Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unable to access my files! Virus unknown!


  • This topic is locked This topic is locked
32 replies to this topic

#1 rsyma

rsyma

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 20 March 2011 - 11:31 PM

Hello! I was redirected here and hope someone can help me.

I am using Windows Vista 32 bit. On March 18th, 2011, a message popped up and I accidentally clicked it off before I could read it. I ran Malwarebyes and here was the log as follows:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6103

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

3/18/2011 10:33:36 PM
mbam-log-2011-03-18 (22-33-36).txt

Scan type: Quick scan
Objects scanned: 166712
Time elapsed: 20 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QiffIeqXNyJn (Trojan.FakeAlert) -> Value: QiffIeqXNyJn -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\qiffieqxnyjn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\tmp2500.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\-213E8.tmp (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
c:\Users\Owner\AppData\Local\Temp\1363E8.tmp (Trojan.Agent) -> Delete on reboot.


Malwarebytes then stated that 2 of the infections were not deleted. I rebooted and was unable to access any of my personal files, such as photos, music, etc. It says that all of my folders are empty. I received another message upon reboot:

CCPLG.XML:
Unable to find file (C:Program Files\Avira\AntiVir Desktop\ccplg.xml).

I cannot turn on my antivirus software.
I tried to update Malwarebytes and received this message:

An error has occured. Please report this error code to our support team.
PROGRAM_ERROR_UPDATING (5,0, CreateFile)
Access is denied.

I also ran RKill and here is what popped up:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/18/2011 at 22:09:59.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\ProgramData\QiffIeqXNyJn.exe
C:\Program Files\Real\RealUpgrade\RealUpgrade.exe


Rkill completed on 03/18/2011 at 22:10:57.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/18/2011 at 22:58:58.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:




Rkill completed on 03/18/2011 at 22:59:07.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 03/18/2011 at 23:12:10.


Processes terminated by Rkill or while it was running:


c:\Users\Owner\Desktop\My Documents\Support\rkill.exe


Rkill completed on 03/18/2011 at 23:12:15.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/19/2011 at 8:29:04.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\System32\grpconv.exe


Rkill completed on 03/19/2011 at 8:29:10.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/19/2011 at 17:37:45.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 03/19/2011 at 17:37:53.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/19/2011 at 18:41:03.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



--- ATTENTION ---

Windows was configured to use a proxy! Proxy settings have been removed.

The Proxy Server that was configured is:

If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.


Rkill completed on 03/19/2011 at 18:41:09.

Other than that, the computer starts up fine, I am able to get online and open certain programs such as Word and Photoshop. I ran another scan on Malwarebytes and it is scanning all of my files that the computer says aren't there so I don't know what to do, I also have not lost any gigabytes on my C drive.
Please help! Any suggestions would be greatly appreciated!
Thank you!

DDS as follows:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Owner at 20:38:26.62 on Sun 03/20/2011
Internet Explorer: 8.0.6001.19019 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3032.1722 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LENOVO\HOTKEY\FNF5SVC.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
C:\Program Files\Sony\PMB\PMBDeviceInfoProvider.exe
C:\Program Files\Lenovo\PMDriver\PMSveH.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lenovo\PMDriver\PMHandler.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Lenovo\HOTKEY\TpWAudAp.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE
C:\Program Files\ThinkVantage\AMSG\Amsg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\VeriFaceIII\PManage.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Sony\PMB\PMBVolumeWatcher.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\ehome\ehmsas.exe
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Owner\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchFilterHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uDefault_Page_URL = hxxp://lenovo.live.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://lenovo.live.com
mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80115
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80115
mURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1308.0\msneshellx.dll
BHO: : {d3d233d5-9f6d-436c-b6c7-e63f77503b30} - c:\progra~1\inboxt~1\Inbox.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1308.0\msneshellx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngin1.dll
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PMHandler] c:\progra~1\lenovo\pmdriver\PMHandler.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [TPWAUDAP] c:\program files\lenovo\hotkey\TpWAudAp.exe
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [LPManager] c:\progra~1\lenovo\lenovo~2\LPMGR.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatchTray10.exe"
mRun: [AMSG] c:\program files\thinkvantage\amsg\Amsg.exe /startup
mRun: [VeriFaceManager] c:\program files\lenovo\verifaceiii\PManage.exe
mRun: [hpqSRMon]
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [PMBVolumeWatcher] c:\program files\sony\pmb\PMBVolumeWatcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\magic-i.lnk - c:\program files\arcsoft\magic-i 3\Magic-i.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Trusted Zone: intuit.com\ttlc
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - c:\progra~1\inboxt~1\Inbox.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli ACGina
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\owner\appdata\roaming\mozilla\firefox\profiles\bxa1v8z4.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59636
FF - prefs.js: network.proxy.type - 0
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\bxa1v8z4.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll
FF - component: c:\users\owner\appdata\roaming\mozilla\firefox\profiles\bxa1v8z4.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\programdata\realarcade\npraclient.dll
FF - plugin: c:\programdata\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\users\owner\appdata\local\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\owner\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\mozilla firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: XULRunner: {7A4C2F82-0B49-4962-B288-F78D82C94FF7} - c:\users\owner\appdata\local\{7A4C2F82-0B49-4962-B288-F78D82C94FF7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - %profile%\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\owner\appdata\roaming\Move Networks
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 funfrm;funfrm;c:\windows\system32\drivers\funfrm.sys [2009-3-27 44544]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-19 13480]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-3-19 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-3-19 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-19 61960]
R2 FNF5SVC;Fn+F5 Service;c:\program files\lenovo\hotkey\FnF5svc.exe [2008-9-11 54560]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\sony\pmb\PMBDeviceInfoProvider.exe [2009-10-24 360224]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-1-10 993848]
R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-1-10 399416]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-9-11 53325]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-24 520192]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-15 24652]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-24 183808]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-3-27 112128]
R3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2009-3-27 97536]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2009-3-27 48192]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca1fd3411af270;Google Update Service (gupdate1ca1fd3411af270);c:\program files\google\update\GoogleUpdate.exe [2009-8-18 133104]
S2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\roxio\digital home 10\RoxioUpnpService10.exe [2008-4-25 362992]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-4-25 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-4-25 166384]
S2 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-24 360448]
S3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\roxio\digital home 10\RoxioUPnPRenderer10.exe [2008-4-25 313840]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-03-20 04:45:34 -------- d-----w- c:\users\owner\appdata\roaming\Avira
2011-03-20 04:38:51 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-20 04:38:51 -------- d-----w- c:\program files\Avira
2011-03-20 04:38:51 -------- d-----w- c:\progra~2\Avira
2011-03-20 04:10:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-20 04:10:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-20 04:10:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-20 00:38:12 -------- d-----w- c:\users\owner\appdata\roaming\SUPERAntiSpyware.com
2011-03-20 00:38:12 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2011-03-20 00:37:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-19 06:10:32 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{d4b38b46-6ece-4c9b-bc6f-f3cf4d0516e3}\mpengine.dll
2011-03-19 00:19:27 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-12 22:30:45 -------- d-----w- c:\program files\iPod
2011-03-10 04:26:25 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-10 04:26:25 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-10 04:26:25 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-10 04:26:25 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-10 04:26:21 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-10 04:26:21 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 02:32:59 -------- d--h--w- c:\progra~2\lBaGhLe15406
2011-03-05 02:06:30 -------- d-----w- c:\program files\iTunes
2011-03-03 20:20:03 -------- d--h--w- c:\users\owner\appdata\local\Secunia PSI
2011-03-03 20:19:30 -------- d-----w- c:\program files\Secunia
.
==================== Find3M ====================
.
2011-02-18 22:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-02 23:11:20 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-01-24 22:53:36 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:32 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44:05 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44:03 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
2010-12-28 15:55:03 413696 ----a-w- c:\windows\system32\odbc32.dll
.
============= FINISH: 20:39:25.20 ===============


