Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Redirecting Links, possible infection


  • This topic is locked This topic is locked
26 replies to this topic

#1 Roburt

Roburt

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 25 December 2010 - 12:06 AM

I can't be sure how an infection might have happened, as I am so very careful where I go on the web since building this custom rig. I have made a few changes to my machine since I have been noticing the redirects so I cannot pinpoint what change may have left me vurlnerable. I have created (but not posted per instructions) a HijackThis log and mulled over the entries trying to figure out where the issue might be, using the Internet as a resource but I cannot truly find decent answers telling me what to delete, what is good, what is bad, etc. One site will say the lines ending in "missing file" are okay while others say they are not...among other things.

Two things that stick out the most in my mind are:
1.) I had to patch my system to effectively use windowblinds (so I was lead to believe). Maybe this patch left me open to attacks?
2.) My girlfriend called me while I was at work once and said the computer was telling me I had five viruses. I was amazed and told her not to do anything. She said she clicked the button that said "click here to fix" and promises she then clicked cancel on the next pop up window. Upon getting home I saw that the screen she was looking at was actually a browser window made to look like an XP style "My Computer" window. I think she may have clicked beyond and is scared to say... (she is only allowed on facebook on this machine now until I teach her all I know of computers!)

I have ran various scans with no luck in finding anything. Occasional tracking cookies, the same 1 or 2.

Sorry for all the info, trying to be as thorough as possible.

Anyway, here are the logs. GMER will not work on my system as it is 64bit. I can only hope this will be a quick fix for both you all and me as well. Thank you in advance.



DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Robert at 22:41:11.15 on Fri 12/24/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.8190.6678 [GMT -6:00]

AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\PROGRA~2\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe
C:\PROGRA~2\Stardock\OBJECT~1\WINDOW~1\WBVista.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\EVGA Precision\EVGAPrecision.exe
C:\Program Files\ASUS\TurboV EVO\TurboVHELP.exe
C:\Windows\system32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\WMPSideShowGadget.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Logitech\GamePanel Software\LGDevAgt.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\regsvr32.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDPop3.exe
C:\Program Files\Logitech\GamePanel Software\Applets\LCDMedia.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\EVGA Precision\Bundle\OSDServer\RTSS.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\taskhost.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\AUDIODG.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Robert\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://yahoo.com/
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20101102225905.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\PROGRA~2\mcafee\SITEAD~1\mcieplg.dll
uRun: [ShellName] regsvr32 /s /u "C:\Users\Robert\AppData\Local\Shell\ShellName.dll"
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
mRun: [HDAudDeck] C:\Program Files (x86)\VIA\VIAudioi\VDeck\VDeck.exe -r
mRun: [GrooveMonitor] "C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
StartupFolder: C:\Users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CurseClientStartup.ccip
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~2\McAfee\SITEAD~1\McIEPlg.dll
Notify: WBSrv - C:\PROGRA~2\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll
BHO-X64: McAfee Phishing Filter: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\MSKAPB~1.DLL
BHO-X64: McAfee Phishing Filter - No File
BHO-X64: scriptproxy: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101102225905.dll
BHO-X64: scriptproxy - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: McAfee SiteAdvisor BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
TB-X64: McAfee SiteAdvisor Toolbar: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll
mRun-x64: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
mRun-x64: [Launch LgDeviceAgent] "C:\Program Files\Logitech\GamePanel Software\LgDevAgt.exe"
mRun-x64: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
mRun-x64: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;C:\Windows\System32\drivers\mfehidk.sys [2010-4-14 529128]
R0 mfewfpk;McAfee Inc. mfewfpk;C:\Windows\System32\drivers\mfewfpk.sys [2010-7-2 283360]
R1 mfenlfk;McAfee NDIS Light Filter;C:\Windows\System32\drivers\mfenlfk.sys [2010-7-2 75032]
R1 MOBKFilter;MOBKFilter;C:\Windows\System32\drivers\MOBK.sys [2010-7-2 66040]
R2 AsSysCtrlService;ASUS System Control Service;C:\Program Files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2010-7-2 90112]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-7-2 355440]
R2 McMPFSvc;McAfee Personal Firewall Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-7-2 355440]
R2 McNaiAnn;McAfee VirusScan Announcer;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-7-2 355440]
R2 McProxy;McAfee Proxy Service;"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [2010-7-2 355440]
R2 McShield;McShield;C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe [2010-7-2 200056]
R2 mfefire;McAfee Firewall Core Service;C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe [2010-7-2 245352]
R2 mfevtp;McAfee Validation Trust Protection Service;C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-7-2 149032]
R2 MOBKbackup;McAfee Online Backup;C:\Program Files (x86)\McAfee Online Backup\MOBKbackup.exe [2010-4-13 231224]
R3 cfwids;McAfee Inc. cfwids;C:\Windows\System32\drivers\cfwids.sys [2010-7-2 62800]
R3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;C:\Windows\System32\drivers\LGBusEnum.sys [2009-11-23 22408]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;C:\Windows\System32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 mfeavfk;McAfee Inc. mfeavfk;C:\Windows\System32\drivers\mfeavfk.sys [2010-7-2 190136]
R3 mfefirek;McAfee Inc. mfefirek;C:\Windows\System32\drivers\mfefirek.sys [2010-7-2 441328]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\System32\drivers\nvhda64v.sys [2010-7-2 86120]
R3 RTCore64;RTCore64;C:\Program Files (x86)\EVGA Precision\RTCore64.sys [2010-11-3 14440]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2010-9-23 344680]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\System32\drivers\viahduaa.sys [2010-7-2 1222144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 mferkdet;McAfee Inc. mferkdet;C:\Windows\System32\drivers\mferkdet.sys [2010-7-2 94864]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\System32\drivers\usbaapl64.sys [2010-9-28 51712]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-7-2 1255736]

