Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google Search Results Redirecting Wildly


  • This topic is locked This topic is locked
25 replies to this topic

#1 jhut

jhut

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 11 December 2010 - 07:40 PM

In all my browsers (IE, FF, Chrome), search results in Google (and other search engines) redirect to other pages, most of which are trying to sell me knock-off anti-virus software, cell phones, or many other types of crap. I am not sure how this got into my system. All of a sudden, a few weeks back, it just magically started.

I tried doing a system restore to a time when I know my machine did not have this problem. But, this attempt failed; the issue persists.

Thank you for the help.

-Joseph


DDS (Ver_10-12-12.01) - NTFSx86
Run by eric at 18:08:46.46 on Sat 12/11/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3063.1869 [GMT -5:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Broadcom\BPowMon\BPowMon.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\eric\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Eula.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Users\eric\AppData\Local\CrossLoop\CrossLoopService.exe
C:\Users\eric\AppData\Local\CrossLoop\CrossLoopConnect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\eric\AppData\Roaming\Yuuguu\Yuuguu.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Users\eric\AppData\Local\CrossLoop\tvnserver.exe
C:\Users\eric\AppData\Local\CrossLoop\tvnserver.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\eric\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Google Update] "c:\users\eric\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [CrossLoop] "c:\users\eric\appdata\local\crossloop\CrossLoopConnect.exe" -ap=crossloop -port=5910 -udp=www.CrossLoop.com -webserver=server.crossloop.com -webservice=www.crossloop.com -startup=server -minimize
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\yuuguu.lnk - c:\users\eric\appdata\roaming\yuuguu\yuuguu.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} - hxxps://onbaseweb.omnicomfinance.com/appnet/activex/OBXWebSelect.cab
DPF: {7B5A802A-67CA-4A1B-8219-8929B3B23AFA} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXWebViewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXPopup.cab
DPF: {B9D9D0B5-EE16-4EB2-8CF3-DB96EBD31488} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXWebSelect.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {DD8C2124-117D-40AC-AAD3-EB9984A87B13} - hxxps://onbaseweb.omnicomfinance.com/appnet/activex/OBXWebViewer.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\eric\appdata\roaming\mozilla\firefox\profiles\524341cw.default\
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\eric\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-5-27 81920]
R2 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]
R2 CrossLoopService;CrossLoop Service;c:\users\eric\appdata\local\crossloop\CrossLoopService.exe [2010-12-11 560848]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2010-5-27 13336]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-5-27 273960]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-5-27 66592]
R3 tvnserver;TightVNC Server;c:\users\eric\appdata\local\crossloop\tvnserver.exe [2010-12-11 814080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-12 1343400]

=============== Created Last 30 ================

2010-12-11 22:50:30 -------- d-----w- c:\users\eric\appdata\roaming\Yuuguu
2010-12-11 22:33:43 26624 ----a-w- c:\windows\system32\VNCpm.dll
2010-12-11 22:33:40 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2010-12-11 22:33:40 20992 ----a-w- c:\windows\system32\vncmirror.dll
2010-12-11 22:33:40 -------- d-----w- c:\program files\RealVNC
2010-12-11 22:20:51 -------- d-----w- c:\users\eric\appdata\local\CrossLoop
2010-12-11 18:55:46 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{0f6d9ab1-44ac-41fa-b860-10abb20305be}\mpengine.dll
2010-12-11 05:12:53 -------- d-sh--w- c:\progra~2\IAQNPAAJQV
2010-12-11 05:12:53 -------- d-----w- c:\users\eric\appdata\roaming\Internet Antivirus 2011
2010-12-11 05:12:42 -------- d-----w- c:\progra~2\2ac15e
2010-12-09 20:54:59 -------- d-----w- c:\users\eric\appdata\local\Windows Live

==================== Find3M ====================

2010-10-19 15:41:44 222080 ----a-w- c:\windows\system32\MpSigStub.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: WDC_WD16 rev.02.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87E62555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87e687b0]; MOV EAX, [0x87e6882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A80458] -> \Device\Harddisk0\DR0[0x87E41648]
3 CLASSPNP[0x8B57059E] -> ntkrnlpa!IofCallDriver[0x82A80458] -> [0x87EB1F08]
\Driver\iaStor[0x87E444E0] -> IRP_MJ_CREATE -> 0x87E62555
error: Read Access is denied.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600AAJS-75M0A0___________________02.03E02#4&2321f152&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 18:09:07.46 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:13 PM

Posted 19 December 2010 - 01:18 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Posted Image
    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply





Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth,. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


"just click on Cancel, then Accept".


information and logs:

  • In your next post I need the following

  • .logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 jhut

jhut
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 19 December 2010 - 07:38 PM

Hello, Gringo. Thank you for taking the time to help me. I look forward to working with you. The one DDS file is below, the other is attached, along with the RKUnHooker report.


DDS (Ver_10-12-12.02) - NTFSx86
Run by eric at 19:26:19.69 on Sun 12/19/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3063.2145 [GMT -5:00]

SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Broadcom\BPowMon\BPowMon.exe
C:\Users\eric\AppData\Local\CrossLoop\CrossLoopService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Users\eric\AppData\Local\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\eric\AppData\Local\CrossLoop\CrossLoopConnect.exe
C:\Users\eric\AppData\Roaming\Yuuguu\yuuguu.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wuauclt.exe
C:\Users\eric\AppData\Local\CrossLoop\tvnserver.exe
C:\Users\eric\AppData\Local\CrossLoop\tvnserver.exe
C:\Users\eric\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\eric\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\eric\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\eric\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\eric\Downloads\dds (1).scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Google Update] "c:\users\eric\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [CrossLoop] "c:\users\eric\appdata\local\crossloop\CrossLoopConnect.exe" -ap=crossloop -port=5910 -udp=www.CrossLoop.com -webserver=server.crossloop.com -webservice=www.crossloop.com -startup=server -minimize
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\eric\appdata\roaming\micros~1\windows\startm~1\programs\startup\yuuguu.lnk - c:\users\eric\appdata\roaming\yuuguu\yuuguu.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mif5ba~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif5ba~1\office12\REFIEBAR.DLL
DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} - hxxps://onbaseweb.omnicomfinance.com/appnet/activex/OBXWebSelect.cab
DPF: {7B5A802A-67CA-4A1B-8219-8929B3B23AFA} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXWebViewer.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXPopup.cab
DPF: {B9D9D0B5-EE16-4EB2-8CF3-DB96EBD31488} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXWebSelect.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {DD8C2124-117D-40AC-AAD3-EB9984A87B13} - hxxps://onbaseweb.omnicomfinance.com/appnet/activex/OBXWebViewer.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

