Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: SEO Poisoning Campaign Targeting U.S. Midterm Election Keywords

Featured Deal: Get The Pay What You Want: AWS Cloud Development Bundle Deal

Various Viruses Have Me Under Attack!

Started by linter , Dec 10 2010 09:10 AM

This topic is locked

23 replies to this topic

#1 linter

Members
14 posts
OFFLINE

Local time:11:12 AM

Posted 10 December 2010 - 09:10 AM

Two days ago, I had the Whitesmoke virus and the Antivirus Action virus. This led to lots of blue screens and other bad behavior. I thought I got rid of the malware via Avast, Malwarebytes, etc., but yesterday my computer would crash randomly or run slow or the CPU would be working overtime. Firefox would randomly crash. I had to do some online banking, and was (unfortunately) able to sign on once, but FF soon crashed and I wasn't able to get back on. I did some brokerage business too, using my password of course. I ran and reran Avast, etc., and was told I was clean. But then this morning I see something new on the desktop called HDD Repair. Never seen that one before. I ran Malwarebytes again and found a few infections, which I cleaned. But I don't think I'm out of the woods yet, which is why I'm here. Attached and appended are the requested files, along with my last Malwarebytes file.

Update: actually, I'll have to attach the Ark.txt file later; I was running gmer and it'd been running for a long time, when suddenly I got the blue screen of death and everything shut down on me. Will try again and attach file if I'm successful.

Update 2: tried to run gmer again but it shut down w/ an unexpected error. unzipped the program again and tried again and got the blue screen. went to safe mode and tried again, no luck: got the unexpected error message and the program shut down. Arrrgggg! What can I do now?

At one point yesterday, I went to system restore and restored to four days ago, but that didn't seem to change much.

Also, while trying to get rid of Antivirus Action, a site said one thing to do was replace the hosts file (now supposedly corrupt) with one the site offered. I did that and now I'm getting that Host Processes for etc etc Has Stopped Working notice all the time. Related?

Thanks!

DDS (Ver_10-12-05.01) - NTFSx86
Run by Erik at 8:07:45.84 on Fri 12/10/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_16
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1910 [GMT -5:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\Explorer.EXE
C:\Program Files\Glary Utilities\Integrator.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Brownie\BrStsWnd.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Brownie\brpjp04a.exe
C:\Program Files\Brownie\brpjp04a.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Program Files\ClipMate7\ClipMate.exe
C:\Windows\system32\wuauclt.exe
C:\Users\Erik\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.netflix.com/Queue?inqt=wn&lnkctr=queueTab-ELECTRONIC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagitBHO.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagitIEAddin.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: ClipMate ClipBar 7: {f60c63ce-52af-4915-aac9-f100fcde270f} - c:\progra~1\clipma~1\CLIPMA~1.DLL
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRunOnce: [BrStsWnd.exe] c:\program files\brownie\BrStsWnd.exe WindowsStartUpModel
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\windows\windowsmobile\INetRepl.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GoogleDesktopNetwork3.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/news?pz=1&zx=po7sdf-h1gwcy#changed|http://news.google.com/news?pz=1&zx=po7sdf-h1gwcy#-7065693423068381803
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\siber systems\ai roboform\firefox\components\rfproxy_31.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{4fd0131c-5156-4a4a-af5b-e04381314163}\components\WindowsLiveWriter.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{6ff1d3c4-61bc-4021-89b7-af8a8f784ebb}\components\snagitmozextension.dll
FF - component: c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc_fireftp.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {597DCCE7-94BC-4A06-AA12-8E2608F198EF} - c:\users\erik\appdata\local\{597dcce7-94bc-4a06-aa12-8e2608f198ef}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Extension: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\siber systems\ai roboform\Firefox
FF - Extension: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
FF - Extension: XULRunner: {597DCCE7-94BC-4A06-AA12-8E2608F198EF} - c:\users\erik\appdata\local\{597DCCE7-94BC-4A06-AA12-8E2608F198EF}
FF - Extension: Web Search Pro: {8B8A525A-CFCA-44cf-81C3-3969E6CB96E0} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{8B8A525A-CFCA-44cf-81C3-3969E6CB96E0}
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: Email This! Bookmarklet Extension: gmailthis@lazyrussian.com - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\gmailthis@lazyrussian.com
FF - Extension: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Extension: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
FF - Extension: Snagit Firefox Extension: {6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}
FF - Extension: Blog This in Windows Live Writer: {4fd0131c-5156-4a4a-af5b-e04381314163} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{4fd0131c-5156-4a4a-af5b-e04381314163}
FF - Extension: CookieSafe: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
FF - Extension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Extension: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Extension: SkipScreen: SkipScreen@SkipScreen - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\SkipScreen@SkipScreen
FF - Extension: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Extension: Download Youtube Videos +: video.downloader.plugin@ffpimp.com - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\video.downloader.plugin@ffpimp.com
FF - Extension: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}: {b9bfaf1c-a63f-47cd-8b9a-29526ced9060} - c:\users\erik\appdata\roaming\mozilla\firefox\profiles\ww0egtnr.fixtest\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}
FF - Extension: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-15 11608]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-10-12 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 67656]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-15 55656]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2009-11-6 9472]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-15 185089]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\norton internet security\engine\16.0.0.125\ccsvchst.exe" /s "norton internet security" /m "c:\program files\norton internet security\engine\16.0.0.125\dimaster.dll" /prefetch:1 --> c:\program files\norton internet security\engine\16.0.0.125\ccSvcHst.exe [?]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-3-25 42368]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 12872]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-15 108289]
S4 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-4-22 193840]
S4 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-7-18 30192]
S4 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2009-10-19 309008]
S4 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-4-22 365952]