Any help will be greatly appreciated.

Attached Files



BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:16 AM

Posted 26 March 2011 - 06:13 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 rsyma

rsyma
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 26 March 2011 - 07:12 PM

Hi, mOle!
I'm all ears! Show me the way!

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:16 AM

Posted 26 March 2011 - 07:22 PM

Trojan FakeAlert isn't a very nice one. Can you first check we aren't dealing with anything else

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

Posted Image
m0le is a proud member of UNITE

#5 rsyma

rsyma
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 26 March 2011 - 07:55 PM

Ok, done. It reported nothing found.
Here is the results:

2011/03/26 19:51:45.0942 5736 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/26 19:51:46.0469 5736 ================================================================================
2011/03/26 19:51:46.0469 5736 SystemInfo:
2011/03/26 19:51:46.0469 5736
2011/03/26 19:51:46.0469 5736 OS Version: 6.0.6002 ServicePack: 2.0
2011/03/26 19:51:46.0469 5736 Product type: Workstation
2011/03/26 19:51:46.0469 5736 ComputerName: OWNER-PC
2011/03/26 19:51:46.0470 5736 UserName: Owner
2011/03/26 19:51:46.0470 5736 Windows directory: C:\Windows
2011/03/26 19:51:46.0470 5736 System windows directory: C:\Windows
2011/03/26 19:51:46.0470 5736 Processor architecture: Intel x86
2011/03/26 19:51:46.0470 5736 Number of processors: 2
2011/03/26 19:51:46.0470 5736 Page size: 0x1000
2011/03/26 19:51:46.0470 5736 Boot type: Normal boot
2011/03/26 19:51:46.0470 5736 ================================================================================
2011/03/26 19:51:47.0291 5736 Initialize success
2011/03/26 19:52:00.0968 5740 ================================================================================
2011/03/26 19:52:00.0968 5740 Scan started
2011/03/26 19:52:00.0968 5740 Mode: Manual;
2011/03/26 19:52:00.0968 5740 ================================================================================
2011/03/26 19:52:02.0506 5740 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/03/26 19:52:02.0802 5740 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/03/26 19:52:03.0127 5740 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/03/26 19:52:03.0393 5740 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/03/26 19:52:03.0685 5740 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/03/26 19:52:04.0040 5740 Afc (fe3ea6e9afc1a78e6edca121e006afb7) C:\Windows\system32\drivers\Afc.sys
2011/03/26 19:52:04.0369 5740 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/03/26 19:52:04.0682 5740 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/03/26 19:52:04.0985 5740 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/03/26 19:52:05.0271 5740 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/03/26 19:52:05.0548 5740 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/03/26 19:52:05.0793 5740 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/03/26 19:52:06.0048 5740 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/03/26 19:52:06.0303 5740 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2011/03/26 19:52:06.0617 5740 ApfiltrService (0f83cb9bcb247869bcad28026b8f134b) C:\Windows\system32\DRIVERS\Apfiltr.sys
2011/03/26 19:52:06.0917 5740 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/03/26 19:52:07.0231 5740 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/03/26 19:52:07.0538 5740 ARCSOFTVIRTUALCAPTURE (f0b2bcc9d7c1fcb7ac4665c566536278) C:\Windows\system32\DRIVERS\ArcSoftVirtualCapture.sys
2011/03/26 19:52:07.0827 5740 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/03/26 19:52:08.0112 5740 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/03/26 19:52:08.0412 5740 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\Windows\system32\DRIVERS\avgntflt.sys
2011/03/26 19:52:08.0737 5740 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\Windows\system32\DRIVERS\avipbb.sys
2011/03/26 19:52:09.0044 5740 b57nd60x (f17463eddb3b6a988f939ff403e067c3) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/03/26 19:52:09.0404 5740 BCM43XX (36aec496ba179120305319d1086228fc) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/03/26 19:52:09.0717 5740 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/03/26 19:52:10.0018 5740 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/03/26 19:52:10.0330 5740 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2011/03/26 19:52:10.0618 5740 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/03/26 19:52:10.0895 5740 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/03/26 19:52:11.0174 5740 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/03/26 19:52:11.0419 5740 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/03/26 19:52:11.0696 5740 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/03/26 19:52:11.0940 5740 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/03/26 19:52:12.0240 5740 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/03/26 19:52:12.0563 5740 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/03/26 19:52:12.0828 5740 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/03/26 19:52:13.0085 5740 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/03/26 19:52:13.0310 5740 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/03/26 19:52:13.0650 5740 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/03/26 19:52:13.0929 5740 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/03/26 19:52:14.0230 5740 CnxtHdAudService (8b7a0ce6613f991359ff95212900396c) C:\Windows\system32\drivers\CHDRT32.sys
2011/03/26 19:52:14.0486 5740 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/03/26 19:52:14.0748 5740 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/03/26 19:52:15.0015 5740 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/03/26 19:52:15.0319 5740 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/03/26 19:52:15.0659 5740 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/03/26 19:52:15.0979 5740 DLABMFSM (5b149ccfe275f4de0b4b8ec6b9f6821e) C:\Windows\system32\DLA\DLABMFSM.SYS
2011/03/26 19:52:16.0266 5740 DLABOIOM (ad4cb3d783634c90a9d0ce360933a63c) C:\Windows\system32\DLA\DLABOIOM.SYS
2011/03/26 19:52:16.0558 5740 DLACDBHM (5230cdb7e715f3a3b4a882e254cdd35d) C:\Windows\system32\Drivers\DLACDBHM.SYS
2011/03/26 19:52:16.0851 5740 DLADResM (93d03238cc3f0ee3c0b3985d110ec575) C:\Windows\system32\DLA\DLADResM.SYS
2011/03/26 19:52:16.0963 5740 DLAIFS_M (6a82f77c4a6f5235bf352f0028e2ef52) C:\Windows\system32\DLA\DLAIFS_M.SYS
2011/03/26 19:52:17.0238 5740 DLAOPIOM (0e6052c0ada37504896a847231a3907d) C:\Windows\system32\DLA\DLAOPIOM.SYS
2011/03/26 19:52:17.0535 5740 DLAPoolM (29670bb4e2b973c5b55a76107d4910b2) C:\Windows\system32\DLA\DLAPoolM.SYS
2011/03/26 19:52:17.0800 5740 DLARTL_M (77fe51f0f8d86804cb81f6ef6bfb86dd) C:\Windows\system32\Drivers\DLARTL_M.SYS
2011/03/26 19:52:18.0102 5740 DLAUDFAM (6b087732b86c1d866d69dbbe463ea90a) C:\Windows\system32\DLA\DLAUDFAM.SYS
2011/03/26 19:52:18.0367 5740 DLAUDF_M (bbeecb95f2841ae4a3e3690d46d7153d) C:\Windows\system32\DLA\DLAUDF_M.SYS
2011/03/26 19:52:18.0678 5740 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
2011/03/26 19:52:18.0978 5740 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2011/03/26 19:52:19.0198 5740 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
2011/03/26 19:52:19.0480 5740 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/03/26 19:52:19.0765 5740 DRVMCDB (83106585494d5eb96f59187200c144bd) C:\Windows\system32\Drivers\DRVMCDB.SYS
2011/03/26 19:52:20.0020 5740 DRVNDDM (ffc371525aa55d1bae18715ebcb8797c) C:\Windows\system32\Drivers\DRVNDDM.SYS
2011/03/26 19:52:20.0322 5740 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/03/26 19:52:20.0656 5740 e1express (908ed85b7806e8af3af5e9b74f7809d4) C:\Windows\system32\DRIVERS\e1e6032.sys