=============== Created Last 30 ================

2010-12-21 02:08:52 -------- d-----w- C:\Program Files (x86)\Vuze
2010-12-19 02:06:41 -------- d-----w- C:\Program Files\iPod
2010-12-19 02:06:40 -------- d-----w- C:\Program Files\iTunes
2010-12-19 02:06:40 -------- d-----w- C:\Program Files (x86)\iTunes
2010-12-19 02:02:46 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin7.dll
2010-12-19 02:02:46 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin6.dll
2010-12-19 02:02:46 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin5.dll
2010-12-19 02:02:46 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin4.dll
2010-12-19 02:02:46 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin3.dll
2010-12-19 02:02:46 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin2.dll
2010-12-19 02:02:46 159744 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\npqtplugin.dll
2010-12-16 05:02:59 395776 ----a-w- C:\Windows\System32\webio.dll
2010-12-06 23:33:51 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2010-12-06 23:33:51 -------- d-----w- C:\PROGRA~3\Spybot - Search & Destroy
2010-12-01 03:02:42 -------- d-----w- C:\Users\Robert\AppData\Roaming\Malwarebytes
2010-12-01 03:02:37 -------- d-----w- C:\PROGRA~3\Malwarebytes
2010-12-01 03:02:34 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2010-12-01 03:02:34 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2010-11-29 23:38:30 94208 ----a-w- C:\Windows\SysWow64\QuickTimeVR.qtx
2010-11-29 23:38:30 69632 ----a-w- C:\Windows\SysWow64\QuickTime.qts
2010-11-27 04:08:40 -------- d-----w- C:\Program Files (x86)\MSXML 4.0
2010-11-25 22:42:57 -------- d-----w- C:\Program Files (x86)\Common Files\Microsoft Games
2010-11-25 22:42:51 3767504 ----a-w- C:\Windows\System32\d3dx9_26.dll
2010-11-25 22:42:51 2297552 ----a-w- C:\Windows\SysWow64\d3dx9_26.dll
2010-11-25 22:23:43 -------- d-----w- C:\Program Files (x86)\Microsoft Games

==================== Find3M ====================

2010-11-14 02:22:00 332288 ----a-w- C:\Windows\System32\uxtheme.dll
2010-11-14 02:21:55 2851328 ----a-w- C:\Windows\System32\themeui.dll
2010-11-14 02:21:53 44544 ----a-w- C:\Windows\System32\themeservice.dll
2010-11-13 00:53:06 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2010-11-04 06:35:53 1194496 ----a-w- C:\Windows\System32\wininet.dll
2010-11-04 06:31:34 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-11-04 05:52:17 978944 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-11-04 05:48:36 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-11-04 05:16:14 482816 ----a-w- C:\Windows\System32\html.iec
2010-11-04 04:41:26 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-11-04 04:35:37 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-11-04 04:08:54 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2010-11-02 05:18:17 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2010-11-02 05:17:38 473600 ----a-w- C:\Windows\System32\taskcomp.dll
2010-11-02 05:17:38 1169408 ----a-w- C:\Windows\System32\taskschd.dll
2010-11-02 05:16:53 1114624 ----a-w- C:\Windows\System32\schedsvc.dll
2010-11-02 05:10:47 464384 ----a-w- C:\Windows\System32\taskeng.exe
2010-11-02 05:10:32 285696 ----a-w- C:\Windows\System32\schtasks.exe
2010-11-02 04:40:36 496128 ----a-w- C:\Windows\SysWow64\taskschd.dll
2010-11-02 04:40:36 305152 ----a-w- C:\Windows\SysWow64\taskcomp.dll
2010-11-02 04:34:44 192000 ----a-w- C:\Windows\SysWow64\taskeng.exe
2010-11-02 04:34:33 179712 ----a-w- C:\Windows\SysWow64\schtasks.exe
2010-10-27 05:06:22 2048 ----a-w- C:\Windows\System32\tzres.dll
2010-10-27 04:32:36 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2010-10-20 05:20:01 46080 ----a-w- C:\Windows\System32\atmlib.dll
2010-10-20 04:54:18 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2010-10-20 03:09:15 3124224 ----a-w- C:\Windows\System32\win32k.sys
2010-10-20 03:05:46 367104 ----a-w- C:\Windows\System32\atmfd.dll
2010-10-20 02:58:41 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2010-10-16 05:23:13 112000 ----a-w- C:\Windows\System32\consent.exe
2010-10-16 04:36:10 314368 ----a-w- C:\Windows\SysWow64\webio.dll
2010-10-14 03:28:54 9984 ----a-w- C:\Windows\System32\drivers\mfeclnk.sys
2010-10-14 03:28:54 94864 ----a-w- C:\Windows\System32\drivers\mferkdet.sys
2010-10-14 03:28:54 75032 ----a-w- C:\Windows\System32\drivers\mfenlfk.sys
2010-10-14 03:28:54 62800 ----a-w- C:\Windows\System32\drivers\cfwids.sys
2010-10-14 03:28:54 529128 ----a-w- C:\Windows\System32\drivers\mfehidk.sys
2010-10-14 03:28:54 441328 ----a-w- C:\Windows\System32\drivers\mfefirek.sys
2010-10-14 03:28:54 283360 ----a-w- C:\Windows\System32\drivers\mfewfpk.sys
2010-10-14 03:28:54 190136 ----a-w- C:\Windows\System32\drivers\mfeavfk.sys
2010-10-14 03:28:54 121248 ----a-w- C:\Windows\System32\drivers\mfeapfk.sys
2010-09-28 21:44:52 51712 ----a-w- C:\Windows\System32\drivers\usbaapl64.sys
2010-09-28 21:44:52 4184352 ----a-w- C:\Windows\System32\usbaaplrc.dll
2010-08-11 23:51:57 3439104 ----a-w- C:\Program Files\iRinger.exe