================= FIREFOX ===================

FF - ProfilePath - c:\users\eric\appdata\roaming\mozilla\firefox\profiles\524341cw.default\
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\users\eric\appdata\local\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext

============= SERVICES / DRIVERS ===============

R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-5-27 81920]
R2 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]
R2 CrossLoopService;CrossLoop Service;c:\users\eric\appdata\local\crossloop\CrossLoopService.exe [2010-12-11 560848]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2010-5-27 13336]
R3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-5-27 273960]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2010-5-27 66592]
R3 tvnserver;TightVNC Server;c:\users\eric\appdata\local\crossloop\tvnserver.exe [2010-12-11 814080]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-12 1343400]

=============== Created Last 30 ================

2010-12-11 22:50:30 -------- d-----w- c:\users\eric\appdata\roaming\Yuuguu
2010-12-11 22:33:43 26624 ----a-w- c:\windows\system32\VNCpm.dll
2010-12-11 22:33:40 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2010-12-11 22:33:40 20992 ----a-w- c:\windows\system32\vncmirror.dll
2010-12-11 22:33:40 -------- d-----w- c:\program files\RealVNC
2010-12-11 22:20:51 -------- d-----w- c:\users\eric\appdata\local\CrossLoop
2010-12-11 18:55:46 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{0f6d9ab1-44ac-41fa-b860-10abb20305be}\mpengine.dll
2010-12-11 05:12:53 -------- d-sh--w- c:\progra~2\IAQNPAAJQV
2010-12-11 05:12:53 -------- d-----w- c:\users\eric\appdata\roaming\Internet Antivirus 2011
2010-12-11 05:12:42 -------- d-----w- c:\progra~2\2ac15e
2010-12-09 20:54:59 -------- d-----w- c:\users\eric\appdata\local\Windows Live

==================== Find3M ====================

2010-10-19 15:41:44 222080 ----a-w- c:\windows\system32\MpSigStub.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7600 Disk: WDC_WD16 rev.02.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x87E5F555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x87e657b0]; MOV EAX, [0x87e6582c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82A3C458] -> \Device\Harddisk0\DR0[0x87E3E410]
3 CLASSPNP[0x8B59A59E] -> ntkrnlpa!IofCallDriver[0x82A3C458] -> [0x8814D438]
\Driver\iaStor[0x87E3E318] -> IRP_MJ_CREATE -> 0x87E5F555
error: Read Access is denied.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskWDC_WD1600AAJS-75M0A0___________________02.03E02#4&2321f152&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 19:26:40.12 ===============

Attached Files



#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:13 PM

Posted 19 December 2010 - 07:52 PM

Hello

I Would like you to do the following.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 jhut

jhut
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 19 December 2010 - 08:48 PM

Hello. I tried to run ComboFix but launching it causes the computer to reboot immediately. The screen becomes blue and indicates that "Windows shut down unexpectedly." Perhaps the malware is blocking combo fix from running.

-Joseph

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:13 PM

Posted 19 December 2010 - 09:54 PM

Hello

It looks like the rootkit is still active. I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 jhut

jhut
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 19 December 2010 - 10:28 PM

Worm still on computer (Google results still incorrect). Result of scan:


2010/12/19 22:22:47.0546 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/19 22:22:47.0546 ================================================================================
2010/12/19 22:22:47.0546 SystemInfo:
2010/12/19 22:22:47.0546
2010/12/19 22:22:47.0546 OS Version: 6.1.7600 ServicePack: 0.0
2010/12/19 22:22:47.0546 Product type: Workstation
2010/12/19 22:22:47.0546 ComputerName: ERIC-PC
2010/12/19 22:22:47.0546 UserName: eric
2010/12/19 22:22:47.0546 Windows directory: C:\Windows
2010/12/19 22:22:47.0546 System windows directory: C:\Windows
2010/12/19 22:22:47.0546 Processor architecture: Intel x86
2010/12/19 22:22:47.0546 Number of processors: 4
2010/12/19 22:22:47.0546 Page size: 0x1000
2010/12/19 22:22:47.0546 Boot type: Normal boot
2010/12/19 22:22:47.0546 ================================================================================
2010/12/19 22:22:47.0702 Initialize success
2010/12/19 22:22:54.0581 ================================================================================
2010/12/19 22:22:54.0581 Scan started
2010/12/19 22:22:54.0581 Mode: Manual;
2010/12/19 22:22:54.0581 ================================================================================
2010/12/19 22:22:54.0878 1394ohci (bf02f806c873abb04b197161e8e5a316) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/12/19 22:22:54.0940 ACPI (f0e07d144c8685b8774bc32fc8da4df0) C:\Windows\system32\DRIVERS\ACPI.sys
2010/12/19 22:22:54.0971 AcpiPmi (98d81ca942d19f7d9153b095162ac013) C:\Windows\system32\DRIVERS\acpipmi.sys
2010/12/19 22:22:55.0018 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
2010/12/19 22:22:55.0034 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
2010/12/19 22:22:55.0049 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
2010/12/19 22:22:55.0112 AFD (ddc040fdb01ef1712a6b13e52afb104c) C:\Windows\system32\drivers\afd.sys
2010/12/19 22:22:55.0143 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\DRIVERS\agp440.sys
2010/12/19 22:22:55.0190 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
2010/12/19 22:22:55.0237 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\DRIVERS\aliide.sys
2010/12/19 22:22:55.0252 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\DRIVERS\amdagp.sys
2010/12/19 22:22:55.0299 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\DRIVERS\amdide.sys
2010/12/19 22:22:55.0315 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
2010/12/19 22:22:55.0330 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
2010/12/19 22:22:55.0361 amdsata (2101a86c25c154f8314b24ef49d7fbc2) C:\Windows\system32\DRIVERS\amdsata.sys
2010/12/19 22:22:55.0393 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
2010/12/19 22:22:55.0408 amdxata (b81c2b5616f6420a9941ea093a92b150) C:\Windows\system32\DRIVERS\amdxata.sys
2010/12/19 22:22:55.0439 AppID (feb834c02ce1e84b6a38f953ca067706) C:\Windows\system32\drivers\appid.sys
2010/12/19 22:22:55.0455 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
2010/12/19 22:22:55.0486 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
2010/12/19 22:22:55.0533 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/19 22:22:55.0564 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\DRIVERS\atapi.sys
2010/12/19 22:22:55.0611 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
2010/12/19 22:22:55.0658 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
2010/12/19 22:22:55.0689 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
2010/12/19 22:22:55.0720 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
2010/12/19 22:22:55.0736 bowser (fcafaef6798d7b51ff029f99a9898961) C:\Windows\system32\DRIVERS\bowser.sys
2010/12/19 22:22:55.0783 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2010/12/19 22:22:55.0798 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2010/12/19 22:22:55.0829 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
2010/12/19 22:22:55.0829 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
2010/12/19 22:22:55.0845 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
2010/12/19 22:22:55.0892 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
2010/12/19 22:22:55.0939 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/12/19 22:22:55.0970 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
2010/12/19 22:22:56.0001 cdrom (ba6e70aa0e6091bc39de29477d866a77) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/19 22:22:56.0032 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
2010/12/19 22:22:56.0063 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
2010/12/19 22:22:56.0079 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/12/19 22:22:56.0095 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\DRIVERS\cmdide.sys
2010/12/19 22:22:56.0126 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys
2010/12/19 22:22:56.0141 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
2010/12/19 22:22:56.0173 CompositeBus (f1724ba27e97d627f808fb0ba77a28a6) C:\Windows\system32\DRIVERS\CompositeBus.sys
2010/12/19 22:22:56.0204 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
2010/12/19 22:22:56.0251 dc3d (d81d50d922cfac42db905ad6c819fe32) C:\Windows\system32\DRIVERS\dc3d.sys
2010/12/19 22:22:56.0297 DfsC (8e09e52ee2e3ceb199ef3dd99cf9e3fb) C:\Windows\system32\Drivers\dfsc.sys
2010/12/19 22:22:56.0344 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
2010/12/19 22:22:56.0360 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
2010/12/19 22:22:56.0422 Dot4 (b5e479eb83707dd698f66953e922042c) C:\Windows\system32\DRIVERS\Dot4.sys
2010/12/19 22:22:56.0438 Dot4Print (c25fea07a8e7767e8b89ab96a3b96519) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2010/12/19 22:22:56.0453 dot4usb (cf491ff38d62143203c065260567e2f7) C:\Windows\system32\DRIVERS\dot4usb.sys
2010/12/19 22:22:56.0485 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
2010/12/19 22:22:56.0516 DXGKrnl (8b6c3464d7fac176500061dbfff42ad4) C:\Windows\System32\drivers\dxgkrnl.sys
2010/12/19 22:22:56.0609 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
2010/12/19 22:22:56.0703 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
2010/12/19 22:22:56.0734 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\DRIVERS\errdev.sys
2010/12/19 22:22:56.0765 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
2010/12/19 22:22:56.0781 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
2010/12/19 22:22:56.0797 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/19 22:22:56.0828 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
2010/12/19 22:22:56.0843 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
2010/12/19 22:22:56.0859 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/19 22:22:56.0890 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
2010/12/19 22:22:56.0921 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
2010/12/19 22:22:56.0937 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/19 22:22:56.0953 fvevol (dafbd9fe39197495aed6d51f3b85b5d2) C:\Windows\system32\DRIVERS\fvevol.sys
2010/12/19 22:22:56.0984 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
2010/12/19 22:22:57.0015 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
2010/12/19 22:22:57.0031 HDAudBus (717a2207fd6f13ad3e664c7d5a43c7bf) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/12/19 22:22:57.0062 HECI (a88485dc6a7136c10d9a6c7e38fdfe3c) C:\Windows\system32\DRIVERS\HECI.sys
2010/12/19 22:22:57.0077 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
2010/12/19 22:22:57.0093 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
2010/12/19 22:22:57.0124 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
2010/12/19 22:22:57.0155 HidUsb (25072fb35ac90b25f9e4e3bacf774102) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/19 22:22:57.0187 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\DRIVERS\HpSAMD.sys
2010/12/19 22:22:57.0218 HTTP (c531c7fd9e8b62021112787c4e2c5a5a) C:\Windows\system32\drivers\HTTP.sys
2010/12/19 22:22:57.0233 hwpolicy (8305f33cde89ad6c7a0763ed0b5a8d42) C:\Windows\system32\drivers\hwpolicy.sys
2010/12/19 22:22:57.0265 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/12/19 22:22:57.0296 iaStor (26541a068572f650a2fa490726fe81be) C:\Windows\system32\DRIVERS\iaStor.sys