2011/03/26 19:52:20.0935 5740 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/03/26 19:52:21.0221 5740 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/03/26 19:52:21.0537 5740 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/03/26 19:52:21.0876 5740 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2011/03/26 19:52:22.0207 5740 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/03/26 19:52:22.0492 5740 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/03/26 19:52:22.0730 5740 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/03/26 19:52:23.0053 5740 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/03/26 19:52:23.0297 5740 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/03/26 19:52:23.0576 5740 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/03/26 19:52:23.0872 5740 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/03/26 19:52:24.0166 5740 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/03/26 19:52:24.0408 5740 funfrm (b3221fa06af0aca6d5d83717d573eb83) C:\Windows\system32\drivers\funfrm.sys
2011/03/26 19:52:24.0696 5740 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/03/26 19:52:24.0974 5740 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/03/26 19:52:25.0314 5740 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/03/26 19:52:25.0617 5740 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/03/26 19:52:25.0883 5740 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/03/26 19:52:26.0172 5740 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/03/26 19:52:26.0431 5740 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/03/26 19:52:26.0727 5740 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/03/26 19:52:27.0070 5740 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2011/03/26 19:52:27.0397 5740 HSF_DPV (fadd7095163cb3cb4073793ebb50fe75) C:\Windows\system32\DRIVERS\HSX_DPV.sys
2011/03/26 19:52:27.0765 5740 HSXHWAZL (058783bedd17615d1fece09f77960436) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
2011/03/26 19:52:28.0024 5740 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/03/26 19:52:28.0352 5740 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/03/26 19:52:28.0649 5740 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/03/26 19:52:28.0944 5740 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/03/26 19:52:29.0521 5740 igfx (8266ae06df974e5ba047b3e9e9e70b3f) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/03/26 19:52:29.0942 5740 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/03/26 19:52:30.0265 5740 IntcHdmiAddService (c7e7e43cbd34d3b0a0156b51b917dfcc) C:\Windows\system32\drivers\IntcHdmi.sys
2011/03/26 19:52:30.0541 5740 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/03/26 19:52:30.0842 5740 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/03/26 19:52:31.0142 5740 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/03/26 19:52:31.0554 5740 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/03/26 19:52:31.0822 5740 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/03/26 19:52:32.0093 5740 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/03/26 19:52:32.0346 5740 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/03/26 19:52:32.0628 5740 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/03/26 19:52:32.0868 5740 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/03/26 19:52:33.0168 5740 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/03/26 19:52:33.0471 5740 JMCR (a69a1b991824b98f744913555f665893) C:\Windows\system32\DRIVERS\jmcr.sys
2011/03/26 19:52:33.0705 5740 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/03/26 19:52:34.0003 5740 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
2011/03/26 19:52:34.0287 5740 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/03/26 19:52:34.0618 5740 lenovo.smi (3c3f7f424e324c6971632c5de5ff458f) C:\Windows\system32\DRIVERS\smiif32.sys
2011/03/26 19:52:34.0880 5740 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/03/26 19:52:35.0168 5740 LPCFilter (31f74d5d47eea83e5e89447586917774) C:\Windows\system32\DRIVERS\LPCFilter.sys
2011/03/26 19:52:35.0426 5740 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2011/03/26 19:52:35.0716 5740 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2011/03/26 19:52:36.0028 5740 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2011/03/26 19:52:36.0317 5740 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/03/26 19:52:36.0875 5740 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/03/26 19:52:37.0474 5740 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2011/03/26 19:52:38.0152 5740 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2011/03/26 19:52:38.0716 5740 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/03/26 19:52:39.0161 5740 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/03/26 19:52:39.0388 5740 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/03/26 19:52:39.0707 5740 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/03/26 19:52:39.0960 5740 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/03/26 19:52:40.0251 5740 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2011/03/26 19:52:40.0502 5740 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/03/26 19:52:40.0805 5740 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/03/26 19:52:41.0045 5740 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/03/26 19:52:41.0302 5740 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/03/26 19:52:41.0583 5740 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/03/26 19:52:41.0830 5740 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/03/26 19:52:42.0108 5740 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
2011/03/26 19:52:42.0366 5740 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2011/03/26 19:52:42.0687 5740 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/03/26 19:52:42.0958 5740 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/03/26 19:52:43.0263 5740 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/03/26 19:52:43.0563 5740 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/03/26 19:52:44.0028 5740 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/03/26 19:52:44.0258 5740 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/03/26 19:52:44.0534 5740 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/03/26 19:52:44.0782 5740 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/03/26 19:52:45.0041 5740 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/03/26 19:52:45.0306 5740 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/03/26 19:52:45.0613 5740 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/03/26 19:52:45.0910 5740 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/03/26 19:52:46.0213 5740 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/03/26 19:52:46.0484 5740 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/03/26 19:52:46.0761 5740 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/03/26 19:52:47.0058 5740 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/03/26 19:52:47.0331 5740 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/03/26 19:52:47.0640 5740 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/03/26 19:52:47.0912 5740 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/03/26 19:52:48.0206 5740 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/03/26 19:52:48.0493 5740 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/03/26 19:52:48.0816 5740 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/03/26 19:52:49.0227 5740 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\Windows\system32\DRIVERS\NuidFltr.sys
2011/03/26 19:52:49.0505 5740 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/03/26 19:52:49.0777 5740 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2011/03/26 19:52:50.0077 5740 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2011/03/26 19:52:50.0361 5740 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2011/03/26 19:52:50.0954 5740 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/03/26 19:52:51.0244 5740 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/03/26 19:52:51.0468 5740 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/03/26 19:52:51.0765 5740 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/03/26 19:52:52.0043 5740 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/03/26 19:52:52.0353 5740 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2011/03/26 19:52:52.0658 5740 pcmcia (b7c5a8769541900f6dfa6fe0c5e4d513) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/03/26 19:52:52.0959 5740 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/03/26 19:52:53.0507 5740 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/03/26 19:52:53.0779 5740 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2011/03/26 19:52:54.0079 5740 psadd (f8a25f1dd8b2c332cbc663e3579566e7) C:\Windows\system32\DRIVERS\psadd.sys