=============== Created Last 30 ================

2010-12-09 22:33:12 6273872 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{1ffaa17e-57cd-4910-9d40-1e7667c1333a}\mpengine.dll
2010-12-09 22:29:17 -------- d-----w- c:\users\erik\appdata\local\{597DCCE7-94BC-4A06-AA12-8E2608F198EF}
2010-12-08 22:36:25 -------- d-----w- c:\progra~2\Alwil Software
2010-12-08 02:40:42 -------- d-----w- C:\e1b9e42fb7fa4fa706b5
2010-12-07 23:47:48 -------- d-----w- c:\users\erik\appdata\roaming\4885F68A0E2DE955EB1258D19E55E3A2
2010-11-28 20:10:00 -------- d-----w- c:\program files\Search Toolbar
2010-11-24 13:58:58 -------- d-----w- c:\program files\Lame For Audacity
2010-11-23 23:05:21 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-13 13:56:41 8147456 ----a-w- c:\windows\system32\wmploc.DLL

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST9250315AS rev.0003HPM1 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86840555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x868467b0]; MOV EAX, [0x8684682c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E7C962] -> \Device\Harddisk0\DR0[0x8615B768]
3 CLASSPNP[0x805DE8B3] -> ntkrnlpa!IofCallDriver[0x81E7C962] -> [0x868A23A0]
\Driver\atapi[0x86567B18] -> IRP_MJ_CREATE -> 0x86840555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskST9250315AS_____________________________0003HPM1#5&3b0a2a42&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 8:08:54.61 ===============

Malwarebytes file:

Objects scanned: 385400
Time elapsed: 2 hour(s), 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\Users\Erik\AppData\Local\Z1auib.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Qnuyumafu (Trojan.Hiloti) -> Value: Qnuyumafu -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\erik\AppData\Local\Z1auib.dll (Trojan.Hiloti) -> Delete on reboot.
c:\Users\erik\AppData\Roaming\Adobe\plugs\KB660991.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\Users\erik\AppData\Roaming\Adobe\plugs\KB704640.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\erik\AppData\Local\temp\0.4145912403978068.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Note: When I rebooted the computer, I did get a message saying, error loading c:\Users\me\AppData\Local\Z1auib.dll

Attached Files

DDS.txt 21.35KB 1 downloads

Edited by linter, 10 December 2010 - 09:25 AM.

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Blind Faith

Malware Response Team
4,101 posts
OFFLINE

Gender:Female
Local time:07:12 PM

Posted 17 December 2010 - 08:23 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

Elle

Can you hear it?It's all around!

Tomar ki manè acchè?
Yadi thakè, tahalè
Ki kshama kartè paro?

If I haven't replied in 48 hours, please feel free to send me a PM.

Posted Image

#3 linter

Topic Starter

Members
14 posts
OFFLINE

Local time:11:12 AM

Posted 18 December 2010 - 05:08 AM

actually, i gave up and went and bought a new computer. will reformat the hdd on the old one and use it as a back up. thanks anyway.

#4 gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:12:12 PM

Posted 19 December 2010 - 12:58 AM

Hello

My name is gringo and I will be taking over from this point and untill we finish.

I can still clean this one if you want to so you don't lose anything on it .

Somethings to remember while we are working together.

Do not run any other tool untill instructed to do so!
Please Do not Attach logs or put in code boxes unless I tell you so.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

If you have not done so please Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following
Log from Combofix
let me know of any problems you may have had
How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 linter

Topic Starter

Members
14 posts
OFFLINE

Local time:11:12 AM

Posted 19 December 2010 - 12:51 PM

i was unable to run combofix in regular boot mode; attempting to do so would lead the computer to shut down and restart. i booted into safe mode and loaded combofix but got a message that microsoft security essentials is still running. i loaded MSE and see that active protection is, in fact, turned off, with a big red x. combofix warned me not to continue but since mse seems to be not active, i decided to go ahead anyway. at one point, combofix said it had detected rootkit activity and needed to reboot. so, i attempted to reboot.

it rebooted in regular mode, then combofix loaded and started to do its thing. it ran through various processes then, at the end i guess, the computer shut down again with the same ol blue screen notice of failure.

have any further suggestions, since i can't seem to get combofix to run?

thanks!

#6 gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:12:12 PM

Posted 19 December 2010 - 01:03 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 linter

Topic Starter

Members
14 posts
OFFLINE

Local time:11:12 AM

Posted 19 December 2010 - 01:17 PM

ok, that works. here's the text file. now what?

thakns again!!!

