-PC | Source = ESENT | ID = 215
Description = WinMail (3520) WindowsMail0: The backup has been stopped because it
was halted by the client or the connection with the client failed.

Error - 10/12/2010 7:59:04 PM | Computer Name = rud-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/14/2010 7:12:02 PM | Computer Name = rud-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/17/2010 6:54:17 PM | Computer Name = rud-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

Error - 10/17/2010 7:25:13 PM | Computer Name = rud-PC | Source = Microsoft-Windows-CAPI2 | ID = 131083
Description =

[ Media Center Events ]
Error - 4/17/2008 9:06:55 PM | Computer Name = rud-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 5/26/2008 1:29:36 PM | Computer Name = rud-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 5/26/2008 4:31:23 PM | Computer Name = rud-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 6/12/2008 6:42:41 PM | Computer Name = rud-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package MCESpotlight.

Error - 7/30/2008 1:39:06 PM | Computer Name = rud-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 8/16/2009 9:33:15 PM | Computer Name = rud-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

Error - 10/7/2009 2:09:47 PM | Computer Name = rud-PC | Source = MCUpdate | ID = 0
Description = DownloadPackgeTask.SubTasksComplete: failed downloading package SportsSchedule.

[ System Events ]
Error - 10/17/2010 7:16:10 PM | Computer Name = rud-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 10/17/2010 7:16:34 PM | Computer Name = rud-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 10/17/2010 7:19:31 PM | Computer Name = rud-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 10/17/2010 7:19:31 PM | Computer Name = rud-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 10/17/2010 7:19:31 PM | Computer Name = rud-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 10/17/2010 8:19:09 PM | Computer Name = rud-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 10/17/2010 8:33:39 PM | Computer Name = rud-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 10/17/2010 8:33:43 PM | Computer Name = rud-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 10/17/2010 8:33:47 PM | Computer Name = rud-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.

Error - 10/17/2010 8:33:51 PM | Computer Name = rud-PC | Source = disk | ID = 262151
Description = The device, \Device\Harddisk0\DR0, has a bad block.


< End of report >

#15 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:09:49 PM

Posted 20 October 2010 - 05:32 PM

Hello, rud.
We're almost done.



Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 22 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 22 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u22-windows-i586-p.exe to install the newest version.



Step 2

We need to run an OTL script.
  • Please download OTL from one of the following mirrors if you no longer have it.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Paste the following code under the Custom Scans/Fixes box at the bottom. Do not include the word "Code".
    :OTL
    SRV - File not found [Auto | Stopped] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService)
    SRV - File not found [Auto | Stopped] -- c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\usbaapl.sys -- (USBAAPL)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\rud\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\blbdrive.sys -- (blbdrive)
    O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No CLSID value found.
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    @Alternate Data Stream - 182 bytes -> C:\ProgramData\TEMP:41BB3EDE
    @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:69BC9FC7
    @Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:D1B5B4F1
    @Alternate Data Stream - 116 bytes -> C:\ProgramData\TEMP:213583D4
    @Alternate Data Stream - 112 bytes -> C:\ProgramData\TEMP:38020A20
    @Alternate Data Stream - 101 bytes -> C:\ProgramData\TEMP:288A91F8
    :files
    C:\Users\rud\AppData\Local\Sgacite.dat
  • Click the Run Fix button at the top.
  • Let the program run unhindered and reboot when it is done.
  • You will get a log when it is done, please post that in your reply.
  • Please then create a new OTL report....
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • A report will open, copy and paste it in a reply here.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
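The OTL fix above removes two kinds of leftovers: registrations for services and drivers whose binaries are gone ("SRV/DRV - File not found"), and alternate data streams attached to C:\ProgramData\TEMP. As an added example that is not part of this thread and not OTL's own code, the following built-in PowerShell (3.0 or later) reproduces those two checks so a reader can see for themselves what such a script targets before running it. Function names are my own, and the script only reports; it deletes nothing.

```powershell
# Added example (not from the thread or from OTL): reproduce two of the checks
# behind the OTL script above with built-in PowerShell 3.0 or later.
# Function names are my own. Run from an elevated prompt; this only reports.

# Turn a raw service ImagePath registry value into a file-system path we can test.
function Resolve-ServiceImagePath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) {
        # "C:\Program Files\x\y.exe" /args  ->  C:\Program Files\x\y.exe
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    }
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\...      -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"     # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\" # system32\drivers\x.sys
    $p = [Environment]::ExpandEnvironmentVariables($p)         # %SystemRoot%\...
    # Unquoted entries may carry arguments (svchost.exe -k netsvcs): try the
    # whole string first, then the first token.
    foreach ($candidate in @($p, ($p -split ' ')[0])) {
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return ($p -split ' ')[0]
}

# List services and kernel drivers whose registered binary does not exist,
# in the same shape OTL prints them (SRV/DRV, start type, path).
function Get-OrphanedServiceEntry {
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'On_Demand'; 4 = 'Disabled' }
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
      ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { return }   # keys without a binary
        $resolved = Resolve-ServiceImagePath -ImagePath ([string]$props.ImagePath)
        if (-not (Test-Path -LiteralPath $resolved)) {
            [pscustomobject]@{
                # Type 1 = kernel driver, 2 = file system driver; 0x10/0x20 = Win32 service
                Kind      = if ($props.Type -band 0x3) { 'DRV' } else { 'SRV' }
                Name      = $_.PSChildName
                Start     = if ($null -ne $props.Start) { $startNames[[int]$props.Start] } else { '?' }
                ImagePath = $resolved
            }
        }
      }
}

# Report every named stream other than the default ':$DATA' on the entries of a
# directory. The OTL lines above point at C:\ProgramData\TEMP, itself a directory,
# which can carry alternate data streams just like a file.
function Get-AlternateDataStream {
    param([string]$Path = $env:ProgramData, [switch]$Recurse)
    Get-ChildItem -LiteralPath $Path -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
      ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
      Where-Object { $_.Stream -ne ':$DATA' } |
      Select-Object FileName, Stream, Length
}

Get-OrphanedServiceEntry                   | Format-Table -AutoSize
Get-AlternateDataStream -Path $env:ProgramData | Format-Table -AutoSize
```

An orphaned entry is not proof of infection: uninstallers leave them behind all the time, and the catchme.sys line in the OTL script is the remnant of an earlier scanner, not malware. Likewise a Zone.Identifier stream is the normal "downloaded from the Internet" marker; the streams worth a second look are the ones with opaque hexadecimal names on a directory such as TEMP, which is exactly what the fix above removes.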