2011/03/26 19:52:54.0373 5740 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/03/26 19:52:54.0644 5740 PSI (d24dfd16a1e2a76034df5aa18125c35d) C:\Windows\system32\DRIVERS\psi_mf.sys
2011/03/26 19:52:54.0900 5740 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\Windows\system32\Drivers\PxHelp20.sys
2011/03/26 19:52:55.0221 5740 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2011/03/26 19:52:55.0579 5740 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/03/26 19:52:55.0877 5740 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/03/26 19:52:56.0110 5740 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/03/26 19:52:56.0399 5740 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/03/26 19:52:56.0688 5740 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/03/26 19:52:56.0916 5740 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/03/26 19:52:57.0147 5740 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/03/26 19:52:57.0452 5740 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/03/26 19:52:57.0714 5740 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2011/03/26 19:52:57.0984 5740 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/03/26 19:52:58.0250 5740 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/03/26 19:52:58.0581 5740 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/03/26 19:52:58.0708 5740 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/03/26 19:52:58.0765 5740 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/03/26 19:52:59.0058 5740 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/03/26 19:52:59.0351 5740 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
2011/03/26 19:52:59.0647 5740 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/03/26 19:52:59.0958 5740 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/03/26 19:53:00.0193 5740 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/03/26 19:53:00.0444 5740 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/03/26 19:53:00.0725 5740 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2011/03/26 19:53:00.0980 5740 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2011/03/26 19:53:01.0220 5740 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2011/03/26 19:53:01.0453 5740 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/03/26 19:53:01.0720 5740 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2011/03/26 19:53:01.0976 5740 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2011/03/26 19:53:02.0221 5740 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2011/03/26 19:53:02.0482 5740 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/03/26 19:53:02.0743 5740 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/03/26 19:53:03.0048 5740 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2011/03/26 19:53:03.0343 5740 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2011/03/26 19:53:03.0640 5740 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2011/03/26 19:53:03.0942 5740 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\Windows\system32\DRIVERS\ssmdrv.sys
2011/03/26 19:53:04.0230 5740 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/03/26 19:53:04.0487 5740 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/03/26 19:53:04.0763 5740 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/03/26 19:53:05.0018 5740 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/03/26 19:53:05.0326 5740 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/03/26 19:53:05.0625 5740 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/03/26 19:53:05.0894 5740 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/03/26 19:53:06.0172 5740 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/03/26 19:53:06.0428 5740 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/03/26 19:53:06.0685 5740 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/03/26 19:53:06.0979 5740 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/03/26 19:53:07.0338 5740 TPM (cb258c2f726f1be73c507022be33ebb3) C:\Windows\system32\drivers\tpm.sys
2011/03/26 19:53:07.0627 5740 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/03/26 19:53:07.0882 5740 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/03/26 19:53:08.0109 5740 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/03/26 19:53:08.0437 5740 tvtfilter (49258a02a1e8d304ed88b0f1c56b1738) C:\Windows\system32\DRIVERS\tvtfilter.sys
2011/03/26 19:53:08.0671 5740 TVTI2C (7e66dda1ef146bfc3a6e36e08e036602) C:\Windows\system32\DRIVERS\Tvti2c.sys
2011/03/26 19:53:08.0938 5740 tvtumon (fc4d5a1ea9d736907cb547085248199f) C:\Windows\system32\DRIVERS\tvtumon.sys
2011/03/26 19:53:09.0251 5740 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2011/03/26 19:53:09.0501 5740 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/03/26 19:53:09.0795 5740 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2011/03/26 19:53:10.0055 5740 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2011/03/26 19:53:10.0289 5740 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/03/26 19:53:10.0569 5740 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/03/26 19:53:10.0852 5740 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/03/26 19:53:11.0182 5740 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\Windows\system32\Drivers\usbaapl.sys
2011/03/26 19:53:11.0482 5740 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
2011/03/26 19:53:11.0778 5740 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/03/26 19:53:12.0077 5740 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/03/26 19:53:12.0371 5740 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/03/26 19:53:12.0653 5740 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/03/26 19:53:12.0897 5740 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/03/26 19:53:13.0149 5740 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/03/26 19:53:13.0375 5740 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/03/26 19:53:13.0627 5740 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/03/26 19:53:13.0851 5740 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/03/26 19:53:14.0072 5740 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2011/03/26 19:53:14.0380 5740 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/03/26 19:53:14.0517 5740 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/03/26 19:53:14.0773 5740 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2011/03/26 19:53:15.0052 5740 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2011/03/26 19:53:15.0297 5740 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2011/03/26 19:53:15.0563 5740 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/03/26 19:53:15.0787 5740 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/03/26 19:53:16.0077 5740 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/03/26 19:53:16.0332 5740 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2011/03/26 19:53:16.0608 5740 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/03/26 19:53:16.0868 5740 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/03/26 19:53:16.0913 5740 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/03/26 19:53:17.0152 5740 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2011/03/26 19:53:17.0395 5740 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/03/26 19:53:17.0706 5740 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\Windows\system32\DRIVERS\wimfltr.sys
2011/03/26 19:53:18.0002 5740 winachsf (bb9cbaf6ac20452b245c324f1f50ee81) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/03/26 19:53:18.0416 5740 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/03/26 19:53:18.0737 5740 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/03/26 19:53:19.0039 5740 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/03/26 19:53:19.0292 5740 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
2011/03/26 19:53:19.0393 5740 ================================================================================
2011/03/26 19:53:19.0393 5740 Scan finished
2011/03/26 19:53:19.0393 5740 ================================================================================