2010/12/19 13:07:02.0885 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/19 13:07:02.0885 ================================================================================
2010/12/19 13:07:02.0885 SystemInfo:
2010/12/19 13:07:02.0885
2010/12/19 13:07:02.0885 OS Version: 6.0.6002 ServicePack: 2.0
2010/12/19 13:07:02.0885 Product type: Workstation
2010/12/19 13:07:02.0885 ComputerName: ERIK-PC
2010/12/19 13:07:02.0885 UserName: Erik
2010/12/19 13:07:02.0885 Windows directory: C:\Windows
2010/12/19 13:07:02.0885 System windows directory: C:\Windows
2010/12/19 13:07:02.0885 Processor architecture: Intel x86
2010/12/19 13:07:02.0885 Number of processors: 2
2010/12/19 13:07:02.0885 Page size: 0x1000
2010/12/19 13:07:02.0885 Boot type: Normal boot
2010/12/19 13:07:02.0885 ================================================================================
2010/12/19 13:07:03.0540 Initialize success
2010/12/19 13:07:08.0158 ================================================================================
2010/12/19 13:07:08.0158 Scan started
2010/12/19 13:07:08.0158 Mode: Manual;
2010/12/19 13:07:08.0158 ================================================================================
2010/12/19 13:07:08.0158 ================================================================================
2010/12/19 13:07:08.0158 Scan started
2010/12/19 13:07:08.0158 Mode: Manual;
2010/12/19 13:07:08.0158 ================================================================================
2010/12/19 13:07:09.0858 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/19 13:07:09.0890 ================================================================================
2010/12/19 13:07:09.0890 Scan finished
2010/12/19 13:07:09.0890 ================================================================================
2010/12/19 13:07:09.0890 Scan interrupted by user!
2010/12/19 13:07:09.0890 Scan interrupted by user!
2010/12/19 13:07:09.0890 ================================================================================
2010/12/19 13:07:09.0890 Scan finished
2010/12/19 13:07:09.0890 ================================================================================
2010/12/19 13:07:45.0957 ================================================================================
2010/12/19 13:07:45.0957 Scan started
2010/12/19 13:07:45.0957 Mode: Manual;
2010/12/19 13:07:45.0957 ================================================================================
2010/12/19 13:07:47.0002 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2010/12/19 13:07:47.0408 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2010/12/19 13:07:47.0735 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2010/12/19 13:07:48.0234 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2010/12/19 13:07:48.0578 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2010/12/19 13:07:48.0983 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2010/12/19 13:07:49.0373 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2010/12/19 13:07:49.0670 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/12/19 13:07:50.0075 aliide (3d76fda1a10acc3dc84728f55c29b6d4) C:\Windows\system32\drivers\aliide.sys
2010/12/19 13:07:50.0450 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2010/12/19 13:07:50.0684 amdide (5b92e7839f5a1fbc1b39de67758ad6f8) C:\Windows\system32\drivers\amdide.sys
2010/12/19 13:07:51.0105 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2010/12/19 13:07:51.0464 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2010/12/19 13:07:52.0041 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2010/12/19 13:07:52.0368 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2010/12/19 13:07:52.0587 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/19 13:07:53.0039 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2010/12/19 13:07:53.0804 athr (02d34ac487df3da4e3f01874e61eb619) C:\Windows\system32\DRIVERS\athr.sys
2010/12/19 13:07:54.0162 avgio (6a646c46b9415e13095aa9b352040a7a) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/12/19 13:07:54.0584 avgntflt (91c8887520ee93b2fc7387687fd182cb) C:\Windows\system32\DRIVERS\avgntflt.sys
2010/12/19 13:07:54.0942 avipbb (452e382340bb0c5e694ed9d3625356d0) C:\Windows\system32\DRIVERS\avipbb.sys
2010/12/19 13:07:55.0364 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/12/19 13:07:55.0988 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2010/12/19 13:07:56.0268 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/12/19 13:07:56.0502 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/12/19 13:07:56.0908 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/12/19 13:07:57.0376 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/12/19 13:07:57.0844 BrSerIf (1a5fc78e41840edf79d65ec16eff2787) C:\Windows\system32\Drivers\BrSerIf.sys
2010/12/19 13:07:58.0484 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/12/19 13:07:59.0030 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/12/19 13:07:59.0420 BrUsbSer (a24c7b39602218f8dbdb2b6704325fc7) C:\Windows\system32\Drivers\BrUsbSer.sys
2010/12/19 13:07:59.0778 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/12/19 13:08:00.0558 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/12/19 13:08:01.0011 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/19 13:08:01.0338 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2010/12/19 13:08:01.0666 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2010/12/19 13:08:02.0118 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/12/19 13:08:02.0555 cmdide (d36372a6ea6805efbe8884d10772313f) C:\Windows\system32\drivers\cmdide.sys
2010/12/19 13:08:02.0727 CnxtHdAudService (1adf6f4852e7d7e2e8ac481bdb970586) C:\Windows\system32\drivers\CHDRT32.sys
2010/12/19 13:08:02.0992 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/12/19 13:08:03.0148 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2010/12/19 13:08:03.0195 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2010/12/19 13:08:03.0366 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2010/12/19 13:08:03.0507 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2010/12/19 13:08:03.0678 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/12/19 13:08:03.0819 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2010/12/19 13:08:04.0037 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/12/19 13:08:04.0224 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2010/12/19 13:08:04.0412 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2010/12/19 13:08:04.0583 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2010/12/19 13:08:04.0786 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2010/12/19 13:08:04.0911 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2010/12/19 13:08:05.0067 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/19 13:08:05.0238 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/12/19 13:08:05.0270 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/12/19 13:08:05.0379 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/19 13:08:05.0441 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2010/12/19 13:08:05.0597 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/19 13:08:05.0691 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2010/12/19 13:08:05.0925 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/12/19 13:08:05.0972 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/12/19 13:08:06.0096 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/12/19 13:08:06.0362 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/12/19 13:08:06.0892 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/19 13:08:07.0454 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2010/12/19 13:08:07.0984 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys
2010/12/19 13:08:08.0624 HSF_DPV (cc267848cb3508e72762be65734e764d) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2010/12/19 13:08:09.0092 HSXHWAZL (a2882945cc4b6e3e4e9e825590438888) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2010/12/19 13:08:10.0059 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2010/12/19 13:08:10.0652 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2010/12/19 13:08:11.0338 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/12/19 13:08:11.0728 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2010/12/19 13:08:12.0695 igfx (f1f52f4b4dd7cb8b47570690363f1b28) C:\Windows\system32\DRIVERS\igdkmd32.sys
2010/12/19 13:08:13.0179 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/12/19 13:08:13.0538 IntcHdmiAddService (c7e7e43cbd34d3b0a0156b51b917dfcc) C:\Windows\system32\drivers\IntcHdmi.sys
2010/12/19 13:08:14.0068 intelide (dd512a049bd7b4bce8a83554c5eff2c1) C:\Windows\system32\drivers\intelide.sys
2010/12/19 13:08:14.0271 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/12/19 13:08:14.0458 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/12/19 13:08:14.0536 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2010/12/19 13:08:14.0583 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/12/19 13:08:14.0692 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/12/19 13:08:14.0864 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2010/12/19 13:08:14.0895 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/12/19 13:08:15.0004 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/12/19 13:08:15.0035 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/12/19 13:08:15.0082 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/19 13:08:15.0222 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
2010/12/19 13:08:15.0269 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2010/12/19 13:08:15.0472 LHidFilt (8b30311241f97b35167afe68d79e8530) C:\Windows\system32\DRIVERS\LHidFilt.Sys
2010/12/19 13:08:15.0628 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/12/19 13:08:15.0768 LMouFilt (48d7422a6c4eec886b56ac534cfa3acf) C:\Windows\system32\DRIVERS\LMouFilt.Sys
2010/12/19 13:08:15.0831 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2010/12/19 13:08:15.0940 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2010/12/19 13:08:16.0049 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2010/12/19 13:08:16.0158 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2010/12/19 13:08:16.0330 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2010/12/19 13:08:16.0486 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2010/12/19 13:08:16.0642 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2010/12/19 13:08:16.0767 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2010/12/19 13:08:16.0923 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2010/12/19 13:08:17.0079 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\Windows\system32\DRIVERS\motccgp.sys
2010/12/19 13:08:17.0110 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\Windows\system32\DRIVERS\motccgpfl.sys
2010/12/19 13:08:17.0266 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\Windows\system32\DRIVERS\motmodem.sys
2010/12/19 13:08:17.0422 motport (fe80c18ba448ddd76b7bead9eb203d37) C:\Windows\system32\DRIVERS\motport.sys
2010/12/19 13:08:17.0484 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/19 13:08:17.0547 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2010/12/19 13:08:17.0625 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2010/12/19 13:08:17.0765 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\Windows\system32\DRIVERS\MpFilter.sys
2010/12/19 13:08:18.0374 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2010/12/19 13:08:19.0076 MpNWMon (aeb186afff5d9cfed823c15d846aac3b) C:\Windows\system32\DRIVERS\MpNWMon.sys
2010/12/19 13:08:19.0934 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2010/12/19 13:08:20.0636 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2010/12/19 13:08:21.0353 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2010/12/19 13:08:21.0806 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/12/19 13:08:22.0570 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/12/19 13:08:22.0882 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/12/19 13:08:23.0350 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
2010/12/19 13:08:23.0787 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2010/12/19 13:08:24.0692 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2010/12/19 13:08:25.0269 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2010/12/19 13:08:25.0643 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2010/12/19 13:08:25.0908 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/12/19 13:08:26.0205 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2010/12/19 13:08:26.0626 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2010/12/19 13:08:26.0938 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/12/19 13:08:27.0328 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2010/12/19 13:08:27.0765 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2010/12/19 13:08:28.0139 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2010/12/19 13:08:28.0592 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2010/12/19 13:08:28.0982 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/12/19 13:08:29.0465 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/12/19 13:08:29.0933 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/12/19 13:08:30.0183 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2010/12/19 13:08:30.0557 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2010/12/19 13:08:30.0885 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2010/12/19 13:08:31.0571 NETw3v32 (35d5458d9a1b26b2005abffbf4c1c5e7) C:\Windows\system32\DRIVERS\NETw3v32.sys
2010/12/19 13:08:31.0914 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2010/12/19 13:08:32.0242 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2010/12/19 13:08:32.0710 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2010/12/19 13:08:33.0303 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2010/12/19 13:08:33.0708 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2010/12/19 13:08:34.0020 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2010/12/19 13:08:34.0504 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2010/12/19 13:08:34.0894 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2010/12/19 13:08:35.0284 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2010/12/19 13:08:36.0126 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/12/19 13:08:36.0532 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2010/12/19 13:08:36.0860 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2010/12/19 13:08:37.0203 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2010/12/19 13:08:37.0671 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2010/12/19 13:08:38.0045 pciide (1d8b3d8df8eb7fcf2f0ac02f9f947802) C:\Windows\system32\drivers\pciide.sys
2010/12/19 13:08:38.0513 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2010/12/19 13:08:39.0028 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2010/12/19 13:08:39.0371 pnetmdm (da19e3401f39c10df193be029c7e7bba) C:\Windows\system32\DRIVERS\pnetmdm.sys