============= FINISH: 22:41:55.74 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:27 PM

Posted 25 December 2010 - 12:21 AM

Hello

My name is gringo and I will be Helping you from this point forward

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please Do not Attach logs or put in code boxes unless I tell you so.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

If you have not done so please Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Here is the first thing I would like you to do.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Roburt

Roburt
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 25 December 2010 - 12:53 AM

I am posting this from my iPhone to let you know that:
Combofix ran.
Before doing so I disabled virus prot as best I could. Disabling all features. I knew however it would pop back up and it did.
That aside, combofix deleted one file, too fast to write it down.
Reboot, windows loads.
Preparing log report. Been here about 9 minutes.
In those 9 minutes, PEV.cfxxe stopped working. Mcafee popped up to let me know I wasn't protected. What to do from here? Combo again?

Edited by Roburt, 25 December 2010 - 12:55 AM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:27 PM

Posted 25 December 2010 - 01:03 AM

Hello

Mcafee should have been turned off - give it about ten more minutes if nothing happens restart the computer and try to run this program for me



tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 Roburt

Roburt
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 25 December 2010 - 01:25 AM

TDSS killer said no infections...good news I hope. I forgot to mention, after disabling Mcafee manually, I also went to task manager and ended the process. It isn't in the tray anymore, but still keeps warning me I am not protected. Just an fyi.