2010/12/19 22:22:57.0343 iaStorV (934af4d7c5f457b9f0743f4299b77b67) C:\Windows\system32\DRIVERS\iaStorV.sys
2010/12/19 22:22:57.0358 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
2010/12/19 22:22:57.0436 IntcAzAudAddService (5ceef2cccb4fe00d3ffbfeb12bcfa07f) C:\Windows\system32\drivers\RTKVHDA.sys
2010/12/19 22:22:57.0483 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\DRIVERS\intelide.sys
2010/12/19 22:22:57.0499 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
2010/12/19 22:22:57.0514 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/12/19 22:22:57.0545 IPMIDRV (e4454b6c37d7ffd5649611f6496308a7) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2010/12/19 22:22:57.0561 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
2010/12/19 22:22:57.0577 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
2010/12/19 22:22:57.0608 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\DRIVERS\isapnp.sys
2010/12/19 22:22:57.0639 iScsiPrt (ed46c223ae46c6866ab77cdc41c404b7) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/12/19 22:22:57.0670 k57nd60x (7ea81534e80570bdf6ee4a4248bba4d6) C:\Windows\system32\DRIVERS\k57nd60x.sys
2010/12/19 22:22:57.0701 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/19 22:22:57.0733 kbdhid (3d9f0ebf350edcfd6498057301455964) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/12/19 22:22:57.0748 KSecDD (e36a061ec11b373826905b21be10948f) C:\Windows\system32\Drivers\ksecdd.sys
2010/12/19 22:22:57.0779 KSecPkg (365c6154bbbc5377173f1ca7bfb6cc59) C:\Windows\system32\Drivers\ksecpkg.sys
2010/12/19 22:22:57.0873 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/12/19 22:22:57.0904 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
2010/12/19 22:22:57.0920 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
2010/12/19 22:22:57.0935 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2010/12/19 22:22:57.0951 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2010/12/19 22:22:57.0982 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
2010/12/19 22:22:57.0998 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
2010/12/19 22:22:58.0045 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
2010/12/19 22:22:58.0045 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
2010/12/19 22:22:58.0091 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
2010/12/19 22:22:58.0107 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/19 22:22:58.0123 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
2010/12/19 22:22:58.0138 mountmgr (921c18727c5920d6c0300736646931c2) C:\Windows\system32\drivers\mountmgr.sys
2010/12/19 22:22:58.0154 mpio (2af5997438c55fb79d33d015c30e1974) C:\Windows\system32\DRIVERS\mpio.sys
2010/12/19 22:22:58.0169 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
2010/12/19 22:22:58.0201 MRxDAV (b1be47008d20e43da3adc37c24cdb89d) C:\Windows\system32\drivers\mrxdav.sys
2010/12/19 22:22:58.0232 mrxsmb (f1b6aa08497ea86ca6ef6f7a08b0bfb8) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/12/19 22:22:58.0247 mrxsmb10 (5613358b4050f46f5a9832da8050d6e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/12/19 22:22:58.0279 mrxsmb20 (25c9792778d80feb4c8201e62281bfdf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/12/19 22:22:58.0310 msahci (cb5d37e91135b0f15cee64d1f1ba5de5) C:\Windows\system32\DRIVERS\msahci.sys
2010/12/19 22:22:58.0325 msdsm (455029c7174a2dbb03dba8a0d8bddd9a) C:\Windows\system32\DRIVERS\msdsm.sys
2010/12/19 22:22:58.0357 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
2010/12/19 22:22:58.0372 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
2010/12/19 22:22:58.0388 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\DRIVERS\msisadrv.sys
2010/12/19 22:22:58.0435 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
2010/12/19 22:22:58.0450 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/12/19 22:22:58.0466 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
2010/12/19 22:22:58.0481 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
2010/12/19 22:22:58.0497 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/12/19 22:22:58.0513 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
2010/12/19 22:22:58.0528 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
2010/12/19 22:22:58.0544 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
2010/12/19 22:22:58.0575 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
2010/12/19 22:22:58.0622 NDIS (23759d175a0a9baaf04d05047bc135a8) C:\Windows\system32\drivers\ndis.sys
2010/12/19 22:22:58.0653 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
2010/12/19 22:22:58.0684 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/12/19 22:22:58.0715 Ndisuio (b30ae7f2b6d7e343b0df32e6c08fce75) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/12/19 22:22:58.0731 NdisWan (267c415eadcbe53c9ca873dee39cf3a4) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/12/19 22:22:58.0747 NDProxy (af7e7c63dcef3f8772726f86039d6eb4) C:\Windows\system32\drivers\NDProxy.sys
2010/12/19 22:22:58.0762 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
2010/12/19 22:22:58.0793 NetBT (dd52a733bf4ca5af84562a5e2f963b91) C:\Windows\system32\DRIVERS\netbt.sys
2010/12/19 22:22:58.0840 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
2010/12/19 22:22:58.0856 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
2010/12/19 22:22:58.0871 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
2010/12/19 22:22:58.0918 Ntfs (3795dcd21f740ee799fb7223234215af) C:\Windows\system32\drivers\Ntfs.sys
2010/12/19 22:22:58.0949 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
2010/12/19 22:22:58.0996 NVHDA (a82534d453425f5fee4b6a583fdcf3eb) C:\Windows\system32\drivers\nvhda32v.sys
2010/12/19 22:22:59.0152 nvlddmkm (a6e06d1ae86b4fd2cd4af1e5f2b8a241) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2010/12/19 22:22:59.0215 nvraid (3f3d04b1d08d43c16ea7963954ec768d) C:\Windows\system32\DRIVERS\nvraid.sys
2010/12/19 22:22:59.0230 nvstor (c99f251a5de63c6f129cf71933aced0f) C:\Windows\system32\DRIVERS\nvstor.sys
2010/12/19 22:22:59.0246 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\DRIVERS\nv_agp.sys
2010/12/19 22:22:59.0277 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/12/19 22:22:59.0308 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
2010/12/19 22:22:59.0324 partmgr (ff4218952b51de44fe910953a3e686b9) C:\Windows\system32\drivers\partmgr.sys
2010/12/19 22:22:59.0339 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
2010/12/19 22:22:59.0371 pci (c858cb77c577780ecc456a892e7e7d0f) C:\Windows\system32\DRIVERS\pci.sys
2010/12/19 22:22:59.0386 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\DRIVERS\pciide.sys
2010/12/19 22:22:59.0402 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/12/19 22:22:59.0433 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
2010/12/19 22:22:59.0449 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
2010/12/19 22:22:59.0511 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
2010/12/19 22:22:59.0527 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
2010/12/19 22:22:59.0573 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
2010/12/19 22:22:59.0605 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\Windows\system32\Drivers\PxHelp20.sys
2010/12/19 22:22:59.0651 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
2010/12/19 22:22:59.0729 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
2010/12/19 22:22:59.0761 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
2010/12/19 22:22:59.0792 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
2010/12/19 22:22:59.0807 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
2010/12/19 22:22:59.0823 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/12/19 22:22:59.0870 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/12/19 22:22:59.0901 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
2010/12/19 22:22:59.0932 rdbss (835d7e81bf517a3b72384bdcc85e1ce6) C:\Windows\system32\DRIVERS\rdbss.sys
2010/12/19 22:22:59.0948 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
2010/12/19 22:22:59.0948 RDPCDD (1e016846895b15a99f9a176a05029075) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/12/19 22:22:59.0995 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