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:16 AM

Posted 27 March 2011 - 04:09 AM

Okay so let's go after it

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Now please run MBAM again to see if anything is still hanging around

Please download Posted Image Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Posted Image
m0le is a proud member of UNITE

#7 rsyma

rsyma
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 28 March 2011 - 10:31 PM

Ok, Combofix ran and malwarebytes ran as well. Still having the same problem. My file folders say they are empty, but malwarebytes scans all empty files and shows they are there! What next? lol!

Here is the combo fix log:

ComboFix 11-03-28.01 - Owner 03/28/2011 14:47:32.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3032.1950 [GMT -5:00]
Running from: c:\users\Owner\Desktop\comfix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Common Files\Uninstall
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\users\Owner\AppData\Local\{7A4C2F82-0B49-4962-B288-F78D82C94FF7}
c:\users\Owner\AppData\Local\{7A4C2F82-0B49-4962-B288-F78D82C94FF7}\chrome.manifest
c:\users\Owner\AppData\Local\{7A4C2F82-0B49-4962-B288-F78D82C94FF7}\chrome\content\_cfg.js
c:\users\Owner\AppData\Local\{7A4C2F82-0B49-4962-B288-F78D82C94FF7}\chrome\content\overlay.xul
c:\users\Owner\AppData\Local\{7A4C2F82-0B49-4962-B288-F78D82C94FF7}\install.rdf
c:\users\Owner\Desktop\Music\Clan of Xymox\2003- Clan of Xymox - Farewell\_desktop.ini
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.2.inf
c:\windows\system32\CBUTTON.OCX
c:\windows\system32\Thumbs.db
Q:\Autorun.inf
S:\AUTORUN.INF
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
.
.
2011-03-28 19:59 . 2011-03-28 19:59 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-20 04:45 . 2011-03-20 04:45 -------- d-----w- c:\users\Owner\AppData\Roaming\Avira
2011-03-20 04:38 . 2011-03-20 04:38 -------- d-----w- c:\programdata\Avira
2011-03-20 04:38 . 2011-03-20 04:38 -------- d-----w- c:\program files\Avira
2011-03-20 04:38 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-20 04:38 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-20 04:10 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-20 04:10 . 2011-03-20 04:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-20 04:10 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-20 00:38 . 2011-03-20 00:38 -------- d-----w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2011-03-20 00:38 . 2011-03-20 00:38 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-03-20 00:37 . 2011-03-20 00:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-19 06:10 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D4B38B46-6ECE-4C9B-BC6F-F3CF4D0516E3}\mpengine.dll
2011-03-19 00:19 . 2011-03-19 00:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-12 22:30 . 2011-03-12 22:30 -------- d-----w- c:\program files\iPod
2011-03-10 04:26 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-10 04:26 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-10 04:26 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-10 04:26 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-10 04:26 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-10 04:26 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 02:32 . 2011-03-09 02:52 -------- d--h--w- c:\programdata\lBaGhLe15406
2011-03-05 02:06 . 2011-03-19 05:23 -------- d-----w- c:\program files\iTunes
2011-03-03 20:20 . 2011-03-03 20:20 -------- d--h--w- c:\users\Owner\AppData\Local\Secunia PSI
2011-03-03 20:19 . 2011-03-03 20:19 -------- d-----w- c:\program files\Secunia
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 22:36 . 2011-02-18 22:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2011-02-18 22:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-06 07:42 . 2011-02-06 07:42 0 ---ha-w- c:\users\Owner\AppData\Local\Skoqefijoci.bin
2011-02-02 23:11 . 2009-10-02 18:30 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-01-24 22:53 . 2011-01-24 22:53 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-01-20 16:37 . 2011-02-10 13:22 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-10 13:22 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-10 13:22 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-10 13:22 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08 . 2011-02-10 13:22 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-10 13:22 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07 . 2011-02-10 13:22 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-10 13:22 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-10 13:22 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-10 13:22 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-10 13:22 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-10 13:22 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-10 13:22 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-10 13:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-10 13:22 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-10 13:22 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-10 13:22 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-10 13:22 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24 . 2011-02-10 13:22 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-10 13:22 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-10 13:22 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-10 13:22 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-10 13:22 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-10 13:22 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-10 13:22 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-10 13:22 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44 . 2011-02-10 13:22 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44 . 2011-02-10 13:22 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47 . 2011-02-10 13:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-10 13:18 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-10 13:20 2039808 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-20 03:49 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin1.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-03-20 03:49 3911776 ----a-w- c:\program files\Vuze_Remote\tbVuz1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-20 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin1.dll" [2011-03-20 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-20 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-03-27 15:51 241752 ----a-w- c:\windows\System32\IcnOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-18 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMHandler"="c:\progra~1\Lenovo\PMDriver\PMHandler.exe" [2008-09-23 83240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-24 487424]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 120368]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2008-12-20 449088]
"VeriFaceManager"="c:\program files\Lenovo\VeriFaceIII\PManage.exe" [2009-03-27 323584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-01 274608]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-03-24 599328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-8-28 113664]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2010-9-30 530944]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-07-11 48192]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1ca1fd3411af270;Google Update Service (gupdate1ca1fd3411af270);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-18 133104]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2008-04-25 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-04-25 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-04-25 166384]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-10-09 360448]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2008-04-25 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 funfrm;funfrm; [x]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
S2 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2008-03-14 54560]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-08-08 53325]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-25 183808]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-18 07:12]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-18 07:12]
.
2011-03-21 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2008-09-25 19:52]
.
2011-02-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
2010-12-18 c:\windows\Tasks\User_Feed_Synchronization-{A4324344-6112-4716-BD84-921C4A63691B}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\bxa1v8z4.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59636
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - %profile%\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Owner\AppData\Roaming\Move Networks
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-hpqSRMon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 18:33
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2666899873-3529781444-1133689576-1003\Software\SecuROM\License information*]
"datasecu"=hex:12,41,36,a5,bb,53,26,05,9d,cc,45,56,fa,50,38,bc,d5,92,32,e2,83,
37,33,0b,33,93,6b,f4,8a,6a,8a,15,21,93,ea,da,b7,59,ec,f4,1a,60,1c,4e,b3,9a,\
"rkeysecu"=hex:2c,09,03,98,c0,41,c0,6c,61,46,3b,a4,fe,dc,70,5a
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3632)
c:\windows\system32\IcnOvrly.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\ArcSoft\Magic-i 3\uMgiSvr.exe
c:\program files\Lenovo\PMDriver\PMSveH.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Lenovo\PMDriver\PMHandler.exe
c:\program files\Lenovo\LenovoCare\LPMGR.EXE
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-03-28 18:38:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-28 23:38
.
Pre-Run: 35,665,289,216 bytes free
Post-Run: 35,825,967,104 bytes free
.
- - End Of File - - 7FBBBCA80A5A9DD9B817459ABBEAE7DE


