Faux "protection" scan disables HijackThis, Spybot S&D, etc.


  • This topic is locked
17 replies to this topic

#1 santoleri3

  • Members
  • 18 posts

Posted 19 February 2011 - 12:00 AM

So... here it goes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:33 PM, on 2/18/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\HijackThis\Santo.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:49362
O1 - Hosts: 64.34.212.70 www.google.com
O1 - Hosts: 64.34.212.70 google.com
O1 - Hosts: 64.34.212.70 google.com.au
O1 - Hosts: 64.34.212.70 www.google.com.au
O1 - Hosts: 64.34.212.70 google.be
O1 - Hosts: 64.34.212.70 www.google.be
O1 - Hosts: 64.34.212.70 google.com.br
O1 - Hosts: 64.34.212.70 www.google.com.br
O1 - Hosts: 64.34.212.70 google.ca
O1 - Hosts: 64.34.212.70 www.google.ca
O1 - Hosts: 64.34.212.70 google.ch
O1 - Hosts: 64.34.212.70 www.google.ch
O1 - Hosts: 64.34.212.70 google.de
O1 - Hosts: 64.34.212.70 www.google.de
O1 - Hosts: 64.34.212.70 google.dk
O1 - Hosts: 64.34.212.70 www.google.dk
O1 - Hosts: 64.34.212.70 google.fr
O1 - Hosts: 64.34.212.70 www.google.fr
O1 - Hosts: 64.34.212.70 google.ie
O1 - Hosts: 64.34.212.70 www.google.ie
O1 - Hosts: 64.34.212.70 google.it
O1 - Hosts: 64.34.212.70 www.google.it
O1 - Hosts: 64.34.212.70 google.co.jp
O1 - Hosts: 64.34.212.70 www.google.co.jp
O1 - Hosts: 64.34.212.70 google.nl
O1 - Hosts: 64.34.212.70 www.google.nl
O1 - Hosts: 64.34.212.70 google.no
O1 - Hosts: 64.34.212.70 www.google.no
O1 - Hosts: 64.34.212.70 google.co.nz
O1 - Hosts: 64.34.212.70 www.google.co.nz
O1 - Hosts: 64.34.212.70 google.pl
O1 - Hosts: 64.34.212.70 www.google.pl
O1 - Hosts: 64.34.212.70 google.se
O1 - Hosts: 64.34.212.70 www.google.se
O1 - Hosts: 64.34.212.70 google.co.uk
O1 - Hosts: 64.34.212.70 www.google.co.uk
O1 - Hosts: 64.34.212.70 google.co.za
O1 - Hosts: 64.34.212.70 www.google.co.za
O1 - Hosts: 64.34.212.70 www.google-analytics.com
O1 - Hosts: 64.34.212.70 www.bing.com
O1 - Hosts: 64.34.212.70 search.yahoo.com
O1 - Hosts: 64.34.212.70 www.search.yahoo.com
O1 - Hosts: 64.34.212.70 uk.search.yahoo.com
O1 - Hosts: 64.34.212.70 ca.search.yahoo.com
O1 - Hosts: 64.34.212.70 de.search.yahoo.com
O1 - Hosts: 64.34.212.70 fr.search.yahoo.com
O1 - Hosts: 64.34.212.70 au.search.yahoo.com
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [SelectRebates] C:\Program Files\SelectRebates\SelectRebates.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Smart Internet Protection 2011] "C:\Documents and Settings\All Users\Application Data\653777\SI653_2294.exe" /s /d
O4 - HKCU\..\Run: [wlutwwqx] C:\DOCUME~1\TEMP\LOCALS~1\Temp\xnlqikioa\xnmwjmdsikk.exe
O4 - HKCU\..\Run: [dhbejiid] C:\DOCUME~1\TEMP\LOCALS~1\Temp\oyftwirie\rrmxtltsikk.exe
O4 - HKCU\..\RunOnce: [kMaKpBi06504] C:\Documents and Settings\All Users\Application Data\kMaKpBi06504\kMaKpBi06504.exe
O4 - Global Startup: Evernote Clipper.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Evernote 4.0 - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Evernote\Evernote\Resource.dll,-101 - {A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://C:\Program Files\Evernote\Evernote\EvernoteIE.dll/204 (file missing)
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} -
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://fb.familylink.com/we_are_related/stream/core/lib/AurigmaImageUploader/ImageUploader5.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 9329 bytes

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
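An added triage example (my own code, not from the thread or from HijackThis or any other tool named in it): a small Python script that applies the three checks a responder would run over the log above by hand. It flags hosts-file entries that send search-engine domains to a non-loopback address (the O1 lines), a browser proxy pointed at 127.0.0.1 (the R1 line), and Run/RunOnce entries whose binary lives in a user-writable directory such as Temp or Application Data (the O4 lines). The sample lines are excerpted from the posted log, with one benign hosts line and one benign Run entry constructed for contrast; the function names, the domain list and the directory list are my own assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines excerpted from the HijackThis log in the post above,
# plus a benign hosts line and a benign Run entry added for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:49362
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 64.34.212.70 www.google.com
O1 - Hosts: 64.34.212.70 search.yahoo.com
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Smart Internet Protection 2011] "C:\Documents and Settings\All Users\Application Data\653777\SI653_2294.exe" /s /d
O4 - HKCU\..\Run: [wlutwwqx] C:\DOCUME~1\TEMP\LOCALS~1\Temp\xnlqikioa\xnmwjmdsikk.exe
O4 - HKCU\..\RunOnce: [kMaKpBi06504] C:\Documents and Settings\All Users\Application Data\kMaKpBi06504\kMaKpBi06504.exe
"""

# Assumed lists (mine): domains a hosts file should never silently redirect, and
# directories where a legitimately installed autostart binary does not live.
SEARCH_SUFFIXES = ("google.", "bing.com", "yahoo.com", "google-analytics.com")
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\programdata\\", "\\local settings\\")

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\]\s*(.*)$")
# Pulls the executable path out of a command line, quoted or not, dropping arguments.
EXE_RE = re.compile(r'"?(.+?\.(?:exe|com|scr|bat|cmd|dll))"?', re.I)


def _is_loopback(host):
    """True for 127.x / ::1 / 'localhost'; anything else is a real remote target."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def _is_search_domain(host):
    h = host.lower()
    return any(s in h for s in SEARCH_SUFFIXES)


def _proxy_targets(value):
    """Yield (host, port) for a ProxyServer value such as 'http=127.0.0.1:49362;https=...'."""
    for part in value.split(";"):
        target = part.split("=", 1)[-1]
        host, _, port = target.rpartition(":")
        if host:
            yield host, port


def triage(text):
    """Return a list of (kind, detail) findings for the HijackThis lines in text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            # A search engine pinned to a non-loopback IP is a redirect, not a block.
            if not _is_loopback(ip) and _is_search_domain(host):
                findings.append(("hosts-redirect", f"{host} -> {ip}"))
            continue
        m = PROXY_RE.match(line)
        if m:
            # Browser traffic forced through a local port means something on the box intercepts it.
            for host, port in _proxy_targets(m.group(1)):
                if _is_loopback(host):
                    findings.append(("loopback-proxy", f"{host}:{port}"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            e = EXE_RE.match(cmd)
            path = e.group(1) if e else cmd
            if any(d in path.lower() for d in SUSPECT_DIRS):
                findings.append(("autorun-user-writable", f"{hive}\\{key} [{name}] {path}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Two caveats on reading the output. A proxy on 127.0.0.1 is not proof by itself, since some security suites run a local filtering proxy, so confirm what is listening on the port before calling it malicious. And the hosts check above only names search engines; in the posted log nearly fifty domains all map to one address, and that many hand-written entries pointing at a single host is a signal on its own, whatever the domains are.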


#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 19 February 2011 - 12:18 PM

Hello santoleri3,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the reply button in the lower right-hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
  • Close/Exit Spybot Search and Destroy

2.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

3.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double-click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TDssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 santoleri3

  • Topic Starter
  • Members
  • 18 posts

Posted 19 February 2011 - 09:47 PM

GMER results:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-19 21:46:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y080L0 rev.YAR41BW0
Running: 03lcuj3b.exe; Driver: C:\DOCUME~1\TEMP\LOCALS~1\Temp\uwddrpob.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion@Lnoqehukuhox 0x38 0x01 0x32 0x03 ...

---- EOF - GMER 1.0.15 ----

#4 santoleri3

  • Topic Starter
  • Members
  • 18 posts

Posted 19 February 2011 - 09:56 PM

TDSSKiller found nothing, but here's the report:

2011/02/19 21:53:52.0703 0252 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/19 21:53:53.0015 0252 ================================================================================
2011/02/19 21:53:53.0015 0252 SystemInfo:
2011/02/19 21:53:53.0015 0252
2011/02/19 21:53:53.0015 0252 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/19 21:53:53.0015 0252 Product type: Workstation
2011/02/19 21:53:53.0015 0252 ComputerName: SANTOLERI
2011/02/19 21:53:53.0015 0252 UserName: Dominic Santoleri
2011/02/19 21:53:53.0015 0252 Windows directory: C:\WINDOWS
2011/02/19 21:53:53.0015 0252 System windows directory: C:\WINDOWS
2011/02/19 21:53:53.0015 0252 Processor architecture: Intel x86
2011/02/19 21:53:53.0015 0252 Number of processors: 2
2011/02/19 21:53:53.0015 0252 Page size: 0x1000
2011/02/19 21:53:53.0015 0252 Boot type: Safe boot with network
2011/02/19 21:53:53.0015 0252 ================================================================================
2011/02/19 21:53:53.0312 0252 Initialize success
2011/02/19 21:53:56.0234 2044 ================================================================================
2011/02/19 21:53:56.0234 2044 Scan started
2011/02/19 21:53:56.0234 2044 Mode: Manual;
2011/02/19 21:53:56.0234 2044 ================================================================================
2011/02/19 21:53:58.0031 2044 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS
2011/02/19 21:53:58.0203 2044 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/19 21:53:58.0375 2044 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/19 21:53:58.0562 2044 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys
2011/02/19 21:53:58.0718 2044 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/02/19 21:53:58.0859 2044 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/19 21:53:59.0015 2044 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/19 21:53:59.0187 2044 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys
2011/02/19 21:53:59.0312 2044 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys
2011/02/19 21:53:59.0453 2044 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys
2011/02/19 21:53:59.0625 2044 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys
2011/02/19 21:53:59.0781 2044 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys
2011/02/19 21:53:59.0984 2044 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys
2011/02/19 21:54:00.0125 2044 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys
2011/02/19 21:54:00.0281 2044 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys
2011/02/19 21:54:00.0406 2044 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys
2011/02/19 21:54:00.0562 2044 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys
2011/02/19 21:54:00.0687 2044 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys
2011/02/19 21:54:00.0812 2044 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys
2011/02/19 21:54:01.0015 2044 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/19 21:54:01.0156 2044 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/19 21:54:01.0437 2044 atksgt (5b80e84af6b02ecab72dae9afee06309) C:\WINDOWS\system32\DRIVERS\atksgt.sys
2011/02/19 21:54:01.0640 2044 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/19 21:54:01.0796 2044 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/19 21:54:01.0953 2044 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/19 21:54:02.0156 2044 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
2011/02/19 21:54:02.0265 2044 bvrp_pci (c915a416f265149471d74e0815c928b2) C:\WINDOWS\system32\drivers\bvrp_pci.sys
2011/02/19 21:54:02.0625 2044 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys
2011/02/19 21:54:02.0765 2044 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/19 21:54:02.0859 2044 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys
2011/02/19 21:54:03.0000 2044 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/19 21:54:03.0109 2044 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/19 21:54:03.0281 2044 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/19 21:54:03.0640 2044 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys
2011/02/19 21:54:03.0875 2044 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys
2011/02/19 21:54:04.0046 2044 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys
2011/02/19 21:54:04.0203 2044 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys
2011/02/19 21:54:04.0593 2044 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/19 21:54:04.0828 2044 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/19 21:54:05.0015 2044 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/19 21:54:05.0140 2044 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/19 21:54:05.0265 2044 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/19 21:54:05.0484 2044 dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2011/02/19 21:54:05.0656 2044 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2011/02/19 21:54:05.0812 2044 Dot4Scan (bd05306428da63369692477ddc0f6f5f) C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
2011/02/19 21:54:05.0968 2044 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2011/02/19 21:54:06.0140 2044 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys
2011/02/19 21:54:06.0296 2044 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/19 21:54:06.0562 2044 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
2011/02/19 21:54:06.0734 2044 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
2011/02/19 21:54:06.0906 2044 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/02/19 21:54:07.0046 2044 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
2011/02/19 21:54:07.0265 2044 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/19 21:54:07.0453 2044 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/19 21:54:07.0609 2044 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/19 21:54:07.0781 2044 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/02/19 21:54:07.0953 2044 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/19 21:54:08.0140 2044 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/19 21:54:08.0343 2044 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/19 21:54:08.0515 2044 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/02/19 21:54:08.0703 2044 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/19 21:54:08.0890 2044 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/19 21:54:09.0109 2044 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys
2011/02/19 21:54:09.0265 2044 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/19 21:54:09.0453 2044 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/02/19 21:54:09.0640 2044 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys
2011/02/19 21:54:09.0796 2044 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/19 21:54:09.0968 2044 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/02/19 21:54:10.0125 2044 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/02/19 21:54:10.0296 2044 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/02/19 21:54:10.0468 2044 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/02/19 21:54:10.0625 2044 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/02/19 21:54:10.0781 2044 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/02/19 21:54:10.0921 2044 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/02/19 21:54:11.0062 2044 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/02/19 21:54:11.0265 2044 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/02/19 21:54:11.0437 2044 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/02/19 21:54:11.0609 2044 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/19 21:54:11.0828 2044 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys
2011/02/19 21:54:12.0046 2044 IntelC51 (8e51bf1696821a72656444e0fd5081a3) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/02/19 21:54:12.0250 2044 IntelC52 (331ce31882754000ca2afbf7bd480513) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/02/19 21:54:12.0437 2044 IntelC53 (8001fac548eb0285d0085f4eb53c1e3f) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/02/19 21:54:12.0609 2044 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys
2011/02/19 21:54:12.0765 2044 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/19 21:54:12.0953 2044 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/19 21:54:13.0078 2044 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/19 21:54:13.0250 2044 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/19 21:54:13.0359 2044 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/19 21:54:13.0515 2044 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/19 21:54:33.0812 2044 ================================================================================
2011/02/19 21:54:33.0812 2044 Scan finished
2011/02/19 21:54:33.0812 2044 ================================================================================

#5 santoleri3


Posted 19 February 2011 - 10:20 PM

Combofix is warning me that Smart Internet Protection 2011 is running, that it could disrupt combofix, and I should proceed at my own risk. I can't seem to locate Smart Internet Protection 2011; I'll wait for your response before I proceed.

#6 fireman4it


Posted 20 February 2011 - 02:33 AM

Hello,

Go ahead and proceed. Smart Internet Protection is a rogue antispyware program and is part of the malware on your machine.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#7 santoleri3


Posted 20 February 2011 - 10:03 AM

Here's the Combofix log...

ComboFix 11-02-19.02 - Dominic Santoleri 02/20/2011 3:16.12.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.814 [GMT -5:00]
Running from: c:\documents and settings\TEMP\Desktop\Downloads\ComboFix.exe
AV: Smart Internet Protection 2011 *Enabled/Updated* {3C45DF48-AA29-4A53-A7E0-12A96C5F2341}
FW: Smart Internet Protection 2011 *Enabled* {67B3EEE6-8A38-4C80-B9AB-D59DBA426CA0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\kMaKpBi06504
c:\documents and settings\All Users\Application Data\kMaKpBi06504\kMaKpBi06504
c:\documents and settings\All Users\Application Data\kMaKpBi06504\kMaKpBi06504.exe
c:\documents and settings\Angela Santoleri\Local Settings\Application Data\{1FF8E9E7-60F4-4F9C-A381-C37868AA0861}
c:\documents and settings\Angela Santoleri\Local Settings\Application Data\{1FF8E9E7-60F4-4F9C-A381-C37868AA0861}\chrome.manifest
c:\documents and settings\Angela Santoleri\Local Settings\Application Data\{1FF8E9E7-60F4-4F9C-A381-C37868AA0861}\chrome\content\_cfg.js
c:\documents and settings\Angela Santoleri\Local Settings\Application Data\{1FF8E9E7-60F4-4F9C-A381-C37868AA0861}\chrome\content\overlay.xul
c:\documents and settings\Angela Santoleri\Local Settings\Application Data\{1FF8E9E7-60F4-4F9C-A381-C37868AA0861}\install.rdf
c:\documents and settings\TEMP\Application Data\Microsoft\Internet Explorer\Quick Launch\Smart Internet Protection 2011.lnk
c:\documents and settings\TEMP\Application Data\Smart Internet Protection 2011
c:\documents and settings\TEMP\Application Data\Smart Internet Protection 2011\cookies.sqlite
c:\documents and settings\TEMP\Application Data\Smart Internet Protection 2011\Instructions.ini
c:\documents and settings\TEMP\Recent\cb.exe
c:\documents and settings\TEMP\Recent\CLSV.exe
c:\documents and settings\TEMP\Recent\CLSV.tmp
c:\documents and settings\TEMP\Recent\DBOLE.exe
c:\documents and settings\TEMP\Recent\ddv.drv
c:\documents and settings\TEMP\Recent\eb.exe
c:\documents and settings\TEMP\Recent\eb.sys
c:\documents and settings\TEMP\Recent\energy.dll
c:\documents and settings\TEMP\Recent\exec.drv
c:\documents and settings\TEMP\Recent\fan.exe
c:\documents and settings\TEMP\Recent\fix.drv
c:\documents and settings\TEMP\Recent\gid.exe
c:\documents and settings\TEMP\Recent\grid.dll
c:\documents and settings\TEMP\Recent\grid.exe
c:\documents and settings\TEMP\Recent\kernel32.drv
c:\documents and settings\TEMP\Recent\kernel32.exe
c:\documents and settings\TEMP\Recent\kernel32.sys
c:\documents and settings\TEMP\Recent\pal.drv
c:\documents and settings\TEMP\Recent\pal.tmp
c:\documents and settings\TEMP\Recent\PE.drv
c:\documents and settings\TEMP\Recent\runddlkey.exe
c:\documents and settings\TEMP\Recent\sld.drv
c:\documents and settings\TEMP\Recent\SM.exe
c:\documents and settings\TEMP\Recent\SM.tmp
c:\documents and settings\TEMP\Recent\snl2w.sys
c:\documents and settings\TEMP\Recent\std.tmp
c:\documents and settings\TEMP\Recent\tempdoc.exe
c:\documents and settings\TEMP\Recent\tjd.dll
c:\documents and settings\TEMP\Recent\tjd.tmp
c:\documents and settings\TEMP\Start Menu\Programs\Smart Internet Protection 2011.lnk
c:\documents and settings\TEMP\Start Menu\Smart Internet Protection 2011.lnk
c:\windows\elivazijuq.dll
c:\windows\ifezuyoc.dll
c:\windows\ifidiruvupo.dll
c:\windows\iwivepasuyax.dll
c:\windows\uimshet.dll

.
((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
.

2011-02-19 13:41 . 2011-02-19 13:41 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\{A5681F0B-4A32-476B-814D-A713642A6034}
2011-02-17 01:27 . 2011-02-17 01:27 -------- d-sh--w- c:\documents and settings\Angela Santoleri\IECompatCache
2011-02-17 00:52 . 2011-02-17 00:52 -------- d-sh--w- c:\documents and settings\Angela Santoleri\PrivacIE
2011-02-16 09:05 . 2011-02-16 09:05 -------- d-----w- c:\documents and settings\Angela Santoleri\Local Settings\Application Data\Evernote
2011-02-15 20:23 . 2011-02-15 20:23 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SIHHVRQP
2011-02-13 04:25 . 2011-02-16 06:37 -------- d-----w- c:\documents and settings\TEMP\Application Data\skypePM
2011-02-13 04:21 . 2011-02-16 08:58 -------- d-----w- c:\documents and settings\TEMP\Application Data\Skype
2011-02-13 04:21 . 2011-02-13 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-02-13 03:34 . 2011-02-13 03:34 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Temp
2011-01-28 05:01 . 2011-01-28 05:01 -------- d-----w- c:\program files\Bonjour
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll
2011-01-21 09:55 . 2010-09-23 19:42 95672 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-29 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-08-29 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-08-29 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-08-29 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2002-08-29 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-12-10 21:17 . 2010-12-10 21:17 0 ----a-w- c:\documents and settings\TEMP\ntuser.tmp
2010-12-09 15:15 . 2002-08-29 11:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-08-29 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 1980-01-01 06:00 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 1980-01-01 06:00 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((( SnapShot_2011-02-16_09.27.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-10 22:27 . 2011-02-20 03:13 13881 c:\windows\Lzizej.dat
- 2004-04-06 17:46 . 2009-02-10 22:14 69120 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 69120 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 35328 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 35328 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 30208 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 30208 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 11264 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 11264 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 28160 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 28160 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 73216 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 73216 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 22528 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 22528 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2011-01-28 05:13 . 2011-01-28 05:13 380928 c:\windows\Installer\{AAD47011-8518-4608-9656-951DA35B587B}\iTunesIco.exe
+ 2011-01-28 05:13 . 2011-02-17 08:49 380928 c:\windows\Installer\{AAD47011-8518-4608-9656-951DA35B587B}\iTunesIco.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 104960 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 104960 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 155136 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 155136 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SelectRebates"="c:\program files\SelectRebates\SelectRebates.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Dgeluc"="c:\windows\ifidiruvupo.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Evernote Clipper.lnk - c:\windows\Installer\{F761359C-9CED-45AE-9A51-9D6605CD55C4}\Evernote.ico [2011-2-15 293950]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\Buena Vista Interactive\\Tron 2.0\\Lithtech.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dr Pepper Football 1.00.05\\DrPepperFootball.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2011-02-20 c:\windows\Tasks\User_Feed_Synchronization-{1ACBD8B1-DF06-43C9-AE60-8706BCAB9502}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:49362
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\3xvhqd82.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XUL Cache: {BA65BE90-5DE6-4419-81FA-C2020534E05E} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{BA65BE90-5DE6-4419-81FA-C2020534E05E}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {A5681F0B-4A32-476B-814D-A713642A6034} - c:\documents and settings\TEMP\Local Settings\Application Data\{A5681F0B-4A32-476B-814D-A713642A6034}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Glue: {D2A6A719-7CBC-4594-85FD-C36AD881424F} - %profile%\extensions\{D2A6A719-7CBC-4594-85FD-C36AD881424F}
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: SOE Web Installer: {000F1EA4-5E08-4564-A29B-29076F63A37A} - %profile%\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKCU-Run-Smart Internet Protection 2011 - c:\documents and settings\All Users\Application Data\653777\SI653_2294.exe
HKCU-Run-Bcejerezuqah - c:\windows\uimshet.dll
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-20 03:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion*Cqona]
"Lnoqehukuhox"=hex:38,01,32,03,36,05,45,07,4e,09,32,0b,4a,0d,4c,0f,29,11,2a,13,
55,15,24,17,2c,19,29,1b,24,1d,5a,1f,19,21,60,23,10,25,64,27,1a,29,6c,2b,68,\
.
Completion time: 2011-02-20 03:31:13
ComboFix-quarantined-files.txt 2011-02-20 08:30
ComboFix2.txt 2011-02-16 09:30
ComboFix3.txt 2010-09-26 07:27
ComboFix4.txt 2009-08-15 18:04
ComboFix5.txt 2011-02-20 08:09

Pre-Run: 3,534,643,200 bytes free
Post-Run: 3,709,308,928 bytes free

- - End Of File - - 773D2640A247E76D29DFD393FB95106E
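The ComboFix log above is what the Malware Response Team reads by eye. The script below is an added example, not code from ComboFix, HijackThis or either poster, that applies the same checks to the two sections that matter here: it flags Run values that load a bare DLL, autoruns dropped under a profile's Application Data, and the 127.0.0.1:49362 proxy the rogue set for IE and Firefox. The sample log lines are a constructed subset of the log above; the rule names and the Finding type are this example's own.

```python
"""Triage a ComboFix-style log for rogue-AV persistence and proxy hijacks.

Added example for this thread; it is not part of ComboFix or the forum posts.
It scans the "Reg Loading Points" and "Supplementary Scan" sections and
reports the artefacts a rogue such as Smart Internet Protection 2011 leaves.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A [..\Run] registry header, e.g. [HKEY_LOCAL_MACHINE\...\CurrentVersion\Run]
RUN_HEADER_RE = re.compile(r"^\[(HKEY_[^\]]*\\Run)\]$", re.IGNORECASE)
# "Name"="target" [date size]   (the trailing annotation is ignored)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
# Lines in the "ORPHANS REMOVED" block: HKCU-Run-Name - target
ORPHAN_RUN_RE = re.compile(r"^HKCU-Run-(\S.*?) - (.+)$")
# uInternet Settings,ProxyServer = http=127.0.0.1:49362
PROXY_RE = re.compile(r"ProxyServer = (?:\w+=)?(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
# FF - prefs.js: network.proxy.type - 1   (1 = manual proxy configuration)
FF_PROXY_RE = re.compile(r"FF - prefs\.js: network\.proxy\.type - (\d)")


@dataclass
class Finding:
    rule: str       # short rule name, used for grouping
    evidence: str   # the log line or registry value that fired it
    why: str        # what it means for the defender


def suspicious_autorun_target(target: str) -> Optional[str]:
    """Return a reason if an autorun target looks like rogue-AV persistence."""
    t = target.lower()
    if t.endswith(".dll"):
        return "Run value points straight at a DLL; legitimate entries launch an .exe"
    if "\\application data\\" in t and t.endswith(".exe"):
        return "autorun .exe dropped under a profile's Application Data folder"
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    run_key: Optional[str] = None   # set while inside a [..\Run] block
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            run_key = None          # Run blocks end at the first blank line
            continue
        header = RUN_HEADER_RE.match(line)
        if header:
            run_key = header.group(1)
            continue
        if line.startswith("["):
            run_key = None          # some other registry key section
            continue
        if run_key:
            value = RUN_VALUE_RE.match(line)
            if value:
                name, target = value.groups()
                reason = suspicious_autorun_target(target)
                if reason:
                    findings.append(Finding("autorun", f"{run_key}\\{name} -> {target}", reason))
            continue
        orphan = ORPHAN_RUN_RE.match(line)
        if orphan:
            name, target = orphan.groups()
            reason = suspicious_autorun_target(target)
            if reason:
                findings.append(Finding("autorun", f"HKCU\\Run\\{name} -> {target}", reason))
            continue
        proxy = PROXY_RE.search(line)
        if proxy and proxy.group(1).startswith("127."):
            findings.append(Finding("loopback-proxy", line,
                f"browser traffic is routed through a local listener on port {proxy.group(2)}; "
                "rogue AV uses this to rewrite or block web pages"))
            continue
        ff = FF_PROXY_RE.search(line)
        if ff and ff.group(1) == "1":
            findings.append(Finding("firefox-proxy", line,
                "Firefox profile uses a manual proxy; compare it with the IE ProxyServer value"))
    return findings


# Constructed sample: a subset of lines shaped like the log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Dgeluc"="c:\windows\ifidiruvupo.dll" [BU]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:49362
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Skype - c:\program files\Skype\Phone\Skype.exe
HKCU-Run-Smart Internet Protection 2011 - c:\documents and settings\All Users\Application Data\653777\SI653_2294.exe
HKCU-Run-Bcejerezuqah - c:\windows\uimshet.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.evidence}\n    {f.why}")
```

Run against the full log it reports the same five items the helper later targets or that ComboFix already removed; legitimate entries such as QuickTime and Skype are left alone.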

#8 fireman4it


Posted 20 February 2011 - 02:24 PM

Hello,

Things look pretty good. Let's do some final checking.


1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Folder::
c:\documents and settings\All Users\Application Data\SIHHVRQP

DDS::
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:49362

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
You can refer to this short video by: neomage
Note: to optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.



Things to include in your next reply:
Combofix.txt
MBAM log
Eset log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#9 santoleri3

santoleri3
  • Topic Starter

  • Members
  • 18 posts
  • Local time:02:26 AM

Posted 20 February 2011 - 03:26 PM

Here is the newest combofix log:

ComboFix 11-02-19.02 - Dominic Santoleri 02/20/2011 15:08:34.13.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.815 [GMT -5:00]
Running from: c:\documents and settings\TEMP\Desktop\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\TEMP\Desktop\Downloads\CFScript.txt
AV: Smart Internet Protection 2011 *Enabled/Updated* {3C45DF48-AA29-4A53-A7E0-12A96C5F2341}
FW: Smart Internet Protection 2011 *Enabled* {67B3EEE6-8A38-4C80-B9AB-D59DBA426CA0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\SIHHVRQP
c:\documents and settings\All Users\Application Data\SIHHVRQP\SIPNZJZDDP.cfg
c:\documents and settings\TEMP\Local Settings\Application Data\{A5681F0B-4A32-476B-814D-A713642A6034}
c:\documents and settings\TEMP\Local Settings\Application Data\{A5681F0B-4A32-476B-814D-A713642A6034}\chrome.manifest
c:\documents and settings\TEMP\Local Settings\Application Data\{A5681F0B-4A32-476B-814D-A713642A6034}\chrome\content\_cfg.js
c:\documents and settings\TEMP\Local Settings\Application Data\{A5681F0B-4A32-476B-814D-A713642A6034}\chrome\content\overlay.xul
c:\documents and settings\TEMP\Local Settings\Application Data\{A5681F0B-4A32-476B-814D-A713642A6034}\install.rdf

.
((((((((((((((((((((((((( Files Created from 2011-01-20 to 2011-02-20 )))))))))))))))))))))))))))))))
.

2011-02-17 01:27 . 2011-02-17 01:27 -------- d-sh--w- c:\documents and settings\Angela Santoleri\IECompatCache
2011-02-17 00:52 . 2011-02-17 00:52 -------- d-sh--w- c:\documents and settings\Angela Santoleri\PrivacIE
2011-02-16 09:05 . 2011-02-16 09:05 -------- d-----w- c:\documents and settings\Angela Santoleri\Local Settings\Application Data\Evernote
2011-02-13 04:25 . 2011-02-16 06:37 -------- d-----w- c:\documents and settings\TEMP\Application Data\skypePM
2011-02-13 04:21 . 2011-02-16 08:58 -------- d-----w- c:\documents and settings\TEMP\Application Data\Skype
2011-02-13 04:21 . 2011-02-13 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-02-13 03:34 . 2011-02-13 03:34 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Temp
2011-01-28 05:01 . 2011-01-28 05:01 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-29 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-08-29 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-08-29 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-08-29 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2002-08-29 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-12-10 21:17 . 2010-12-10 21:17 0 ----a-w- c:\documents and settings\TEMP\ntuser.tmp
2010-12-09 15:15 . 2002-08-29 11:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-08-29 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 1980-01-01 06:00 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 1980-01-01 06:00 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((( SnapShot_2011-02-16_09.27.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-10 22:27 . 2011-02-20 03:13 13881 c:\windows\Lzizej.dat
- 2004-04-06 17:46 . 2009-02-10 22:14 69120 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 69120 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 35328 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 35328 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 30208 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 30208 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 11264 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 11264 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 28160 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 28160 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 73216 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 73216 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 22528 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 22528 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2011-01-28 05:13 . 2011-01-28 05:13 380928 c:\windows\Installer\{AAD47011-8518-4608-9656-951DA35B587B}\iTunesIco.exe
+ 2011-01-28 05:13 . 2011-02-17 08:49 380928 c:\windows\Installer\{AAD47011-8518-4608-9656-951DA35B587B}\iTunesIco.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 104960 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 104960 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 155136 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 155136 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SelectRebates"="c:\program files\SelectRebates\SelectRebates.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Dgeluc"="c:\windows\ifidiruvupo.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Evernote Clipper.lnk - c:\windows\Installer\{F761359C-9CED-45AE-9A51-9D6605CD55C4}\Evernote.ico [2011-2-15 293950]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\Buena Vista Interactive\\Tron 2.0\\Lithtech.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dr Pepper Football 1.00.05\\DrPepperFootball.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2011-02-20 c:\windows\Tasks\User_Feed_Synchronization-{1ACBD8B1-DF06-43C9-AE60-8706BCAB9502}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\3xvhqd82.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XUL Cache: {BA65BE90-5DE6-4419-81FA-C2020534E05E} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{BA65BE90-5DE6-4419-81FA-C2020534E05E}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Glue: {D2A6A719-7CBC-4594-85FD-C36AD881424F} - %profile%\extensions\{D2A6A719-7CBC-4594-85FD-C36AD881424F}
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: SOE Web Installer: {000F1EA4-5E08-4564-A29B-29076F63A37A} - %profile%\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-20 15:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion*Cqona]
"Lnoqehukuhox"=hex:38,01,32,03,36,05,45,07,4e,09,32,0b,4a,0d,4c,0f,29,11,2a,13,
55,15,24,17,2c,19,29,1b,24,1d,5a,1f,19,21,60,23,10,25,64,27,1a,29,6c,2b,68,\
.
Completion time: 2011-02-20 15:19:11
ComboFix-quarantined-files.txt 2011-02-20 20:19
ComboFix2.txt 2011-02-20 08:31
ComboFix3.txt 2011-02-16 09:30
ComboFix4.txt 2010-09-26 07:27
ComboFix5.txt 2011-02-20 19:53

Pre-Run: 3,669,938,176 bytes free
Post-Run: 3,657,166,848 bytes free

- - End Of File - - 4E5B21C620664C59F86E6DBAB799F47A

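The ComboFix log above lists the Run-key loading points and the Firefox prefs.js settings that a malware-response reviewer reads first. As an added example (not from the thread, ComboFix, or any tool named in it), the script below parses an excerpt constructed from those lines and flags the indicators a reviewer checks: a Run entry for which ComboFix printed no file date/size (tagged [BU] here), a target dropped directly in c:\windows, a DLL as a Run target, and network.proxy.type set to 1 (manual proxy).

```python
"""Flag suspicious autostart entries in a ComboFix 'Reg Loading Points' excerpt.

Added example for this thread; not part of ComboFix, MBAM or ESET. The
sample below is constructed from entries quoted in the log, not the full log.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"SelectRebates"="c:\program files\SelectRebates\SelectRebates.exe" [BU]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Dgeluc"="c:\windows\ifidiruvupo.dll" [BU]

FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - prefs.js: network.proxy.type - 1
"""

# "Name"="path" [meta]  where meta is "YYYY-MM-DD size" or a tag such as BU
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]')
KEY_LINE = re.compile(r'^\[(?P<key>HK[^\]]+)\]')
FF_PREF = re.compile(r'^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$')
DATE_SIZE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')
# Firefox network.proxy.type: 0 none, 1 manual, 2 PAC URL, 4 auto-detect, 5 system
MANUAL_PROXY = "1"


def parse_run_entries(log: str) -> List[Dict[str, str]]:
    """Return entries under any ...\\CurrentVersion\\Run key as dicts."""
    entries, current_key = [], ""
    for line in log.splitlines():
        k = KEY_LINE.match(line)
        if k:
            current_key = k.group("key")
            continue
        m = RUN_ENTRY.match(line)
        if m and current_key.lower().endswith(r"\currentversion\run"):
            entries.append({"key": current_key, **m.groupdict()})
    return entries


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Heuristics a reviewer applies to one Run entry; empty list means clean."""
    reasons = []
    path = entry["path"].lower().replace("/", "\\")
    parent, _, filename = path.rpartition("\\")
    # 1. ComboFix printed no "date size" for the target, only a tag such as [BU],
    #    so the file the entry points at could not be shown as a normal file.
    if not DATE_SIZE.match(entry["meta"].strip()):
        reasons.append("no file date/size recorded ([%s])" % entry["meta"])
    # 2. Legitimate software lives in Program Files or system32, not the Windows root.
    if parent in (r"c:\windows", r"c:\winnt"):
        reasons.append("target dropped directly in the Windows directory")
    # 3. A DLL as a Run target is unusual; normal entries launch an .exe.
    if filename.endswith(".dll"):
        reasons.append("Run entry points at a DLL instead of an executable")
    return reasons


def proxy_findings(log: str) -> List[str]:
    """Flag a manual Firefox proxy, a common trait of rogue 'protection' software."""
    out = []
    for line in log.splitlines():
        m = FF_PREF.match(line)
        if m and m.group("pref") == "network.proxy.type" and m.group("value").strip() == MANUAL_PROXY:
            out.append("network.proxy.type=1: manual proxy set; confirm the user configured it")
    return out


def review(log: str) -> List[Tuple[str, str]]:
    """All findings as (entry name, reason) pairs."""
    findings = []
    for e in parse_run_entries(log):
        for r in suspicious_reasons(e):
            findings.append((e["name"], r))
    for p in proxy_findings(log):
        findings.append(("prefs.js", p))
    return findings


if __name__ == "__main__":
    for name, reason in review(SAMPLE_LOG):
        print("%-14s %s" % (name, reason))
```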
#10 santoleri3

santoleri3
  • Topic Starter

  • Members
  • 18 posts
  • Local time:02:26 AM

Posted 20 February 2011 - 03:55 PM

...and Malwarebytes Log...

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5823

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/20/2011 3:53:44 PM
mbam-log-2011-02-20 (15-53-44).txt

Scan type: Quick scan
Objects scanned: 207465
Time elapsed: 7 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\g043oqxanu (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\documents and settings\default user\local settings\application data\windows server\pbmigw.dll (Trojan.Agent) -> Quarantined and deleted successfully.

#11 santoleri3

santoleri3
  • Topic Starter

  • Members
  • 18 posts
  • Local time:02:26 AM

Posted 20 February 2011 - 08:01 PM

C:\QooBox\Quarantine\C\cleansweep.exe\cleansweep.exe.vir a variant of Win32/Spy.SpyEye.AN trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\653777\2884.mof.vir Win32/RogueAV.A trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\653777\SI653_2294.exe.vir Win32/Adware.VirusAlarmPro application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Application Data\kMaKpBi06504\kMaKpBi06504.exe.vir a variant of Win32/Kryptik.KUE trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\Documents and Settings\LocalService\Local Settings\Application Data\Windows Server\pbmigw.dll.vir Win32/Bamital.AM trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server\pbmigw.dll.vir Win32/Bamital.AM trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\Program Files\outlook\p.zip.vir Win32/TrojanDropper.VB.NAI trojan deleted - quarantined
C:\QooBox\Quarantine\C\WINDOWS\afojeroyoka.dll.vir a variant of Win32/Cimag.DV trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\admoedpp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ahtn.htm.vir probably a variant of Win32/TrojanDownloader.Agent.GYLVINT trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ameuyf.dll.vir a variant of Win32/Adware.SuperJuan.A application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aqplwkbs.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bbbwetqr.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bgfqormn.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bjnuache.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bnxyocct.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bsiobs.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cbXNhGay.dll_old.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cbXQgEUL.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cfllligu.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cfqrnjek.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cgfjrs.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dfpxkyfd.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dhpqkxvu.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dnehksyy.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dpspbeyh.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dqkysw.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\EgMloUtv.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\EgMloUtv.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\eqixxyrf.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ewkhxjmr.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ffkuz.dll.vir Win32/BHO.NLI trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\frmwrk32.exe.vir Win32/TrojanDownloader.FakeAlert.VY trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\guxxrayh.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hetxjoeo.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hfkivoft.dll.vir Win32/Adware.AdMedia application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hjisxunv.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hkahktpx.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hqiasrta.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hyarxxug.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hyebpspd.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\IEFilter.dll.vir probably a variant of Win32/Spy.Small.IMNKBZH trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\iifffdAt.dll.vir Win32/Adware.Virtumonde.FP application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\innqiojj.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jediwice.dll.vir a variant of Win32/Adware.Virtumonde.NEB application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\JikUEfhk.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jkkKcBtS.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jmbrqc.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jmmpmfrq.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jxtpgnkn.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kkbonfgu.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kkxnytcr.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kopcgkla.dll.vir a variant of Win32/Adware.SuperJuan.A application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kwsxtc.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\leestapr.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ljJdApNh.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mbodocgj.dll.vir a variant of Win32/Adware.Virtumonde.NEB application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mlJDtutu.dll_old.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\msiconf.exe.vir Win32/TrojanDownloader.FakeAlert.TF trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ngxphvyd.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nkngptxj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\nmroqfgb.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ntdll64.exe.vir Win32/FakeInit.A trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\odjknwog.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\opulxrps.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pac.txt.vir probably a variant of Win32/TrojanDownloader.Agent.JXCMRQU trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\passab.dll.vir Win32/Adware.SuperJuan application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pbhgkalv.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pnrydxps.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ppdeomda.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\prunnet.exe.vir Win32/VB.NUJ trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pstfrrnv.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pwmwraee.dll.vir Win32/Adware.AdMedia application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qrfmpmmj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qtxgkglt.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qwakuveq.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rcflndbl.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rctynxkk.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rddmkgow.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqrbqkrt.dll.vir a variant of Win32/Adware.SuperJuan.A application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rqtewbbb.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\senekabvmroell.dll.vir Win32/Agent.ORL trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\senekaecxduyqx.dll.vir Win32/Agent.ORL trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\senekamepbfjxj.dll.vir a variant of Win32/Kryptik.BDA trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sgqlbw.dll.vir a variant of Win32/Adware.SuperJuan.A application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\StBcKkkj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\StBcKkkj.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sthehkxm.dll.vir a variant of Win32/Adware.SuperJuan.B application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sushch.dll.vir a variant of Win32/Adware.Virtumonde.NEB application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tAdfffii.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tAdfffii.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tlgkgxtq.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tsumcyqc.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ugfnobkk.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ujaxeaqx.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\userinit.exe.vir Win32/FakeInit.A trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ututDJlm.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uxpxlsqj.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vlakghbp.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vnrrftsp.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtUolMgE.dll_old.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\warning.gif.vir Win32/TrojanDownloader.FakeAlert.ACR trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wogkmddr.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xpblplic.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xptkhakh.dll.vir Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yaGhNXbc.ini.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\yaGhNXbc.ini2.vir Win32/Adware.Virtumonde.NEO application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ynlxxqxd.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ysuqvjhb.dll.vir a variant of Win32/Adware.Virtumonde application cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\drivers\seneka.sys.vir Win32/Agent.ORV trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\drivers\senekakxrlgwoc.sys.vir Win32/Agent.ORV trojan cleaned by deleting - quarantined
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vntiho01\vntiho011065.exe.vir Win32/TrojanDownloader.VB.AWJ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0065351.mof Win32/RogueAV.A trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0065357.exe Win32/Adware.VirusAlarmPro application cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0065363.dll a variant of Win32/Cimag.DV trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP223\A0071359.dll a variant of Win32/Cimag.AQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP223\A0074651.exe a variant of Win32/Kryptik.KUE trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP223\A0074837.dll Win32/Bamital.AM trojan cleaned by deleting - quarantined

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:26 AM

Posted 20 February 2011 - 08:17 PM

Hello,

Almost finished up, just a few things left.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

SecCenter::
AV: Smart Internet Protection 2011 *Enabled/Updated* {3C45DF48-AA29-4A53-A7E0-12A96C5F2341}
FW: Smart Internet Protection 2011 *Enabled* {67B3EEE6-8A38-4C80-B9AB-D59DBA426CA0}

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please update MalwareBytes and run a Full Scan. We like to see all 0's

Things to include in your next reply:
Combofix.txt
MBAM log
How is your Computer running now?

Edited by fireman4it, 21 February 2011 - 12:18 AM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 santoleri3

santoleri3
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 20 February 2011 - 10:39 PM

ComboFix 11-02-19.02 - Dominic Santoleri 02/20/2011 21:46:18.14.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1279.792 [GMT -5:00]
Running from: c:\documents and settings\TEMP\Desktop\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\TEMP\Desktop\Downloads\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2011-01-21 to 2011-02-21 )))))))))))))))))))))))))))))))
.

2011-02-20 21:19 . 2011-02-20 21:19 -------- d-----w- c:\program files\ESET
2011-02-20 20:31 . 2011-02-20 20:31 -------- d-----w- c:\documents and settings\TEMP\Application Data\Malwarebytes
2011-02-20 20:31 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-02-20 20:31 . 2011-02-20 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-20 20:31 . 2011-02-20 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-20 20:31 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-02-17 01:27 . 2011-02-17 01:27 -------- d-sh--w- c:\documents and settings\Angela Santoleri\IECompatCache
2011-02-17 00:52 . 2011-02-17 00:52 -------- d-sh--w- c:\documents and settings\Angela Santoleri\PrivacIE
2011-02-16 09:05 . 2011-02-16 09:05 -------- d-----w- c:\documents and settings\Angela Santoleri\Local Settings\Application Data\Evernote
2011-02-13 04:25 . 2011-02-16 06:37 -------- d-----w- c:\documents and settings\TEMP\Application Data\skypePM
2011-02-13 04:21 . 2011-02-16 08:58 -------- d-----w- c:\documents and settings\TEMP\Application Data\Skype
2011-02-13 04:21 . 2011-02-13 04:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2011-02-13 03:34 . 2011-02-13 03:34 -------- d-----w- c:\documents and settings\TEMP\Local Settings\Application Data\Temp
2011-01-28 05:01 . 2011-01-28 05:01 -------- d-----w- c:\program files\Bonjour

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2002-08-29 11:00 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2002-08-29 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2002-08-29 11:00 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2002-08-29 11:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2004-02-06 22:05 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2002-08-29 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2002-08-29 11:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2002-08-29 11:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2010-12-10 21:17 . 2010-12-10 21:17 0 ----a-w- c:\documents and settings\TEMP\ntuser.tmp
2010-12-09 15:15 . 2002-08-29 11:00 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2002-08-29 11:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 1980-01-01 06:00 2148864 ------w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 1980-01-01 06:00 2027008 ------w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

((((((((((((((((((((((((((((( SnapShot_2011-02-16_09.27.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-20 20:56 . 2011-02-20 20:56 16384 c:\windows\temp\Perflib_Perfdata_628.dat
+ 2010-12-10 22:27 . 2011-02-20 03:13 13881 c:\windows\Lzizej.dat
- 2004-04-06 17:46 . 2009-02-10 22:14 69120 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 69120 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 35328 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 35328 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 30208 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 30208 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 11264 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 11264 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 28160 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 28160 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 73216 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 73216 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 22528 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\bindico.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 22528 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2011-01-28 05:13 . 2011-01-28 05:13 380928 c:\windows\Installer\{AAD47011-8518-4608-9656-951DA35B587B}\iTunesIco.exe
+ 2011-01-28 05:13 . 2011-02-17 08:49 380928 c:\windows\Installer\{AAD47011-8518-4608-9656-951DA35B587B}\iTunesIco.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 104960 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 104960 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2004-04-06 17:46 . 2011-02-16 14:46 155136 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\accicons.exe
- 2004-04-06 17:46 . 2009-02-10 22:14 155136 c:\windows\Installer\{00030409-78E1-11D2-B60F-006097C998E7}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"SelectRebates"="c:\program files\SelectRebates\SelectRebates.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Dgeluc"="c:\windows\ifidiruvupo.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Evernote Clipper.lnk - c:\windows\Installer\{F761359C-9CED-45AE-9A51-9D6605CD55C4}\Evernote.ico [2011-2-15 293950]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™ II\\game.dat"=
"c:\\Program Files\\Electronic Arts\\The Lord of the Rings, The Rise of the Witch-king\\game.dat"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrA.exe"=
"c:\\WINDOWS\\SYSTEM32\\PnkBstrB.exe"=
"c:\\Program Files\\Buena Vista Interactive\\Tron 2.0\\Lithtech.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Dr Pepper Football 1.00.05\\DrPepperFootball.exe"=


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2011-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2011-02-21 c:\windows\Tasks\User_Feed_Synchronization-{1ACBD8B1-DF06-43C9-AE60-8706BCAB9502}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
IE: Add to Evernote 4.0 - c:\program files\Evernote\Evernote\EvernoteIE.dll/204
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{A95fe080-8f5d-11d2-a20b-00aa003c157a} - res://c:\program files\Evernote\Evernote\EvernoteIE.dll/204
FF - ProfilePath - c:\documents and settings\TEMP\Application Data\Mozilla\Firefox\Profiles\3xvhqd82.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/?ref=hp
FF - prefs.js: network.proxy.type - 1
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: XUL Cache: {BA65BE90-5DE6-4419-81FA-C2020534E05E} - c:\windows\system32\config\systemprofile\Local Settings\Application Data\{BA65BE90-5DE6-4419-81FA-C2020534E05E}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Glue: {D2A6A719-7CBC-4594-85FD-C36AD881424F} - %profile%\extensions\{D2A6A719-7CBC-4594-85FD-C36AD881424F}
FF - Ext: Firefox Sync: {340c2bbc-ce74-4362-90b5-7c26312808ef} - %profile%\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: SOE Web Installer: {000F1EA4-5E08-4564-A29B-29076F63A37A} - %profile%\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}
FF - Ext: Battlefield Heroes Updater: battlefieldheroespatcher@ea.com - %profile%\extensions\battlefieldheroespatcher@ea.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-20 21:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion*Cqona]
"Lnoqehukuhox"=hex:38,01,32,03,36,05,45,07,4e,09,32,0b,4a,0d,4c,0f,29,11,2a,13,
55,15,24,17,2c,19,29,1b,24,1d,5a,1f,19,21,60,23,10,25,64,27,1a,29,6c,2b,68,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-20 21:59:15
ComboFix-quarantined-files.txt 2011-02-21 02:59
ComboFix2.txt 2011-02-20 20:19
ComboFix3.txt 2011-02-20 08:31
ComboFix4.txt 2011-02-16 09:30
ComboFix5.txt 2011-02-21 02:38

Pre-Run: 3,501,051,904 bytes free
Post-Run: 3,486,822,400 bytes free

- - End Of File - - 7B12F91145C8F5DC07E36FA72D92608D
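The "Reg Loading Points" section of the ComboFix log above is where the helper looks for autostart entries that do not belong (note the `"Dgeluc"="c:\windows\ifidiruvupo.dll" [BU]` value beside the vendor entries that carry a date and size). As an added example, not code from this thread, from ComboFix or from Malwarebytes, here is a small Python parser that reads that section from a log and flags Run entries by three heuristics: ComboFix printed `[BU]` instead of a file date/size, the value points at a DLL rather than an executable, or the file sits directly in the Windows directory. The sample input is an excerpt of the log above; the heuristics and function names are this example's own choices, and treating `[BU]` as "no file stamp recorded" is an assumption rather than ComboFix documentation.

```python
import ntpath
import re
from typing import Dict, List

# Excerpt of the "Reg Loading Points" section of the ComboFix log posted
# above (shortened to a few entries; constructed sample input).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"SelectRebates"="c:\program files\SelectRebates\SelectRebates.exe" [BU]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"Dgeluc"="c:\windows\ifidiruvupo.dll" [BU]
"""

# A registry key header line, e.g. [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# A value line: "Name"="path" [stamp]   where stamp is "YYYY-MM-DD size" or "BU"
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]')


def parse_run_entries(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per Run value: which key it lives under, its value
    name, the target path and the bracketed stamp ComboFix printed."""
    entries: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            entries.append({"key": current_key, **entry_match.groupdict()})
    return entries


def assess(entry: Dict[str, str]) -> List[str]:
    """Heuristic reasons an entry deserves a second look (assumed rules,
    not ComboFix's own logic). An empty list means nothing stood out."""
    reasons: List[str] = []
    path = entry["path"].lower()
    if entry["stamp"].strip() == "BU":
        # ComboFix printed [BU] instead of a file date and size (assumption:
        # no file stamp could be recorded for this target).
        reasons.append("no file date/size recorded ([BU])")
    if ntpath.splitext(path)[1] == ".dll":
        # Run values normally launch an .exe; a bare DLL path is unusual.
        reasons.append("Run value points at a DLL rather than an executable")
    if ntpath.dirname(path) == r"c:\windows":
        # Legitimate vendor software rarely drops its files in %windir% root.
        reasons.append("file sits directly in the Windows directory")
    return reasons


def find_suspicious(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged value name to the list of reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_run_entries(log_text):
        reasons = assess(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_LOG).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the excerpt, the script flags `SelectRebates` (missing stamp only) and `Dgeluc` (all three reasons), which matches what a helper would single out from this section by eye; to use it on a full log, read the file and pass its text to `find_suspicious`. The heuristics are deliberately simple and produce leads for a human to check, not verdicts.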

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:26 AM

Posted 21 February 2011 - 12:21 AM

Hello,

I still need to see if Malwarebytes was all 0's. Also, how is your computer running now? Any signs or symptoms of malware?



#15 santoleri3

santoleri3
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 21 February 2011 - 08:21 AM

I didn't get to run the scan until late, it is still scanning. I'm not getting hijacked anymore, and I'm not running in safe mode anymore, but everything is slow...