2010/12/19 22:23:00.0010 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
2010/12/19 22:23:00.0010 RDPWD (801371ba9782282892d00aadb08ee367) C:\Windows\system32\drivers\RDPWD.sys
2010/12/19 22:23:00.0041 rdyboost (4ea225bf1cf05e158853f30a99ca29a7) C:\Windows\system32\drivers\rdyboost.sys
2010/12/19 22:23:00.0088 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
2010/12/19 22:23:00.0119 sbp2port (34ee0c44b724e3e4ce2eff29126de5b5) C:\Windows\system32\DRIVERS\sbp2port.sys
2010/12/19 22:23:00.0135 scfilter (a95c54b2ac3cc9c73fcdf9e51a1d6b51) C:\Windows\system32\DRIVERS\scfilter.sys
2010/12/19 22:23:00.0182 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2010/12/19 22:23:00.0213 Serenum (9ad8b8b515e3df6acd4212ef465de2d1) C:\Windows\system32\DRIVERS\serenum.sys
2010/12/19 22:23:00.0229 Serial (5fb7fcea0490d821f26f39cc5ea3d1e2) C:\Windows\system32\DRIVERS\serial.sys
2010/12/19 22:23:00.0244 sermouse (79bffb520327ff916a582dfea17aa813) C:\Windows\system32\DRIVERS\sermouse.sys
2010/12/19 22:23:00.0291 sffdisk (9f976e1eb233df46fce808d9dea3eb9c) C:\Windows\system32\DRIVERS\sffdisk.sys
2010/12/19 22:23:00.0307 sffp_mmc (932a68ee27833cfd57c1639d375f2731) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2010/12/19 22:23:00.0338 sffp_sd (a0708bbd07d245c06ff9de549ca47185) C:\Windows\system32\DRIVERS\sffp_sd.sys
2010/12/19 22:23:00.0353 sfloppy (db96666cc8312ebc45032f30b007a547) C:\Windows\system32\DRIVERS\sfloppy.sys
2010/12/19 22:23:00.0369 sisagp (2565cac0dc9fe0371bdce60832582b2e) C:\Windows\system32\DRIVERS\sisagp.sys
2010/12/19 22:23:00.0385 SiSRaid2 (a9f0486851becb6dda1d89d381e71055) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2010/12/19 22:23:00.0400 SiSRaid4 (3727097b55738e2f554972c3be5bc1aa) C:\Windows\system32\DRIVERS\sisraid4.sys
2010/12/19 22:23:00.0431 Smb (3e21c083b8a01cb70ba1f09303010fce) C:\Windows\system32\DRIVERS\smb.sys
2010/12/19 22:23:00.0463 spldr (95cf1ae7527fb70f7816563cbc09d942) C:\Windows\system32\drivers\spldr.sys
2010/12/19 22:23:00.0509 srv (2dbedfb1853f06110ec2aa7f3213c89f) C:\Windows\system32\DRIVERS\srv.sys
2010/12/19 22:23:00.0556 srv2 (db37131d1027c50ea7ee21c8bb4536aa) C:\Windows\system32\DRIVERS\srv2.sys
2010/12/19 22:23:00.0587 srvnet (f5980b74124db9233b33f86fc5ebbb4f) C:\Windows\system32\DRIVERS\srvnet.sys
2010/12/19 22:23:00.0619 stexstor (db32d325c192b801df274bfd12a7e72b) C:\Windows\system32\DRIVERS\stexstor.sys
2010/12/19 22:23:00.0650 swenum (e58c78a848add9610a4db6d214af5224) C:\Windows\system32\DRIVERS\swenum.sys
2010/12/19 22:23:00.0712 Tcpip (bb7f39c31c4a4417fd318e7cd184e225) C:\Windows\system32\drivers\tcpip.sys
2010/12/19 22:23:00.0790 TCPIP6 (bb7f39c31c4a4417fd318e7cd184e225) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/19 22:23:00.0837 tcpipreg (e64444523add154f86567c469bc0b17f) C:\Windows\system32\drivers\tcpipreg.sys
2010/12/19 22:23:00.0868 TDPIPE (1875c1490d99e70e449e3afae9fcbadf) C:\Windows\system32\drivers\tdpipe.sys
2010/12/19 22:23:00.0884 TDTCP (7551e91ea999ee9a8e9c331d5a9c31f3) C:\Windows\system32\drivers\tdtcp.sys
2010/12/19 22:23:00.0915 tdx (cb39e896a2a83702d1737bfd402b3542) C:\Windows\system32\DRIVERS\tdx.sys
2010/12/19 22:23:00.0931 TermDD (c36f41ee20e6999dbf4b0425963268a5) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/19 22:23:00.0977 tssecsrv (98ae6fa07d12cb4ec5cf4a9bfa5f4242) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/12/19 22:23:01.0009 tunnel (3e461d890a97f9d4c168f5fda36e1d00) C:\Windows\system32\DRIVERS\tunnel.sys
2010/12/19 22:23:01.0055 uagp35 (750fbcb269f4d7dd2e420c56b795db6d) C:\Windows\system32\DRIVERS\uagp35.sys
2010/12/19 22:23:01.0087 udfs (eb0a7bd4d471ac3ce55564a4c55b9d8e) C:\Windows\system32\DRIVERS\udfs.sys
2010/12/19 22:23:01.0133 uliagpkx (44e8048ace47befbfdc2e9be4cbc8880) C:\Windows\system32\DRIVERS\uliagpkx.sys
2010/12/19 22:23:01.0149 umbus (049b3a50b3d646baeeee9eec9b0668dc) C:\Windows\system32\DRIVERS\umbus.sys
2010/12/19 22:23:01.0180 UmPass (7550ad0c6998ba1cb4843e920ee0feac) C:\Windows\system32\DRIVERS\umpass.sys
2010/12/19 22:23:01.0196 usbccgp (8455c4ed038efd09e99327f9d2d48ffa) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/12/19 22:23:01.0211 usbcir (04ec7cec62ec3b6d9354eee93327fc82) C:\Windows\system32\DRIVERS\usbcir.sys
2010/12/19 22:23:01.0243 usbehci (0eeedd78c2bedac75e8ed1ba8d77878b) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/19 22:23:01.0289 usbhub (ba50148445e5b2b3abdba208fc9b6fb5) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/19 22:23:01.0321 usbohci (a6fb7957ea7afb1165991e54ce934b74) C:\Windows\system32\DRIVERS\usbohci.sys
2010/12/19 22:23:01.0352 usbprint (797d862fe0875e75c7cc4c1ad7b30252) C:\Windows\system32\DRIVERS\usbprint.sys
2010/12/19 22:23:01.0383 usbscan (576096ccbc07e7c4ea4f5e6686d6888f) C:\Windows\system32\DRIVERS\usbscan.sys
2010/12/19 22:23:01.0414 USBSTOR (d8889d56e0d27e57ed4591837fe71d27) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/19 22:23:01.0430 usbuhci (78780c3ebce17405b1ccd07a3a8a7d72) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/12/19 22:23:01.0477 vdrvroot (a059c4c3edb09e07d21a8e5c0aabd3cb) C:\Windows\system32\DRIVERS\vdrvroot.sys
2010/12/19 22:23:01.0492 vga (17c408214ea61696cec9c66e388b14f3) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/12/19 22:23:01.0508 VgaSave (8e38096ad5c8570a6f1570a61e251561) C:\Windows\System32\drivers\vga.sys
2010/12/19 22:23:01.0539 vhdmp (3be6e1f3a4f1afec8cee0d7883f93583) C:\Windows\system32\DRIVERS\vhdmp.sys
2010/12/19 22:23:01.0570 viaagp (c829317a37b4bea8f39735d4b076e923) C:\Windows\system32\DRIVERS\viaagp.sys
2010/12/19 22:23:01.0570 ViaC7 (e02f079a6aa107f06b16549c6e5c7b74) C:\Windows\system32\DRIVERS\viac7.sys
2010/12/19 22:23:01.0601 viaide (e43574f6a56a0ee11809b48c09e4fd3c) C:\Windows\system32\DRIVERS\viaide.sys
2010/12/19 22:23:01.0648 vncmirror (3b8f222b23917c041e4da29ccc57e7d0) C:\Windows\system32\DRIVERS\vncmirror.sys
2010/12/19 22:23:01.0679 volmgr (384e5a2aa49934295171e499f86ba6f3) C:\Windows\system32\DRIVERS\volmgr.sys
2010/12/19 22:23:01.0711 volmgrx (b5bb72067ddddbbfb04b2f89ff8c3c87) C:\Windows\system32\drivers\volmgrx.sys
2010/12/19 22:23:01.0726 volsnap (58df9d2481a56edde167e51b334d44fd) C:\Windows\system32\DRIVERS\volsnap.sys
2010/12/19 22:23:01.0773 vsmraid (9dfa0cc2f8855a04816729651175b631) C:\Windows\system32\DRIVERS\vsmraid.sys
2010/12/19 22:23:01.0789 vwifibus (90567b1e658001e79d7c8bbd3dde5aa6) C:\Windows\System32\drivers\vwifibus.sys
2010/12/19 22:23:01.0820 WacomPen (de3721e89c653aa281428c8a69745d90) C:\Windows\system32\DRIVERS\wacompen.sys
2010/12/19 22:23:01.0851 WANARP (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/19 22:23:01.0851 Wanarpv6 (692a712062146e96d28ba0b7d75de31b) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/19 22:23:01.0882 Wd (1112a9badacb47b7c0bb0392e3158dff) C:\Windows\system32\DRIVERS\wd.sys
2010/12/19 22:23:01.0913 Wdf01000 (9950e3d0f08141c7e89e64456ae7dc73) C:\Windows\system32\drivers\Wdf01000.sys
2010/12/19 22:23:01.0945 WfpLwf (8b9a943f3b53861f2bfaf6c186168f79) C:\Windows\system32\DRIVERS\wfplwf.sys
2010/12/19 22:23:01.0976 WIMMount (5cf95b35e59e2a38023836fff31be64c) C:\Windows\system32\drivers\wimmount.sys
2010/12/19 22:23:02.0023 WmiAcpi (0217679b8fca58714c3bf2726d2ca84e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/12/19 22:23:02.0054 ws2ifsl (6db3276587b853bf886b69528fdb048c) C:\Windows\system32\drivers\ws2ifsl.sys
2010/12/19 22:23:02.0101 WudfPf (a52494b107afc92ddca21f0b64f83376) C:\Windows\system32\drivers\WudfPf.sys
2010/12/19 22:23:02.0132 WUDFRd (90a541c607da0025ae75f0f3673945fe) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/12/19 22:23:02.0179 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/19 22:23:02.0194 ================================================================================
2010/12/19 22:23:02.0194 Scan finished
2010/12/19 22:23:02.0194 ================================================================================
2010/12/19 22:23:02.0194 Detected object count: 1
2010/12/19 22:23:37.0985 \HardDisk0 - will be cured after reboot
2010/12/19 22:23:37.0985 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/12/19 22:23:45.0489 Deinitialize success