And the results of the malwarebytes scan:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6199

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

3/28/2011 10:04:34 PM
mbam-log-2011-03-28 (22-04-34).txt

Scan type: Full scan (C:\|Q:\|S:\|)
Objects scanned: 408456
Time elapsed: 3 hour(s), 19 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Awaiting next line of attack!
Thanks!

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:16 AM

Posted 29 March 2011 - 05:33 PM

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\users\Owner\AppData\Local\Skoqefijoci.bin

Driver::
funfrm


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Finally please visit ESET and scan using their online facility

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
If no log is generated that means nothing was found. Please let me know if this happens.
Posted Image
m0le is a proud member of UNITE

#9 rsyma

rsyma
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 29 March 2011 - 11:07 PM

Ok, here are the results from ComboFix:

ComboFix 11-03-29.03 - Owner 03/29/2011 19:01:33.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3032.1886 [GMT -5:00]
Running from: c:\users\Owner\Desktop\comfix.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Owner\AppData\Local\Skoqefijoci.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Owner\AppData\Local\Skoqefijoci.bin
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_funfrm
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-30 00:09 . 2011-03-30 00:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-20 04:45 . 2011-03-20 04:45 -------- d-----w- c:\users\Owner\AppData\Roaming\Avira
2011-03-20 04:38 . 2011-03-20 04:38 -------- d-----w- c:\programdata\Avira
2011-03-20 04:38 . 2011-03-20 04:38 -------- d-----w- c:\program files\Avira
2011-03-20 04:38 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-20 04:38 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-20 04:10 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-20 04:10 . 2011-03-20 04:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-20 04:10 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-20 00:38 . 2011-03-20 00:38 -------- d-----w- c:\users\Owner\AppData\Roaming\SUPERAntiSpyware.com
2011-03-20 00:38 . 2011-03-20 00:38 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-03-20 00:37 . 2011-03-20 00:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-19 06:10 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D4B38B46-6ECE-4C9B-BC6F-F3CF4D0516E3}\mpengine.dll
2011-03-19 00:19 . 2011-03-19 00:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-12 22:30 . 2011-03-12 22:30 -------- d-----w- c:\program files\iPod
2011-03-10 04:26 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-10 04:26 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-10 04:26 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-10 04:26 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-10 04:26 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-10 04:26 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 02:32 . 2011-03-09 02:52 -------- d--h--w- c:\programdata\lBaGhLe15406
2011-03-05 02:06 . 2011-03-19 05:23 -------- d-----w- c:\program files\iTunes
2011-03-03 20:20 . 2011-03-03 20:20 -------- d--h--w- c:\users\Owner\AppData\Local\Secunia PSI
2011-03-03 20:19 . 2011-03-03 20:19 -------- d-----w- c:\program files\Secunia
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 22:36 . 2011-02-18 22:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-18 22:36 . 2011-02-18 22:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-02 23:11 . 2009-10-02 18:30 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2011-01-24 22:53 . 2011-01-24 22:53 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-01-20 16:37 . 2011-02-10 13:22 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-10 13:22 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-10 13:22 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-10 13:22 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08 . 2011-02-10 13:22 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-10 13:22 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07 . 2011-02-10 13:22 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-10 13:22 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-10 13:22 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-10 13:22 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-10 13:22 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-10 13:22 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-10 13:22 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-10 13:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-10 13:22 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-10 13:22 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-10 13:22 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-10 13:22 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-01-20 14:24 . 2011-02-10 13:22 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-10 13:22 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-10 13:22 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-10 13:22 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-10 13:22 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-10 13:22 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-10 13:22 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-10 13:22 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-20 13:44 . 2011-02-10 13:22 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-01-20 13:44 . 2011-02-10 13:22 797184 ----a-w- c:\windows\system32\FntCache.dll
2011-01-08 08:47 . 2011-02-10 13:18 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-10 13:18 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-10 13:20 2039808 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-20 03:49 3911776 ----a-w- c:\program files\ConduitEngine\ConduitEngin1.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
2011-03-20 03:49 3911776 ----a-w- c:\program files\Vuze_Remote\tbVuz1.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ba14329e-9550-4989-b3f2-9732e92d17cc}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-20 3911776]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngin1.dll" [2011-03-20 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BA14329E-9550-4989-B3F2-9732E92D17CC}"= "c:\program files\Vuze_Remote\tbVuz1.dll" [2011-03-20 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{ba14329e-9550-4989-b3f2-9732e92d17cc}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2009-03-27 15:51 241752 ----a-w- c:\windows\System32\IcnOvrly.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-18 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-03-16 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMHandler"="c:\progra~1\Lenovo\PMDriver\PMHandler.exe" [2008-09-23 83240]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"TPFNF7"="c:\program files\Lenovo\NPDIRECT\TPFNF7SP.exe" [2008-07-30 60192]