2010/12/19 13:08:39.0839 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2010/12/19 13:08:40.0089 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2010/12/19 13:08:40.0432 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2010/12/19 13:08:41.0056 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2010/12/19 13:08:41.0462 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2010/12/19 13:08:41.0758 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2010/12/19 13:08:42.0039 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2010/12/19 13:08:42.0429 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/12/19 13:08:42.0897 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/12/19 13:08:43.0287 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2010/12/19 13:08:43.0802 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2010/12/19 13:08:44.0067 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/12/19 13:08:44.0597 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2010/12/19 13:08:45.0128 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2010/12/19 13:08:45.0424 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2010/12/19 13:08:45.0970 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
2010/12/19 13:08:46.0360 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2010/12/19 13:08:46.0828 RTL8169 (125c504a34d0a2e152517e342e7e432c) C:\Windows\system32\DRIVERS\Rtlh86.sys
2010/12/19 13:08:47.0202 RTSTOR (8dab5975b5c7923d61506a48e251dbad) C:\Windows\system32\drivers\RTSTOR.SYS
2010/12/19 13:08:47.0483 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/12/19 13:08:47.0592 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2010/12/19 13:08:47.0655 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
2010/12/19 13:08:48.0123 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2010/12/19 13:08:48.0700 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
2010/12/19 13:08:49.0043 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/12/19 13:08:49.0246 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2010/12/19 13:08:49.0964 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2010/12/19 13:08:50.0229 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2010/12/19 13:08:50.0447 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2010/12/19 13:08:50.0822 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2010/12/19 13:08:51.0118 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2010/12/19 13:08:51.0492 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2010/12/19 13:08:51.0726 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2010/12/19 13:08:52.0070 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2010/12/19 13:08:52.0460 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2010/12/19 13:08:52.0709 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2010/12/19 13:08:53.0240 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2010/12/19 13:08:53.0957 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2010/12/19 13:08:54.0300 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2010/12/19 13:08:54.0597 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2010/12/19 13:08:54.0924 ssmdrv (654dfea96bc82b4acda4f37e5e4a3bbf) C:\Windows\system32\DRIVERS\ssmdrv.sys
2010/12/19 13:08:55.0127 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
2010/12/19 13:08:55.0174 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2010/12/19 13:08:55.0221 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2010/12/19 13:08:55.0346 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2010/12/19 13:08:55.0502 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2010/12/19 13:08:55.0673 SynTP (6bef3acd6ee22eec55b68699e8aace09) C:\Windows\system32\DRIVERS\SynTP.sys
2010/12/19 13:08:55.0798 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2010/12/19 13:08:55.0954 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/19 13:08:56.0001 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2010/12/19 13:08:56.0094 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2010/12/19 13:08:56.0110 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2010/12/19 13:08:56.0235 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2010/12/19 13:08:56.0344 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/19 13:08:56.0500 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/12/19 13:08:56.0656 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2010/12/19 13:08:56.0781 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2010/12/19 13:08:56.0906 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2010/12/19 13:08:57.0030 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2010/12/19 13:08:57.0171 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2010/12/19 13:08:57.0296 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2010/12/19 13:08:57.0420 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2010/12/19 13:08:57.0545 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2010/12/19 13:08:57.0654 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2010/12/19 13:08:57.0732 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/12/19 13:08:57.0857 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2010/12/19 13:08:57.0998 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/19 13:08:58.0060 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/19 13:08:58.0107 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2010/12/19 13:08:58.0216 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2010/12/19 13:08:58.0372 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2010/12/19 13:08:58.0434 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/19 13:08:58.0575 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/12/19 13:08:58.0746 usb_rndisx (35c9095fa7076466afbfc5b9ec4b779e) C:\Windows\system32\DRIVERS\usb8023x.sys
2010/12/19 13:08:59.0277 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/12/19 13:08:59.0698 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2010/12/19 13:09:00.0306 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2010/12/19 13:09:00.0759 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2010/12/19 13:09:01.0149 viaide (ea1aa6e3abb3c194feba12a46de8cf2c) C:\Windows\system32\drivers\viaide.sys
2010/12/19 13:09:01.0617 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2010/12/19 13:09:02.0210 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2010/12/19 13:09:02.0724 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2010/12/19 13:09:03.0192 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2010/12/19 13:09:03.0770 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2010/12/19 13:09:04.0238 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/19 13:09:04.0284 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/19 13:09:04.0721 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2010/12/19 13:09:05.0361 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2010/12/19 13:09:05.0938 winachsf (0acd399f5db3df1b58903cf4949ab5a8) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2010/12/19 13:09:06.0328 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/12/19 13:09:06.0749 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2010/12/19 13:09:07.0233 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/12/19 13:09:07.0638 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/12/19 13:09:08.0138 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
2010/12/19 13:09:08.0543 yukonwlh (7d1f3b131d503ef43ee594b5a2b9b427) C:\Windows\system32\DRIVERS\yk60x86.sys
2010/12/19 13:09:08.0652 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/19 13:09:08.0684 ================================================================================
2010/12/19 13:09:08.0684 Scan finished
2010/12/19 13:09:08.0684 ================================================================================
2010/12/19 13:09:08.0715 Detected object count: 1
2010/12/19 13:09:38.0870 \HardDisk0 - will be cured after reboot
2010/12/19 13:09:38.0870 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/19 13:09:59.0618 Deinitialize success