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:13 PM

Posted 20 December 2010 - 04:32 AM

Hello

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 jhut

jhut
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 20 December 2010 - 12:19 PM

Hey Gringo, I am not alongside the computer at the moment, and won't be until Thursday evening, at which point I will do these safe mode steps and get back to you with the results.

Until then, have a great week.
-Joseph

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:13 PM

Posted 20 December 2010 - 07:12 PM

Ok thanks for letting me know

12/23
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:13 PM

Posted 23 December 2010 - 12:09 AM

:thumbup2:
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#12 jhut

jhut
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 24 December 2010 - 02:40 AM

Upon arriving home to test the computer tonight, it appears to be working fine - all search results in all browsers are resolving correctly.

Just to be on the safe side, I ran combo fix in normal mode. Results below. Let me know if there's anything else I should do to the system. Thank you.


ComboFix 10-12-23.05 - eric 12/24/2010 2:32.1.4 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3063.2146 [GMT -5:00]
Running from: c:\users\eric\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\eric\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.tmp
c:\users\eric\AppData\Roaming\Microsoft\Windows\Recent\delfile.tmp
c:\users\eric\AppData\Roaming\Microsoft\Windows\Recent\exec.tmp
c:\users\eric\AppData\Roaming\Microsoft\Windows\Recent\gid.tmp
c:\users\eric\AppData\Roaming\Microsoft\Windows\Recent\grid.tmp
c:\users\eric\AppData\Roaming\Microsoft\Windows\Recent\runddl.tmp