"TPWAUDAP"="c:\program files\Lenovo\HOTKEY\TpWAudAp.exe" [2008-03-11 54560]
"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-05-24 487424]
"LPManager"="c:\progra~1\Lenovo\LENOVO~2\LPMGR.exe" [2007-04-26 120368]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatchTray10.exe" [2008-04-25 244208]
"AMSG"="c:\program files\ThinkVantage\AMSG\Amsg.exe" [2008-12-20 449088]
"VeriFaceManager"="c:\program files\Lenovo\VeriFaceIII\PManage.exe" [2009-03-27 323584]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2010-12-01 274608]
"PMBVolumeWatcher"="c:\program files\Sony\PMB\PMBVolumeWatcher.exe" [2010-03-24 599328]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-08-26 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-08-26 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-08-26 170520]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-8-28 113664]
Magic-i.lnk - c:\program files\ArcSoft\Magic-i 3\Magic-i.exe [2010-9-30 530944]
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-1-10 291896]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-07-11 48192]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1ca1fd3411af270;Google Update Service (gupdate1ca1fd3411af270);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-18 133104]
R2 Roxio Upnp Server 10;Roxio Upnp Server 10;c:\program files\Roxio\Digital Home 10\RoxioUpnpService10.exe [2008-04-25 362992]
R2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe [2008-04-25 309744]
R2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe [2008-04-25 166384]
R2 SessionLauncher;SessionLauncher;c:\users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe [x]
R2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-10-09 360448]
R3 Roxio UPnP Renderer 10;Roxio UPnP Renderer 10;c:\program files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe [2008-04-25 313840]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
S2 FNF5SVC;Fn+F5 Service;c:\program files\LENOVO\HOTKEY\FNF5SVC.exe [2008-03-14 54560]
S2 PMBDeviceInfoProvider;PMBDeviceInfoProvider;c:\program files\Sony\PMB\PMBDeviceInfoProvider.exe [2009-10-24 360224]
S2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\PSIA.exe [2011-01-10 993848]
S2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [2011-01-10 399416]
S2 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-08-08 53325]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-24 520192]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-25 183808]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2008-08-07 97536]
S3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-09-01 15544]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-18 07:12]
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-18 07:12]
.
2011-03-21 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks\OBC.exe [2008-09-25 19:52]
.
2011-02-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PCDR5\pcdr5cuiw32.exe [2008-12-12 23:32]
.
2010-12-18 c:\windows\Tasks\User_Feed_Synchronization-{A4324344-6112-4716-BD84-921C4A63691B}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\bxa1v8z4.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?ilc=1
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59636
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - %profile%\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\users\Owner\AppData\Roaming\Move Networks
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-29 19:16
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2666899873-3529781444-1133689576-1003\Software\SecuROM\License information*]
"datasecu"=hex:12,41,36,a5,bb,53,26,05,9d,cc,45,56,fa,50,38,bc,d5,92,32,e2,83,
37,33,0b,33,93,6b,f4,8a,6a,8a,15,21,93,ea,da,b7,59,ec,f4,1a,60,1c,4e,b3,9a,\
"rkeysecu"=hex:2c,09,03,98,c0,41,c0,6c,61,46,3b,a4,fe,dc,70,5a
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4572)
c:\windows\system32\IcnOvrly.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\ArcSoft\Magic-i 3\uMgiSvr.exe
c:\program files\Lenovo\PMDriver\PMSveH.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\program files\Lenovo\System Update\SUService.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Lenovo\PMDriver\PMHandler.exe
c:\program files\Lenovo\LenovoCare\LPMGR.EXE
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Apoint2K\Apntex.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\windows\ehome\mcupdate.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-03-29 19:24:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-30 00:24
ComboFix2.txt 2011-03-28 23:38
.
Pre-Run: 36,345,806,848 bytes free
Post-Run: 36,006,068,224 bytes free
.
- - End Of File - - 0300D7C3D371F8B99D3302B4C68C1CA7




And the ESET scan results:

C:\Users\Owner\Downloads\SmitfraudFix.exe multiple threats deleted - quarantined


Had downloaded Smitfraud, but have never used it. Still having same problem. Even when I click on properties for the folders that say they are empty I get info that the files are there,, for example my music folder says there are almost 64 gigs in the folder, yet when I open the folder it states that the folder is empty, lol!

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:16 AM

Posted 30 March 2011 - 05:11 PM

It can't be that the files are hidden could it?

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Posted Image
m0le is a proud member of UNITE

#11 rsyma

rsyma
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 30 March 2011 - 06:07 PM

Ok, looks like that has my files back, the folders that had disappeared are now back and files are now back, they are a different shade, though (the icons), they have like a transparent look to them. The folders still state that they are empty, but the files are there. There are also a few new icons on the desktop as well, 2 of them say, desktop.ini, one says ~WRL1457.temp, and ~WRL0686.temp. Not too sure what those are. Still wondering how those files vanished in the first place!

#12 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:16 AM

Posted 30 March 2011 - 06:25 PM

Desktop.ini is usually hidden so let's go back and hide it.

