Constant IE Pop-ups--CRxSk24Q.exe / Trojan Unruy / and possibly others


25 replies to this topic

#1 rogerroger

rogerroger

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 22 December 2010 - 06:33 AM

Hi all. Hope you've been enjoying the holiday season!

Right now, I've been beset by pop-ups by an IE browser that I'm not using. CRxSk24Q.exe is malware that I've seen in my Task Manager but goes undetected by AVG and Spybot S&D. And Trojan Unruy is found by Windows Defender every twenty minutes or so and has to be removed.

Any help with this problem is greatly appreciated. :D


DDS Log:




DDS (Ver_10-12-12.02) - NTFSx86
Run by TONY at 23:29:06.18 on Tue 12/21/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1393 [GMT -8:00]

AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\lxdqcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.EXE
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain .exe
C:\Program Files\Synaptics\SynTP\SynTPStart .exe
C:\Program Files\Toshiba\FlashCards\TCrdMain .exe
C:\Program Files\Common Files\Java\Java Update\jusched .exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\ProgramData\CRxSk24Q.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Opera\opera.exe
C:\ProgramData\CRxSk24Q.exe
C:\ProgramData\CRxSk24Q.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\TONY\Desktop\dds.scr
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Juggler] c:\program files\juggler.v.0.5.3.0.exe\Juggler.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [StartupDelayer] "c:\program files\r2 studios\startup delayer\Startup Launcher GUI.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\tony\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-us.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-29 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-15 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-8 297752]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-11-12 7168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-29 21504]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]

=============== Created Last 30 ================

2010-12-22 04:37:46 80386 ----a-w- c:\progra~2\CRxSk24Q.exe
2010-12-21 00:16:26 515584 ----a-w- c:\program files\windows mail\wab.exe
2010-12-21 00:16:25 66048 ----a-w- c:\program files\windows mail\wabmig.exe
2010-12-21 00:16:25 33280 ----a-w- c:\program files\windows mail\wabfind.dll
2010-12-21 00:16:18 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-21 00:16:18 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-12-21 00:16:18 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-21 00:16:17 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-12-21 00:16:16 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-21 00:15:59 81920 ----a-w- c:\windows\system32\consent.exe
2010-12-21 00:15:29 834048 ----a-w- c:\windows\system32\wininet.dll
2010-12-21 00:15:13 389632 ----a-w- c:\windows\system32\html.iec
2010-12-21 00:15:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-21 00:14:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-21 00:13:04 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-21 00:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-21 00:12:54 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-21 00:12:53 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-12-21 00:12:50 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-12-21 00:12:48 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-12-20 23:10:07 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{64606ae3-636f-4e64-8f2e-dc14c6cc3c0f}\mpengine.dll
2010-12-18 07:11:41 -------- d-----w- c:\users\tony\appdata\local\Opera
2010-12-12 21:06:10 -------- d-----w- c:\windows\system32\RTCOM
2010-12-12 20:53:17 -------- d--h--w- c:\program files\Temp
2010-12-12 20:23:19 -------- d-----w- c:\users\tony\appdata\roaming\IObit
2010-12-12 20:22:26 -------- d-----w- c:\program files\IObit
2010-12-12 20:22:26 -------- d-----w- c:\progra~2\IObit
2010-12-11 05:35:10 -------- d-----w- c:\users\tony\appdata\local\Western_Digital
2010-12-11 05:34:45 -------- d-----w- c:\users\tony\appdata\roaming\Western Digital
2010-12-11 05:34:23 -------- d-----w- c:\progra~2\Western Digital
2010-12-11 05:32:28 -------- d-----w- c:\program files\Western Digital
2010-12-11 05:29:38 -------- d-----w- c:\users\tony\appdata\local\Western Digital
2010-12-10 06:13:49 644360 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll

==================== Find3M ====================

2010-12-12 21:04:53 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-12-01 01:23:52 553984 ----a-w- c:\windows\system32\RCoRes.dat
2010-11-30 02:48:26 1723536 ----a-w- c:\windows\system32\WavesGUILib.dll
2010-11-30 02:48:18 1439064 ----a-w- c:\windows\system32\MaxxAudioRealtek.dll
2010-11-24 22:24:40 3790440 ----a-w- c:\windows\system32\RtkAPO.dll
2010-11-24 22:24:40 1976936 ----a-w- c:\windows\system32\RtkPgExt.dll
2010-11-22 19:39:10 469608 ----a-w- c:\windows\system32\RtkApoApi.dll
2010-11-13 02:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-11 21:27:00 69224 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-11-08 15:31:30 78680 ----a-w- c:\windows\system32\RTEEL32A.dll
2010-11-08 15:31:30 359768 ----a-w- c:\windows\system32\RTEEP32A.dll
2010-11-08 15:31:28 64856 ----a-w- c:\windows\system32\RTEEG32A.dll
2010-11-08 15:31:28 295768 ----a-w- c:\windows\system32\RP3DHT32.dll
2010-11-08 15:31:28 295768 ----a-w- c:\windows\system32\RP3DAA32.dll
2010-11-08 15:31:28 170840 ----a-w- c:\windows\system32\RTEED32A.dll
2010-11-04 02:27:02 1084008 ----a-w- c:\windows\system32\RTSndMgr.cpl
2010-11-04 02:25:54 429160 ----a-w- c:\windows\system32\DTSSymmetryDLL.dll
2010-11-04 02:25:54 406120 ----a-w- c:\windows\system32\DTSVoiceClarityDLL.dll
2010-11-04 02:25:42 962664 ----a-w- c:\windows\system32\DTSS2HeadphoneDLL.dll
2010-11-04 02:25:42 291432 ----a-w- c:\windows\system32\DTSNeoPCDLL.dll
2010-11-04 02:25:42 224360 ----a-w- c:\windows\system32\DTSLimiterDLL.dll
2010-11-04 02:25:42 1132648 ----a-w- c:\windows\system32\DTSS2SpeakerDLL.dll
2010-11-04 02:25:30 107112 ----a-w- c:\windows\system32\DTSLFXAPO.dll
2010-11-04 02:25:30 107112 ----a-w- c:\windows\system32\DTSGFXAPO.dll
2010-11-04 02:25:30 106600 ----a-w- c:\windows\system32\DTSGFXAPONS.dll
2010-11-04 02:25:20 901224 ----a-w- c:\windows\system32\DTSBoostDLL.dll
2010-11-04 02:25:20 448616 ----a-w- c:\windows\system32\DTSBassEnhancementDLL.dll
2010-11-04 02:25:20 236648 ----a-w- c:\windows\system32\DTSGainCompensatorDLL.dll
2010-11-02 17:32:22 1705816 ----a-w- c:\windows\system32\R4EEP32A.dll
2010-11-02 17:32:16 96600 ----a-w- c:\windows\system32\R4EEL32A.dll
2010-11-02 17:32:10 61784 ----a-w- c:\windows\system32\R4EEG32A.dll
2010-11-02 17:32:04 341848 ----a-w- c:\windows\system32\R4EED32A.dll
2010-11-02 17:31:16 81240 ----a-w- c:\windows\system32\R4EEA32A.dll
2010-10-29 18:28:58 1558944 ----a-w- c:\windows\system32\FMAPO.dll
2010-10-28 18:46:10 1251944 ----a-w- c:\windows\RtlExUpd.dll
2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-15 05:53:05 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-10-15 05:53:02 82432 ----a-w- c:\windows\system32\axaltocm.dll
2010-10-03 21:45:56 259928 ----a-w- c:\windows\system32\MaxxAudioAPO30.dll
2010-09-27 17:34:58 232792 ----a-w- c:\windows\system32\MaxxAudioAPO20.dll
2010-09-23 07:47:28 49016 ----a-w- c:\windows\system32\sirenacm.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HTS542520K9SA00 rev.BBDOC33P -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86914555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8691a7b0]; MOV EAX, [0x8691a82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82248962] -> \Device\Harddisk0\DR0[0x86279108]
3 CLASSPNP[0x8A9148B3] -> ntkrnlpa!IofCallDriver[0x82248962] -> [0x86B43728]
\Driver\atapi[0x86936F38] -> IRP_MJ_CREATE -> 0x86914555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-4 -> \??\IDE#DiskHitachi_HTS542520K9SA00_________________BBDOC33P#5&611cf43&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi -> 0x84b4a1e8
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 23:32:53.07 ===============


Thanks again for the help!


Edited by rogerroger, 22 December 2010 - 06:34 AM.
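A triage pass over a DDS log like the one above, as an added example that is not part of the original post or of the DDS tool itself: it splits the log into its "==== Section ====" blocks and flags the entries a malware responder reads first (processes and Run autostarts living in user-writable directories, Run values named by a bare GUID, recently created executables in those directories, and the user-versus-kernel MBR mismatch from the rootkit check). The directory list and naming heuristics are this example's own assumptions, and SAMPLE_LOG is a constructed excerpt of the entries quoted in this thread.

```python
"""Triage pass over a DDS log: flags what a malware responder reads first (added example)."""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^([udm]Run):\s*\[([^\]]*)\]\s*(.*)$")
GUID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
# Assumed heuristic: directories a standard user can write to without elevation
# (8.3 short form included). A service or autostart running from here deserves a look.
USER_WRITABLE_DIRS = ("\\programdata\\", "\\progra~2\\", "\\appdata\\roaming\\",
                      "\\appdata\\local\\temp\\", "\\users\\public\\")
# Kept to .exe/.scr so Defender's definition-update DLLs under ProgramData stay quiet.
NEW_FILE_SUFFIXES = (".exe", ".scr")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    evidence: str


def split_sections(text: str) -> dict:
    """Map each '==== Name ====' header to the non-empty lines beneath it."""
    sections, current = {"HEADER": []}, "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line:
            sections[current].append(line)
    return sections


def extract_path(value: str) -> str:
    """Image path of a Run value: the quoted part, or everything up to '.exe'."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    m = re.search(r"\.exe\b", value, re.I)
    return value[:m.end()] if m else value


def in_user_writable_dir(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(d in p for d in USER_WRITABLE_DIRS)


def triage(text: str) -> list:
    """Return de-duplicated findings; each is a lead for review, not a verdict."""
    findings = []

    def add(section, reason, evidence):
        f = Finding(section, reason, evidence)
        if f not in findings:  # the same image often shows up several times
            findings.append(f)

    sections = split_sections(text)
    for line in sections.get("Running Processes", []):
        if in_user_writable_dir(line):
            add("Running Processes", "process image in user-writable directory", line)
    for line in sections.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if not m:
            continue
        key, name, value = m.groups()
        if GUID_RE.match(name):  # a bare GUID as the Run value name is a dropper habit
            add("Pseudo HJT Report", f"{key} value named by a bare GUID", line)
        if in_user_writable_dir(extract_path(value)):
            add("Pseudo HJT Report", f"{key} autostart in user-writable directory", line)
    for line in sections.get("Created Last 30", []):
        parts = line.split(" ", 4)  # date time size attrs path
        path = parts[4] if len(parts) == 5 else line
        if path.lower().endswith(NEW_FILE_SUFFIXES) and in_user_writable_dir(path):
            add("Created Last 30", "new executable in user-writable directory", line)
    for line in sections.get("ROOTKIT", []):
        if "user != kernel" in line or "rootkit infection" in line.lower():
            add("ROOTKIT", "MBR seen from user mode differs from the kernel view", line)
    return findings


# Constructed excerpt of the log entries quoted in this thread.
SAMPLE_LOG = r"""DDS (Ver_10-12-12.02) - NTFSx86
============== Running Processes ===============
C:\ProgramData\CRxSk24Q.exe
C:\ProgramData\CRxSk24Q.exe
============== Pseudo HJT Report ===============
uRun: [Juggler] c:\program files\juggler.v.0.5.3.0.exe\Juggler.exe
uRun: [{CE8CF614-25D0-B33D-7325-94A7C946A7A4}] c:\users\tony\appdata\roaming\laloa\alaxi.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
=============== Created Last 30 ================
2010-12-22 04:37:46 80386 ----a-w- c:\progra~2\CRxSk24Q.exe
2010-12-20 23:10:07 6273872 ----a-w- c:\progra~2\microsoft\windows defender\mpengine.dll
=================== ROOTKIT ====================
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.evidence}")
```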



#2 Shannon2012

Shannon2012

  • Security Colleague
  • 3,657 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina, USA
  • Local time:03:09 PM

Posted 30 December 2010 - 01:21 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 rogerroger

rogerroger
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:11:09 AM

Posted 03 January 2011 - 05:37 PM

Hi!
Any delay is totally understandable, especially considering that it's the holiday season. I'm just thankful that help might be possible.

Right now, the constant IE pop-ups and CRxSk24Q.exe aren't seen in my task manager. Unfortunately, I think there is some form of malware inside my computer because yesterday I discovered that White Smoke Translator had been unknowingly downloaded onto my computer, and my computer is also blocked from accessing my college's internet network because of detected malware.

This is the new DDS Log:


DDS (Ver_10-12-12.02) - NTFSx86
Run by TONY at 13:44:33.32 on Mon 01/03/2011
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.1563 [GMT -8:00]

AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Windows\system32\taskeng.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\lxdqcoms.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\igfxsrvc.exe
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\TONY\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
uRun: [Juggler] c:\program files\juggler.v.0.5.3.0.exe\Juggler.exe
uRun: [{CE8CF614-25D0-B33D-7325-94A7C946A7A4}] c:\users\tony\appdata\roaming\laloa\alaxi.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] c:\program files\toshiba\flashcards\TCrdMain.exe
mRun: [MSConfig] "c:\windows\system32\msconfig.exe" /auto
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [NACAgentUI] c:\program files\cisco\cisco nac agent\NACAgentUI.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\tony\appdata\roaming\micros~1\windows\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\users\tony\appdata\roaming\microsoft\windows\start menu\programs\startup\OneNote Table Of Contents.onetoc2
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-us.cab
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-8 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-8 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-29 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-15 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-8 297752]
R2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe -service --> c:\windows\system32\lxdqcoms.exe -service [?]
R2 NACAgent;Cisco NAC Agent;c:\program files\cisco\cisco nac agent\NACAgent.exe [2010-2-5 742144]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-11-13 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-11-12 7168]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdqserv.exe [2008-2-27 94208]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-9-29 21504]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2009-2-13 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2011-01-03 17:01:21 -------- d-----w- c:\program files\whitesmoketoolbar
2010-12-25 18:19:57 -------- d-----w- c:\program files\Search Toolbar
2010-12-23 20:19:55 -------- d-----w- c:\users\tony\appdata\roaming\Amufy
2010-12-23 20:19:54 -------- d-----w- c:\users\tony\appdata\roaming\Laloa
2010-12-22 04:37:46 80386 ----a-w- c:\progra~2\CRxSk24Q.exe
2010-12-21 00:16:26 515584 ----a-w- c:\program files\windows mail\wab.exe
2010-12-21 00:16:25 66048 ----a-w- c:\program files\windows mail\wabmig.exe
2010-12-21 00:16:25 33280 ----a-w- c:\program files\windows mail\wabfind.dll
2010-12-21 00:16:18 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-21 00:16:18 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-12-21 00:16:18 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-21 00:16:17 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-12-21 00:16:16 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-21 00:15:59 81920 ----a-w- c:\windows\system32\consent.exe
2010-12-21 00:15:29 834048 ----a-w- c:\windows\system32\wininet.dll
2010-12-21 00:15:13 389632 ----a-w- c:\windows\system32\html.iec
2010-12-21 00:15:12 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-21 00:14:30 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-21 00:13:04 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2010-12-21 00:12:54 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-21 00:12:54 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-21 00:12:53 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-12-21 00:12:50 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-12-21 00:12:48 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-12-20 23:10:07 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{64606ae3-636f-4e64-8f2e-dc14c6cc3c0f}\mpengine.dll
2010-12-18 07:11:41 -------- d-----w- c:\users\tony\appdata\local\Opera
2010-12-12 21:06:10 -------- d-----w- c:\windows\system32\RTCOM
2010-12-12 20:53:17 -------- d--h--w- c:\program files\Temp
2010-12-12 20:23:19 -------- d-----w- c:\users\tony\appdata\roaming\IObit
2010-12-12 20:22:26 -------- d-----w- c:\program files\IObit
2010-12-12 20:22:26 -------- d-----w- c:\progra~2\IObit
2010-12-11 05:35:10 -------- d-----w- c:\users\tony\appdata\local\Western_Digital
2010-12-11 05:34:45 -------- d-----w- c:\users\tony\appdata\roaming\Western Digital
2010-12-11 05:34:23 -------- d-----w- c:\progra~2\Western Digital
2010-12-11 05:32:28 -------- d-----w- c:\program files\Western Digital
2010-12-11 05:29:38 -------- d-----w- c:\users\tony\appdata\local\Western Digital
2010-12-10 06:13:49 644360 ----a-w- c:\progra~2\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll

==================== Find3M ====================

2010-12-12 21:04:53 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-12-01 01:23:52 553984 ----a-w- c:\windows\system32\RCoRes.dat
2010-11-30 02:48:26 1723536 ----a-w- c:\windows\system32\WavesGUILib.dll
2010-11-30 02:48:18 1439064 ----a-w- c:\windows\system32\MaxxAudioRealtek.dll
2010-11-24 22:24:40 3790440 ----a-w- c:\windows\system32\RtkAPO.dll
2010-11-24 22:24:40 1976936 ----a-w- c:\windows\system32\RtkPgExt.dll
2010-11-22 19:39:10 469608 ----a-w- c:\windows\system32\RtkApoApi.dll
2010-11-13 02:53:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-11 21:27:00 69224 ----a-w- c:\windows\system32\RtkCoInst.dll
2010-11-08 15:31:30 78680 ----a-w- c:\windows\system32\RTEEL32A.dll
2010-11-08 15:31:30 359768 ----a-w- c:\windows\system32\RTEEP32A.dll
2010-11-08 15:31:28 64856 ----a-w- c:\windows\system32\RTEEG32A.dll
2010-11-08 15:31:28 295768 ----a-w- c:\windows\system32\RP3DHT32.dll
2010-11-08 15:31:28 295768 ----a-w- c:\windows\system32\RP3DAA32.dll
2010-11-08 15:31:28 170840 ----a-w- c:\windows\system32\RTEED32A.dll
2010-11-04 02:27:02 1084008 ----a-w- c:\windows\system32\RTSndMgr.cpl
2010-11-04 02:25:54 429160 ----a-w- c:\windows\system32\DTSSymmetryDLL.dll
2010-11-04 02:25:54 406120 ----a-w- c:\windows\system32\DTSVoiceClarityDLL.dll
2010-11-04 02:25:42 962664 ----a-w- c:\windows\system32\DTSS2HeadphoneDLL.dll
2010-11-04 02:25:42 291432 ----a-w- c:\windows\system32\DTSNeoPCDLL.dll
2010-11-04 02:25:42 224360 ----a-w- c:\windows\system32\DTSLimiterDLL.dll
2010-11-04 02:25:42 1132648 ----a-w- c:\windows\system32\DTSS2SpeakerDLL.dll
2010-11-04 02:25:30 107112 ----a-w- c:\windows\system32\DTSLFXAPO.dll
2010-11-04 02:25:30 107112 ----a-w- c:\windows\system32\DTSGFXAPO.dll
2010-11-04 02:25:30 106600 ----a-w- c:\windows\system32\DTSGFXAPONS.dll
2010-11-04 02:25:20 901224 ----a-w- c:\windows\system32\DTSBoostDLL.dll
2010-11-04 02:25:20 448616 ----a-w- c:\windows\system32\DTSBassEnhancementDLL.dll
2010-11-04 02:25:20 236648 ----a-w- c:\windows\system32\DTSGainCompensatorDLL.dll
2010-11-02 17:32:22 1705816 ----a-w- c:\windows\system32\R4EEP32A.dll
2010-11-02 17:32:16 96600 ----a-w- c:\windows\system32\R4EEL32A.dll
2010-11-02 17:32:10 61784 ----a-w- c:\windows\system32\R4EEG32A.dll
2010-11-02 17:32:04 341848 ----a-w- c:\windows\system32\R4EED32A.dll
2010-11-02 17:31:16 81240 ----a-w- c:\windows\system32\R4EEA32A.dll
2010-10-29 18:28:58 1558944 ----a-w- c:\windows\system32\FMAPO.dll
2010-10-28 18:46:10 1251944 ----a-w- c:\windows\RtlExUpd.dll
2010-10-19 18:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-15 05:53:05 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-10-15 05:53:02 82432 ----a-w- c:\windows\system32\axaltocm.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: Hitachi_HTS542520K9SA00 rev.BBDOC33P -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-4

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x868E6555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x868ec7b0]; MOV EAX, [0x868ec82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x82248962] -> \Device\Harddisk0\DR0[0x8634E9B8]
3 CLASSPNP[0x8A9128B3] -> ntkrnlpa!IofCallDriver[0x82248962] -> [0x86B0B2B0]
\Driver\atapi[0x866577A0] -> IRP_MJ_CREATE -> 0x868E6555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP2T0L0-4 -> \??\IDE#DiskHitachi_HTS542520K9SA00_________________BBDOC33P#5&611cf43&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi -> 0x859191e8
user != kernel MBR !!!
sectors 390721966 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 13:45:12.96 ===============

Also attached are the second DDS file and the GMER log.

Thanks again for the help!

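The GMER block in the post above reports that the MBR read through the normal user-mode path differs from the MBR read through the kernel path, which is the check behind its "user != kernel MBR" verdict: a bootkit that hooks the disk stack hands a clean sector 0 back to ordinary reads while the real sector carries its own loader. The Python below is an added example, not part of this thread or of GMER. It parses a 512-byte MBR (partition table and 0x55AA signature), diffs two views of the sector, and reports whether only the bootstrap code changed while the partition table stayed intact, which is the pattern a bootkit leaves. The sample sectors are constructed here: the "clean" bootstrap is the relocation prologue hand-encoded from the first instructions in the GMER disassembly (copy 0x200 bytes from 0x7C00 to 0x0600 and far-return into the copy, which is also how a stock Windows MBR begins), and the "infected" one appends a hand-encoding of the ROR decode loop that follows it in the log. Reading the real sector 0 of a live disk needs administrator rights and is deliberately left out.

```python
"""Compare two views of a disk's MBR and flag a bootkit-style mismatch.

Added example, not code from GMER or this thread. Only the I/O-free part of
GMER's check is reproduced: parse sector 0, diff two 512-byte reads, and
decide whether the difference is confined to the bootstrap code.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

MBR_SIZE = 512
CODE_END = 446           # bootstrap code: bytes 0..445
TABLE_END = 510          # four 16-byte partition entries: bytes 446..509
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> list[Partition]:
    """Decode the non-empty primary partition entries; reject a malformed sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR must be {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[TABLE_END:MBR_SIZE] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = CODE_END + 16 * i
        status, _chs_start, type_id, _chs_end, lba, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + 16])
        if type_id != 0:                      # type 0x00 marks an unused slot
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return parts


def differing_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Half-open [start, end) byte ranges where two equal-length buffers differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def assess(user_view: bytes, kernel_view: bytes) -> dict:
    """GMER-style 'user != kernel MBR' check on two reads of sector 0.

    Both views must parse. A mismatch limited to the bootstrap code with an
    identical partition table is the classic bootkit footprint: the hooked
    read path returns the original loader, the other path sees the real one.
    """
    user_parts = parse_partitions(user_view)
    kernel_parts = parse_partitions(kernel_view)
    diffs = differing_ranges(user_view, kernel_view)
    code_differs = any(start < CODE_END for start, _ in diffs)
    table_differs = user_parts != kernel_parts
    if not diffs:
        verdict = "clean: user and kernel views agree"
    elif code_differs and not table_differs:
        verdict = "suspicious: bootstrap code differs, partition table intact (bootkit pattern)"
    else:
        verdict = "suspicious: views differ"
    return {"differs": diffs, "code_differs": code_differs,
            "table_differs": table_differs, "partitions": kernel_parts,
            "verdict": verdict}


def build_mbr(bootstrap: bytes, partitions: list[Partition]) -> bytes:
    """Assemble a sector from a bootstrap blob and up to four partitions (test data)."""
    code = bootstrap.ljust(CODE_END, b"\x00")[:CODE_END]
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if p.bootable else 0x00, b"\0\0\0",
                    p.type_id, b"\0\0\0", p.lba_start, p.sector_count)
        for p in partitions)
    return code + table.ljust(TABLE_END - CODE_END, b"\x00") + BOOT_SIG


# Constructed sample data (not the real sector from the thread).
# Relocation prologue hand-encoded from the GMER disassembly: XOR AX,AX; MOV SS,AX;
# MOV SP,7C00; MOV ES,AX; MOV DS,AX; MOV SI,7C00; MOV DI,0600; MOV CX,0200; CLD;
# REP MOVSB; PUSH AX; PUSH 061C; RETF  (the same way a stock Windows MBR starts).
RELOC_PROLOGUE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cb")
# STI; PUSHA; MOV CX,0132; MOV BP,062A; ROR BYTE [BP+0],CL; INC BP  (the decode
# loop that follows in the log; the loop branch is omitted, as it is not shown there).
DECODE_LOOP = bytes.fromhex("fb60b93201bd2a06d24e0045")
SAMPLE_PARTS = [Partition(True, 0x07, 2048, 390_000_000)]
CLEAN_MBR = build_mbr(RELOC_PROLOGUE, SAMPLE_PARTS)
INFECTED_MBR = build_mbr(RELOC_PROLOGUE + DECODE_LOOP, SAMPLE_PARTS)

if __name__ == "__main__":
    for label, (u, k) in {"same": (CLEAN_MBR, CLEAN_MBR),
                          "hooked": (CLEAN_MBR, INFECTED_MBR)}.items():
        r = assess(u, k)
        print(f"{label}: {r['verdict']}  diffs={r['differs']}")
```

On a real host you would feed assess() two reads of sector 0 taken by different routes (for example \\.\PhysicalDrive0 from user mode versus an offline read of the same disk from boot media) and treat a code-only mismatch with an intact partition table as grounds for rewriting the MBR code section, which is what the "mbr.exe -f" hint at the end of the GMER output refers to.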

#4 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 03 January 2011 - 11:05 PM

Hello

My name is gringo and I will be helping you from this point forward.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes unless I tell you to.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything else while running a fix.

If you have not done so, please click on the Watch Topic button, select Immediate Notification and click Proceed. This will help you get notified faster when I have replied and make the cleaning process faster.

Here is the first thing I would like you to do.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on ComboFix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"Information and logs"

In your next post I need the following:
  • Log from ComboFix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hours, please bump the topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here. Don't worry, every little bit helps.

Proud Graduate of Malware Removal University

#5 rogerroger
  • Topic Starter
  • Members
  • 12 posts
  • Local time:11:09 AM

Posted 04 January 2011 - 05:59 PM

Hi gringo.

When I try to run ComboFix, I get a blue screen and the error: IRQL_NOT_LESS_OR_EQUAL
Stop: 0x0000000A (0x00000016, 0x0000001B, 0x00000000, 0x822F87B6)

Also, I tried running Windows Update and I got the error: Windows_Update 80072EFE. And, surprisingly, CRxSk24Q.exe reappeared on my computer. Note that this is after I tried running ComboFix and all my anti-virus software was off.

Hope this helps.

#6 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Location: Puerto Rico

Posted 04 January 2011 - 07:05 PM

Hello

It looks like the rootkit is still active. I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
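Once that log comes back, the useful lines are the handful TDSSKiller marks ("Suspicious file", "- detected ...") buried in a list of every loaded driver. The Python below is an added example, not part of this thread or of TDSSKiller. It parses the log shape TDSSKiller 2.4.x writes (the one visible in the next post), collects the flagged drivers together with the tool's reason, adds one heuristic of its own (a driver loaded from outside the Windows directory named in the log header), and marks hits on drivers known to lock their own image as needing manual review rather than immediate cure. The KNOWN_SELF_LOCKING table and the path heuristic are this example's assumptions; the sample lines are trimmed copies of lines from the log in this thread, with sptd.sys included because it is a SCSI pass-through driver shipped with disc-emulation software that is routinely reported as locked.

```python
"""Triage a TDSSKiller log: list the drivers the tool flagged, attach the
reason, and add one cheap heuristic of our own so the reviewer sees a short
list instead of two hundred driver lines. Added example, not TDSSKiller code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Line shapes as they appear in TDSSKiller 2.4.x logs (timestamp, then payload).
DRIVER_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSPICIOUS_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Suspicious file \((?P<why>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$")
DETECTED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<name>\S+) - detected (?P<what>.+?) \((?P<count>\d+)\)$")
WINDIR_RE = re.compile(r"^(?P<ts>\S+ \S+) Windows directory: (?P<dir>.+)$")

# Drivers known to lock their own image and so trip the Locked file / NoAccess
# checks without being malware. Assumption: this list is ours, not TDSSKiller's.
KNOWN_SELF_LOCKING = {
    "sptd.sys": "SCSI pass-through driver shipped with disc-emulation software; "
                "locks itself by design, verify the install rather than curing blindly",
}


@dataclass
class Finding:
    name: str
    path: str
    md5: str
    reasons: list[str] = field(default_factory=list)
    likely_benign: bool = False


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per driver that TDSSKiller or our heuristic flagged."""
    drivers: dict[str, tuple[str, str]] = {}    # name -> (md5, path)
    suspicious: dict[str, str] = {}             # lowercased path -> why
    detected: dict[str, list[str]] = {}         # name -> [what, ...]
    windir = "C:\\Windows"                      # overridden by the log header
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := WINDIR_RE.match(line):
            windir = m["dir"].rstrip("\\")
        elif m := SUSPICIOUS_RE.match(line):
            suspicious[m["path"].lower()] = m["why"]
        elif m := DETECTED_RE.match(line):
            detected.setdefault(m["name"], []).append(m["what"])
        elif m := DRIVER_RE.match(line):
            drivers[m["name"]] = (m["md5"], m["path"])

    findings: list[Finding] = []
    for name, (md5, path) in drivers.items():
        reasons = [f"TDSSKiller: {what}" for what in detected.get(name, [])]
        if why := suspicious.get(path.lower()):
            reasons.append(f"TDSSKiller: suspicious file ({why})")
        # Our heuristic: kernel drivers normally live under the Windows directory.
        if not path.lower().startswith(windir.lower() + "\\"):
            reasons.append(f"loaded from outside {windir}")
        if not reasons:
            continue
        finding = Finding(name, path, md5, reasons)
        basename = path.rsplit("\\", 1)[-1].lower()
        if basename in KNOWN_SELF_LOCKING and all("outside" not in r for r in reasons):
            finding.likely_benign = True
            finding.reasons.append(f"note: {KNOWN_SELF_LOCKING[basename]}")
        findings.append(finding)
    return sorted(findings, key=lambda f: f.name.lower())


# Sample input: trimmed copies of lines from the TDSSKiller log in this thread.
SAMPLE_LOG = r"""
2011/01/04 19:10:24.0999 Windows directory: C:\Windows
2011/01/04 19:10:44.0374 Scan started
2011/01/04 19:10:56.0511 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/01/04 19:11:10.0317 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/01/04 19:11:23.0390 sptd (d390675b8ce45e5fb359338e5e649329) C:\Windows\system32\Drivers\sptd.sys
2011/01/04 19:11:23.0390 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: d390675b8ce45e5fb359338e5e649329
2011/01/04 19:11:23.0405 sptd - detected Locked file (1)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "review (likely benign)" if f.likely_benign else "REVIEW"
        print(f"{tag:24} {f.name:10} {f.md5} {f.path}")
        for r in f.reasons:
            print(f"{'':24}   - {r}")
```

A locked or access-denied image is not a verdict on its own: the tool already defaults to Skip for suspicious files, and the point of a triage list like this is to decide which Skips deserve a second look (unfamiliar service name, third-party path, no vendor you recognise) before choosing Cure.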

#7 rogerroger
  • Topic Starter
  • Members
  • 12 posts
  • Local time:11:09 AM

Posted 04 January 2011 - 10:35 PM

Hello again.

Here's the log from TDSSKiller:

2011/01/04 19:10:24.0999 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/04 19:10:24.0999 ================================================================================
2011/01/04 19:10:24.0999 SystemInfo:
2011/01/04 19:10:24.0999
2011/01/04 19:10:24.0999 OS Version: 6.0.6002 ServicePack: 2.0
2011/01/04 19:10:24.0999 Product type: Workstation
2011/01/04 19:10:24.0999 ComputerName: TONY-PC
2011/01/04 19:10:24.0999 UserName: TONY
2011/01/04 19:10:24.0999 Windows directory: C:\Windows
2011/01/04 19:10:24.0999 System windows directory: C:\Windows
2011/01/04 19:10:24.0999 Processor architecture: Intel x86
2011/01/04 19:10:24.0999 Number of processors: 2
2011/01/04 19:10:24.0999 Page size: 0x1000
2011/01/04 19:10:24.0999 Boot type: Normal boot
2011/01/04 19:10:24.0999 ================================================================================
2011/01/04 19:10:40.0802 Initialize success
2011/01/04 19:10:44.0374 ================================================================================
2011/01/04 19:10:44.0374 Scan started
2011/01/04 19:10:44.0374 Mode: Manual;
2011/01/04 19:10:44.0374 ================================================================================
2011/01/04 19:10:46.0995 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/01/04 19:10:47.0759 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/01/04 19:10:48.0399 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/01/04 19:10:49.0366 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/01/04 19:10:50.0193 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/01/04 19:10:51.0519 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/01/04 19:10:53.0828 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\Windows\system32\DRIVERS\AGRSM.sys
2011/01/04 19:10:54.0155 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2011/01/04 19:10:54.0249 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/01/04 19:10:54.0592 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2011/01/04 19:10:54.0686 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/01/04 19:10:54.0764 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2011/01/04 19:10:54.0826 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/01/04 19:10:55.0029 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2011/01/04 19:10:55.0606 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/01/04 19:10:55.0902 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/01/04 19:10:56.0277 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/01/04 19:10:56.0511 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/01/04 19:10:56.0823 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\Windows\System32\Drivers\avgldx86.sys
2011/01/04 19:10:57.0182 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\Windows\System32\Drivers\avgmfx86.sys
2011/01/04 19:10:57.0431 AvgTdiX (92d8e1e8502e649b60e70074eb29c380) C:\Windows\System32\Drivers\avgtdix.sys
2011/01/04 19:10:57.0525 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/01/04 19:10:57.0712 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2011/01/04 19:10:57.0806 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/01/04 19:10:57.0899 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/01/04 19:10:58.0024 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/01/04 19:10:58.0118 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/01/04 19:10:58.0164 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/01/04 19:10:58.0258 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/01/04 19:10:58.0383 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/01/04 19:10:58.0523 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/01/04 19:10:58.0648 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/01/04 19:10:58.0804 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/01/04 19:10:58.0944 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/01/04 19:10:59.0116 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/01/04 19:10:59.0288 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2011/01/04 19:10:59.0475 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/01/04 19:10:59.0584 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/01/04 19:10:59.0693 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/01/04 19:11:00.0099 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/01/04 19:11:00.0317 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/01/04 19:11:00.0504 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/01/04 19:11:00.0926 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2011/01/04 19:11:01.0050 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/01/04 19:11:01.0175 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/01/04 19:11:01.0347 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/01/04 19:11:01.0893 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/01/04 19:11:02.0361 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/01/04 19:11:02.0673 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/01/04 19:11:02.0907 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/01/04 19:11:03.0141 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/01/04 19:11:03.0297 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/01/04 19:11:03.0390 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/01/04 19:11:03.0562 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/01/04 19:11:03.0734 FwLnk (cbc22823628544735625b280665e434e) C:\Windows\system32\DRIVERS\FwLnk.sys
2011/01/04 19:11:03.0890 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/01/04 19:11:03.0999 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
2011/01/04 19:11:04.0155 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/01/04 19:11:04.0342 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/01/04 19:11:04.0404 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/01/04 19:11:04.0529 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/01/04 19:11:04.0748 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/01/04 19:11:04.0872 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/01/04 19:11:04.0950 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/01/04 19:11:05.0028 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/01/04 19:11:05.0153 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/01/04 19:11:05.0325 igfx (038815297078d236d8cc064c295a74c6) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/01/04 19:11:05.0434 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/01/04 19:11:05.0652 IntcAzAudAddService (544fcaf4cf73c6ef6a83747cb9274177) C:\Windows\system32\drivers\RTKVHDA.sys
2011/01/04 19:11:05.0777 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/01/04 19:11:05.0840 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/01/04 19:11:06.0027 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/01/04 19:11:06.0120 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/01/04 19:11:06.0214 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/01/04 19:11:06.0401 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/01/04 19:11:06.0464 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/01/04 19:11:06.0635 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/01/04 19:11:06.0713 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/01/04 19:11:06.0822 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/01/04 19:11:06.0978 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/01/04 19:11:07.0072 kbdhid (d2600cb17b7408b4a83f231dc9a11ac3) C:\Windows\system32\drivers\kbdhid.sys
2011/01/04 19:11:07.0337 KR10I (e8ca038f51f7761bd6e3a3b0b8014263) C:\Windows\system32\drivers\kr10i.sys
2011/01/04 19:11:07.0400 KR10N (6a4adb9186dd0e114e623daf57e42b31) C:\Windows\system32\drivers\kr10n.sys
2011/01/04 19:11:07.0462 KR3NPXP (485e005cd51ff502fb16483eb4b69c17) C:\Windows\system32\drivers\kr3npxp.sys
2011/01/04 19:11:07.0712 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/01/04 19:11:07.0868 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/01/04 19:11:07.0961 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/01/04 19:11:08.0164 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/01/04 19:11:08.0289 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/01/04 19:11:08.0429 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/01/04 19:11:08.0570 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\Windows\system32\DRIVERS\mcdbus.sys
2011/01/04 19:11:08.0663 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/01/04 19:11:08.0866 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/01/04 19:11:09.0272 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/01/04 19:11:09.0381 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/01/04 19:11:09.0584 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/01/04 19:11:09.0833 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/01/04 19:11:09.0974 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/01/04 19:11:10.0052 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/01/04 19:11:10.0208 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/01/04 19:11:10.0317 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/01/04 19:11:10.0426 MRESP50 (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/01/04 19:11:10.0800 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/01/04 19:11:10.0925 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/01/04 19:11:11.0003 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/01/04 19:11:11.0144 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/01/04 19:11:11.0362 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
2011/01/04 19:11:11.0736 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/01/04 19:11:12.0064 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/01/04 19:11:12.0360 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/01/04 19:11:12.0766 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/01/04 19:11:12.0969 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/01/04 19:11:13.0031 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/01/04 19:11:13.0172 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/01/04 19:11:13.0234 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/01/04 19:11:13.0296 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/01/04 19:11:13.0406 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/01/04 19:11:13.0530 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/01/04 19:11:13.0655 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/01/04 19:11:13.0733 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/01/04 19:11:13.0842 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/01/04 19:11:13.0920 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/01/04 19:11:14.0030 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/01/04 19:11:14.0123 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/01/04 19:11:14.0232 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/01/04 19:11:14.0404 NETw4v32 (6522dd40a5f67ced020bd81b856613fb) C:\Windows\system32\DRIVERS\NETw4v32.sys
2011/01/04 19:11:14.0529 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/01/04 19:11:14.0591 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/01/04 19:11:14.0669 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/01/04 19:11:14.0810 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/01/04 19:11:14.0919 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/01/04 19:11:14.0981 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/01/04 19:11:15.0044 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/01/04 19:11:15.0168 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/01/04 19:11:15.0231 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2011/01/04 19:11:15.0449 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/01/04 19:11:15.0590 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/01/04 19:11:15.0668 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/01/04 19:11:15.0761 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/01/04 19:11:15.0855 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/01/04 19:11:15.0964 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
2011/01/04 19:11:16.0042 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/01/04 19:11:16.0354 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/01/04 19:11:16.0604 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/01/04 19:11:16.0682 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/01/04 19:11:16.0838 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/01/04 19:11:16.0916 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\Windows\system32\Drivers\PxHelp20.sys
2011/01/04 19:11:17.0134 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/01/04 19:11:17.0493 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/01/04 19:11:17.0945 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/01/04 19:11:18.0132 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/01/04 19:11:18.0273 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/01/04 19:11:18.0413 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/01/04 19:11:18.0569 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/01/04 19:11:18.0850 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/01/04 19:11:19.0193 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/01/04 19:11:19.0427 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/01/04 19:11:19.0583 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/01/04 19:11:19.0926 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/01/04 19:11:20.0114 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/01/04 19:11:20.0223 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/01/04 19:11:20.0628 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
2011/01/04 19:11:20.0753 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/01/04 19:11:20.0847 Ser2pl (bdee4dcb4790f254528f1fd7bad213b3) C:\Windows\system32\DRIVERS\ser2pl.sys
2011/01/04 19:11:20.0972 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
2011/01/04 19:11:21.0065 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/01/04 19:11:21.0408 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/01/04 19:11:21.0596 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/01/04 19:11:21.0767 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/01/04 19:11:21.0986 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/01/04 19:11:22.0188 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/01/04 19:11:22.0360 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/01/04 19:11:22.0516 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/01/04 19:11:22.0594 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/01/04 19:11:22.0812 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/01/04 19:11:23.0093 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/01/04 19:11:23.0390 sptd (d390675b8ce45e5fb359338e5e649329) C:\Windows\system32\Drivers\sptd.sys
2011/01/04 19:11:23.0390 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: d390675b8ce45e5fb359338e5e649329
2011/01/04 19:11:23.0405 sptd - detected Locked file (1)
2011/01/04 19:11:42.0078 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/01/04 19:11:42.0094 ================================================================================
2011/01/04 19:11:42.0094 Scan finished
2011/01/04 19:11:42.0094 ================================================================================
2011/01/04 19:11:42.0094 Detected object count: 2
2011/01/04 19:12:04.0839 Locked file(sptd) - User select action: Skip
2011/01/04 19:12:05.0104 \HardDisk0 - will be cured after reboot
2011/01/04 19:12:05.0104 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/01/04 19:12:09.0706 Deinitialize success


Thanks muchly.

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 January 2011 - 06:31 AM

Hello

OK, let's try this. I want you to run ComboFix in Safe Mode, but it is very important that when ComboFix reboots the computer you direct it back into Safe Mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in to your usual account.

After ComboFix has finished its scan, please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#9 rogerroger

rogerroger
  • Topic Starter

  • Members
  • 12 posts

Posted 05 January 2011 - 06:47 PM

Here's the ComboFix report:


ComboFix 11-01-04.01 - TONY 01/05/2011 15:14:01.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2575 [GMT -8:00]
Running from: c:\users\TONY\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Microsoft
c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\DivX\DivX Update\DivXUpdate.exe
c:\program files\Juggler.v.0.5.3.0.Exe
c:\program files\Juggler.v.0.5.3.0.Exe\Juggler .exe
c:\program files\Juggler.v.0.5.3.0.Exe\Juggler.exe
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynTPStart.exe
c:\program files\TOSHIBA\FlashCards\TCrdMain.exe
c:\program files\whitesmoketoolbar
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\btn-wide-close.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\default.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-off-l.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-off-r.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-on-l.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\tab-on-r.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\transparent.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\ttlbar-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\ttlbar-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\ttlbar-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-mdl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-right-resize.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-btm-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\images\win-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\main.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\default\scripts\defscript.js
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\footer.htm
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gamecategory.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gameData.js
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gameList.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\games.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\gametype.xsl
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-dn.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-sml-drop.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-sml.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrow-up.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\arrowr-bluew5.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bg-aboutbox.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bg-btnover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bg-pnl520x390.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-back.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-drag.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-moredetails.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-next-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-next.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-previous-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-previous.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-search-pnlbtm-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\btn-search-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\bullet-orange.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\gamethumb-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\gamethumb2-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-calendar.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-download.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-joystick24.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-news24.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-play.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\ico-tags.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-Add.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-download.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-Info.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-play.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\icon-shop.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\menul-bgon.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\menul-bgover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\panel-botm-noscroll.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scroll-bg-206.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scroll-bg.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scroll-topwin.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb-disable.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb-down.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollb.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt-disable.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt-down.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\scrollt.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\searchbox-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\star_x_grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\star_x_orange.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\TRUSTe_about.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-detailed-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-detailed-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-thumb-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\view-thumb-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\widgets-square-16px.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\widgets-square-24px.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\images\widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\initHTML.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupGames.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupHTML.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupRSS.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\popupWidgets.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\panels\scroll.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\pop.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\css\manager.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\css\slider.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\bg-pnl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\collapsed_button.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\expanded_button.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-playstation-down.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-playstation-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-playstation.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\ico-radio.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\music-note.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-pause-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-pause.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-play-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-btn-play.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-bg.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-buffer.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-busy.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-off.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-on.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-eq-warning.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options-design-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options-design.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options-on.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-options.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-0.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-1.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-2.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-3.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\radio-volume-mute.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\scrollbar-handle.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\scrollbar-track.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\slider.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\slideron.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\images\track.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\managerpanel.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\radio\volumeslider.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\reload.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\remove.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\rename.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\resize-box.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\rss.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\rsschannelback.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\RSSLogo.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\rsstabdivider.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\scroll-left.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\scroll-right.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\search-go.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\search.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\text-ellipsis.xml
c:\program files\whitesmoketoolbar\chrome\skin\lib\throbber.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\toolbarsplitter.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\transparent_1px.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_02.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_03.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_04.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_06.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_07.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_08.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_09.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_10.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_11.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_12.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_13.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_14.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_15.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_16.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_18.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_19.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_20.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\border_21.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\close-hot.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\close-normal.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\loadingMid.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\proxy.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\template.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\template.xml
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\templateFF.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\uwa\throbber.gif
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\cond999.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\icons.xml
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\na-s.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\na-t.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\na.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\icons\weather.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\add.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\arrowr-bluew5.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350blue-whitebg.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\bg-pnl520x350blue.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\box-check.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\box-uncheck.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-close-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-close-greyover.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-delete.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-search-pnlbtm-over.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btn-search-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next-off.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-next.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous-off.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\btnarrow-previous.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-check.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-hotandhumid-s.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\ico-hotandhumid.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\options-weather.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\over-blue.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\over-orange.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\powered-by-weatherbug2.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-checked.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\radio-unchecked.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\searchbox-pnlbtm.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\images\weather-contour.png
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.css
c:\program files\whitesmoketoolbar\chrome\skin\lib\weatherbutton\panels\popupWeather.html
c:\program files\whitesmoketoolbar\chrome\skin\lib\yahoo.png
c:\program files\whitesmoketoolbar\chrome\skin\lichen.gif
c:\program files\whitesmoketoolbar\chrome\skin\logo-about.png
c:\program files\whitesmoketoolbar\chrome\skin\logo-over.png
c:\program files\whitesmoketoolbar\chrome\skin\logo-separator.png
c:\program files\whitesmoketoolbar\chrome\skin\logo.png
c:\program files\whitesmoketoolbar\chrome\skin\mail.png
c:\program files\whitesmoketoolbar\chrome\skin\menuseparatorback.gif
c:\program files\whitesmoketoolbar\chrome\skin\modify-save.png
c:\program files\whitesmoketoolbar\chrome\skin\modify.png
c:\program files\whitesmoketoolbar\chrome\skin\modifyhot.png
c:\program files\whitesmoketoolbar\chrome\skin\music.png
c:\program files\whitesmoketoolbar\chrome\skin\namespacetoolbar.css
c:\program files\whitesmoketoolbar\chrome\skin\networkIcons_png
c:\program files\whitesmoketoolbar\chrome\skin\news.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-main.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-search.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-weather.png
c:\program files\whitesmoketoolbar\chrome\skin\options\options-widgets.png
c:\program files\whitesmoketoolbar\chrome\skin\orange.gif
c:\program files\whitesmoketoolbar\chrome\skin\pixsy.png
c:\program files\whitesmoketoolbar\chrome\skin\protect-id.png
c:\program files\whitesmoketoolbar\chrome\skin\relatedlinks.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-collapse.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-delete.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-expand.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-feed.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-folder-remove.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-folder-rename.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-folder.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-found.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-reload.png
c:\program files\whitesmoketoolbar\chrome\skin\rss-subscribe.png
c:\program files\whitesmoketoolbar\chrome\skin\rss.png
c:\program files\whitesmoketoolbar\chrome\skin\rss_feed_icon_png
c:\program files\whitesmoketoolbar\chrome\skin\rssback.gif
c:\program files\whitesmoketoolbar\chrome\skin\rsstopback.gif
c:\program files\whitesmoketoolbar\chrome\skin\search-over.png
c:\program files\whitesmoketoolbar\chrome\skin\search.png
c:\program files\whitesmoketoolbar\chrome\skin\searchbar\searchbar-background-left.png
c:\program files\whitesmoketoolbar\chrome\skin\searchbar\searchbar-background-middle.png
c:\program files\whitesmoketoolbar\chrome\skin\searchbar\searchbar-background-right.png
c:\program files\whitesmoketoolbar\chrome\skin\settings.png
c:\program files\whitesmoketoolbar\chrome\skin\shopping.png
c:\program files\whitesmoketoolbar\chrome\skin\siteinfo.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-bluelite.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-bluesky.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-grey.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-lichen.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-orange.png
c:\program files\whitesmoketoolbar\chrome\skin\skin-yellow.png
c:\program files\whitesmoketoolbar\chrome\skin\skin.xml
c:\program files\whitesmoketoolbar\chrome\skin\spain_png
c:\program files\whitesmoketoolbar\chrome\skin\technorati.png
c:\program files\whitesmoketoolbar\chrome\skin\throbber.gif
c:\program files\whitesmoketoolbar\chrome\skin\toolbarsplitter.png
c:\program files\whitesmoketoolbar\chrome\skin\translate.png
c:\program files\whitesmoketoolbar\chrome\skin\Translate_png
c:\program files\whitesmoketoolbar\chrome\skin\Translate_png_png
c:\program files\whitesmoketoolbar\chrome\skin\TRUSTe_about.png
c:\program files\whitesmoketoolbar\chrome\skin\TV_icon3_png
c:\program files\whitesmoketoolbar\chrome\skin\tvicon_png
c:\program files\whitesmoketoolbar\chrome\skin\tvIcons_png
c:\program files\whitesmoketoolbar\chrome\skin\usa_png
c:\program files\whitesmoketoolbar\chrome\skin\vmn.css
c:\program files\whitesmoketoolbar\chrome\skin\vmn.png
c:\program files\whitesmoketoolbar\chrome\skin\web.png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png2_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png3_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png4_png
c:\program files\whitesmoketoolbar\chrome\skin\whtsmke_logo_png5_png
c:\program files\whitesmoketoolbar\chrome\skin\wikipedia.png
c:\program files\whitesmoketoolbar\chrome\skin\yahoosearch.png
c:\program files\whitesmoketoolbar\chrome\skin\yellow.gif
c:\program files\whitesmoketoolbar\chrome\skin\youtube.png
c:\program files\whitesmoketoolbar\chrome\skin\zoom.png
c:\program files\whitesmoketoolbar\components\windowmediator.js
c:\program files\whitesmoketoolbar\manifest.xml
c:\program files\whitesmoketoolbar\toolbar.xml
c:\program files\whitesmoketoolbar\uninstall.exe
c:\program files\whitesmoketoolbar\whitesmoketoolbar.dll
c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
c:\program files\Windows Live\Messenger\msnmsgr.exe
c:\programdata\CRxSk24Q.exe
c:\users\TONY\AppData\Roaming\Laloa\alaxi.exe
c:\windows\Fonts\r7v2K2Dk.com
c:\windows\Tasks\At1.job

<pre>
c:\program files\Cisco\Cisco NAC Agent\NACAgentUI .exe --->c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe
c:\program files\Common Files\Java\Java Update\jusched .exe --->c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\DivX\DivX Update\DivXUpdate .exe --->c:\program files\DivX\DivX Update\DivXUpdate.exe
c:\program files\Synaptics\SynTP\SynTPEnh .exe --->c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\program files\Synaptics\SynTP\SynTPStart .exe --->c:\program files\Synaptics\SynTP\SynTPStart.exe
</pre>
.
.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2011-01-05 23:09 . 2011-01-05 23:09 -------- d-----w- C:\32788R22FWJFW
2011-01-05 20:32 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D966654A-1B44-4816-A934-EE51C67CDA6B}\mpengine.dll
2010-12-24 23:51 . 2010-12-24 23:51 -------- d-----w- c:\windows\Sun
2010-12-23 20:19 . 2011-01-04 01:04 -------- d-----w- c:\users\TONY\AppData\Roaming\Amufy
2010-12-23 20:19 . 2011-01-05 23:22 -------- d-----w- c:\users\TONY\AppData\Roaming\Laloa
2010-12-23 20:19 . 2010-12-23 20:19 173568 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sageim.exe
2010-12-21 00:44 . 2010-12-21 00:44 -------- d-----w- c:\program files\Opera
2010-12-21 00:16 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
2010-12-21 00:16 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
2010-12-21 00:16 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
2010-12-21 00:16 . 2010-11-04 18:56 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-21 00:16 . 2010-11-04 18:55 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-12-21 00:16 . 2010-11-04 18:55 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-21 00:16 . 2010-11-04 16:34 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-12-21 00:16 . 2010-11-04 18:55 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-21 00:15 . 2010-10-18 13:37 81920 ----a-w- c:\windows\system32\consent.exe
2010-12-21 00:15 . 2010-10-21 20:08 834048 ----a-w- c:\windows\system32\wininet.dll
2010-12-21 00:15 . 2010-10-21 18:30 389632 ----a-w- c:\windows\system32\html.iec
2010-12-21 00:15 . 2010-10-20 17:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-21 00:14 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-21 00:13 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-12-21 00:12 . 2010-10-28 15:44 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-21 00:12 . 2010-10-28 13:27 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-21 00:12 . 2010-06-16 15:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-12-21 00:12 . 2010-10-18 13:31 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-12-21 00:12 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-12-18 07:11 . 2010-12-18 07:11 -------- d-----w- c:\users\TONY\AppData\Local\Opera
2010-12-12 21:06 . 2010-12-12 21:06 -------- d-----w- c:\windows\system32\RTCOM
2010-12-12 20:53 . 2010-12-12 21:07 -------- d--h--w- c:\program files\Temp
2010-12-12 20:23 . 2010-12-20 21:52 -------- d-----w- c:\users\TONY\AppData\Roaming\IObit
2010-12-12 20:22 . 2010-12-20 21:52 -------- d-----w- c:\program files\IObit
2010-12-12 20:22 . 2010-12-12 20:22 -------- d-----w- c:\programdata\IObit
2010-12-11 05:35 . 2010-12-11 05:35 -------- d-----w- c:\users\TONY\AppData\Local\Western_Digital
2010-12-11 05:34 . 2010-12-20 21:52 -------- d-----w- c:\users\TONY\AppData\Roaming\Western Digital
2010-12-11 05:34 . 2010-12-11 05:34 -------- d-----w- c:\programdata\Western Digital
2010-12-11 05:32 . 2010-12-11 05:32 -------- d-----w- c:\program files\Western Digital
2010-12-11 05:29 . 2010-12-11 05:29 -------- d-----w- c:\users\TONY\AppData\Local\Western Digital
2010-12-10 06:13 . 2010-12-10 06:13 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-12 21:04 . 2007-11-12 23:34 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-11-13 02:53 . 2010-04-20 06:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 18:41 . 2010-01-16 19:05 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-15 05:53 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-10-15 05:53 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
.
<pre>
c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI .exe
c:\program files\Toshiba\FlashCards\TCrdMain .exe
c:\program files\Toshiba\Power Saver\TPwrMain .exe
c:\program files\Toshiba\SmoothView\SmoothView .exe
c:\program files\Toshiba\TBS\HSON .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Juggler"="c:\program files\Juggler.v.0.5.3.0.Exe\Juggler.exe" [N/A]
"{CE8CF614-25D0-B33D-7325-94A7C946A7A4}"="c:\users\TONY\AppData\Roaming\Laloa\alaxi.exe" [N/A]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-16 167368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-11-30 9914984]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"TPwrMain"="%ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE" [N/A]
"HSON"="%ProgramFiles%\TOSHIBA\TBS\HSON.exe" [N/A]
"SmoothView"="%ProgramFiles%\Toshiba\SmoothView\SmoothView.exe" [N/A]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [N/A]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2010-02-06 454400]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"<NO NAME>"="" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [N/A]

c:\users\TONY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-10-27 576000]
OneNote Table Of Contents.onetoc2 [2008-4-6 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
sageim.exe [2010-12-23 173568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^TONY^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\TONY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-03-12 17:55 342848 ----a-w- c:\users\TONY\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-05-22 18:50 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2008-03-27 15:04 107176 ----a-w- c:\program files\Lexmark Z2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 04:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
c:\program files\iTunes\iTunesHelper.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdqmon.exe]
2008-03-27 15:04 656040 ----a-w- c:\program files\Lexmark Z2400 Series\lxdqmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
c:\program files\Windows Live\Messenger\msnmsgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBC_McciTrayApp]
c:\program files\AT&T\Self Support Tool\ATTTray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 23:31 2144088 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-11 18:56 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CWMonitor;Symantec Crimeware Protection Driver;c:\program files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys [x]
R2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [2008-02-27 594600]
R2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe [2009-04-28 94208]
R2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2010-02-06 742144]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\UP_date\PEDrv.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-15 685816]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

AddRemove-llro - c:\program files\Lightside - Legend Ragnarok\uninstall.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
AddRemove-View32 - c:\program files\ProFantasy\CC3View\UNINST.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-05 15:22
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000\Software\G*e*n*i*e*"!\FM Genie Scout 10]
"GameDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2010\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2010"
"SaveDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2010\\"
"HistoryDir"="c:\\Users\\TONY\\Desktop\\fm_genie_scout_10_rc2\\FM Genie Scout 10\\History Points"
"LangDB"=""
"LastSaveGame"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2010\\games\\usetj.fm"
"Language"="English"
"LoadLangDB"=dword:00000000
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:0000006f
"UniqueID"="94-8600-E62F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="c:\\Users\\TONY\\Desktop\\fm_genie_scout_2009_xe_209\\FM Genie Scout 2009 XE\\History Points"
"LangDB"=""
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000000
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="94-8600-E62F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* m*p*4*\OpenWithList]
@Class="Shell"
"a"="firefox.exe"
"MRUList"="ba"
"b"="zplayer.exe"

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.* m*p*4*\OpenWithProgids]
"?mp4_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000_Classes\ m*p*4*_*a*u*t*o*_*f*i*l*e*\shell]
@="open"

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000_Classes\ m*p*4*_*a*u*t*o*_*f*i*l*e*\shell\open]
@="&Open"
"FriendlyAppName"="Zoom Player"

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000_Classes\ m*p*4*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="\"c:\\Program Files\\Combined Community Codec Pack\\Zoom Player\\zplayer.exe\" \"%L\""
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-01-05 15:25:55
ComboFix-quarantined-files.txt 2011-01-05 23:25

Pre-Run: 24,681,287,680 bytes free
Post-Run: 25,543,720,960 bytes free

- - End Of File - - 44813FE9A43EB9DB5BF8F14746EFCAF1

#10 gringo_pr

  • Malware Response Team

Posted 05 January 2011 - 07:26 PM

I want you to run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
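Once a TDSSKiller report has been pasted, the lines that matter are the few that say "Suspicious file" or "detected", buried among hundreds of hashed-driver lines. The script below is an added example, not part of this post and not TDSSKiller's own code: it parses the 2.4.x report layout shown later in this thread, keeps the hashed driver list, and merges each "Suspicious file" line with the verdict line that follows it so a helper can see name, path, MD5, reason and verdict together. The sample report is a handful of lines copied from the log posted further down; the `find_reports` helper and its `C:\` default are assumptions based on where the post says the file lands after a reboot.

```python
"""Summarise a TDSSKiller report: hashed drivers plus the findings that
need a human decision. Added example; assumes the 2.4.x line layout."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import Path

# Line shapes as they appear in the report pasted later in this thread.
_TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})"
DRIVER_RE = re.compile(_TS + r" (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
SUSPICIOUS_RE = re.compile(
    _TS + r" Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+?)\. md5: (?P<md5>[0-9a-f]{32})$"
)
VERDICT_RE = re.compile(_TS + r" (?P<name>\S+) - detected (?P<verdict>.+?) \((?P<count>\d+)\)$")


@dataclass
class Driver:
    name: str
    md5: str
    path: str


@dataclass
class Finding:
    name: str
    path: str = ""
    md5: str = ""
    reason: str = ""   # e.g. "NoAccess": why the file looked suspicious
    verdict: str = ""  # e.g. "Locked file": what TDSSKiller concluded


@dataclass
class Report:
    drivers: dict[str, Driver] = field(default_factory=dict)  # name -> Driver
    findings: list[Finding] = field(default_factory=list)     # in log order
    skipped: int = 0                                          # lines matching no pattern


def _get_finding(report: Report, index: dict[str, Finding], name: str, path: str = "", md5: str = "") -> Finding:
    """Return the finding for `name`, creating and registering it on first sight."""
    f = index.get(name)
    if f is None:
        f = Finding(name=name, path=path, md5=md5)
        index[name] = f
        report.findings.append(f)
    return f


def parse_report(text: str) -> Report:
    report = Report()
    index: dict[str, Finding] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUSPICIOUS_RE.match(line):
            # The suspicious line names only the path; recover the driver name
            # from the hashed-driver line that precedes it (case-insensitive path).
            path = m["path"]
            name = next((d.name for d in report.drivers.values()
                         if d.path.lower() == path.lower()), path)
            f = _get_finding(report, index, name, path, m["md5"])
            f.reason = m["reason"]
        elif m := VERDICT_RE.match(line):
            d = report.drivers.get(m["name"])
            f = _get_finding(report, index, m["name"],
                             d.path if d else "", d.md5 if d else "")
            f.verdict = m["verdict"]
        elif m := DRIVER_RE.match(line):
            report.drivers[m["name"]] = Driver(m["name"], m["md5"], m["path"])
        else:
            report.skipped += 1  # banner, SystemInfo, separators, etc.
    return report


def summarize(report: Report) -> list[str]:
    """One header line plus one line per finding, ready to paste or grep."""
    lines = [f"{len(report.drivers)} drivers hashed, {len(report.findings)} finding(s), "
             f"{report.skipped} other line(s)"]
    for f in report.findings:
        lines.append(f"{f.name}: {f.verdict or 'no verdict'} "
                     f"({f.reason or 'no reason'}) {f.path} md5={f.md5}")
    return lines


def find_reports(root: str = "C:\\") -> list[Path]:
    """Locate TDSSKiller.[Version]_[Date]_[Time]_log.txt files under `root`
    (assumption: the drive root, where the post says the file lands after a reboot)."""
    base = Path(root)
    if not base.is_dir():
        return []
    return sorted(base.glob("TDSSKiller.*_log.txt"))


# Sample input: lines copied from the report posted later in this thread.
SAMPLE_REPORT = r"""
2011/01/05 21:01:49.0576 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/05 21:02:12.0835 Scan started
2011/01/05 21:02:14.0037 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/01/05 21:02:16.0564 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/01/05 21:03:20.0992 sptd (d390675b8ce45e5fb359338e5e649329) C:\Windows\system32\Drivers\sptd.sys
2011/01/05 21:03:20.0992 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: d390675b8ce45e5fb359338e5e649329
2011/01/05 21:03:21.0007 sptd - detected Locked file (1)
2011/01/05 21:03:21.0756 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_report(SAMPLE_REPORT))))
```

A "Locked file" verdict with reason NoAccess means the scanner could not read the file, not that it identified a rootkit; that is why the post leaves the default action for a suspicious file at Skip, and why the script lists such entries for the helper rather than acting on them. The sptd.sys entry in the log below is the usual case of this: it is the disc-emulation driver shipped with Daemon Tools and Alcohol 120%, which blocks reads of its own image.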

#11 rogerroger

  • Topic Starter


Posted 05 January 2011 - 11:39 PM

Here's the TDSSKiller Log:

2011/01/05 21:01:49.0576 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2011/01/05 21:01:49.0576 ================================================================================
2011/01/05 21:01:49.0576 SystemInfo:
2011/01/05 21:01:49.0576
2011/01/05 21:01:49.0576 OS Version: 6.0.6002 ServicePack: 2.0
2011/01/05 21:01:49.0576 Product type: Workstation
2011/01/05 21:01:49.0576 ComputerName: TONY-PC
2011/01/05 21:01:49.0576 UserName: TONY
2011/01/05 21:01:49.0591 Windows directory: C:\Windows
2011/01/05 21:01:49.0591 System windows directory: C:\Windows
2011/01/05 21:01:49.0591 Processor architecture: Intel x86
2011/01/05 21:01:49.0591 Number of processors: 2
2011/01/05 21:01:49.0591 Page size: 0x1000
2011/01/05 21:01:49.0591 Boot type: Normal boot
2011/01/05 21:01:49.0591 ================================================================================
2011/01/05 21:01:56.0705 Initialize success
2011/01/05 21:02:12.0835 ================================================================================
2011/01/05 21:02:12.0835 Scan started
2011/01/05 21:02:12.0835 Mode: Manual;
2011/01/05 21:02:12.0835 ================================================================================
2011/01/05 21:02:14.0037 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/01/05 21:02:14.0411 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/01/05 21:02:14.0863 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/01/05 21:02:15.0409 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/01/05 21:02:15.0924 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/01/05 21:02:16.0564 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/01/05 21:02:16.0954 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\Windows\system32\DRIVERS\AGRSM.sys
2011/01/05 21:02:17.0125 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2011/01/05 21:02:17.0188 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/01/05 21:02:17.0625 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2011/01/05 21:02:17.0983 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/01/05 21:02:18.0670 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2011/01/05 21:02:18.0873 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/01/05 21:02:19.0029 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2011/01/05 21:02:19.0341 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/01/05 21:02:19.0668 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/01/05 21:02:19.0902 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/01/05 21:02:19.0996 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/01/05 21:02:20.0604 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/01/05 21:02:21.0275 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2011/01/05 21:02:21.0681 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/01/05 21:02:22.0164 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/01/05 21:02:23.0022 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/01/05 21:02:24.0067 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/01/05 21:02:24.0379 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/01/05 21:02:24.0957 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/01/05 21:02:25.0066 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/01/05 21:02:25.0830 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/01/05 21:02:26.0095 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/01/05 21:02:26.0751 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/01/05 21:02:26.0985 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/01/05 21:02:27.0156 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/01/05 21:02:27.0624 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2011/01/05 21:02:28.0045 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/01/05 21:02:28.0779 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/01/05 21:02:29.0028 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/01/05 21:02:29.0949 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/01/05 21:02:30.0229 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/01/05 21:02:30.0729 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/01/05 21:02:31.0165 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2011/01/05 21:02:31.0758 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/01/05 21:02:32.0039 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/01/05 21:02:32.0335 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/01/05 21:02:32.0632 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/01/05 21:02:33.0084 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/01/05 21:02:33.0318 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/01/05 21:02:33.0739 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/01/05 21:02:34.0098 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/01/05 21:02:34.0675 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/01/05 21:02:35.0081 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/01/05 21:02:35.0440 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/01/05 21:02:36.0111 FwLnk (cbc22823628544735625b280665e434e) C:\Windows\system32\DRIVERS\FwLnk.sys
2011/01/05 21:02:36.0469 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/01/05 21:02:37.0109 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
2011/01/05 21:02:37.0546 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/01/05 21:02:38.0107 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/01/05 21:02:38.0622 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/01/05 21:02:39.0137 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/01/05 21:02:39.0699 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/01/05 21:02:40.0260 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/01/05 21:02:40.0837 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/01/05 21:02:41.0181 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/01/05 21:02:41.0742 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/01/05 21:02:42.0366 igfx (038815297078d236d8cc064c295a74c6) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/01/05 21:02:42.0865 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/01/05 21:02:43.0396 IntcAzAudAddService (544fcaf4cf73c6ef6a83747cb9274177) C:\Windows\system32\drivers\RTKVHDA.sys
2011/01/05 21:02:43.0801 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/01/05 21:02:44.0238 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/01/05 21:02:45.0049 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/01/05 21:02:45.0361 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/01/05 21:02:45.0502 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/01/05 21:02:46.0157 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/01/05 21:02:46.0422 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/01/05 21:02:47.0171 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/01/05 21:02:47.0452 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/01/05 21:02:47.0842 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/01/05 21:02:48.0357 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/01/05 21:02:48.0809 kbdhid (d2600cb17b7408b4a83f231dc9a11ac3) C:\Windows\system32\drivers\kbdhid.sys
2011/01/05 21:02:49.0386 KR10I (e8ca038f51f7761bd6e3a3b0b8014263) C:\Windows\system32\drivers\kr10i.sys
2011/01/05 21:02:49.0932 KR10N (6a4adb9186dd0e114e623daf57e42b31) C:\Windows\system32\drivers\kr10n.sys
2011/01/05 21:02:50.0244 KR3NPXP (485e005cd51ff502fb16483eb4b69c17) C:\Windows\system32\drivers\kr3npxp.sys
2011/01/05 21:02:50.0603 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/01/05 21:02:51.0289 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/01/05 21:02:51.0570 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/01/05 21:02:52.0319 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/01/05 21:02:52.0803 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/01/05 21:02:53.0349 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/01/05 21:02:53.0661 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\Windows\system32\DRIVERS\mcdbus.sys
2011/01/05 21:02:54.0035 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/01/05 21:02:54.0456 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/01/05 21:02:54.0784 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/01/05 21:02:55.0252 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/01/05 21:02:55.0470 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/01/05 21:02:55.0564 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/01/05 21:02:55.0907 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/01/05 21:02:56.0157 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/01/05 21:02:56.0375 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/01/05 21:02:56.0484 MREMP50 (80b2ec735495823ae5771a5f603e73bd) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/01/05 21:02:56.0562 MRESP50 (37d7c22f7e26da90e2d2d260e5d27846) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/01/05 21:02:56.0749 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/01/05 21:02:56.0905 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/01/05 21:02:56.0999 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/01/05 21:02:57.0061 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/01/05 21:02:57.0233 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
2011/01/05 21:02:57.0342 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/01/05 21:02:57.0529 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/01/05 21:02:57.0607 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/01/05 21:02:58.0075 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/01/05 21:02:58.0216 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/01/05 21:02:58.0481 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/01/05 21:02:58.0668 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/01/05 21:02:59.0121 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/01/05 21:02:59.0495 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/01/05 21:03:00.0072 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/01/05 21:03:00.0400 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/01/05 21:03:00.0712 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/01/05 21:03:00.0930 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/01/05 21:03:01.0258 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/01/05 21:03:01.0554 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/01/05 21:03:01.0695 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/01/05 21:03:01.0882 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/01/05 21:03:02.0272 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/01/05 21:03:02.0631 NETw4v32 (6522dd40a5f67ced020bd81b856613fb) C:\Windows\system32\DRIVERS\NETw4v32.sys
2011/01/05 21:03:03.0145 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/01/05 21:03:03.0457 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/01/05 21:03:03.0645 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/01/05 21:03:04.0409 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/01/05 21:03:04.0799 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/01/05 21:03:05.0298 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/01/05 21:03:05.0548 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/01/05 21:03:05.0688 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/01/05 21:03:06.0109 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2011/01/05 21:03:06.0733 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/01/05 21:03:07.0264 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/01/05 21:03:07.0513 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/01/05 21:03:07.0591 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/01/05 21:03:07.0841 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/01/05 21:03:07.0966 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
2011/01/05 21:03:08.0449 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/01/05 21:03:09.0027 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/01/05 21:03:09.0541 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/01/05 21:03:09.0713 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/01/05 21:03:10.0212 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/01/05 21:03:10.0555 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\Windows\system32\Drivers\PxHelp20.sys
2011/01/05 21:03:10.0992 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/01/05 21:03:11.0538 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/01/05 21:03:11.0788 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/01/05 21:03:12.0318 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/01/05 21:03:12.0708 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/01/05 21:03:13.0005 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/01/05 21:03:13.0582 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/01/05 21:03:13.0831 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/01/05 21:03:14.0565 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/01/05 21:03:14.0923 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/01/05 21:03:15.0173 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/01/05 21:03:15.0282 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/01/05 21:03:15.0781 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/01/05 21:03:16.0702 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/01/05 21:03:17.0295 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
2011/01/05 21:03:17.0887 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/01/05 21:03:18.0106 Ser2pl (bdee4dcb4790f254528f1fd7bad213b3) C:\Windows\system32\DRIVERS\ser2pl.sys
2011/01/05 21:03:18.0387 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\DRIVERS\serenum.sys
2011/01/05 21:03:18.0589 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/01/05 21:03:18.0933 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/01/05 21:03:19.0494 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/01/05 21:03:19.0837 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/01/05 21:03:19.0931 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/01/05 21:03:20.0056 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/01/05 21:03:20.0196 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/01/05 21:03:20.0290 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/01/05 21:03:20.0368 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/01/05 21:03:20.0617 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/01/05 21:03:20.0711 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/01/05 21:03:20.0992 sptd (d390675b8ce45e5fb359338e5e649329) C:\Windows\system32\Drivers\sptd.sys
2011/01/05 21:03:20.0992 Suspicious file (NoAccess): C:\Windows\system32\Drivers\sptd.sys. md5: d390675b8ce45e5fb359338e5e649329
2011/01/05 21:03:21.0007 sptd - detected Locked file (1)
2011/01/05 21:03:21.0756 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2011/01/05 21:03:21.0959 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2011/01/05 21:03:22.0567 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2011/01/05 21:03:23.0394 StillCam (7a95b5deb594616f1693486b8161411e) C:\Windows\system32\DRIVERS\serscan.sys
2011/01/05 21:03:24.0003 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/01/05 21:03:24.0549 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/01/05 21:03:24.0845 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/01/05 21:03:24.0970 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/01/05 21:03:25.0329 SynTP (70534d1e4f9ac990536d5fb5b550b3de) C:\Windows\system32\DRIVERS\SynTP.sys
2011/01/05 21:03:26.0639 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/01/05 21:03:27.0403 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/01/05 21:03:27.0918 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/01/05 21:03:28.0714 tdcmdpst (1825bceb47bf41c5a9f0e44de82fc27a) C:\Windows\system32\DRIVERS\tdcmdpst.sys
2011/01/05 21:03:29.0322 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/01/05 21:03:29.0556 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/01/05 21:03:29.0853 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/01/05 21:03:30.0211 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/01/05 21:03:30.0633 tifm21 (e4c85c291ddb3dc5e4a2f227ca465ba6) C:\Windows\system32\drivers\tifm21.sys
2011/01/05 21:03:31.0069 toshidpt (e362d54fd394999c4178936396664e57) C:\Windows\system32\drivers\Toshidpt.sys
2011/01/05 21:03:31.0225 tosporte (8d624d3bd1f2d78bd1c01a2d4e954b4e) C:\Windows\system32\DRIVERS\tosporte.sys
2011/01/05 21:03:31.0912 Tosrfbd (eaeddb6c8bbe3e1b753753c2e847fecb) C:\Windows\system32\DRIVERS\tosrfbd.sys
2011/01/05 21:03:32.0099 tosrfbnp (90c8525bc578aaffe87c2d0ed4379e9e) C:\Windows\system32\Drivers\tosrfbnp.sys
2011/01/05 21:03:32.0224 Tosrfcom (5ba1ca3b3cddb1ddc67df473f05d1ec2) C:\Windows\system32\Drivers\tosrfcom.sys
2011/01/05 21:03:32.0676 Tosrfhid (7c807ba9660e2995cc0217a14a24094c) C:\Windows\system32\DRIVERS\Tosrfhid.sys
2011/01/05 21:03:32.0941 tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\Windows\system32\DRIVERS\tosrfnds.sys
2011/01/05 21:03:33.0019 TosRfSnd (a4ce9572bc4ac8d329455059b43c5bea) C:\Windows\system32\drivers\tosrfsnd.sys
2011/01/05 21:03:33.0519 Tosrfusb (602818649c84eb774d6971da65f79cc8) C:\Windows\system32\DRIVERS\tosrfusb.sys
2011/01/05 21:03:33.0955 tos_sps32 (1ea5f27c29405bf49799feca77186da9) C:\Windows\system32\DRIVERS\tos_sps32.sys
2011/01/05 21:03:34.0189 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/01/05 21:03:34.0517 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/01/05 21:03:34.0767 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/01/05 21:03:34.0938 TVALZ (792a8b80f8188aba4b2be271583f3e46) C:\Windows\system32\DRIVERS\TVALZ_O.SYS
2011/01/05 21:03:35.0188 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/01/05 21:03:35.0484 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/01/05 21:03:35.0999 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/01/05 21:03:36.0233 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/01/05 21:03:37.0138 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/01/05 21:03:38.0027 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/01/05 21:03:38.0386 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/01/05 21:03:38.0916 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\Windows\system32\Drivers\usbaapl.sys
2011/01/05 21:03:39.0291 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/01/05 21:03:39.0353 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/01/05 21:03:39.0525 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/01/05 21:03:39.0618 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/01/05 21:03:39.0696 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/01/05 21:03:39.0837 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/01/05 21:03:39.0961 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/01/05 21:03:40.0445 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/01/05 21:03:40.0819 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2011/01/05 21:03:40.0929 UVCFTR (3b929a72aaea96dc0150d3a6da268c89) C:\Windows\system32\Drivers\UVCFTR_S.SYS
2011/01/05 21:03:41.0007 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/01/05 21:03:41.0053 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/01/05 21:03:41.0194 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/01/05 21:03:41.0272 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/01/05 21:03:41.0334 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/01/05 21:03:41.0459 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/01/05 21:03:41.0584 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/01/05 21:03:41.0740 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/01/05 21:03:41.0865 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/01/05 21:03:41.0990 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/01/05 21:03:42.0115 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/01/05 21:03:42.0161 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/01/05 21:03:42.0302 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/01/05 21:03:42.0380 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
2011/01/05 21:03:42.0536 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/01/05 21:03:42.0770 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2011/01/05 21:03:42.0895 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/01/05 21:03:42.0957 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/01/05 21:03:43.0129 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/01/05 21:03:43.0222 yukonwlh (1dd951cf8a69fa2bea82f3e3a811fa95) C:\Windows\system32\DRIVERS\yk60x86.sys
2011/01/05 21:03:43.0425 ================================================================================
2011/01/05 21:03:43.0425 Scan finished
2011/01/05 21:03:43.0425 ================================================================================
2011/01/05 21:03:43.0456 Detected object count: 1
2011/01/05 21:04:01.0749 Locked file(sptd) - User select action: Skip
2011/01/05 21:04:12.0053 Deinitialize success


TDSS didn't find anything. But, when I turned on Windows Defender (after having disabled it for ComboFix), it detected Trojan Unruy still on my computer. Also, the IE pop-ups that had previously disappeared before the new year have begun again. And the computer shows notices that say hik116.exe has stopped working--a program I don't recognize and that a Google search says is malware.

Hope this helps.

Edited by rogerroger, 06 January 2011 - 12:13 AM.


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 January 2011 - 05:55 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

RenV::
c:\program files\r2 Studios\Startup Delayer\Startup Launcher GUI .exe
c:\program files\Toshiba\FlashCards\TCrdMain .exe
c:\program files\Toshiba\Power Saver\TPwrMain .exe
c:\program files\Toshiba\SmoothView\SmoothView .exe
c:\program files\Toshiba\TBS\HSON .exe
c:\program files\Windows Live\Messenger\msnmsgr .exe

Folder::
c:\program files\Search Toolbar


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 rogerroger

rogerroger
  • Topic Starter

  • Members
  • 12 posts

Posted 06 January 2011 - 07:08 PM

Hey gringo,

Here's the newest ComboFix log:


ComboFix 11-01-04.01 - TONY 01/06/2011 13:25:27.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3062.2018 [GMT -8:00]
Running from: c:\users\TONY\Desktop\ComboFix.exe
Command switches used :: c:\users\TONY\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\CRxSk24Q.exe
c:\programdata\CRxSk24Q.exe_
c:\users\TONY\AppData\Roaming\Laloa\alaxi.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-06 to 2011-01-06 )))))))))))))))))))))))))))))))
.

2011-01-06 21:33 . 2011-01-06 21:33 -------- d-----w- c:\users\TONY\AppData\Local\temp
2011-01-06 21:33 . 2011-01-06 21:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-01-05 20:32 . 2010-11-10 04:33 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D966654A-1B44-4816-A934-EE51C67CDA6B}\mpengine.dll
2010-12-24 23:51 . 2010-12-24 23:51 -------- d-----w- c:\windows\Sun
2010-12-23 20:19 . 2011-01-04 01:04 -------- d-----w- c:\users\TONY\AppData\Roaming\Amufy
2010-12-23 20:19 . 2011-01-05 23:22 -------- d-----w- c:\users\TONY\AppData\Roaming\Laloa
2010-12-23 20:19 . 2010-12-23 20:19 173568 ----a-w- c:\users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\sageim.exe
2010-12-21 00:44 . 2010-12-21 00:44 -------- d-----w- c:\program files\Opera
2010-12-21 00:16 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
2010-12-21 00:16 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
2010-12-21 00:16 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
2010-12-21 00:16 . 2010-11-04 18:56 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2010-12-21 00:16 . 2010-11-04 18:55 352768 ----a-w- c:\windows\system32\taskschd.dll
2010-12-21 00:16 . 2010-11-04 18:55 601600 ----a-w- c:\windows\system32\schedsvc.dll
2010-12-21 00:16 . 2010-11-04 16:34 171520 ----a-w- c:\windows\system32\taskeng.exe
2010-12-21 00:16 . 2010-11-04 18:55 270336 ----a-w- c:\windows\system32\taskcomp.dll
2010-12-21 00:15 . 2010-10-18 13:37 81920 ----a-w- c:\windows\system32\consent.exe
2010-12-21 00:15 . 2010-10-21 20:08 834048 ----a-w- c:\windows\system32\wininet.dll
2010-12-21 00:15 . 2010-10-21 18:30 389632 ----a-w- c:\windows\system32\html.iec
2010-12-21 00:15 . 2010-10-20 17:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-21 00:14 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
2010-12-21 00:13 . 2010-11-03 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-12-21 00:12 . 2010-10-28 15:44 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-12-21 00:12 . 2010-10-28 13:27 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-21 00:12 . 2010-06-16 15:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2010-12-21 00:12 . 2010-10-18 13:31 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-12-21 00:12 . 2010-05-04 19:13 231424 ----a-w- c:\windows\system32\msshsq.dll
2010-12-18 07:11 . 2010-12-18 07:11 -------- d-----w- c:\users\TONY\AppData\Local\Opera
2010-12-12 21:06 . 2010-12-12 21:06 -------- d-----w- c:\windows\system32\RTCOM
2010-12-12 20:53 . 2010-12-12 21:07 -------- d--h--w- c:\program files\Temp
2010-12-12 20:23 . 2010-12-20 21:52 -------- d-----w- c:\users\TONY\AppData\Roaming\IObit
2010-12-12 20:22 . 2010-12-20 21:52 -------- d-----w- c:\program files\IObit
2010-12-12 20:22 . 2010-12-12 20:22 -------- d-----w- c:\programdata\IObit
2010-12-11 05:35 . 2010-12-11 05:35 -------- d-----w- c:\users\TONY\AppData\Local\Western_Digital
2010-12-11 05:34 . 2010-12-20 21:52 -------- d-----w- c:\users\TONY\AppData\Roaming\Western Digital
2010-12-11 05:34 . 2010-12-11 05:34 -------- d-----w- c:\programdata\Western Digital
2010-12-11 05:32 . 2010-12-11 05:32 -------- d-----w- c:\program files\Western Digital
2010-12-11 05:29 . 2010-12-11 05:29 -------- d-----w- c:\users\TONY\AppData\Local\Western Digital
2010-12-10 06:13 . 2010-12-10 06:13 644360 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-12 21:04 . 2007-11-12 23:34 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-11-13 02:53 . 2010-04-20 06:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-19 18:41 . 2010-01-16 19:05 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-15 05:53 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2010-10-15 05:53 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-16 167368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2010-11-30 9914984]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"NACAgentUI"="c:\program files\Cisco\Cisco NAC Agent\NACAgentUI.exe" [2010-02-06 454400]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]

c:\users\TONY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-10-27 576000]
OneNote Table Of Contents.onetoc2 [2008-4-6 3656]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-11-13 2057536]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
sageim.exe [2010-12-23 173568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^TONY^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\TONY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2009-03-12 17:55 342848 ----a-w- c:\users\TONY\Program Files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Camera Assistant Software]
2007-05-22 18:50 413696 ----a-w- c:\program files\Camera Assistant Software for Toshiba\traybar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2008-03-27 15:04 107176 ----a-w- c:\program files\Lexmark Z2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-12-11 04:52 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdqmon.exe]
2008-03-27 15:04 656040 ----a-w- c:\program files\Lexmark Z2400 Series\lxdqmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-09-23 07:47 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-01-26 23:31 2144088 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-11 18:56 185872 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 CWMonitor;Symantec Crimeware Protection Driver;c:\program files\Common Files\Symantec Shared\coShared\CW\1.5\CO_Mon.sys [x]
R2 lxdqCATSCustConnectService;lxdqCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe [2009-04-28 94208]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\UP_date\PEDrv.sys [x]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2009-02-13 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-02-15 685816]
S2 lxdq_device;lxdq_device;c:\windows\system32\lxdqcoms.exe [2008-02-27 594600]
S2 NACAgent;Cisco NAC Agent;c:\program files\Cisco\Cisco NAC Agent\NACAgent.exe [2010-02-06 742144]
S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [2009-11-13 110592]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [2009-06-16 20480]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Juggler - c:\program files\Juggler.v.0.5.3.0.Exe\Juggler.exe
HKCU-Run-{CE8CF614-25D0-B33D-7325-94A7C946A7A4} - c:\users\TONY\AppData\Roaming\Laloa\alaxi.exe
HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
HKLM-Run-HSON - %ProgramFiles%\TOSHIBA\TBS\HSON.exe
HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-SBC_McciTrayApp - c:\program files\AT&T\Self Support Tool\ATTTray.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-06 13:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000\Software\G*e*n*i*e*"!\FM Genie Scout 10]
"GameDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2010\\games"
"ShortlistDir"=""
"ScreenshotsDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2010"
"SaveDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2010\\"
"HistoryDir"="c:\\Users\\TONY\\Desktop\\fm_genie_scout_10_rc2\\FM Genie Scout 10\\History Points"
"LangDB"=""
"LastSaveGame"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2010\\games\\usetj.fm"
"Language"="English"
"LoadLangDB"=dword:00000000
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Steklo Black"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:0000006f
"UniqueID"="94-8600-E62F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000\Software\G*e*n*i*e*"!\FM Genie Scout 2009 XE]
"GameDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2009\\games"
"ShortlistDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2009\\shortlists"
"ScreenshotsDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2009"
"SaveDir"="c:\\Users\\TONY\\Documents\\Sports Interactive\\Football Manager 2009\\"
"HistoryDir"="c:\\Users\\TONY\\Desktop\\fm_genie_scout_2009_xe_209\\FM Genie Scout 2009 XE\\History Points"
"LangDB"=""
"LastSaveGame"=""
"Language"="English"
"LoadLangDB"=dword:00000000
"CompressHistoryPoints"=dword:00000000
"HighlightedAttributes"=dword:00000000
"MinCondition"=dword:00000050
"GraphStep"=dword:00000000
"SkinName"="Champions League"
"LastUpdateCheck"=dword:00000000
"HighQualityGUI"=dword:00000001
"AutomaticallyUpdateCheck"=dword:00000001
"AdvancedGeneration"=dword:00000000
"TranslateStaffSkills"=dword:00000001
"TranslatePlayerSkills"=dword:00000001
"TranslatePositions"=dword:00000001
"ShowHistory"=dword:00000001
"Version"=dword:00000067
"UniqueID"="94-8600-E62F"
"UseProxy"=dword:00000000
"ProxyHost"=""
"ProxyPort"=""
"UseAuthentication"=dword:00000000
"UserName"=""
"UserPassword"=""
"Currency"=dword:00000056

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*4*\OpenWithList]
@Class="Shell"
"a"="firefox.exe"
"MRUList"="ba"
"b"="zplayer.exe"

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*m*p*4*\OpenWithProgids]
"?mp4_auto_file"=hex(0):

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000_Classes\m*p*4*_*a*u*t*o*_*f*i*l*e*\shell]
@="open"

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000_Classes\m*p*4*_*a*u*t*o*_*f*i*l*e*\shell\open]
@="&Open"
"FriendlyAppName"="Zoom Player"

[HKEY_USERS\S-1-5-21-270148995-1806615551-3892916511-1000_Classes\m*p*4*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@="\"c:\\Program Files\\Combined Community Codec Pack\\Zoom Player\\zplayer.exe\" \"%L\""
DUMPHIVE0.003 (REGF)

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2011-01-06 13:35:32
ComboFix-quarantined-files.txt 2011-01-06 21:35
ComboFix2.txt 2011-01-05 23:25

Pre-Run: 21,866,344,448 bytes free
Post-Run: 21,831,774,208 bytes free

- - End Of File - - D077524DF2CDB2BB54CDCF961BD69974


With that finished, I haven't had anything out of the ordinary happen with my computer and I haven't seen any unusual processes under Task Manager. Thank you so much!

But is there anything I can do to double-check and make sure there's no malware still hidden on my computer?

All the best,
rogerroger
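The CFScript in post #12 renames executables whose names carry a space before the extension (the RenV:: list), and the log above shows two more traits worth a second look: a Run value named with a bare GUID (the orphan that launched alaxi.exe from AppData\Roaming) and a bare .exe sitting in a Startup folder (sageim.exe). As an added example, not part of this thread and not ComboFix's own code, the following Python script triages the "Reg Loading Points" section of a ComboFix log for those three patterns; the sample log is constructed to mirror the one posted, and the parsing rules are assumptions about the log layout shown here.

```python
r"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread (not ComboFix's own code). It flags the three
persistence traits visible in the CFScript and the log above:
  1. a file name with a space before its extension ("TCrdMain .exe"), the
     entries the RenV:: directive renames back;
  2. a Run value named with a bare GUID, like the orphan that pointed at
     c:\users\TONY\AppData\Roaming\Laloa\alaxi.exe;
  3. an executable launched from a user profile (AppData\Roaming), which
     includes a bare .exe dropped into a Startup folder, like sageim.exe.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the posted log; it is not the real file.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-08-16 167368]
"{CE8CF614-25D0-B33D-7325-94A7C946A7A4}"="c:\users\TONY\AppData\Roaming\Laloa\alaxi.exe" [2010-12-23 173568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain .exe" [2007-05-23 538744]

c:\users\TONY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-10-27 576000]

c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
sageim.exe [2010-12-23 173568]
"""

KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")              # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')  # "Name"="path" [...]
FOLDER_RE = re.compile(r"^(?P<folder>[A-Za-z]:\\.*\\)$")         # startup folder header
ITEM_RE = re.compile(r"^(?P<name>.+?)(?:\s+-\s+(?P<path>.+?))?\s+\[[^\]]*\]$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SPACE_EXT_RE = re.compile(r"\s\.(?:exe|dll|scr|com|bat|cmd)$", re.IGNORECASE)
PROFILE_MARKER = "\\appdata\\roaming\\"


@dataclass(frozen=True)
class Finding:
    location: str  # registry key or startup folder the entry lives in
    name: str      # value name (registry) or file name (startup folder)
    path: str      # what actually gets launched
    reason: str


def reasons(name, path):
    """Yield one explanation per suspicious trait of an autostart entry."""
    base = path.rsplit("\\", 1)[-1]
    low = path.lower()
    if SPACE_EXT_RE.search(base):
        yield "file name has a space before its extension (cf. RenV::)"
    if GUID_RE.match(name):
        yield "autostart value is named with a bare GUID"
    if PROFILE_MARKER in low and low.endswith(".exe"):
        yield "executable runs from a user profile (AppData\\Roaming)"


def triage(log_text):
    """Return a Finding for every suspicious trait of every autostart entry."""
    findings = []
    location, in_folder = None, False
    for line in log_text.splitlines():
        line = line.rstrip()
        if not line:                    # a blank line ends a startup-folder block
            in_folder = False
            continue
        if m := KEY_RE.match(line):
            location, in_folder = m.group("key"), False
            continue
        if m := FOLDER_RE.match(line):
            location, in_folder = m.group("folder"), True
            continue
        if in_folder:
            m = ITEM_RE.match(line)
            if not m:
                continue
            name = m.group("name")
            path = m.group("path") or location + name  # bare file inside the folder
        else:
            m = VALUE_RE.match(line)
            if not m or location is None:
                continue
            name, path = m.group("name"), m.group("path")
        findings.extend(Finding(location, name, path, r) for r in reasons(name, path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.location}\n  {f.name} -> {f.path}\n  {f.reason}")
```

Running it on the constructed sample reports four findings: two for the GUID-named value, one for "TCrdMain .exe" and one for sageim.exe in the Default User Startup folder, while the legitimate DAEMON Tools, IgfxTray and MagicDisc entries stay quiet.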

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 January 2011 - 07:17 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8.1.2
Java™ 6 Update 2


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#15 rogerroger (Topic Starter, Members, 12 posts)

Posted 07 January 2011 - 06:44 PM

Hey hey.

Here's the MBAM Log:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

1/6/2011 8:39:25 PM
mbam-log-2011-01-06 (20-39-25).txt

Scan type: Quick scan
Objects scanned: 146009
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{52794457-af6c-4c50-9def-f2e24f4c8889} (PUP.WhiteSmoke) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:14:39 PM, on 1/7/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [00TCrdMain] C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NACAgentUI] C:\Program Files\Cisco\Cisco NAC Agent\NACAgentUI.exe
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - .DEFAULT User Startup: sageim.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: WDDMStatus.lnk = C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_23.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_23.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/resources/VistaMSNPUplden-us.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxdqCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxdqserv.exe
O23 - Service: lxdq_device - - C:\Windows\system32\lxdqcoms.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Cisco NAC Agent (NACAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco NAC Agent\NACAgent.exe
O23 - Service: pinger - Unknown owner - C:\TOSHIBA\IVP\ISM\pinger.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WD SmartWare Drive Manager (WDDMService) - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD SmartWare Background Service (WDSmartWareBackgroundService) - Memeo - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

--
End of file - 8083 bytes


The computer hasn't been doing anything unusual.

Thanks.