TDSS killer log:
2010/12/25 00:20:17.0746 TDSS rootkit removing tool 2.4.12.0 Dec 16 2010 09:46:46
2010/12/25 00:20:17.0746 ================================================================================
2010/12/25 00:20:17.0746 SystemInfo:
2010/12/25 00:20:17.0746
2010/12/25 00:20:17.0746 OS Version: 6.1.7600 ServicePack: 0.0
2010/12/25 00:20:17.0746 Product type: Workstation
2010/12/25 00:20:17.0746 ComputerName: BOHEMIAN
2010/12/25 00:20:17.0747 UserName: Robert
2010/12/25 00:20:17.0747 Windows directory: C:\Windows
2010/12/25 00:20:17.0747 System windows directory: C:\Windows
2010/12/25 00:20:17.0747 Running under WOW64
2010/12/25 00:20:17.0747 Processor architecture: Intel x64
2010/12/25 00:20:17.0747 Number of processors: 4
2010/12/25 00:20:17.0747 Page size: 0x1000
2010/12/25 00:20:17.0747 Boot type: Normal boot
2010/12/25 00:20:17.0747 ================================================================================
2010/12/25 00:20:17.0747 Utility is running under WOW64
2010/12/25 00:20:19.0106 Initialize success
2010/12/25 00:20:31.0734 ================================================================================
2010/12/25 00:20:31.0734 Scan started
2010/12/25 00:20:31.0734 Mode: Manual;
2010/12/25 00:20:31.0734 ================================================================================
2010/12/25 00:20:45.0128 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2010/12/25 00:20:45.0975 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2010/12/25 00:20:46.0576 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2010/12/25 00:20:47.0047 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2010/12/25 00:20:47.0833 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2010/12/25 00:20:48.0329 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2010/12/25 00:20:48.0651 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2010/12/25 00:20:49.0074 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
2010/12/25 00:20:49.0352 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
2010/12/25 00:20:50.0003 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
2010/12/25 00:20:50.0292 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2010/12/25 00:20:50.0514 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2010/12/25 00:20:50.0630 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
2010/12/25 00:20:50.0947 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2010/12/25 00:20:51.0148 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
2010/12/25 00:20:51.0476 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
2010/12/25 00:20:51.0796 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2010/12/25 00:20:51.0965 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2010/12/25 00:20:52.0147 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/12/25 00:20:52.0412 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
2010/12/25 00:20:52.0827 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2010/12/25 00:20:53.0089 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2010/12/25 00:20:53.0577 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2010/12/25 00:20:53.0802 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2010/12/25 00:20:54.0020 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2010/12/25 00:20:54.0141 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2010/12/25 00:20:54.0566 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2010/12/25 00:20:54.0659 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2010/12/25 00:20:54.0762 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2010/12/25 00:20:54.0832 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2010/12/25 00:20:55.0001 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2010/12/25 00:20:55.0177 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2010/12/25 00:20:55.0856 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/12/25 00:20:56.0333 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
2010/12/25 00:20:56.0592 cfwids (e02c9cdb15f13de4eb2ff67660e62317) C:\Windows\system32\drivers\cfwids.sys
2010/12/25 00:20:56.0700 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2010/12/25 00:20:56.0821 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2010/12/25 00:20:57.0043 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/12/25 00:20:57.0080 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
2010/12/25 00:20:57.0167 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
2010/12/25 00:20:57.0352 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2010/12/25 00:20:57.0458 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
2010/12/25 00:20:57.0555 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2010/12/25 00:20:57.0753 CSC (4a6173c2279b498cd8f57cae504564cb) C:\Windows\system32\drivers\csc.sys
2010/12/25 00:20:57.0886 dc3d (76e02db615a03801d698199a2bc4a06a) C:\Windows\system32\DRIVERS\dc3d.sys
2010/12/25 00:20:58.0069 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
2010/12/25 00:20:58.0157 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2010/12/25 00:20:58.0306 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2010/12/25 00:20:58.0458 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2010/12/25 00:20:58.0727 DXGKrnl (ebce0b0924835f635f620d19f0529dce) C:\Windows\System32\drivers\dxgkrnl.sys
2010/12/25 00:20:59.0302 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2010/12/25 00:20:59.0619 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2010/12/25 00:20:59.0945 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
2010/12/25 00:21:00.0260 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2010/12/25 00:21:00.0747 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2010/12/25 00:21:01.0381 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2010/12/25 00:21:01.0492 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2010/12/25 00:21:01.0560 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2010/12/25 00:21:01.0658 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/12/25 00:21:01.0812 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
2010/12/25 00:21:01.0906 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2010/12/25 00:21:02.0011 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2010/12/25 00:21:02.0161 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
2010/12/25 00:21:02.0290 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2010/12/25 00:21:02.0451 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2010/12/25 00:21:02.0514 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2010/12/25 00:21:02.0742 HdAudAddService (6410f6f415b2a5a9037224c41da8bf12) C:\Windows\system32\drivers\HdAudio.sys
2010/12/25 00:21:02.0855 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/12/25 00:21:02.0893 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2010/12/25 00:21:02.0962 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2010/12/25 00:21:03.0022 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2010/12/25 00:21:03.0185 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
2010/12/25 00:21:03.0294 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
2010/12/25 00:21:03.0505 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
2010/12/25 00:21:03.0566 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
2010/12/25 00:21:03.0795 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/12/25 00:21:04.0533 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
2010/12/25 00:21:04.0790 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
2010/12/25 00:21:04.0844 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
2010/12/25 00:21:04.0904 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
2010/12/25 00:21:04.0972 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/12/25 00:21:05.0014 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2010/12/25 00:21:05.0100 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