#8 gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:12:12 PM

Posted 19 December 2010 - 01:31 PM

Hello

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

I know you tried it before but I want you to try now that we have removed the rootkit.

I have to go out but will be back on later tonight

Boot into Safe Mode

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 linter

Topic Starter

Members
14 posts
OFFLINE

Local time:11:12 AM

Posted 19 December 2010 - 03:48 PM

cool. combo fix worked that time. didn't even ask me to reboot, nor did it reboot itself. here's the log. thanks for your continued assistance!!!!

p.s. although the log says MSE was enabled, it was not, and i don't know why CF says it is ...

ComboFix 10-12-18.02 - Erik 12/19/2010 15:31:59.3.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.2477 [GMT -5:00]
Running from: c:\users\Erik\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Microsoft Security Essentials *Enabled/Outdated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Microsoft Security Essentials *Enabled/Outdated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\users\Erik\AppData\Local\{597DCCE7-94BC-4A06-AA12-8E2608F198EF}
c:\users\Erik\AppData\Local\{597DCCE7-94BC-4A06-AA12-8E2608F198EF}\chrome.manifest
c:\users\Erik\AppData\Local\{597DCCE7-94BC-4A06-AA12-8E2608F198EF}\chrome\content\_cfg.js
c:\users\Erik\AppData\Local\{597DCCE7-94BC-4A06-AA12-8E2608F198EF}\chrome\content\overlay.xul
c:\users\Erik\AppData\Local\{597DCCE7-94BC-4A06-AA12-8E2608F198EF}\install.rdf
c:\users\Erik\AppData\Roaming\4885F68A0E2DE955EB1258D19E55E3A2
c:\users\Erik\AppData\Roaming\4885F68A0E2DE955EB1258D19E55E3A2\enemies-names.txt
c:\users\Erik\AppData\Roaming\Adobe\AdobeUpdate .exe
c:\users\Erik\AppData\Roaming\Adobe\plugs

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-11-19 to 2010-12-19 )))))))))))))))))))))))))))))))
.

2010-12-19 20:40 . 2010-12-19 20:41 -------- d-----w- c:\users\Erik\AppData\Local\temp
2010-12-19 20:40 . 2010-12-19 20:40 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-12-19 20:40 . 2010-12-19 20:40 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-09 22:33 . 2010-11-16 17:01 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1FFAA17E-57CD-4910-9D40-1E7667C1333A}\mpengine.dll
2010-12-08 22:36 . 2010-12-08 22:36 -------- d-----w- c:\programdata\Alwil Software
2010-12-08 22:36 . 2010-12-08 22:36 -------- d-----w- c:\program files\Alwil Software
2010-12-08 02:40 . 2010-12-08 02:40 -------- d-----w- C:\e1b9e42fb7fa4fa706b5
2010-11-24 13:58 . 2010-11-24 13:58 -------- d-----w- c:\program files\Lame For Audacity
2010-11-23 23:05 . 2010-11-26 15:40 -------- d-----w- c:\users\Erik\AppData\Roaming\Audacity
2010-11-23 23:05 . 2010-11-23 23:05 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2009-09-28 23:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2009-09-28 23:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-10 04:33 . 2010-11-05 15:48 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-19 20:51 . 2009-10-03 13:37 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2010-11-04 12:28 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{213838EC-9C98-418E-861F-FEFE62283CC7}\mpengine.dll
2009-07-18 14:01 . 2009-07-18 14:01 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 16:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-09 2424560]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Callcentric Softphone.lnk]
backup=c:\windows\pss\Callcentric Softphone.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snagit 9.lnk]
backup=c:\windows\pss\Snagit 9.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Stickies.lnk]
backup=c:\windows\pss\Stickies.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ePrompter.lnk]
backup=c:\windows\pss\ePrompter.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
backup=c:\windows\pss\PdaNet Desktop.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerMenu.lnk]
backup=c:\windows\pss\PowerMenu.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^texter.exe - Shortcut.lnk]
backup=c:\windows\pss\texter.exe - Shortcut.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^WordWeb Pro.lnk]
backup=c:\windows\pss\WordWeb Pro.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
backup=c:\windows\pss\Yahoo! Widgets.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 17:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2009-02-10 16:03 745472 ------r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsWnd]
2008-01-08 13:28 864256 ------w- c:\program files\Brownie\BrStsWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClipMate7]
2009-01-31 14:00 3760424 ----a-w- c:\program files\ClipMate7\ClipMate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-10-30 20:05 77824 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-07-18 14:01 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-07-10 22:27 170520 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 14:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2008-04-15 21:51 488752 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-07-10 22:27 150040 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]
2009-09-29 01:32 1241872 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-12-19 03:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 17:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-07-10 22:27 145944 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-08-01 23:14 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2008-09-24 00:21 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
2009-02-21 08:18 4333568 ----a-w- c:\program files\Rainlendar2\Rainlendar2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2009-07-15 20:24 160592 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 17:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-31 19:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-08-28 14:32 1557800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-11-20 00:21 328056 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 13:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-05-01 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-06-30 67656]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-19 23680]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
R3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-05-01 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R4 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-07-18 30192]
R4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2009-09-29 309008]
R4 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-12-19 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-11-04 01:55]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.netflix.com/Queue?inqt=wn&lnkctr=queueTab-ELECTRONIC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\ww0egtnr.fixtest\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Web Search Pro: {8B8A525A-CFCA-44cf-81C3-3969E6CB96E0} - %profile%\extensions\{8B8A525A-CFCA-44cf-81C3-3969E6CB96E0}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Email This! Bookmarklet Extension: gmailthis@lazyrussian.com - %profile%\extensions\gmailthis@lazyrussian.com
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
FF - Ext: Snagit Firefox Extension: {6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB} - %profile%\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}
FF - Ext: Blog This in Windows Live Writer: {4fd0131c-5156-4a4a-af5b-e04381314163} - %profile%\extensions\{4fd0131c-5156-4a4a-af5b-e04381314163}
FF - Ext: CookieSafe: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD} - %profile%\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Download Youtube Videos +: video.downloader.plugin@ffpimp.com - %profile%\extensions\video.downloader.plugin@ffpimp.com
FF - Ext: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}: {b9bfaf1c-a63f-47cd-8b9a-29526ced9060} - %profile%\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKLM-Run-SynTPEnh - %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-Acronis Scheduler2 Service - c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
MSConfigStartUp-Google Update - c:\users\Erik\AppData\Local\Google\Update\GoogleUpdate.exe
MSConfigStartUp-TrueImageMonitor - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-19 15:41
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"Licence0"="REMOVED"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-12-19 15:43:10
ComboFix-quarantined-files.txt 2010-12-19 20:42
ComboFix2.txt 2009-10-23 10:07