.
((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2010-12-24 07:34 . 2010-12-24 07:35 -------- d-----w- c:\users\eric\AppData\Local\temp
2010-12-24 07:34 . 2010-12-24 07:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-24 07:24 . 2010-11-16 17:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B0B3FD49-9B83-40B6-8614-E7415F9E9CB7}\mpengine.dll
2010-12-21 23:09 . 2010-12-21 23:09 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\13689af21cba1642c\InstallManager_WLE_WLE.exe
2010-12-21 23:08 . 2010-12-21 23:08 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\c8e44c81cba1641f\MeshBetaRemover.exe
2010-12-21 23:08 . 2010-12-21 23:08 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\68a2a771cba16418\DSETUP.dll
2010-12-21 23:08 . 2010-12-21 23:08 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\68a2a771cba16418\DXSETUP.exe
2010-12-21 23:08 . 2010-12-21 23:08 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\68a2a771cba16418\dsetup32.dll
2010-12-21 23:08 . 2010-12-21 23:08 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\628920c1cba16417\DSETUP.dll
2010-12-21 23:08 . 2010-12-21 23:08 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\628920c1cba16417\DXSETUP.exe
2010-12-21 23:08 . 2010-12-21 23:08 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\628920c1cba16417\dsetup32.dll
2010-12-21 23:08 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-12-21 23:08 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll
2010-12-21 23:08 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-12-21 06:33 . 2010-12-21 06:33 -------- d-----w- c:\users\eric\AppData\Local\Diagnostics
2010-12-20 16:20 . 2010-12-20 16:20 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2010-12-20 16:19 . 2010-12-20 16:19 -------- d-----w- c:\program files\Common Files\xing shared
2010-12-20 16:19 . 2010-12-20 16:19 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-20 16:19 . 2010-12-20 16:19 -------- d-----w- c:\program files\real
2010-12-20 05:22 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2010-12-20 05:22 . 2010-10-20 04:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-20 05:22 . 2010-10-20 03:00 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-12-20 05:22 . 2010-10-20 02:58 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-12-20 05:22 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-12-20 05:22 . 2010-10-16 04:41 101760 ----a-w- c:\windows\system32\consent.exe
2010-12-20 05:22 . 2010-10-16 04:36 314368 ----a-w- c:\windows\system32\webio.dll
2010-12-18 22:11 . 2010-12-18 22:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-12-11 22:50 . 2010-12-21 06:35 -------- d-----w- c:\users\eric\AppData\Roaming\Yuuguu
2010-12-11 22:33 . 2010-06-14 16:02 26624 ----a-w- c:\windows\system32\VNCpm.dll
2010-12-11 22:33 . 2010-12-11 22:33 -------- d-----w- c:\program files\RealVNC
2010-12-11 22:33 . 2010-06-14 16:02 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2010-12-11 22:33 . 2010-06-14 16:02 20992 ----a-w- c:\windows\system32\vncmirror.dll
2010-12-11 22:20 . 2010-12-20 16:03 -------- d-----w- c:\users\eric\AppData\Local\CrossLoop
2010-12-11 05:12 . 2010-12-11 19:52 -------- d-sh--w- c:\programdata\IAQNPAAJQV
2010-12-11 05:12 . 2010-12-11 19:52 -------- d-----w- c:\users\eric\AppData\Roaming\Internet Antivirus 2011
2010-12-11 05:12 . 2010-12-11 19:52 -------- d-----w- c:\programdata\2ac15e
2010-12-09 20:54 . 2010-12-09 20:54 -------- d-----w- c:\users\eric\AppData\Local\Windows Live
2010-12-04 00:02 . 2010-12-04 00:02 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2010-06-12 18:00 222080 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\eric\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-06-12 136176]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"CrossLoop"="c:\users\eric\AppData\Local\CrossLoop\CrossLoopConnect.exe" [2010-08-18 1183744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-19 7711264]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2009-11-12 203776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2010-12-20 274608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]

c:\users\eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yuuguu.lnk - c:\users\eric\AppData\Roaming\Yuuguu\yuuguu.exe [2010-10-22 481416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 tvnserver;TightVNC Server;c:\users\eric\AppData\Local\CrossLoop\tvnserver.exe [2010-07-21 814080]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-12 1343400]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 79168]
S2 CrossLoopService;CrossLoop Service;c:\users\eric\AppData\Local\CrossLoop\CrossLoopService.exe [2010-08-18 560848]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-04-17 22416]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-08-21 273960]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]

.
Contents of the 'Scheduled Tasks' folder

2010-12-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-905248480-378474080-890895196-1001Core.job
- c:\users\eric\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-12 18:10]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-905248480-378474080-890895196-1001UA.job
- c:\users\eric\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-12 18:10]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} - hxxps://onbaseweb.omnicomfinance.com/appnet/activex/OBXWebSelect.cab
DPF: {7B5A802A-67CA-4A1B-8219-8929B3B23AFA} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXWebViewer.cab
DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXPopup.cab
DPF: {B9D9D0B5-EE16-4EB2-8CF3-DB96EBD31488} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXWebSelect.cab
DPF: {DD8C2124-117D-40AC-AAD3-EB9984A87B13} - hxxps://onbaseweb.omnicomfinance.com/appnet/activex/OBXWebViewer.cab
FF - ProfilePath - c:\users\eric\AppData\Roaming\Mozilla\Firefox\Profiles\524341cw.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-24 02:35:50
ComboFix-quarantined-files.txt 2010-12-24 07:35

Pre-Run: 120,561,532,928 bytes free
Post-Run: 122,057,228,288 bytes free

- - End Of File - - 66AAB56ABFB5799EE0A8DE92EFCD875C

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:13 PM

Posted 24 December 2010 - 03:49 AM

I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

Folder::
c:\users\eric\AppData\Roaming\Internet Antivirus 2011
c:\programdata\IAQNPAAJQV
c:\programdata\2ac15e


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 jhut

jhut
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:13 PM

Posted 25 December 2010 - 01:28 AM

Scan has completed. Computer is running normally - no search results redirecting. Result of ComboFix Log Is below.

ComboFix 10-12-24.01 - eric 12/24/2010 15:24:01.2.4 - x86
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3063.1965 [GMT -5:00]
Running from: c:\users\eric\Downloads\ComboFix.exe
Command switches used :: c:\users\eric\Downloads\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\2ac15e
c:\programdata\2ac15e\IAV.ico
c:\programdata\2ac15e\sqlite3.dll
c:\programdata\IAQNPAAJQV
c:\users\eric\AppData\Roaming\Internet Antivirus 2011
c:\users\eric\AppData\Roaming\Internet Antivirus 2011\cookies.sqlite

.
((((((((((((((((((((((((( Files Created from 2010-11-24 to 2010-12-24 )))))))))))))))))))))))))))))))
.