2010/12/25 00:21:05.0240 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
2010/12/25 00:21:05.0278 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
2010/12/25 00:21:05.0330 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/12/25 00:21:05.0447 JRAID (2224abc439d115a44edb5630a92c1d7e) C:\Windows\system32\DRIVERS\jraid.sys
2010/12/25 00:21:05.0483 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/12/25 00:21:05.0507 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
2010/12/25 00:21:05.0557 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
2010/12/25 00:21:05.0615 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys
2010/12/25 00:21:05.0672 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
2010/12/25 00:21:05.0779 LGBusEnum (fa529fb35694c24bf98a9ef67c1cd9d0) C:\Windows\system32\drivers\LGBusEnum.sys
2010/12/25 00:21:05.0888 LGVirHid (94b29ce153765e768f004fb3440be2b0) C:\Windows\system32\drivers\LGVirHid.sys
2010/12/25 00:21:05.0988 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
2010/12/25 00:21:06.0135 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
2010/12/25 00:21:06.0253 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
2010/12/25 00:21:06.0324 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2010/12/25 00:21:06.0367 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2010/12/25 00:21:06.0439 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
2010/12/25 00:21:06.0634 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
2010/12/25 00:21:06.0717 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
2010/12/25 00:21:06.0802 mfeapfk (c1556ca9695fcd6bbd23d75d402fd43d) C:\Windows\system32\drivers\mfeapfk.sys
2010/12/25 00:21:06.0880 mfeavfk (8857ee8b49f3338fc1fad476bfcca146) C:\Windows\system32\drivers\mfeavfk.sys
2010/12/25 00:21:07.0181 mfefirek (19c44295f6bf085c83352d48397f7870) C:\Windows\system32\drivers\mfefirek.sys
2010/12/25 00:21:07.0279 mfehidk (5f915e20ab56121c41c6bf9a91a83bda) C:\Windows\system32\drivers\mfehidk.sys
2010/12/25 00:21:07.0358 mfenlfk (23ae332e32ff615ca5e5224c8d91af11) C:\Windows\system32\DRIVERS\mfenlfk.sys
2010/12/25 00:21:07.0412 mferkdet (9c7a9273e345f8d653394b5c542bf86a) C:\Windows\system32\drivers\mferkdet.sys
2010/12/25 00:21:07.0527 mfewfpk (3140b2c56d7119ba314f68fc785683f0) C:\Windows\system32\drivers\mfewfpk.sys
2010/12/25 00:21:07.0624 MOBKFilter (3800c23d0d90c59aafcdefdc82b5c4af) C:\Windows\system32\DRIVERS\MOBK.sys
2010/12/25 00:21:07.0988 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
2010/12/25 00:21:08.0117 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2010/12/25 00:21:08.0205 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
2010/12/25 00:21:08.0302 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2010/12/25 00:21:08.0392 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
2010/12/25 00:21:08.0449 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
2010/12/25 00:21:08.0514 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2010/12/25 00:21:08.0589 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
2010/12/25 00:21:08.0646 mrxsmb (767a4c3bcf9410c286ced15a2db17108) C:\Windows\system32\DRIVERS\mrxsmb.sys
2010/12/25 00:21:08.0694 mrxsmb10 (920ee0ff995fcfdeb08c41605a959e1c) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2010/12/25 00:21:08.0751 mrxsmb20 (740d7ea9d72c981510a5292cf6adc941) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2010/12/25 00:21:08.0803 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
2010/12/25 00:21:08.0888 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
2010/12/25 00:21:08.0957 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2010/12/25 00:21:09.0042 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2010/12/25 00:21:09.0071 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
2010/12/25 00:21:09.0171 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2010/12/25 00:21:09.0207 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2010/12/25 00:21:09.0227 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2010/12/25 00:21:09.0270 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
2010/12/25 00:21:09.0327 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
2010/12/25 00:21:09.0363 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2010/12/25 00:21:09.0384 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2010/12/25 00:21:09.0452 MTsensor (19b006b181e3875fd254f7b67acf1e7c) C:\Windows\system32\DRIVERS\ASACPI.sys
2010/12/25 00:21:09.0497 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2010/12/25 00:21:09.0579 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2010/12/25 00:21:09.0725 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2010/12/25 00:21:09.0974 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2010/12/25 00:21:10.0338 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2010/12/25 00:21:10.0764 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
2010/12/25 00:21:11.0058 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
2010/12/25 00:21:11.0386 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
2010/12/25 00:21:11.0771 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2010/12/25 00:21:12.0213 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
2010/12/25 00:21:12.0903 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2010/12/25 00:21:13.0018 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2010/12/25 00:21:13.0176 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2010/12/25 00:21:13.0504 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
2010/12/25 00:21:13.0689 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2010/12/25 00:21:14.0140 NVHDA (cddd4478757288df4bb1494bfd084259) C:\Windows\system32\drivers\nvhda64v.sys
2010/12/25 00:21:16.0361 nvlddmkm (e55cab397f77d5208db18a78b1b7c0d5) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2010/12/25 00:21:16.0712 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
2010/12/25 00:21:17.0070 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
2010/12/25 00:21:17.0500 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
2010/12/25 00:21:17.0678 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
2010/12/25 00:21:18.0058 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2010/12/25 00:21:18.0298 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
2010/12/25 00:21:18.0711 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
2010/12/25 00:21:19.0042 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
2010/12/25 00:21:19.0394 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2010/12/25 00:21:19.0610 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2010/12/25 00:21:20.0247 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2010/12/25 00:21:20.0447 Point64 (b8d8ec78b0f9ed8e220506181274f3d3) C:\Windows\system32\DRIVERS\point64.sys
2010/12/25 00:21:20.0512 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
2010/12/25 00:21:20.0585 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2010/12/25 00:21:20.0780 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
2010/12/25 00:21:21.0273 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2010/12/25 00:21:21.0634 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2010/12/25 00:21:21.0981 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2010/12/25 00:21:22.0307 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2010/12/25 00:21:22.0656 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2010/12/25 00:21:23.0191 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
2010/12/25 00:21:23.0296 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2010/12/25 00:21:23.0408 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2010/12/25 00:21:23.0488 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