Pre-Run: 103,717,404,672 bytes free
Post-Run: 103,763,218,432 bytes free

- - End Of File - - E21D5293E3C26E120AA22C6490A47C26

#10 gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:12:12 PM

Posted 19 December 2010 - 05:56 PM

Hello

How are thimgs doing now?

I would ike to see a report that combofix makes.

extra combofix report

push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
please copy and past the following into the box

C:\Qoobox\Add-Remove Programs.txt

click ok

copy and paste the report into this topic for me to review

Gringo

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 linter

Topic Starter

Members
14 posts
OFFLINE

Local time:11:12 AM

Posted 19 December 2010 - 06:17 PM

what i appended above is the latest CF run, done in safe mode. i'm running it in regular mode now and will post the results, as asked for in your latest post, when it's done, in a few minutes ... thanks again~

Edited by linter, 19 December 2010 - 06:30 PM.

#12 linter

Topic Starter

Members
14 posts
OFFLINE

Local time:11:12 AM

Posted 19 December 2010 - 06:32 PM

okay, i tried that and got the following response: "illegal operation attempted on a registry key that has been marked for deletion."

meanwhile, for what it's worth, here's a CF log from a run done during a regular boot.

thanks~

--------

ComboFix 10-12-18.02 - Erik 12/19/2010 18:17:25.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.2037 [GMT -5:00]
Running from: c:\users\Erik\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: Microsoft Security Essentials *Enabled/Outdated* {BF5CEBDC-F2D3-7540-343C-F0CE11FD6E66}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Microsoft Security Essentials *Enabled/Outdated* {043D0A38-D4E9-7ACE-0E8C-CBBC6A7A24DB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-11-19 to 2010-12-19 )))))))))))))))))))))))))))))))
.

2010-12-19 23:24 . 2010-12-19 23:24 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-12-19 23:24 . 2010-12-19 23:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-19 20:43 . 2010-12-19 23:24 -------- d-----w- c:\users\Erik\AppData\Local\temp
2010-12-09 22:33 . 2010-11-16 17:01 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{1FFAA17E-57CD-4910-9D40-1E7667C1333A}\mpengine.dll
2010-12-08 22:36 . 2010-12-08 22:36 -------- d-----w- c:\programdata\Alwil Software
2010-12-08 22:36 . 2010-12-08 22:36 -------- d-----w- c:\program files\Alwil Software
2010-12-08 02:40 . 2010-12-08 02:40 -------- d-----w- C:\e1b9e42fb7fa4fa706b5
2010-11-24 13:58 . 2010-11-24 13:58 -------- d-----w- c:\program files\Lame For Audacity
2010-11-23 23:05 . 2010-11-26 15:40 -------- d-----w- c:\users\Erik\AppData\Roaming\Audacity
2010-11-23 23:05 . 2010-11-23 23:05 -------- d-----w- c:\program files\Audacity 1.3 Beta (Unicode)