2010-12-24 20:26 . 2010-12-24 20:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-24 07:24 . 2010-11-16 17:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{B0B3FD49-9B83-40B6-8614-E7415F9E9CB7}\mpengine.dll
2010-12-21 23:09 . 2010-12-21 23:09 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\13689af21cba1642c\InstallManager_WLE_WLE.exe
2010-12-21 23:08 . 2010-12-21 23:08 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\c8e44c81cba1641f\MeshBetaRemover.exe
2010-12-21 23:08 . 2010-12-21 23:08 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\68a2a771cba16418\DSETUP.dll
2010-12-21 23:08 . 2010-12-21 23:08 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\68a2a771cba16418\DXSETUP.exe
2010-12-21 23:08 . 2010-12-21 23:08 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\68a2a771cba16418\dsetup32.dll
2010-12-21 23:08 . 2010-12-21 23:08 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\628920c1cba16417\DSETUP.dll
2010-12-21 23:08 . 2010-12-21 23:08 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\628920c1cba16417\DXSETUP.exe
2010-12-21 23:08 . 2010-12-21 23:08 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\628920c1cba16417\dsetup32.dll
2010-12-21 23:08 . 2010-05-23 10:11 196608 ----a-w- c:\windows\system32\mfreadwrite.dll
2010-12-21 23:08 . 2010-05-23 10:11 3181568 ----a-w- c:\windows\system32\mf.dll
2010-12-21 23:08 . 2010-05-23 10:15 1619456 ----a-w- c:\windows\system32\WMVDECOD.DLL
2010-12-21 06:33 . 2010-12-21 06:33 -------- d-----w- c:\users\eric\AppData\Local\Diagnostics
2010-12-20 16:20 . 2010-12-20 16:20 11776 ----a-w- c:\program files\Mozilla Firefox\plugins\nprjplug.dll
2010-12-20 16:19 . 2010-12-20 16:19 -------- d-----w- c:\program files\Common Files\xing shared
2010-12-20 16:19 . 2010-12-20 16:19 100352 ----a-w- c:\program files\Mozilla Firefox\plugins\nprpjplug.dll
2010-12-20 16:19 . 2010-12-20 16:19 -------- d-----w- c:\program files\real
2010-12-20 05:22 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2010-12-20 05:22 . 2010-10-20 04:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-20 05:22 . 2010-10-20 03:00 2327552 ----a-w- c:\windows\system32\win32k.sys
2010-12-20 05:22 . 2010-10-20 02:58 294400 ----a-w- c:\windows\system32\atmfd.dll
2010-12-20 05:22 . 2010-10-19 08:10 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2010-12-20 05:22 . 2010-10-16 04:41 101760 ----a-w- c:\windows\system32\consent.exe
2010-12-20 05:22 . 2010-10-16 04:36 314368 ----a-w- c:\windows\system32\webio.dll
2010-12-18 22:11 . 2010-12-18 22:11 -------- d-----w- c:\program files\Common Files\Adobe
2010-12-11 22:50 . 2010-12-21 06:35 -------- d-----w- c:\users\eric\AppData\Roaming\Yuuguu
2010-12-11 22:33 . 2010-06-14 16:02 26624 ----a-w- c:\windows\system32\VNCpm.dll
2010-12-11 22:33 . 2010-12-11 22:33 -------- d-----w- c:\program files\RealVNC
2010-12-11 22:33 . 2010-06-14 16:02 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2010-12-11 22:33 . 2010-06-14 16:02 20992 ----a-w- c:\windows\system32\vncmirror.dll
2010-12-11 22:20 . 2010-12-20 16:03 -------- d-----w- c:\users\eric\AppData\Local\CrossLoop
2010-12-09 20:54 . 2010-12-09 20:54 -------- d-----w- c:\users\eric\AppData\Local\Windows Live
2010-12-04 00:02 . 2010-12-04 00:02 -------- d-----w- c:\windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 15:41 . 2010-06-12 18:00 222080 ------w- c:\windows\system32\MpSigStub.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\eric\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-06-12 136176]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"CrossLoop"="c:\users\eric\AppData\Local\CrossLoop\CrossLoopConnect.exe" [2010-08-18 1183744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-08-19 7711264]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2009-11-12 203776]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2010-12-20 274608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]

c:\users\eric\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Yuuguu.lnk - c:\users\eric\AppData\Roaming\Yuuguu\yuuguu.exe [2010-10-22 481416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 tvnserver;TightVNC Server;c:\users\eric\AppData\Local\CrossLoop\tvnserver.exe [2010-07-21 814080]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-12 1343400]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 79168]
S2 CrossLoopService;CrossLoop Service;c:\users\eric\AppData\Local\CrossLoop\CrossLoopService.exe [2010-08-18 560848]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-04-17 22416]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-08-21 273960]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-08-21 66592]

.
Contents of the 'Scheduled Tasks' folder

2010-12-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-905248480-378474080-890895196-1001Core.job
- c:\users\eric\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-12 18:10]

2010-12-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-905248480-378474080-890895196-1001UA.job
- c:\users\eric\AppData\Local\Google\Update\GoogleUpdate.exe [2010-06-12 18:10]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MIF5BA~1\Office12\EXCEL.EXE/3000
DPF: {4592C0F5-3382-44C6-9F79-BEA2CCBDA2EA} - hxxps://onbaseweb.omnicomfinance.com/appnet/activex/OBXWebSelect.cab
DPF: {7B5A802A-67CA-4A1B-8219-8929B3B23AFA} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXWebViewer.cab
DPF: {93D532DD-85FC-4A92-8254-8DB5437D8690} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXPopup.cab
DPF: {B9D9D0B5-EE16-4EB2-8CF3-DB96EBD31488} - hxxps://onbaseweb.omnicomfinance.com/AppNet/activex/OBXWebSelect.cab
DPF: {DD8C2124-117D-40AC-AAD3-EB9984A87B13} - hxxps://onbaseweb.omnicomfinance.com/appnet/activex/OBXWebViewer.cab
FF - ProfilePath - c:\users\eric\AppData\Roaming\Mozilla\Firefox\Profiles\524341cw.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-24 15:27:17
ComboFix-quarantined-files.txt 2010-12-24 20:27
ComboFix2.txt 2010-12-24 07:35

Pre-Run: 121,746,034,688 bytes free
Post-Run: 121,699,942,400 bytes free

- - End Of File - - B6376510C0B8A125C9E57E2573483D9D

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:13 PM

Posted 25 December 2010 - 02:10 AM

Hello

I would ike to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users