2010/12/25 00:21:23.0546 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2010/12/25 00:21:23.0643 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2010/12/25 00:21:24.0003 RDPDR (9706b84dbabfc4b4ca46c5a82b14dfa3) C:\Windows\system32\drivers\rdpdr.sys
2010/12/25 00:21:24.0313 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2010/12/25 00:21:24.0706 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2010/12/25 00:21:24.0817 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
2010/12/25 00:21:24.0980 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
2010/12/25 00:21:25.0393 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2010/12/25 00:21:25.0609 RTCore64 (b994110f069d197222508a724d8afdac) C:\Program Files (x86)\EVGA Precision\RTCore64.sys
2010/12/25 00:21:26.0202 RTL8167 (4b42bc58294e83a6a92ec8b88c14c4a3) C:\Windows\system32\DRIVERS\Rt64win7.sys
2010/12/25 00:21:26.0445 s3cap (88af6e02ab19df7fd07ecdf9c91e9af6) C:\Windows\system32\DRIVERS\vms3cap.sys
2010/12/25 00:21:26.0599 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
2010/12/25 00:21:26.0665 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
2010/12/25 00:21:26.0750 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2010/12/25 00:21:26.0871 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2010/12/25 00:21:27.0274 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2010/12/25 00:21:27.0912 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2010/12/25 00:21:28.0380 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
2010/12/25 00:21:28.0938 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2010/12/25 00:21:29.0267 sffp_sd (178298f767fe638c9fedcbdef58bb5e4) C:\Windows\system32\DRIVERS\sffp_sd.sys
2010/12/25 00:21:29.0763 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2010/12/25 00:21:30.0337 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2010/12/25 00:21:30.0681 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2010/12/25 00:21:31.0134 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2010/12/25 00:21:31.0574 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2010/12/25 00:21:32.0048 srv (de6f5658da951c4bc8e498570b5b0d5f) C:\Windows\system32\DRIVERS\srv.sys
2010/12/25 00:21:32.0567 srv2 (4d33d59c0b930c523d29f9bd40cda9d2) C:\Windows\system32\DRIVERS\srv2.sys
2010/12/25 00:21:33.0032 srvnet (5a663fd67049267bc5c3f3279e631ffb) C:\Windows\system32\DRIVERS\srvnet.sys
2010/12/25 00:21:33.0454 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2010/12/25 00:21:33.0884 storflt (ffd7a6f15b14234b5b0e5d49e7961895) C:\Windows\system32\DRIVERS\vmstorfl.sys
2010/12/25 00:21:34.0300 storvsc (8fccbefc5c440b3c23454656e551b09a) C:\Windows\system32\DRIVERS\storvsc.sys
2010/12/25 00:21:34.0720 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
2010/12/25 00:21:35.0493 Tcpip (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\drivers\tcpip.sys
2010/12/25 00:21:36.0168 TCPIP6 (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\DRIVERS\tcpip.sys
2010/12/25 00:21:36.0513 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
2010/12/25 00:21:36.0817 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2010/12/25 00:21:37.0193 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
2010/12/25 00:21:37.0619 tdx (079125c4b17b01fcaeebce0bcb290c0f) C:\Windows\system32\DRIVERS\tdx.sys
2010/12/25 00:21:38.0034 TermDD (c448651339196c0e869a355171875522) C:\Windows\system32\DRIVERS\termdd.sys
2010/12/25 00:21:38.0439 tssecsrv (61b96c26131e37b24e93327a0bd1fb95) C:\Windows\system32\DRIVERS\tssecsrv.sys
2010/12/25 00:21:38.0742 tunnel (3836171a2cdf3af8ef10856db9835a70) C:\Windows\system32\DRIVERS\tunnel.sys
2010/12/25 00:21:39.0175 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\DRIVERS\uagp35.sys
2010/12/25 00:21:39.0869 udfs (d47baead86c65d4f4069d7ce0a4edceb) C:\Windows\system32\DRIVERS\udfs.sys
2010/12/25 00:21:40.0223 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\DRIVERS\uliagpkx.sys
2010/12/25 00:21:40.0298 umbus (eab6c35e62b1b0db0d1b48b671d3a117) C:\Windows\system32\DRIVERS\umbus.sys
2010/12/25 00:21:40.0390 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\DRIVERS\umpass.sys
2010/12/25 00:21:40.0496 USBAAPL64 (f724b03c3dfaacf08d17d38bf3333583) C:\Windows\system32\Drivers\usbaapl64.sys
2010/12/25 00:21:40.0595 usbccgp (b26afb54a534d634523c4fb66765b026) C:\Windows\system32\DRIVERS\usbccgp.sys
2010/12/25 00:21:40.0954 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\DRIVERS\usbcir.sys
2010/12/25 00:21:41.0286 usbehci (2ea4aff7be7eb4632e3aa8595b0803b5) C:\Windows\system32\DRIVERS\usbehci.sys
2010/12/25 00:21:41.0655 usbhub (4c9042b8df86c1e8e6240c218b99b39b) C:\Windows\system32\DRIVERS\usbhub.sys
2010/12/25 00:21:41.0995 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\Windows\system32\DRIVERS\usbohci.sys
2010/12/25 00:21:42.0317 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
2010/12/25 00:21:42.0770 USBSTOR (080d3820da6c046be82fc8b45a893e83) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2010/12/25 00:21:43.0071 usbuhci (81fb2216d3a60d1284455d511797db3d) C:\Windows\system32\DRIVERS\usbuhci.sys
2010/12/25 00:21:43.0568 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\DRIVERS\vdrvroot.sys
2010/12/25 00:21:43.0947 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
2010/12/25 00:21:44.0354 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
2010/12/25 00:21:44.0976 vhdmp (c82e748660f62a242b2dfac1442f22a4) C:\Windows\system32\DRIVERS\vhdmp.sys
2010/12/25 00:21:45.0497 VIAHdAudAddService (627270f2103d41086bab9675a3315dab) C:\Windows\system32\drivers\viahduaa.sys
2010/12/25 00:21:45.0605 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\DRIVERS\viaide.sys
2010/12/25 00:21:45.0707 vmbus (1501699d7eda984abc4155a7da5738d1) C:\Windows\system32\DRIVERS\vmbus.sys
2010/12/25 00:21:45.0874 VMBusHID (ae10c35761889e65a6f7176937c5592c) C:\Windows\system32\DRIVERS\VMBusHID.sys
2010/12/25 00:21:46.0184 volmgr (2b1a3dae2b4e70dbba822b7a03fbd4a3) C:\Windows\system32\DRIVERS\volmgr.sys
2010/12/25 00:21:46.0572 volmgrx (99b0cbb569ca79acaed8c91461d765fb) C:\Windows\system32\drivers\volmgrx.sys
2010/12/25 00:21:47.0046 volsnap (58f82eed8ca24b461441f9c3e4f0bf5c) C:\Windows\system32\DRIVERS\volsnap.sys
2010/12/25 00:21:47.0478 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\DRIVERS\vsmraid.sys
2010/12/25 00:21:47.0752 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
2010/12/25 00:21:48.0089 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\DRIVERS\wacompen.sys
2010/12/25 00:21:48.0550 WANARP (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/25 00:21:48.0617 Wanarpv6 (47ca49400643effd3f1c9a27e1d69324) C:\Windows\system32\DRIVERS\wanarp.sys
2010/12/25 00:21:48.0913 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\DRIVERS\wd.sys
2010/12/25 00:21:49.0400 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
2010/12/25 00:21:49.0730 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
2010/12/25 00:21:50.0099 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
2010/12/25 00:21:50.0579 WinUsb (817eaff5d38674edd7713b9dfb8e9791) C:\Windows\system32\DRIVERS\WinUsb.sys
2010/12/25 00:21:50.0981 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
2010/12/25 00:21:51.0376 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
2010/12/25 00:21:51.0683 WudfPf (7cadc74271dd6461c452c271b30bd378) C:\Windows\system32\drivers\WudfPf.sys
2010/12/25 00:21:52.0059 WUDFRd (3b197af0fff08aa66b6b2241ca538d64) C:\Windows\system32\DRIVERS\WUDFRd.sys
2010/12/25 00:21:52.0220 ================================================================================
2010/12/25 00:21:52.0220 Scan finished
2010/12/25 00:21:52.0220 ================================================================================

