
Malware redirects searches and other symptoms


  • This topic is locked
19 replies to this topic

#1 Sidius

  • Members
  • 11 posts

Posted 19 October 2010 - 11:42 PM

1. Firefox periodically opens up a second tab with some kind of junk page, or freezes up. Google searches also redirect to a junk page.
2. I get periodic "Generic Host Process for Win32 Services Error" messages (or something like that)
3. The sound stops working (I get a "no device installed" error)
4. The taskbar turns gray and the fonts change.

I've run Malwarebytes and while on the first run it did detect a couple of things, the above problems persist. Thanks.


DDS (Ver_10-10-10.03) - NTFSx86
Run by Owner at 20:44:31.01 on Tue 10/19/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.49 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\125763~1\EE\AOLHOS~1.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\COMMON~1\AOL\125763~1\EE\AOLServiceHost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.Sidius2000\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=13170&l=dis
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = hxxp://www.22teens.com/?
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uWinlogon: Shell=c:\documents and settings\owner.sidius2000\application data\hotfix.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Anti-Phishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Google Update] "c:\documents and settings\owner.sidius2000\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [{B7B0AB6A-BF15-B04C-F4E8-CC6985B33A69}] "c:\documents and settings\owner.sidius2000\application data\egoqe\axox.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10h_Plugin.exe -update plugin
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HostManager] c:\program files\common files\aol\1257638765\ee\AOLHostManager.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [OASClnt] c:\program files\mcafee.com\vso\oasclnt.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [MSKDetectorExe] c:\progra~1\mcafee\spamki~1\MSKDetct.exe /startup
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HBLiteSA] "c:\program files\hblite\bin\11.0.264.0\HBLiteSA.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\BigFix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.sid\applic~1\mozilla\firefox\profiles\3dm4l8g2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=BTV5&o=10148&locale=en_US&q=
FF - plugin: c:\documents and settings\owner.sidius2000\application data\mozilla\firefox\profiles\3dm4l8g2.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\owner.sidius2000\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

============= SERVICES / DRIVERS ===============

R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2009-11-7 80640]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2009-11-7 126976]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2009-11-7 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2009-11-7 122368]
R2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-7-22 91456]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2009-11-7 200576]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2009-11-7 114464]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2009-11-7 69692]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2009-11-7 245760]

=============== Created Last 30 ================

2010-10-13 05:42:25 156 ----a-w- c:\docume~1\owner~1.sid\applic~1\dsfsds.bat
2010-10-11 05:17:15 -------- d-----w- c:\docume~1\owner~1.sid\locals~1\applic~1\Ares
2010-10-07 04:05:53 -------- d-----w- c:\program files\iPod
2010-10-07 04:05:41 -------- d-----w- c:\program files\iTunes
2010-10-07 02:31:49 -------- d-----w- c:\program files\Bonjour
2010-10-05 05:44:14 -------- d-----w- c:\docume~1\owner~1.sid\locals~1\applic~1\AskToolbar
2010-10-05 04:02:20 -------- d-----w- c:\program files\Ask.com
2010-10-05 02:28:41 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-05 02:28:41 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-26 07:42:11 -------- d-----w- c:\program files\iPod(3)
2010-09-26 07:41:36 -------- d-----w- c:\program files\iTunes(3)
2010-09-26 07:33:55 -------- d-----w- c:\program files\QuickTime(2)
2010-09-26 07:29:06 -------- d-----w- c:\program files\Bonjour(2)
2010-09-22 03:17:45 -------- d-sh--w- C:\RECYCLER(2)

==================== Find3M ====================

2010-09-08 18:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 18:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-28 01:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe

============= FINISH: 20:46:30.42 ===============


#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,562 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 October 2010 - 01:55 AM

Hi, Sidius :)

You may be infected with a backdoor trojan. I would suggest you backup your important documents before proceeding.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!
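Added example, not part of the thread and not code from the TDSSKiller or DDS authors: a small Python triage helper that pulls out the two indicators this thread turns on, the TDSSKiller "Suspicious file (Forged)" hash mismatch in the report requested above, and the DDS Pseudo HJT autoruns that point into the user profile (the Winlogon Shell and GUID-named Run value in the DDS log posted in #1). The sample log lines are constructed from entries in this thread; the regular expressions and field names are my assumptions about the tools' line formats.

```python
"""Offline triage of TDSSKiller and DDS (Pseudo HJT) logs. Added example, not from the
thread or the tools' authors; the line patterns are assumptions modelled on the logs here."""
import re

# Constructed sample, modelled on the TDSSKiller log posted in this thread.
TDSS_SAMPLE = r"""
2010/10/20 16:55:28.0812 Scan started
2010/10/20 16:57:27.0437 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/20 16:57:27.0500 Pcmcia (0357136150e9c341df6546aacafa4c0d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/10/20 16:57:27.0515 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pcmcia.sys. Real md5: 0357136150e9c341df6546aacafa4c0d, Fake md5: 14dd42a677bf91a926f04f2f9bf9b974
2010/10/20 16:57:27.0531 Pcmcia - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/20 16:57:27.0843 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
"""

# Constructed sample, modelled on the DDS "Pseudo HJT Report" posted in this thread.
DDS_SAMPLE = r"""
uWinlogon: Shell=c:\documents and settings\owner.sidius2000\application data\hotfix.exe
uRun: [Google Update] "c:\documents and settings\owner.sidius2000\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [{B7B0AB6A-BF15-B04C-F4E8-CC6985B33A69}] "c:\documents and settings\owner.sidius2000\application data\egoqe\axox.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "   # TDSSKiller timestamp prefix (assumed)
MD5 = r"[0-9a-f]{32}"
DRIVER_RE = re.compile(TS + r"(?P<svc>\S+) \((?P<md5>" + MD5 + r")\) (?P<path>.+)$")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+?)\. Real md5: (?P<real>"
                       + MD5 + r"), Fake md5: (?P<fake>" + MD5 + r")$")
DETECTED_RE = re.compile(TS + r"(?P<svc>\S+) - detected (?P<name>\S+) \(\d+\)$")
RUN_RE = re.compile(r"^[um]Run(?:Once)?: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SHELL_RE = re.compile(r"^[um]Winlogon: Shell=(?P<cmd>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_tdsskiller(text):
    """Split a TDSSKiller log into driver entries, forged-hash reports and detections."""
    drivers, forged, detections = {}, {}, {}
    for line in text.splitlines():
        if m := DRIVER_RE.match(line):
            drivers[m["svc"]] = (m["md5"], m["path"])
        elif m := FORGED_RE.match(line):
            forged[m["path"]] = (m["real"], m["fake"])
        elif m := DETECTED_RE.match(line):
            detections[m["svc"]] = m["name"]
    return drivers, forged, detections


def triage_tdsskiller(text):
    """One finding per forged file, joined to the driver entry and detection that own it.
    A forged report means TDSSKiller obtained two different hashes for the same file
    depending on how it read it; a clean file gives the same hash both ways, so a mismatch
    is the signature of a driver-level rootkit hiding a modification (TDL3 in this thread)."""
    drivers, forged, detections = parse_tdsskiller(text)
    by_path = {path.lower(): svc for svc, (_, path) in drivers.items()}
    findings = []
    for path, (real, fake) in forged.items():
        svc = by_path.get(path.lower())
        findings.append({
            "path": path, "service": svc, "real_md5": real, "fake_md5": fake,
            "listed_md5": drivers[svc][0] if svc else None,
            "detection": detections.get(svc),
        })
    return findings


def triage_dds_autoruns(text):
    """Flag Pseudo HJT autorun lines worth a second look; returns (reason, line) pairs.
    This is a review queue, not a verdict: legitimate per-user installers (Google Update in
    the sample) also run from the profile, but a replaced Winlogon Shell or a GUID-named
    Run value pointing into a randomly named profile folder rarely has a benign explanation."""
    flagged = []
    for line in text.splitlines():
        if m := SHELL_RE.match(line):
            # Winlogon's Shell value is normally explorer.exe; anything else runs at logon.
            if "explorer.exe" not in m["cmd"].lower():
                flagged.append(("winlogon-shell-replaced", line))
            continue
        if not (m := RUN_RE.match(line)):
            continue
        reasons = []
        if GUID_RE.match(m["name"]):
            reasons.append("guid-named-run-value")
        if "\\application data\\" in m["cmd"].lower():
            reasons.append("runs-from-user-profile")
        if reasons:
            flagged.append(("+".join(reasons), line))
    return flagged


if __name__ == "__main__":
    for f in triage_tdsskiller(TDSS_SAMPLE):
        print("FORGED", f["service"], f["path"], f["real_md5"], "!=", f["fake_md5"], f["detection"])
    for reason, line in triage_dds_autoruns(DDS_SAMPLE):
        print("REVIEW", reason, line)
```

Feed real logs to the two triage functions via `open(path).read()`; the forged-hash check is the one that matters most, since a TDL3-class rootkit hides from file-based scanners and only the mismatch between the two reads gives it away.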


#3 Sidius
  • Topic Starter
  • Members
  • 11 posts

Posted 20 October 2010 - 07:15 PM

Hello there, thanks for taking the time to help me out.

2010/10/20 16:55:18.0109 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2010/10/20 16:55:18.0109 ================================================================================
2010/10/20 16:55:18.0109 SystemInfo:
2010/10/20 16:55:18.0109
2010/10/20 16:55:18.0109 OS Version: 5.1.2600 ServicePack: 2.0
2010/10/20 16:55:18.0109 Product type: Workstation
2010/10/20 16:55:18.0109 ComputerName: SIDIUS2000
2010/10/20 16:55:18.0109 UserName: Owner
2010/10/20 16:55:18.0109 Windows directory: C:\WINDOWS
2010/10/20 16:55:18.0109 System windows directory: C:\WINDOWS
2010/10/20 16:55:18.0109 Processor architecture: Intel x86
2010/10/20 16:55:18.0109 Number of processors: 1
2010/10/20 16:55:18.0109 Page size: 0x1000
2010/10/20 16:55:18.0109 Boot type: Normal boot
2010/10/20 16:55:18.0109 ================================================================================
2010/10/20 16:55:19.0828 Initialize success
2010/10/20 16:55:28.0812 ================================================================================
2010/10/20 16:55:28.0812 Scan started
2010/10/20 16:55:28.0812 Mode: Manual;
2010/10/20 16:55:28.0812 ================================================================================
2010/10/20 16:57:27.0515 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pcmcia.sys. Real md5: 0357136150e9c341df6546aacafa4c0d, Fake md5: 14dd42a677bf91a926f04f2f9bf9b974
2010/10/20 16:57:27.0531 Pcmcia - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/10/20 16:57:40.0625 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/20 16:57:41.0171 SynTP (eb363ddfbe8b6d51003ccab29d93d744) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/10/20 16:57:41.0781 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/20 16:57:42.0828 Tcpip (0e66b538096a6529d1ac66e78eb0d5c8) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/20 16:57:44.0078 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/20 16:57:45.0000 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/20 16:57:45.0703 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/20 16:57:46.0875 tifm21 (9179e07503630d6fb2e4162ff0196191) C:\WINDOWS\system32\drivers\tifm21.sys
2010/10/20 16:57:48.0359 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/10/20 16:57:49.0562 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/20 16:57:51.0046 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/10/20 16:57:52.0187 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/10/20 16:57:53.0593 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/10/20 16:57:54.0937 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/20 16:57:56.0078 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/20 16:57:57.0437 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/20 16:57:58.0343 usbohci (bdfe799a8531bad8a5a985821fe78760) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/10/20 16:57:59.0781 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/10/20 16:58:00.0984 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/10/20 16:58:02.0250 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/20 16:58:03.0125 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/10/20 16:58:04.0328 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/10/20 16:58:05.0765 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/20 16:58:07.0078 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/20 16:58:08.0125 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/20 16:58:09.0171 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2010/10/20 16:58:10.0500 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2010/10/20 16:58:12.0921 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/20 16:58:14.0250 winachsf (5ea185425bfcbc2d4b96d673d8c4deaf) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/10/20 16:58:16.0062 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/10/20 16:58:17.0046 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/10/20 16:58:18.0718 yukonwxp (9a916f4354eef85c535dd792754edc1d) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
2010/10/20 16:58:19.0718 ================================================================================
2010/10/20 16:58:19.0718 Scan finished
2010/10/20 16:58:19.0718 ================================================================================
2010/10/20 16:58:20.0000 Detected object count: 1
2010/10/20 16:58:40.0796 Pcmcia (0357136150e9c341df6546aacafa4c0d) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/10/20 16:58:40.0796 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\pcmcia.sys. Real md5: 0357136150e9c341df6546aacafa4c0d, Fake md5: 14dd42a677bf91a926f04f2f9bf9b974
2010/10/20 16:59:04.0328 Backup copy found, using it..
2010/10/20 16:59:05.0312 C:\WINDOWS\system32\DRIVERS\pcmcia.sys - will be cured after reboot
2010/10/20 16:59:05.0312 Rootkit.Win32.TDSS.tdl3(Pcmcia) - User select action: Cure
2010/10/20 17:00:17.0328 Deinitialize success

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000005c

Kernel Drivers (total 139):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806CE000 \WINDOWS\system32\hal.dll
0xF7B1E000 \WINDOWS\system32\KDCOM.DLL
0xF7A2E000 \WINDOWS\system32\BOOTVID.dll
0xF750B000 klmdb.sys
0xF74DD000 ACPI.sys
0xF7B20000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74CC000 pci.sys
0xF761E000 isapnp.sys
0xF762E000 ohci1394.sys
0xF763E000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7A32000 compbatt.sys
0xF7A36000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7BE6000 pciide.sys
0xF789E000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF74AE000 tsk14.tmp
0xF764E000 MountMgr.sys
0xF748F000 ftdisk.sys
0xF7B2C000 dmload.sys
0xF7469000 dmio.sys
0xF7A3A000 ACPIEC.sys
0xF7BE7000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF78A6000 PartMgr.sys
0xF765E000 VolSnap.sys
0xF7451000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF7439000 atapi.sys
0xF76EE000 disk.sys
0xF76FE000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF73D5000 fltMgr.sys
0xF73C3000 sr.sys
0xF790E000 PxHelp20.sys
0xF73AC000 KSecDD.sys
0xF731F000 Ntfs.sys
0xF72F2000 NDIS.sys
0xF7B32000 speedfan.sys
0xF72D7000 Mup.sys
0xF7BE8000 giveio.sys
0xF779E000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xF7AE2000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7091000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF707D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7044000 \SystemRoot\system32\DRIVERS\yk51x86.sys
0xF7976000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF7021000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF797E000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF77AE000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF77BE000 \SystemRoot\System32\Drivers\Cdr4_xp.SYS
0xF77CE000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF77DE000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6FFE000 \SystemRoot\system32\DRIVERS\ks.sys
0xF799E000 \SystemRoot\System32\Drivers\Cdralw2k.SYS
0xF79AE000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF77EE000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF79B6000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6FD0000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7B36000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79C6000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF6F75000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
0xF77FE000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6F4D000 \SystemRoot\system32\drivers\tifm21.sys
0xF6F3C000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF6EE6000 \SystemRoot\system32\drivers\camc6hal.sys
0xF780E000 \SystemRoot\system32\drivers\camc6aud.sys
0xF6EC2000 \SystemRoot\system32\drivers\portcls.sys
0xF781E000 \SystemRoot\system32\drivers\drmk.sys
0xF6E91000 \SystemRoot\system32\DRIVERS\HSFHWATI.sys
0xF6D93000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF6CE7000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF79FE000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7CE3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF782E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B0E000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF6CD0000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF783E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF784E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7A1E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF6CBF000 \SystemRoot\system32\DRIVERS\psched.sys
0xF785E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF792E000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF793E000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7946000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF6C8E000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF786E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7B3E000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6C5A000 \SystemRoot\system32\DRIVERS\update.sys
0xF71FF000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF787E000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF72B7000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B48000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7B4C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7D29000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B50000 \SystemRoot\System32\Drivers\Beep.SYS
0xF78BE000 \SystemRoot\System32\drivers\vga.sys
0xF7B54000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B58000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF78CE000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF78DE000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7A4A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF2BB7000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF2B5F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF2B4B000 \SystemRoot\System32\Drivers\MpFirewall.sys
0xF2B2A000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7297000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF2B02000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7287000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF2AE0000 \SystemRoot\System32\drivers\afd.sys
0xF7277000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF2A15000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF29A6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7257000 \SystemRoot\System32\Drivers\Fips.SYS
0xF796E000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF2983000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xF296B000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B5E000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF6C4A000 \SystemRoot\System32\drivers\Dxapi.sys
0xF79A6000 \SystemRoot\System32\watchdog.sys
0xBF9C1000 \SystemRoot\System32\drivers\dxg.sys
0xF7C8E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF9D3000 \SystemRoot\System32\ati2dvag.dll
0xBFA0F000 \SystemRoot\System32\ati2cqag.dll
0xBFA41000 \SystemRoot\System32\atikvmag.dll
0xBFA73000 \SystemRoot\System32\ati3duag.dll
0xBFCA7000 \SystemRoot\System32\ativvaxx.dll
0xF07E7000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xF07CB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xF0556000 \SystemRoot\system32\drivers\wdmaud.sys
0xF0663000 \SystemRoot\system32\drivers\sysaudio.sys
0xF02A4000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF0506000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF7BDC000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xF000B000 \SystemRoot\System32\Drivers\HTTP.sys
0xEFE78000 \SystemRoot\system32\DRIVERS\srv.sys
0xEFED7000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xEFB8C000 \SystemRoot\system32\drivers\naiavf5x.sys
0xF798E000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xEF619000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xEF6C4000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 68):
0 System Idle Process
4 System
784 C:\WINDOWS\system32\smss.exe
840 csrss.exe
868 C:\WINDOWS\system32\winlogon.exe
912 C:\WINDOWS\system32\services.exe
924 C:\WINDOWS\system32\lsass.exe
1076 C:\WINDOWS\system32\ati2evxx.exe
1096 C:\WINDOWS\system32\svchost.exe
1192 svchost.exe
1248 C:\WINDOWS\system32\svchost.exe
1408 svchost.exe
1456 svchost.exe
1632 C:\WINDOWS\system32\WLTRYSVC.EXE
1676 C:\WINDOWS\system32\BCMWLTRY.EXE
1728 C:\WINDOWS\system32\spoolsv.exe
256 C:\WINDOWS\system32\ati2evxx.exe
344 C:\WINDOWS\explorer.exe
596 C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
656 C:\WINDOWS\ehome\ehtray.exe
664 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
708 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
720 C:\Program Files\Bonjour\mDNSResponder.exe
760 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
832 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
836 C:\WINDOWS\ehome\ehRecvr.exe
1404 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
1496 C:\WINDOWS\ehome\ehSched.exe
1568 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
1604 C:\WINDOWS\system32\svchost.exe
1616 C:\WINDOWS\system32\WLTRAY.EXE
1656 C:\Program Files\Java\jre6\bin\jqs.exe
1836 C:\Program Files\McAfee.com\VSO\oasclnt.exe
1860 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
1880 C:\Program Files\Common Files\AOL\1257638765\EE\AOLHostManager.exe
1916 C:\Program Files\McAfee.com\Agent\Mcdetect.exe
1960 C:\PROGRA~1\COMMON~1\AOL\125763~1\EE\AOLServiceHost.exe
2004 C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
2020 C:\PROGRA~1\McAfee.com\VSO\McShield.exe
180 C:\PROGRA~1\McAfee.com\VSO\mcvsshld.exe
124 C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
252 C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
200 C:\Program Files\Java\jre6\bin\jusched.exe
488 C:\Program Files\QuickTime\QTTask.exe
524 C:\PROGRA~1\McAfee.com\Agent\McTskshd.exe
1152 C:\Program Files\iTunes\iTunesHelper.exe
848 C:\Program Files\Windows Media Player\wmpnscfg.exe
888 C:\Program Files\Motorola\MotoConnectService\MotoConnectService.exe
1508 C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
2108 C:\Program Files\BigFix\BigFix.exe
2264 C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
2312 C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
2728 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
3064 C:\WINDOWS\ehome\RMSvc.exe
3092 svchost.exe
3156 C:\WINDOWS\system32\svchost.exe
3276 McrdSvc.exe
3360 wmpnetwk.exe
4044 C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
1372 C:\Program Files\iPod\bin\iPodService.exe
1296 C:\WINDOWS\system32\dllhost.exe
2780 C:\Program Files\Mozilla Firefox\firefox.exe
3452 wmiprvse.exe
3940 alg.exe
4052 C:\WINDOWS\system32\wuauclt.exe
3392 C:\WINDOWS\ehome\ehmsas.exe
604 C:\WINDOWS\system32\notepad.exe
3588 C:\Documents and Settings\Owner.Sidius2000\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`b5ce7a00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)
\\.\G: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: HTS541080G9AT00, Rev: MB4VA60A
PhysicalDrive1 Model Number: WD2500BMV External, Rev: 1.75

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Gateway MBR code detected
SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD
232 GB \\.\PhysicalDrive1 RE: Unknown MBR code
SHA1: CE7DBBBEE43059700485C7835F4E1ED6D2FADB1C


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,562 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:43 PM

Posted 20 October 2010 - 09:32 PM

There is a second drive in that computer. Is this drive for storage or does it contain an active Operating System?

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Sidius

Sidius
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 20 October 2010 - 11:09 PM

It's a storage device.

ComboFix 10-10-20.01 - Owner 10/20/2010 20:47:31.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.124 [GMT -7:00]
Running from: c:\documents and settings\Owner.Sidius2000\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.Sidius2000\Application Data\Egoqe
c:\documents and settings\Owner.Sidius2000\Application Data\Egoqe\axox.exe

.
((((((((((((((((((((((((( Files Created from 2010-09-21 to 2010-10-21 )))))))))))))))))))))))))))))))
.

2010-10-05 04:02 . 2010-10-05 04:05 -------- d-----w- c:\program files\Ask.com
2010-10-05 02:28 . 2010-10-05 02:28 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-05 02:23 . 2010-10-07 02:52 -------- d-----w- c:\program files\QuickTime
2010-09-22 03:17 . 2010-10-05 02:25 -------- d-----w- C:\RECYCLER(2)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-09-02 21:56 1175944 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-09-02 1175944]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner.Sidius2000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-29 135664]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"HostManager"="c:\program files\Common Files\AOL\1257638765\EE\AOLHostManager.exe" [2004-11-03 125528]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-19 79448]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-29 344064]
"VSOCheckTask"="c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-09 151552]
"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [2005-08-12 53248]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-07-02 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2005-08-26 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-13 1121792]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-08-10 163840]
"MPFExe"="c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe" [2005-09-28 999424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-05 149280]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-02-18 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
doyfev.exe [2010-10-10 139264]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
gegia.exe [2010-10-10 139264]

c:\documents and settings\MCX1\Start Menu\Programs\Startup\
ozuc.exe [2010-10-10 139264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\BigFix.exe [2009-11-7 1742384]
Extender Resource Monitor.lnk - c:\windows\ehome\RMSysTry.exe [2005-10-20 18432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1257638765\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"40410:TCP"= 40410:TCP:bittorrent
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

R2 MotoConnect Service;MotoConnect Service;c:\program files\Motorola\MotoConnectService\MotoConnectService.exe [7/22/2010 6:09 PM 91456]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [11/7/2009 12:21 PM 200576]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [11/7/2009 12:17 PM 69692]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2010-10-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2273730632-831104416-3591569352-1006Core.job
- c:\documents and settings\Owner.Sidius2000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-29 03:59]

2010-10-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2273730632-831104416-3591569352-1006UA.job
- c:\documents and settings\Owner.Sidius2000\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-29 03:59]

2010-10-21 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-09-02 21:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=13170&l=dis
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = hxxp://www.22teens.com/?
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.Sidius2000\Application Data\Mozilla\Firefox\Profiles\3dm4l8g2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2269050&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://supertoolbar.ask.com/redirect?client=ff&src=kw&tb=BTV5&o=10148&locale=en_US&q=
FF - plugin: c:\documents and settings\Owner.Sidius2000\Application Data\Mozilla\Firefox\Profiles\3dm4l8g2.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner.Sidius2000\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-{B7B0AB6A-BF15-B04C-F4E8-CC6985B33A69} - c:\documents and settings\Owner.Sidius2000\Application Data\Egoqe\axox.exe
HKLM-Run-HBLiteSA - c:\program files\HBLite\bin\11.0.264.0\HBLiteSA.exe
SafeBoot-klmdb.sys
AddRemove-Ares - c:\program files\Ares\uninstall.exe
AddRemove-Frontline Registry Cleaner1.25 - c:\program files\Frontline Registry Cleaner\uninstall.exe
AddRemove-HBLiteSA - c:\program files\HBLite\bin\11.0.264.0\HBLiteUninstaller.exe
AddRemove-QueryExplorer - c:\program files\QueryExplorer\uninstall.exe
AddRemove-ShopperReportsSA - c:\program files\ShopperReports3\bin\3.0.497.0\ShopperReportsUninstaller.exe


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-10-20 21:01:23
ComboFix-quarantined-files.txt 2010-10-21 04:01

Pre-Run: 3,252,535,296 bytes free
Post-Run: 4,950,917,120 bytes free

- - End Of File - - D36A86DA099DAD69C39D1973770BBD73

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,562 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:43 PM

Posted 21 October 2010 - 02:34 PM

Please remove Ask.com toolbar. It comes bundled with other applications and acts as malware.

Download the enclosed file and save it next to Combofix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

If the upload is not done automatically, Combofix will create a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.

Edited by JSntgRvr, 22 October 2010 - 12:22 AM.
typo



#7 Sidius

Sidius
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:43 AM

Posted 22 October 2010 - 12:13 AM

File has been uploaded automatically.

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,562 posts
  • ONLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:43 PM

Posted 22 October 2010 - 12:20 AM

Let's check for remnants.

Please download Malwarebytes' Anti-Malware from Here. Never download Malwarebytes' Anti-Malware from other sources.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following are checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java :
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 21.
  • Click the JDK 6 Update 21 (JDK or JRE) "Download JRE" button to the right.
  • Select your Platform, Register and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u21-windows-i586.exe and select "Run as an Administrator.")



#9 Sidius
  • Topic Starter
  • Members
  • 11 posts
  • Local time:10:43 AM

Posted 22 October 2010 - 02:03 AM

Every time I try to run the scan from Kaspersky I get this: "Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program."

#10 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,562 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:43 PM

Posted 22 October 2010 - 08:46 AM

As an alternate method, use the Eset Online Scanner.



#11 Sidius
  • Topic Starter
  • Members
  • 11 posts
  • Local time:10:43 AM

Posted 22 October 2010 - 08:10 PM

Wow I had no idea I was this badly infected.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4907

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

10/21/2010 11:17:02 PM
mbam-log-2010-10-21 (23-17-02).txt

Scan type: Quick scan
Objects scanned: 167870
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 70
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\hbliteax.info (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbliteax.info.1 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbliteax.userprofiles (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbliteax.userprofiles.1 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.asyncreporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.asyncreporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.cntntdic (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.cntntdic.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.cntntdisp (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.cntntdisp.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.dwnldr (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.dwnldr.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.hbguru (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.hbguru.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.kopff (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.kopff.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.mozillanvgtntrpr (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.mozillanvgtntrpr.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.mozillapsexecuter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.mozillapsexecuter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reportdata (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reportdata.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.scopes (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.scopes.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.stock (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.stock.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggerimmidiate (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggerimmidiate.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggerimmidiateorrandomts (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggerimmidiateorrandomts.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggeronceinday (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.triggeronceinday.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{21ba420e-161c-413a-b21e-4e42ae1f4226} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{30b15818-e110-4527-9c05-46ace5a3460d} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{453db0c5-f41c-4d97-8dd6-cc72ecd5f699} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4afc07d0-59bb-46b8-b097-1a46e88eef71} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{618aad04-921f-44c2-be38-c0818af69861} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6511ce4c-4722-40d0-ad3d-4afa2f50978a} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5d2ed96-62f9-4c2c-956d-e425b1f67337} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b86d82bf-d39f-439a-a07c-43eddc6f6ea6} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d3a412e8-1e4b-47d2-9b12-f88291f5afbb} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da6305b9-0869-4235-8c1d-533a65e639e5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f8b4ec8a-2407-4be0-aee2-0f430d65a90d} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{0d82acd6-a652-4496-a298-2bde705f4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7025e484-d4b0-441a-9f0b-69063bd679ce} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8258b35c-05b8-4c0e-9525-9bccc70f8f2d} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a89256ad-ec17-4a83-bef5-4b8bc4f39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d1ec4ca-4b92-4324-b8f8-c9a6ed06a8ae} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4e674574-3f0b-491d-8ae3-f90b43a34fd6} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{acc62306-9a63-4864-bd2f-c8825d2d7ea6} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6f098504-cdb1-420f-a2e6-ddc0b835fedf} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4d1ec4ca-4b92-4324-b8f8-c9a6ed06a8ae} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4e674574-3f0b-491d-8ae3-f90b43a34fd6} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{89f88394-3828-4d03-a0cf-8203604c3da6} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{d4233f04-1789-483c-a137-731e8f113dd5} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ufuvaacjbdlnccgd (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\BRNstIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\CmndFF.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\mozillaps.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\Pltfrm.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\hblitesa (Adware.HotBar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShopperReports3 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\HBLite (Adware.HotBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\QueryExplorer (Adware.QueryExplorer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShopperReports3 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{b7b0ab6a-bf15-b04c-f4e8-cc6985b33a69} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\hblite@hblite.com (Adware.HotBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\shopperreports@shopperreports.com (ShopperReports) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\ShopperReports (Adware.ShopperReports) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ufuvaacjbdlnccgd.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ShopperReports\About Us.lnk (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ShopperReports\Customer Support.lnk (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\ShopperReports\ShopperReports Uninstall Instructions.lnk (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.Sidius2000\Application Data\dsfsds.bat (Malware.Trace) -> Quarantined and deleted successfully.


C:\Documents and Settings\Default User\Start Menu\Programs\Startup\obere.exe Win32/Spy.Zbot.ZR trojan cleaned by deleting - quarantined
C:\Documents and Settings\Owner.Sidius2000\Application Data\869F81E2A0FA241E82DCEE0CF8AEC241\setupupdater0000.exe Win32/Adware.AntimalwareDoctor application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\Owner.Sidius2000\Application Data\Egoqe\axox.exe.vir Win32/Spy.Zbot.ZR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP70\A0245036.sys Win32/Olmarik.ZC trojan cleaned - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP76\A0300058.exe a variant of Win32/Kryptik.GOD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP77\A0300990.exe a variant of Win32/Kryptik.GOD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP80\A0313243.exe a variant of Win32/Kryptik.GOD trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP80\A0313254.dll probably a variant of Win32/TrojanProxy.Agent.KSIVPSE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP83\A0320263.exe probably a variant of Win32/Adware.FakeMSE.D application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP83\A0321366.exe probably a variant of Win32/Adware.180Solutions application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP83\A0321367.dll a variant of Win32/Adware.HotBar.E application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP83\A0321369.exe Win32/Adware.HotBar.E application deleted - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP83\A0324298.exe probably a variant of Win32/Adware.FakeMSE.D application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP83\A0325538.exe probably a variant of Win32/Adware.HotBar.G application cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP83\A0325557.exe Win32/Spy.Zbot.ZR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP88\A0328904.exe Win32/Spy.Zbot.ZR trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A0427B73-25B8-43D0-92D4-F22E7758340C}\RP88\A0328905.exe Win32/Adware.AntimalwareDoctor application cleaned by deleting - quarantined
C:\WINDOWS\system32\mstsinst.dll a variant of Win32/Kryptik.EFC trojan cleaned by deleting - quarantined

Edited by Sidius, 22 October 2010 - 08:25 PM.
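The MBAM report in the post above has 79 entries in the one fixed line shape `<object> (<family>) -> <action>.`, and the single entry that matters most for the original symptoms (the Run-key value flagged as Trojan.ZbotR.Gen) is buried among dozens of Hotbar and ShopperReports COM registrations. The following Python script is an added example, not code from the thread, from Malwarebytes or from ESET: it parses an MBAM 1.x text report into records, groups them by family, and separates autostart persistence and browser hooks from plain COM/uninstall registry debris so a responder can see at a glance what was actually re-launching on boot and whether every entry was removed. The line format, the section-header convention and the `PERSISTENCE_PATTERNS` / `BROWSER_HOOK_PATTERNS` locations are inferred from the report above and from well-known Windows autostart locations; `SAMPLE_LOG` is a constructed excerpt built from a handful of lines in that report.

```python
"""Triage helper for Malwarebytes' Anti-Malware 1.x text reports.

Added example for this thread; not code from the thread, from Malwarebytes
or from ESET. The detection-line format it parses,
    <object> (<family>) -> <action>.
is inferred from the MBAM report posted in the thread; SAMPLE_LOG is a
constructed excerpt made from a few of those lines.
"""
import re
from collections import Counter, defaultdict

# Detailed section headers end in a bare colon ("Registry Keys Infected:");
# the summary counts at the top ("Registry Keys Infected: 70") do not, so
# this regex only fires on the detailed sections.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

# One detection line: object, family in parentheses, action after "->".
DETECTION_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Autostart locations that re-launch the object at boot or logon (assumed set).
PERSISTENCE_PATTERNS = (
    r"\\CurrentVersion\\Run(Once)?\\",
    r"\\Start Menu\\Programs\\Startup\\",
    r"\\Winlogon\\",
)
# Locations that load the object into a browser instead (assumed set).
BROWSER_HOOK_PATTERNS = (
    r"\\Mozilla\\Firefox\\extensions\\",
    r"\\Browser Helper Objects\\",
    r"\\Ext\\PreApproved\\",
)
# Family prefixes MBAM uses for things more serious than adware.
SERIOUS_PREFIXES = ("Trojan.", "Malware.", "Backdoor.", "Rootkit.")


def parse_mbam_log(text):
    """Return one dict (section, object, family, action) per detection line."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        hit = DETECTION_RE.match(line)
        if hit:
            records.append({"section": section, "object": hit.group("obj"),
                            "family": hit.group("family"),
                            "action": hit.group("action")})
    return records


def classify(record):
    """Coarse triage class: where in the system the object was hooked in."""
    obj = record["object"]
    if any(re.search(p, obj, re.IGNORECASE) for p in PERSISTENCE_PATTERNS):
        return "persistence"
    if any(re.search(p, obj, re.IGNORECASE) for p in BROWSER_HOOK_PATTERNS):
        return "browser-hook"
    if record["section"] in ("Files Infected", "Folders Infected"):
        return "file"
    return "registry"


def high_priority(records):
    """Entries to read first: autostart hooks and non-adware families."""
    return [r for r in records
            if classify(r) == "persistence"
            or r["family"].startswith(SERIOUS_PREFIXES)]


def summarize(records):
    """Counts by family and by class, persistence objects, and anything
    whose action text does not say it was removed successfully."""
    by_class = defaultdict(list)
    for r in records:
        by_class[classify(r)].append(r)
    return {
        "families": dict(Counter(r["family"] for r in records)),
        "classes": {k: len(v) for k, v in by_class.items()},
        "persistence": [r["object"] for r in by_class.get("persistence", [])],
        "not_removed": [r["object"] for r in records
                        if "successfully" not in r["action"]],
    }


# Constructed excerpt in the MBAM 1.x report format (lines taken from the thread).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4907

Registry Keys Infected: 3
Registry Values Infected: 2
Files Infected: 1

Registry Keys Infected:
HKEY_CLASSES_ROOT\hbliteax.info (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4d1ec4ca-4b92-4324-b8f8-c9a6ed06a8ae} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{4d1ec4ca-4b92-4324-b8f8-c9a6ed06a8ae} (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{b7b0ab6a-bf15-b04c-f4e8-cc6985b33a69} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\hblite@hblite.com (Adware.HotBar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ufuvaacjbdlnccgd.exe (Adware.Adrotator) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    s = summarize(recs)
    print(f"{len(recs)} detections; classes: {s['classes']}; not removed: {s['not_removed']}")
    for r in high_priority(recs):
        print("LOOK FIRST:", r["family"], r["object"])
```

Run it against a saved `mbam-log-*.txt` by reading the file into `parse_mbam_log` instead of `SAMPLE_LOG`. On the excerpt it reports one persistence entry (the Run value carrying Trojan.ZbotR.Gen) and two browser hooks; the `not_removed` list is the check worth doing before telling someone the machine is clean, because MBAM reports entries it could only schedule for deletion on reboot with a different action text.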


#12 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,562 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:43 PM

Posted 22 October 2010 - 09:17 PM

Were you able to perform the Eset Online scan?



#13 Sidius
  • Topic Starter
  • Members
  • 11 posts
  • Local time:10:43 AM

Posted 22 October 2010 - 09:19 PM

Yes.

#14 JSntgRvr
    Master Surgeon General
  • Malware Response Team
  • 11,562 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:01:43 PM

Posted 22 October 2010 - 09:19 PM

Disregard, I see it after the MBAM report. How is the computer doing?



#15 Sidius
  • Topic Starter
  • Members
  • 11 posts
  • Local time:10:43 AM

Posted 22 October 2010 - 09:23 PM

It's running smoothly, with no problems.