1. Open the Windows Explorer
2. Click on Organize and then on Folder and search options
3. Go to the tab View and scroll down.
4. Check the option Hide protected operating system files and click on Apply
Posted Image
m0le is a proud member of UNITE

#13 rsyma

rsyma
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 30 March 2011 - 07:50 PM

Ok, done, I guess everything is sorta back to normal besides the weird icon shades which I don't understand why they appear that way. Thanks for much for your help!

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:12:16 AM

Posted 31 March 2011 - 05:45 PM

:thumbup2:
Posted Image
m0le is a proud member of UNITE

#15 rsyma

rsyma
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:08:16 PM

Posted 02 April 2011 - 08:18 PM

Ok, thought I was out of the woods, but more problems have developed! I think I am getting the virus through Java somehow! My files keep disappearing like before, now something with internet explorer is happening and there are ads playing in the background on my desktop! I never use explorer, only firefox! My desktop background is now black, I have unhidden my files, now I keep getting "internet explorer script error" pop ups every 10-15 minutes and radio ads! Then I was infected with Windows Recovery! Ran Superantispyware, here is what it found:

Trojan.Agent/Gen-FakeAlert[GPA]
C:\USERS\OWNER\APPDATA\LOCAL\TEMP\E.EXE

Trojan.Agent/Gen-IExplorer[Fake]
C:\USERS\OWNER\APPDATA\LOCAL\TEMP\RARSFX1\NIRD\IEXPLORE.EXE
C:\USERS\OWNER\APPDATA\LOCAL\TEMP\RARSFX2\NIRD\IEXPLORE.EXE
C:\USERS\OWNER\APPDATA\LOCAL\TEMP\RARSFX3\NIRD\IEXPLORE.EXE
C:\USERS\OWNER\APPDATA\LOCAL\TEMP\RARSFX4\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\USERS\OWNER\APPDATA\LOCAL\TEMP\RARSFX1\PROCS\EXPLORER.EXE
C:\USERS\OWNER\APPDATA\LOCAL\TEMP\RARSFX2\PROCS\EXPLORER.EXE
C:\USERS\OWNER\APPDATA\LOCAL\TEMP\RARSFX3\PROCS\EXPLORER.EXE
C:\USERS\OWNER\APPDATA\LOCAL\TEMP\RARSFX4\PROCS\EXPLORER.EXE

Ran rkill, it still states access denied before it runs for some reason, here is the log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/18/2011 at 22:09:59.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\ProgramData\QiffIeqXNyJn.exe
C:\Program Files\Real\RealUpgrade\RealUpgrade.exe


Rkill completed on 03/18/2011 at 22:10:57.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/18/2011 at 22:58:58.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:




Rkill completed on 03/18/2011 at 22:59:07.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 03/18/2011 at 23:12:10.


Processes terminated by Rkill or while it was running:


c:\Users\Owner\Desktop\My Documents\Support\rkill.exe


Rkill completed on 03/18/2011 at 23:12:15.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/19/2011 at 8:29:04.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\System32\grpconv.exe


Rkill completed on 03/19/2011 at 8:29:10.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/19/2011 at 17:37:45.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 03/19/2011 at 17:37:53.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/19/2011 at 18:41:03.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



--- ATTENTION ---

Windows was configured to use a proxy! Proxy settings have been removed.

The Proxy Server that was configured is:

If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.


Rkill completed on 03/19/2011 at 18:41:09.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/19/2011 at 18:46:21.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 03/19/2011 at 18:46:28.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/19/2011 at 22:52:19.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\ProgramData\Google\Google Toolbar\Update\GoogleToolbarInstaller_updater_signed.exe
C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_C8CBFED7F00D3A8C.exe


Rkill completed on 03/19/2011 at 22:52:26.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/23/2011 at 12:26:10.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe


Rkill completed on 03/23/2011 at 12:26:18.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/24/2011 at 18:02:57.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 03/24/2011 at 18:04:01.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/24/2011 at 18:05:01.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Program Files\Mozilla Firefox\plugin-container.exe


Rkill completed on 03/24/2011 at 18:05:15.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/24/2011 at 18:06:19.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 03/24/2011 at 18:06:32.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/30/2011 at 15:12:58.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe


Rkill completed on 03/30/2011 at 15:13:04.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/01/2011 at 21:21:02.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/01/2011 at 21:21:32.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Users\Owner\Desktop\Virus\Destroyer\eXplorer.exe
C:\Users\Owner\Desktop\Virus\Destroyer\eXplorer.exe


Rkill completed on 04/01/2011 at 21:21:58.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/01/2011 at 22:18:45.
Operating System: Windows Vista ™ Home Premium


Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/01/2011 at 22:36:40.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\system32\attrib.exe
C:\Windows\system32\attrib.exe
C:\Users\Owner\Desktop\Virus\Destroyer\eXplorer.exe
C:\Users\Owner\Desktop\Virus\Destroyer\eXplorer.exe
C:\Windows\system32\attrib.exe
C:\Windows\system32\attrib.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\runonce.exe


Rkill completed on 04/01/2011 at 22:36:48.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/01/2011 at 22:38:02.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\system32\attrib.exe
C:\Windows\system32\attrib.exe
C:\Users\Owner\Desktop\Virus\Destroyer\eXplorer.exe
C:\Users\Owner\Desktop\Virus\Destroyer\eXplorer.exe
C:\Windows\system32\attrib.exe
C:\Windows\system32\attrib.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\runonce.exe


Rkill completed on 04/01/2011 at 22:38:07.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/02/2011 at 16:14:36.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\system32\attrib.exe
C:\Windows\system32\attrib.exe
C:\Users\Owner\Desktop\Virus\Destroyer\eXplorer.exe
C:\Users\Owner\Desktop\Virus\Destroyer\eXplorer.exe
C:\Windows\system32\attrib.exe
C:\Windows\system32\attrib.exe


Rkill completed on 04/02/2011 at 16:14:42.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/02/2011 at 16:33:46.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Windows\system32\RacAgent.exe


Rkill completed on 04/02/2011 at 16:34:43.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/02/2011 at 16:35:55.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:



Rkill completed on 04/02/2011 at 16:36:00.


Ran Malwarebytes and it came up with nothing:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6249

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

4/2/2011 8:07:05 PM
mbam-log-2011-04-02 (20-07-05).txt

Scan type: Full scan (C:\|Q:\|S:\|)
Objects scanned: 409511
Time elapsed: 3 hour(s), 30 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Help!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users