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 22:42 . 2009-09-28 23:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 22:42 . 2009-09-28 23:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-10 04:33 . 2010-11-05 15:48 6273872 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-19 20:51 . 2009-10-03 13:37 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-07 23:21 . 2010-11-04 12:28 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{213838EC-9C98-418E-861F-FEFE62283CC7}\mpengine.dll
2009-07-18 14:01 . 2009-07-18 14:01 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-18 16:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-12-09 2424560]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 149280]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-12 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-12 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-12-19 76304]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-5-21 275768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Callcentric Softphone.lnk]
backup=c:\windows\pss\Callcentric Softphone.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snagit 9.lnk]
backup=c:\windows\pss\Snagit 9.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Stickies.lnk]
backup=c:\windows\pss\Stickies.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^ePrompter.lnk]
backup=c:\windows\pss\ePrompter.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
backup=c:\windows\pss\PdaNet Desktop.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerMenu.lnk]
backup=c:\windows\pss\PowerMenu.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^texter.exe - Shortcut.lnk]
backup=c:\windows\pss\texter.exe - Shortcut.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^WordWeb Pro.lnk]
backup=c:\windows\pss\WordWeb Pro.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Erik^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
backup=c:\windows\pss\Yahoo! Widgets.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2009-03-02 17:08 209153 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2009-02-10 16:03 745472 ------r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrStsWnd]
2008-01-08 13:28 864256 ------w- c:\program files\Brownie\BrStsWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ClipMate7]
2009-01-31 14:00 3760424 ----a-w- c:\program files\ClipMate7\ClipMate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-10-30 20:05 77824 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2009-07-18 14:01 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-07-10 22:27 170520 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
2008-10-09 14:58 75008 ----a-w- c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2008-04-15 21:51 488752 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-07-10 22:27 150040 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IObit Security 360]
2009-09-29 01:32 1241872 ----a-w- c:\program files\IObit\IObit Security 360\is360tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2008-12-19 03:42 76304 ----a-w- c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
2008-06-09 17:16 2363392 ----a-w- c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-07-10 22:27 145944 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-08-01 23:14 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2008-09-24 00:21 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]
2009-02-21 08:18 4333568 ----a-w- c:\program files\Rainlendar2\Rainlendar2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2009-07-15 20:24 160592 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
2007-09-02 17:58 495616 ----a-w- c:\program files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-07-31 19:23 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2009-08-28 14:32 1557800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-11-20 00:21 328056 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 13:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [x]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-19 23680]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-05-01 12872]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R4 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R4 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-07-18 30192]
R4 IS360service;IS360service;c:\program files\IObit\IObit Security 360\IS360srv.exe [2009-09-29 309008]
R4 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-05-01 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-06-30 67656]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-26 42368]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\DRIVERS\pnetmdm.sys [2006-09-28 9472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPService REG_MULTI_SZ HPSLPSVC
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-12-19 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2010-11-04 01:55]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.netflix.com/Queue?inqt=wn&lnkctr=queueTab-ELECTRONIC
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\users\Erik\AppData\Roaming\Mozilla\Firefox\Profiles\ww0egtnr.fixtest\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: AI Roboform Toolbar for Firefox: {22119944-ED35-4ab1-910B-E619EA06A115} - c:\program files\Siber Systems\AI RoboForm\Firefox
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - Ext: Web Search Pro: {8B8A525A-CFCA-44cf-81C3-3969E6CB96E0} - %profile%\extensions\{8B8A525A-CFCA-44cf-81C3-3969E6CB96E0}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Email This! Bookmarklet Extension: gmailthis@lazyrussian.com - %profile%\extensions\gmailthis@lazyrussian.com
FF - Ext: FireFTP: {a7c6cf7f-112c-4500-a7ea-39801a327e5f} - %profile%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
FF - Ext: IE Tab: {77b819fa-95ad-4f2c-ac7c-486b356188a9} - %profile%\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
FF - Ext: Snagit Firefox Extension: {6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB} - %profile%\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}
FF - Ext: Blog This in Windows Live Writer: {4fd0131c-5156-4a4a-af5b-e04381314163} - %profile%\extensions\{4fd0131c-5156-4a4a-af5b-e04381314163}
FF - Ext: CookieSafe: {9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD} - %profile%\extensions\{9D23D0AA-D8F5-11DA-B3FC-0928ABF316DD}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: SkipScreen: SkipScreen@SkipScreen - %profile%\extensions\SkipScreen@SkipScreen
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Download Youtube Videos +: video.downloader.plugin@ffpimp.com - %profile%\extensions\video.downloader.plugin@ffpimp.com
FF - Ext: <?xmlversion=1.0?><RDF xmlns=http://www.w3.org/1999/02/22-rdf-syntax-ns# xmlns:em=http://www.mozilla.org/2004/em-rdf#><Description about=urn:mozilla:install-manifest><em:id>{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}: {b9bfaf1c-a63f-47cd-8b9a-29526ced9060} - %profile%\extensions\{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}
FF - Ext: HP Smart Web Printing: smartwebprinting@hp.com - c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-19 18:24
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Environment*]
"Licence0"="REMOVED"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(608)
c:\progra~1\CLIPMA~1\CLIPMA~1.DLL
.
Completion time: 2010-12-19 18:26:42
ComboFix-quarantined-files.txt 2010-12-19 23:26
ComboFix2.txt 2010-12-19 20:43
ComboFix3.txt 2009-10-23 10:07

Pre-Run: 100,600,246,272 bytes free
Post-Run: 100,642,996,224 bytes free

- - End Of File - - E80BC845777887188FAAFFCD67A18FDB

#13 gringo_pr

Bleepin Gringo

Malware Response Team
136,772 posts
OFFLINE

Gender:Male
Location:Puerto rico
Local time:12:12 PM

Posted 19 December 2010 - 07:21 PM

very good - let me have the report I have asked for in your next post please

Gringo

<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 linter

Topic Starter

Members
14 posts
OFFLINE

Local time:11:12 AM

Posted 19 December 2010 - 07:33 PM

um, well, like i said, i *can't* give you that report. if i could i would but when i run the command you gave me, this is what i get in return:

"illegal operation attempted on a registry key that has been marked for deletion."

and that's as far as i get. in other words: NO report.

thanks.