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:27 PM

Posted 25 December 2010 - 02:08 AM

That is very good news


Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Roburt

Roburt
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 25 December 2010 - 07:18 AM

My apologies... I fell asleep!

Currently in safe mode (on mobile phone right now). Combofix is running. Will post in a moment. I'm assuming I save the file and restart the system normally to post it here.

#8 Roburt

Roburt
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 25 December 2010 - 07:34 AM

Same problem as before with combo. This time it didn't restart or find anything like last time but PEV.cfxxe stopped working and again mcafee reminded me I'm not protected. Maybe those "programs" (at least mcafee) are causing it to hang...

Going to wait longer than before for the log. 30 minutes maybe. I don't feel I should really do anything until this is fixed.

#9 Roburt

Roburt
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 25 December 2010 - 08:08 AM

Ok, got the log! I will be disconnecting from the Internet and await your response. I should have gone forward while I had you but once I hit the bed I was out..! Santa didn't bring me a magic fix either. :wink:

ComboFix 10-12-24.01 - Robert 12/25/2010 6:17.2.4 - x64 MINIMAL
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.8190.6966 [GMT -6:00]
Running from: c:\users\Robert\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\users\Robert\AppData\Local\Temp\A81A.tmp

.
((((((((((((((((((((((((( Files Created from 2010-11-25 to 2010-12-25 )))))))))))))))))))))))))))))))
.

2010-12-25 12:21 . 2010-12-25 12:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-12-21 02:08 . 2010-12-21 02:09 -------- d-----w- c:\program files (x86)\Vuze
2010-12-19 02:06 . 2010-12-19 02:06 -------- d-----w- c:\program files\iPod
2010-12-19 02:06 . 2010-12-19 02:06 -------- d-----w- c:\program files\iTunes
2010-12-19 02:06 . 2010-12-19 02:06 -------- d-----w- c:\program files (x86)\iTunes
2010-12-19 02:02 . 2010-12-19 02:02 -------- d-----w- c:\program files (x86)\QuickTime
2010-12-16 05:03 . 2010-10-27 04:32 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2010-12-16 05:03 . 2010-11-02 04:40 496128 ----a-w- c:\windows\SysWow64\taskschd.dll
2010-12-16 05:03 . 2010-11-02 04:40 305152 ----a-w- c:\windows\SysWow64\taskcomp.dll
2010-12-16 05:03 . 2010-11-02 04:34 192000 ----a-w- c:\windows\SysWow64\taskeng.exe
2010-12-16 05:03 . 2010-11-02 04:34 179712 ----a-w- c:\windows\SysWow64\schtasks.exe
2010-12-16 05:03 . 2010-10-20 04:54 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2010-12-16 05:03 . 2010-10-20 02:58 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
2010-12-06 23:33 . 2010-12-06 23:50 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-12-06 23:33 . 2010-12-06 23:36 -------- d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-12-01 03:02 . 2010-12-01 03:02 -------- d-----w- c:\users\Robert\AppData\Roaming\Malwarebytes
2010-12-01 03:02 . 2010-12-01 03:02 -------- d-----w- c:\programdata\Malwarebytes
2010-12-01 03:02 . 2010-12-01 03:48 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2010-11-29 23:38 . 2010-11-29 23:38 94208 ----a-w- c:\windows\SysWow64\QuickTimeVR.qtx
2010-11-29 23:38 . 2010-11-29 23:38 69632 ----a-w- c:\windows\SysWow64\QuickTime.qts
2010-11-27 04:08 . 2010-11-27 04:08 -------- d-----w- c:\program files (x86)\MSXML 4.0
2010-11-25 22:42 . 2010-11-25 22:42 -------- d-----w- c:\program files (x86)\Common Files\Microsoft Games
2010-11-25 22:42 . 2005-05-26 21:34 2297552 ----a-w- c:\windows\SysWow64\d3dx9_26.dll
2010-11-25 22:23 . 2010-11-25 22:23 -------- d-----w- c:\program files (x86)\Microsoft Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-13 00:53 . 2010-09-23 20:58 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2010-10-30 04:12 . 2010-08-25 02:36 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2010-10-30 04:11 . 2010-08-25 02:36 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup-2\markup.dll
2010-10-30 04:11 . 2010-08-25 02:35 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM-2\StartResources.dll
2010-10-30 04:11 . 2010-08-25 02:35 588096 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2010-10-21 22:33 . 2010-07-06 19:55 737072 ----a-w- c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore\Microsoft.MediaCenter.Sports.UI.dll
2010-10-21 22:33 . 2010-07-06 19:55 4277016 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2010-10-21 22:33 . 2010-07-06 19:55 42776 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2010-08-11 23:51 . 2010-08-11 23:51 3439104 ----a-w- c:\program files\iRinger.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShellName"="c:\users\Robert\AppData\Local\Shell\ShellName.dll" [2010-08-04 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1484856]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"HDAudDeck"="c:\program files (x86)\VIA\VIAudioi\VDeck\VDeck.exe" [2009-07-24 2245120]
"GrooveMonitor"="c:\program files (x86)\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"AppleSyncNotifier"="c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\users\Robert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
CurseClientStartup.ccip [2010-10-12 0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2010-06-07 19:10 534832 ----a-w- c:\progra~2\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R1 AsUpIO;AsUpIO;SysWow64\drivers\AsUpIO.sys [x]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-14 75032]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-14 66040]
R2 AsSysCtrlService;ASUS System Control Service;c:\program files (x86)\ASUS\AsSysCtrlService\1.00.02\AsSysCtrlService.exe [2009-08-19 90112]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 355440]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-14 245352]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-14 149032]
R2 MOBKbackup;McAfee Online Backup;c:\program files (x86)\McAfee Online Backup\MOBKbackup.exe [2010-04-14 231224]
R3 ALSysIO;ALSysIO;c:\users\Robert\AppData\Local\Temp\ALSysIO64.sys [x]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-14 62800]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 51600]
R3 LGVirHid;Logitech Gamepanel Virtual HID Device Driver;c:\windows\system32\drivers\LGVirHid.sys [2009-11-23 16008]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-14 441328]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-14 94864]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [2010-01-28 86120]
R3 RTCore64;RTCore64;c:\program files (x86)\EVGA Precision\RTCore64.sys [2010-11-03 14440]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-06-23 344680]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-09-28 51712]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-07-10 1222144]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-07-02 1255736]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-14 283360]
S3 LGBusEnum;Logitech GamePanel Virtual Bus Enumerator Driver;c:\windows\system32\drivers\LGBusEnum.sys [2009-11-23 22408]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2010-07-21 45456]

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 3816248 ----a-w- c:\program files (x86)\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2010-07-21 2327952]
"Launch LgDeviceAgent"="c:\program files\Logitech\GamePanel Software\LgDevAgt.exe" [2010-08-03 415816]
"Launch LCDMon"="c:\program files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2010-08-03 2412616]
"Launch LGDCore"="c:\program files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2010-08-03 4725320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://yahoo.com/
mStart Page = hxxp://www.comcast.net/
mLocal Page = c:\windows\SysWOW64\blank.htm
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

Wow6432Node-HKLM-RunOnce-<NO NAME> - (no file)


.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2767624829-4169514343-3723780584-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3b,d8,84,eb,7e,b3,79,79,86,f8,e5,cd,ac,14,7c,a0,63,1c,b0,a9,2e,72,36,
72,19,7b,ad,7f,f5,11,7b,85,c3,ea,10,13,8b,a3,6f,26,ac,a3,d6,18,4d,84,58,b4,\
"??"=hex:7d,c7,33,42,8b,fe,ab,c4,88,be,8a,0e,39,46,61,7c

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10l.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-12-25 06:53:13
ComboFix-quarantined-files.txt 2010-12-25 12:53

Pre-Run: 390,955,753,472 bytes free
Post-Run: 390,495,256,576 bytes free

- - End Of File - - 6BC3A34694324BC88A724DD023C86EF8

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:27 PM

Posted 25 December 2010 - 12:56 PM

Merry Christmas

You are still getting redirected??


Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat Choose to Save type as - All Files and where to save - Desktop - then close the Notepad file.

It should look like this: Posted Image <--XP
Double-click on router.bat to run it. it will open notepad when done please post back the results
gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Roburt

Roburt
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 25 December 2010 - 12:57 PM

Hard to say. It happened infrequently really. That said should I still run the router test?

#12 Roburt

Roburt
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 25 December 2010 - 01:04 PM

I ran it anyway :busy:

Maybe the one thing combofix found was the problem. I could always resume my normal activity and message you if things begin going wrong again after 5 days.


Server: cns.s3woodstock.ga.atlanta.comcast.net
Address: 68.87.68.166

Name: yahoo.com
Addresses: 98.137.149.56
209.191.122.70
67.195.160.76
69.147.125.65
72.30.2.43


Pinging google.com [74.125.67.104] with 32 bytes of data:
Reply from 74.125.67.104: bytes=32 time=39ms TTL=53
Reply from 74.125.67.104: bytes=32 time=40ms TTL=53

Ping statistics for 74.125.67.104:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 39ms, Maximum = 40ms, Average = 39ms

Pinging yahoo.com [67.195.160.76] with 32 bytes of data:
Reply from 67.195.160.76: bytes=32 time=43ms TTL=50
Reply from 67.195.160.76: bytes=32 time=47ms TTL=50

Ping statistics for 67.195.160.76:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 43ms, Maximum = 47ms, Average = 45ms
===========================================================================
Interface List
11...90 e6 ba 15 ba 22 ......Realtek PCIe GBE Family Controller
1...........................Software Loopback Interface 1
12...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.2 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.2 266
192.168.0.2 255.255.255.255 On-link 192.168.0.2 266
192.168.0.255 255.255.255.255 On-link 192.168.0.2 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.2 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.2 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 58 ::/0 On-link
1 306 ::1/128 On-link
12 58 2001::/32 On-link
12 306 2001:0:4137:9e76:87:2ec3:b4be:386f/128
On-link
12 306 fe80::/64 On-link
12 306 fe80::87:2ec3:b4be:386f/128
On-link
1 306 ff00::/8 On-link
12 306 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:27 PM

Posted 25 December 2010 - 01:04 PM

yes go ahead and still run it
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Roburt

Roburt
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 25 December 2010 - 01:06 PM

Saying it happened "infrequently" may not have been a good word to use. Maybe...1 out of 7 links. Not to mention IE hangups and crashes a couple times a day.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:27 PM

Posted 25 December 2010 - 01:08 PM

Hello

we still have some work to do so if they do come back just let me know

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 9.4.1

and click on remove

Update Adobe Reader

Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.
[/list]

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users