
TDSS Infection?


This topic is locked. 28 replies to this topic.

#1 ajsnowflake (Members, 15 posts)

Posted 20 April 2011 - 07:44 PM

Greetings,

Windows7 - 32bit

I had been infected with "Windows Fix Disc" and went through the initial steps at "virus-removal/remove-windowsfixdisk"

Rkill seems to work correctly.

While attempting to run through the TDSS portion, the TDSS (Kaspersky) removal tool will not run (upon clicking "Yes" to allow it to make changes to the computer, no program runs).

Malwarebytes is able to run and update and now comes up clean when a full scan is run. The first time it was run it did find issues and removed them.

Links in Google continue to redirect to junk sites, and I am receiving random "script error" popups for various changing URLs on my desktop (even when no internet browsers are active).

Any assistance would be greatly appreciated.


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by jstorter at 14:58:14.21 on Wed 04/20/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2998.1541 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_111ae7bb7f222578\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_111ae7bb7f222578\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\Explorer.EXE
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Users\jstorter\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\spool\drivers\w32x86\3\E_FATIFRA.EXE
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Users\jstorter\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\jstorter\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\jstorter\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\jstorter\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\jstorter\Desktop\dds.scr
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {E84CC2C1-B722-48FC-A39C-EDB8B525C777} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon"
uRun: [Google Update] "c:\users\jstorter\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [EPSON Artisan 810 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatifra.exe /fu "c:\windows\temp\E_SF5D5.tmp" /EF "HKCU"
uRun: [EPSON Artisan 810] c:\windows\system32\spool\drivers\w32x86\3\e_fatifra.exe /fu "c:\windows\temp\E_S6EAC.tmp" /EF "HKCU"
mRun: [<NO NAME>]
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\jstorter\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jstorter\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\jstorter\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\sac-de~1.lnk - c:\program files\steepandcheap\desktop alert\SAC-Desktop-Alert.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdfltn.sys [2010-6-8 17072]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R1 MpKslc2568217;MpKslc2568217;c:\programdata\microsoft\microsoft antimalware\definition updates\{64f38139-6326-4f27-9165-3e059b34ba3e}\MpKslc2568217.sys [2011-4-20 28752]
R1 NEOFLTR_650_15255;Juniper Networks TDI Filter Driver (NEOFLTR_650_15255);c:\windows\system32\drivers\NEOFLTR_650_15255.SYS [2010-9-24 85360]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_111ae7bb7f222578\AEstSrv.exe [2010-6-8 81920]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-12-17 812448]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-12-17 27040]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-12-10 386848]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2010-6-8 13336]
R2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometerp11\InstallFilterService.exe [2010-6-8 60928]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-6-8 59392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-19 1153368]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2010-6-8 42672]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-6-8 33832]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-6-8 214696]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-6-8 132352]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-6-8 209920]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-24 136176]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2011-1-25 84832]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-23 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-8 48640]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-6-8 38912]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-21 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-04-20 20:10:59 28752 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{64f38139-6326-4f27-9165-3e059b34ba3e}\MpKslc2568217.sys
2011-04-20 19:05:23 -------- d-----w- c:\windows\pss
2011-04-20 16:23:13 -------- d-----w- c:\windows\system32\SPReview
2011-04-20 15:58:35 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-20 15:54:13 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{64f38139-6326-4f27-9165-3e059b34ba3e}\mpengine.dll
2011-04-20 15:53:00 -------- d-----w- c:\users\jstorter\appdata\local\{CF2F9869-920C-4FAB-8923-FF7949816193}
2011-04-20 10:51:52 -------- d-----w- c:\users\jstorter\appdata\roaming\Malwarebytes
2011-04-20 10:51:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 10:51:33 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-20 10:51:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 10:49:49 -------- d-----w- c:\users\jstorter\appdata\local\{40241A0C-A29A-416D-BEF2-7C6252B07941}
2011-04-20 10:38:29 -------- d-sh--w- C:\found.000
2011-04-20 00:34:25 -------- d-----w- c:\windows\system32\EventProviders
2011-04-19 23:59:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-19 23:59:43 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-04-19 23:32:06 -------- d-----w- c:\users\jstorter\appdata\local\{5A02384C-E095-4B2C-ABDF-BFE1A4CA7DFB}
2011-04-18 15:54:26 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-04-18 15:51:14 -------- d-----w- c:\users\jstorter\appdata\local\{1D83E592-1B49-40D8-B0AC-CC4DB880A285}
2011-04-18 02:57:31 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-15 23:06:31 -------- d-----w- c:\users\jstorter\appdata\local\{0A4A1708-EB13-42FC-85E2-292ADB9B976E}
2011-04-15 23:05:57 -------- d-----w- c:\users\jstorter\appdata\local\{F2FC8187-C2D4-45A9-8DCF-A29E92F4D27D}
2011-04-14 23:49:13 -------- d-----w- c:\users\jstorter\appdata\local\{8892069C-1CF6-47B5-8E38-532EB7FE71FE}
2011-04-13 16:39:07 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-13 16:39:07 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-13 16:39:06 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-13 16:08:00 -------- d-----w- c:\users\jstorter\appdata\local\{98089B1D-C5FB-4964-970F-C97F787720FC}
2011-04-13 04:15:08 -------- d-----w- c:\users\jstorter\appdata\local\{A5F83E61-65DB-4CEB-ABC7-8A3BEDADDCB4}
2011-04-11 23:49:18 -------- d-----w- c:\users\jstorter\appdata\local\{4FDF8CCB-E949-40D0-B319-DA987848B3AB}
2011-04-08 23:35:15 -------- d-----w- c:\users\jstorter\appdata\local\{EDF53F8E-8D22-423A-AB8C-C9862C661FC0}
2011-04-07 18:29:42 -------- d-----w- c:\users\jstorter\appdata\local\{316516BE-CA04-40F6-AE47-E7287E21B761}
2011-04-07 06:28:56 -------- d-----w- c:\users\jstorter\appdata\local\{DEA6B594-3A10-4060-8938-331ADAFE5435}
2011-04-06 18:12:03 -------- d-----w- c:\users\jstorter\appdata\local\{99C106D3-60AD-4190-82D8-97DFBB8AE5A3}
2011-04-05 16:39:14 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{e45abc26-057b-434e-96c3-3972ffb793f3}\gapaengine.dll
2011-03-31 15:43:40 -------- d-----w- c:\users\jstorter\appdata\local\{3B2FEE16-6DFB-41E6-B1AA-FB5309A323CE}
2011-03-25 21:59:26 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
.
==================== Find3M ====================
.
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:32:52 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 05:32:08 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-19 03:37:02 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-02-19 01:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-18 05:36:26 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-02-12 05:30:49 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-02-09 20:24:32 314880 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp112.dll
2011-02-09 20:24:32 287232 ----a-w- c:\windows\system32\hpcpn112.dll
2011-02-09 20:12:32 328704 ----a-w- c:\windows\system32\hpmml112.dll
2011-02-09 20:12:20 278528 ----a-w- c:\windows\system32\hpmja112.dll
2011-02-09 20:12:14 246272 ----a-w- c:\windows\system32\hpmpm081.dll
2011-02-09 20:12:06 181248 ----a-w- c:\windows\system32\hpmpw081.dll
2011-02-09 20:12:02 223232 ----a-w- c:\windows\system32\hpmtp112.dll
2011-02-09 20:11:58 111104 ----a-w- c:\windows\system32\hpmco112.dll
.
============= FINISH: 15:00:22.29 ===============
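The "Pseudo HJT Report" section of a DDS log is what a malware-response helper reads first: orphaned BHO/toolbar CLSIDs ("No File"), Run entries with no name, and LSA authentication packages beyond the Windows default are the usual triage points. The script below is an added example, not part of this thread or of the DDS tool; it automates exactly those three checks over a constructed sample made of lines copied from the log above. The LSA check only flags packages for review, not as malicious (this machine has Wave Systems' Trusted Drive Manager installed, which is consistent with the extra wvauth entry).

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log (added example)."""
import re
from typing import Dict, List

# Constructed sample: a subset of the Pseudo HJT Report lines from the DDS log
# posted in this thread, one raw string per line so backslashes stay literal.
SAMPLE_HJT_LINES = [
    r"uStart Page = hxxp://www.google.com/",
    r"uURLSearchHooks: H - No File",
    r"BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File",
    r"BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll",
    r"TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll",
    r"TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File",
    r"TB: {E84CC2C1-B722-48FC-A39C-EDB8B525C777} - No File",
    r"mRun: [<NO NAME>]",
    r'mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey',
    r'uRun: [Google Update] "c:\users\jstorter\appdata\local\google\update\GoogleUpdate.exe" /c',
    r"LSA: Authentication Packages = msv1_0 wvauth",
]
SAMPLE_HJT = "\n".join(SAMPLE_HJT_LINES)

# Line types whose target is a DLL; "- No File" means the CLSID is registered
# but its file is gone (leftover from an uninstall or a removed infection).
ORPHAN_PREFIXES = ("BHO:", "TB:", "uURLSearchHooks:", "mURLSearchHooks:")
# Autostart entries written by DDS as "<key>: [<name>] <command>".
RUN_RE = re.compile(r"^(?:uRun|mRun|uRunOnce|mRunOnce): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# The only authentication package a stock Windows 7 install lists.
DEFAULT_LSA_PACKAGES = {"msv1_0"}


def triage_hjt(text: str) -> Dict[str, List[str]]:
    """Return findings grouped by check; each finding quotes the offending entry."""
    findings: Dict[str, List[str]] = {
        "orphaned_entry": [],      # BHO/TB/URLSearchHook entries with no file on disk
        "unnamed_run": [],         # Run entries with an empty or <NO NAME> value
        "extra_lsa_packages": [],  # authentication packages beyond msv1_0
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(ORPHAN_PREFIXES) and line.endswith("- No File"):
            findings["orphaned_entry"].append(line)
            continue
        m = RUN_RE.match(line)
        if m:
            name = m.group("name").strip()
            if name == "" or name.upper() == "<NO NAME>":
                findings["unnamed_run"].append(line)
            continue
        if line.startswith("LSA: Authentication Packages"):
            packages = line.split("=", 1)[1].split()
            extras = [p for p in packages if p.lower() not in DEFAULT_LSA_PACKAGES]
            findings["extra_lsa_packages"].extend(extras)
    return findings


def format_report(findings: Dict[str, List[str]]) -> str:
    """Render findings as the kind of checklist a helper would post back."""
    out = []
    for check, items in findings.items():
        out.append(f"{check}: {len(items)}")
        out.extend(f"  {item}" for item in items)
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(triage_hjt(SAMPLE_HJT)))
```

Running the block against the constructed sample reports four orphaned entries, the one unnamed mRun, and wvauth as the only non-default LSA package; a real log is fed in by pasting the whole Pseudo HJT section into triage_hjt.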


#2 fireman4it (Bleepin' Fireman, Malware Response Team, 13,505 posts)

Posted 20 April 2011 - 08:07 PM

Hello ajsnowflake,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply; use multiple posts if you have to, unless otherwise directed.


1.
We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click Posted Image and then on "Advanced Mode"
    Posted Image
  • You may be presented with a warning dialog. If so, press Posted Image
  • Click on Posted Image
  • Click on Posted Image
  • Uncheck this checkbox:
    Posted Image
  • Close/Exit Spybot Search and Destroy

2.
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.


3.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


4.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

Edited by fireman4it, 20 April 2011 - 08:10 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 ajsnowflake (Topic Starter)

Posted 21 April 2011 - 01:03 PM

Hi fireman4it,
Thank you for helping me. I have a few problems, though. I apparently have a backlog of updates going on, because automatic updates run and install every time I power down my machine; I mention this because of the first line in your guidelines section. I am also having trouble with step 3: I have renamed and changed the file extension for TDSSKiller and still can't get it to run, and I do not have the option to run as administrator. When I choose Run, I am prompted with the following "User Account Control" message: "Do you want to allow the following program to make changes to this computer?" I click Yes, the window disappears and no program runs. Should I continue with step 4?

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:44 PM

Posted 21 April 2011 - 04:22 PM

Hello,

Go ahead and let all those Windows updates finish. Then go ahead to step 4.

Edited by fireman4it, 21 April 2011 - 04:22 PM.



#5 ajsnowflake

ajsnowflake
  • Topic Starter

  • Members
  • 15 posts
  • Local time:04:44 PM

Posted 21 April 2011 - 05:03 PM

fireman4it,
The Windows updates are repeats of failures to install Windows Service Pack 1. Successfully ran ComboFix; the log is attached. Google search results are still redirecting, and I am still getting script error window popups.

ComboFix 11-04-21.02 - jstorter 04/21/2011 13:42:49.1.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2998.1805 [GMT -8:00]
Running from: c:\users\jstorter\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\jstorter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery
c:\users\jstorter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
c:\users\jstorter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
c:\users\jstorter\g2mdlhlpx.exe
c:\windows\system32\drivers\npf.sys
E:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-03-21 to 2011-04-21 )))))))))))))))))))))))))))))))
.
.
2011-04-21 21:48 . 2011-04-21 21:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-21 21:28 . 2011-04-21 21:28 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1733775-419F-4832-BCE1-F8C82E799E72}\MpKsl72926271.sys
2011-04-21 16:49 . 2011-04-21 16:49 -------- d-----w- c:\users\jstorter\AppData\Local\{248CCC38-FC4C-4F58-9CE0-6A710B7A9D82}
2011-04-21 16:41 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1733775-419F-4832-BCE1-F8C82E799E72}\mpengine.dll
2011-04-20 16:23 . 2011-04-20 16:23 -------- d-----w- c:\windows\system32\SPReview
2011-04-20 15:58 . 2011-01-17 05:38 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-20 15:53 . 2011-04-20 15:53 -------- d-----w- c:\users\jstorter\AppData\Local\{CF2F9869-920C-4FAB-8923-FF7949816193}
2011-04-20 10:51 . 2011-04-20 10:51 -------- d-----w- c:\users\jstorter\AppData\Roaming\Malwarebytes
2011-04-20 10:51 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 10:51 . 2011-04-20 10:51 -------- d-----w- c:\programdata\Malwarebytes
2011-04-20 10:51 . 2011-04-20 10:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 10:49 . 2011-04-20 10:51 -------- d-----w- c:\users\jstorter\AppData\Local\{40241A0C-A29A-416D-BEF2-7C6252B07941}
2011-04-20 10:38 . 2011-04-20 10:38 -------- d-----w- C:\found.000
2011-04-20 00:34 . 2011-04-20 00:34 -------- d-----w- c:\windows\system32\EventProviders
2011-04-19 23:59 . 2011-04-21 17:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-04-19 23:59 . 2011-04-20 00:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-19 23:32 . 2011-04-19 23:32 -------- d-----w- c:\users\jstorter\AppData\Local\{5A02384C-E095-4B2C-ABDF-BFE1A4CA7DFB}
2011-04-18 15:54 . 2009-08-20 07:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-04-18 15:51 . 2011-04-18 15:51 -------- d-----w- c:\users\jstorter\AppData\Local\{1D83E592-1B49-40D8-B0AC-CC4DB880A285}
2011-04-18 02:57 . 2011-04-18 02:57 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-15 23:06 . 2011-04-15 23:06 -------- d-----w- c:\users\jstorter\AppData\Local\{0A4A1708-EB13-42FC-85E2-292ADB9B976E}
2011-04-15 23:05 . 2011-04-15 23:06 -------- d-----w- c:\users\jstorter\AppData\Local\{F2FC8187-C2D4-45A9-8DCF-A29E92F4D27D}
2011-04-14 23:49 . 2011-04-14 23:49 -------- d-----w- c:\users\jstorter\AppData\Local\{8892069C-1CF6-47B5-8E38-532EB7FE71FE}
2011-04-13 16:39 . 2011-02-23 05:06 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-13 16:39 . 2011-02-23 05:05 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-13 16:39 . 2011-02-23 05:05 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-13 16:08 . 2011-04-13 16:08 -------- d-----w- c:\users\jstorter\AppData\Local\{98089B1D-C5FB-4964-970F-C97F787720FC}
2011-04-13 04:15 . 2011-04-13 04:15 -------- d-----w- c:\users\jstorter\AppData\Local\{A5F83E61-65DB-4CEB-ABC7-8A3BEDADDCB4}
2011-04-11 23:49 . 2011-04-11 23:49 -------- d-----w- c:\users\jstorter\AppData\Local\{4FDF8CCB-E949-40D0-B319-DA987848B3AB}
2011-04-08 23:35 . 2011-04-08 23:35 -------- d-----w- c:\users\jstorter\AppData\Local\{EDF53F8E-8D22-423A-AB8C-C9862C661FC0}
2011-04-07 18:29 . 2011-04-07 18:29 -------- d-----w- c:\users\jstorter\AppData\Local\{316516BE-CA04-40F6-AE47-E7287E21B761}
2011-04-07 06:28 . 2011-04-07 06:29 -------- d-----w- c:\users\jstorter\AppData\Local\{DEA6B594-3A10-4060-8938-331ADAFE5435}
2011-04-06 18:12 . 2011-04-06 18:12 -------- d-----w- c:\users\jstorter\AppData\Local\{99C106D3-60AD-4190-82D8-97DFBB8AE5A3}
2011-04-05 16:39 . 2011-01-27 19:00 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E45ABC26-057B-434E-96C3-3972FFB793F3}\gapaengine.dll
2011-03-31 15:43 . 2011-04-01 17:57 -------- d-----w- c:\users\jstorter\AppData\Local\{3B2FEE16-6DFB-41E6-B1AA-FB5309A323CE}
2011-03-25 21:59 . 2011-01-27 19:00 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-21 21:29 . 2010-06-15 19:20 0 ----a-w- c:\users\jstorter\AppData\Local\WavXMapDrive.bat
2011-04-11 07:04 . 2010-06-26 21:20 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-23 20:46 . 2010-06-24 19:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-19 05:33 . 2011-03-09 21:41 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32 . 2011-03-09 21:41 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32 . 2011-03-09 21:41 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 01:36 . 2011-02-19 01:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-19 01:36 . 2011-02-19 01:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 20:24 . 2011-03-21 19:41 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpcpp112.dll
2011-02-09 20:24 . 2011-03-21 19:41 287232 ----a-w- c:\windows\system32\hpcpn112.dll
2011-02-09 20:12 . 2011-03-21 19:41 328704 ----a-w- c:\windows\system32\hpmml112.dll
2011-02-09 20:12 . 2011-03-21 19:41 278528 ----a-w- c:\windows\system32\hpmja112.dll
2011-02-09 20:12 . 2011-03-21 19:41 246272 ----a-w- c:\windows\system32\hpmpm081.dll
2011-02-09 20:12 . 2011-03-21 19:41 181248 ----a-w- c:\windows\system32\hpmpw081.dll
2011-02-09 20:12 . 2011-03-21 19:41 223232 ----a-w- c:\windows\system32\hpmtp112.dll
2011-02-09 20:11 . 2011-02-09 20:11 111104 ----a-w- c:\windows\system32\hpmco112.dll
2011-02-03 05:45 . 2011-02-09 09:32 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\jstorter\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\jstorter\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\jstorter\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\457\g2mstart.exe" [2010-12-13 39816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2009-11-12 203776]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-01-14 147328]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-01-14 34232]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-01-14 495711]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-04-30 79112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-02 166936]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-02 141848]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-02 175640]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-02 5249024]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-01-31 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
c:\users\jstorter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\jstorter\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-12-16 23343848]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-12-10 1327392]
SAC-Desktop-Alert.lnk - c:\program files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe [2008-12-26 370176]
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2009-11-24 132456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 MpKsl38d317f3;MpKsl38d317f3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{64F38139-6326-4F27-9165-3E059B34BA3E}\MpKsl38d317f3.sys [x]
R1 MpKsl9433d143;MpKsl9433d143;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2140CAE4-7D56-4995-9961-D4E070EF6B8C}\MpKsl9433d143.sys [x]
R1 MpKsleae6ab8b;MpKsleae6ab8b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D93CF83C-CFBB-4D3A-B20C-3F99FFC74EB5}\MpKsleae6ab8b.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 136176]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-18 84832]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-01-07 44416]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2010-02-21 48640]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2010-02-21 38912]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-21 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-07 11520]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 17072]
S1 MpKsl72926271;MpKsl72926271;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1733775-419F-4832-BCE1-F8C82E799E72}\MpKsl72926271.sys [2011-04-21 28752]
S1 NEOFLTR_650_15255;Juniper Networks TDI Filter Driver (NEOFLTR_650_15255);c:\windows\system32\Drivers\NEOFLTR_650_15255.SYS [2010-02-19 85360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_111ae7bb7f222578\aestsrv.exe [2010-01-14 81920]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 278304]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-12-17 812448]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-12-17 27040]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-12-10 386848]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-02-21 59392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2010-04-30 14088]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-01-18 42672]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-10-30 33832]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-12-10 214696]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-01-07 132352]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-11-27 209920]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 00:33]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 00:33]
.
2011-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1620663191-1358164138-3124822037-1003Core.job
- c:\users\jstorter\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-19 23:03]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1620663191-1358164138-3124822037-1003UA.job
- c:\users\jstorter\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-19 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{e84cc2c1-b722-48fc-a39c-edb8b525c777} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{E84CC2C1-B722-48FC-A39C-EDB8B525C777} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3656)
c:\users\jstorter\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_111ae7bb7f222578\STacSV.exe
c:\windows\system32\WUDFHost.exe
c:\program files\Dell\DW WLAN Card\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\system32\conhost.exe
c:\program files\Dell\DW WLAN Card\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\programdata\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\programdata\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\sppsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2011-04-21 13:57:09 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-21 21:57
.
Pre-Run: 29,124,681,728 bytes free
Post-Run: 28,969,730,048 bytes free
.
- - End Of File - - 40F106656640D8A18E5381EB164FAA20
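The service/driver and Run-key lines in the ComboFix log above follow a fixed layout, so a responder can triage them mechanically before deciding what to ask for next. The following Python script is an added example, not part of this thread and not ComboFix's own code: it parses a handful of lines copied from the posted log (embedded as a constructed sample), separates service/driver entries from Run-key autoruns, and marks for review any entry ComboFix tagged [x] (no file at that path) as well as boot- or system-start drivers loaded from outside the Windows driver directories. Reading the leading letter as R = running / S = stopped and the digit as the Windows service start type is an assumption about ComboFix's format. Note that the two MpKsl* entries it flags are the kind of leftover Microsoft Security Essentials creates per definition update, which is exactly why the script only marks entries for review rather than calling them malicious.

```python
import re

# Constructed sample: a handful of lines copied from the ComboFix log posted
# in this thread (Run key values and service/driver entries).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
.
R1 MpKsl38d317f3;MpKsl38d317f3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{64F38139-6326-4F27-9165-3E059B34BA3E}\MpKsl38d317f3.sys [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 136176]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 17072]
S1 NEOFLTR_650_15255;Juniper Networks TDI Filter Driver (NEOFLTR_650_15255);c:\windows\system32\Drivers\NEOFLTR_650_15255.SYS [2010-02-19 85360]
S1 MpKsl72926271;MpKsl72926271;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1733775-419F-4832-BCE1-F8C82E799E72}\MpKsl72926271.sys [2011-04-21 28752]
"""

# Service/driver line: <R|S><start type> name;display name;path [date size] or [x].
# Assumption: R = running, S = stopped; the digit is the Windows service start type.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>x|\d{4}-\d{2}-\d{2} \d+)\]$"
)
# Run key value line: "name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<stamp>[^\]]+)\]$')

START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
# Directories where early-start kernel drivers are normally installed.
SYSTEM_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")


def parse_combofix(text):
    """Split a ComboFix log into service/driver entries and Run-key autoruns."""
    services, autoruns = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["start"] = int(entry["start"])
            entry["running"] = entry["state"] == "R"
            entry["missing"] = entry["stamp"] == "x"  # ComboFix found no file at that path
            services.append(entry)
            continue
        m = RUN_RE.match(line)
        if m:
            autoruns.append(m.groupdict())
    return services, autoruns


def review_services(services):
    """Return (name, reason) pairs for entries a responder should look at first."""
    findings = []
    for s in services:
        path = s["path"].lower()
        if s["missing"]:
            findings.append((s["name"], "registered but file not on disk ([x]); stale or deleted"))
        elif s["start"] <= 1 and not path.startswith(SYSTEM_DRIVER_DIRS):
            # Boot/system-start drivers load before most defenses; one living
            # outside the driver directories deserves a look (rootkit or vendor quirk).
            findings.append(
                (s["name"], f"{START_TYPES[s['start']]}-start driver outside driver dirs: {s['path']}")
            )
    return findings


if __name__ == "__main__":
    svcs, runs = parse_combofix(SAMPLE_LOG)
    print(f"{len(svcs)} services, {len(runs)} Run-key autoruns")
    for name, reason in review_services(svcs):
        print(f"REVIEW {name}: {reason}")
```

On the sample it reports two entries: MpKsl38d317f3 because its file is gone, and MpKsl72926271 because a system-start driver sits under c:\programdata. Both are the expected Security Essentials leftovers, so the output is a worklist for a human, not a verdict.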

#6 ajsnowflake

ajsnowflake
  • Topic Starter

  • Members
  • 15 posts
  • Local time:04:44 PM

Posted 21 April 2011 - 06:31 PM

Oh and I now get random audio clips of advertisements or audio books that play for a while then stop on their own. I don't have any browsers open and no popups appear...

I open task manager when this happens and have no tasks running either.

Edited by ajsnowflake, 21 April 2011 - 06:31 PM.


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:44 PM

Posted 22 April 2011 - 10:31 AM

Hello,

1.
Let's try and run TDSSKiller in Safe Mode. Let's also rename it to winlogon.exe or winlogon.com.
Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.
Please see here for additional details.

2.
  • Download RogueKiller on the desktop
  • Close all the running processes
  • Under Vista/Seven, right click -> Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • When prompted, type 1 (SCAN) then Enter
  • A report should open, give its content to your helper. (RKreport could also be found next to the executable)
  • If RogueKiller has been blocked, do not hesitate to try a few more times. If it really won't run, rename it to winlogon.exe (or winlogon.com) and try again.

3.
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
If you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files before you can use this tool. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

4.
Download aswMBR.exe ( 511KB ) to your desktop.

Double-click aswMBR.exe to run it.

Posted Image
Click the "Scan" button to start the scan.


Posted Image
On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

5.
Are you able to burn CDs and have access to a USB flash drive?

6.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *volsnap*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Things to include in your next reply:
TDSSKiller log
RKreport
aswMBR log
RkUnhooker log
SystemLook.txt
Can you burn CDs and have access to a USB flash drive?
A new DDS log
How is your machine running now?



#8 ajsnowflake

ajsnowflake
  • Topic Starter

  • Members
  • 15 posts
  • Local time:04:44 PM

Posted 22 April 2011 - 12:29 PM

fireman4it,

TDSSKiller still will not run, even in Safe Mode. Yes, I can burn CDs and access USB thumb drives. Still receiving the script error, but I haven't heard the random audio bits for a while now, and Google search results are still redirecting.

RogueKiller V4.3.9 [04/16/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User: jstorter [Admin rights]
Mode: Scan -- Date : 04/22/2011 08:55:26

Bad processes: 0

Registry Entries: 1
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows 7
Version 6.1.7600
Number of processors #4
==============================================
>Drivers
==============================================
0x91A24000 C:\Windows\system32\DRIVERS\igdkmd32.sys 6840320 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x83019000 C:\Windows\system32\ntkrnlpa.exe 4259840 bytes (Microsoft Corporation, NT Kernel & System)
0x83019000 PnpManager 4259840 bytes
0x83019000 RAW 4259840 bytes
0x83019000 WMIxWDM 4259840 bytes
0x9761C000 C:\Windows\system32\DRIVERS\bcmwl6.sys 2723840 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)
0x99900000 Win32k 2404352 bytes
0x99900000 C:\Windows\System32\win32k.sys 2404352 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x8F82D000 C:\Windows\System32\Drivers\dump_iaStor.sys 1789952 bytes
0x8B42B000 C:\Windows\system32\DRIVERS\iaStor.sys 1789952 bytes (Intel Corporation, Intel Rapid Storage Technology driver - x86)
0x8BA2C000 C:\Windows\System32\drivers\tcpip.sys 1347584 bytes (Microsoft Corporation, TCP/IP Driver)
0x8B61B000 C:\Windows\System32\Drivers\Ntfs.sys 1241088 bytes (Microsoft Corporation, NT File System Driver)
0x920AA000 C:\Windows\System32\drivers\dxgkrnl.sys 749568 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x8B82A000 C:\Windows\system32\drivers\ndis.sys 749568 bytes (Microsoft Corporation, NDIS 6.20 driver)
0x836FE000 C:\Windows\system32\CI.dll 700416 bytes (Microsoft Corporation, Code Integrity Module)
0xAF02B000 C:\Windows\system32\drivers\peauth.sys 618496 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x99E6E000 C:\Windows\system32\drivers\HTTP.sys 544768 bytes (Microsoft Corporation, HTTP Protocol Stack)
0x8362B000 C:\Windows\system32\mcupdate_GenuineIntel.dll 491520 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x8B20A000 C:\Windows\system32\drivers\Wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)
0x9862C000 C:\Windows\system32\DRIVERS\stwrt.sys 442368 bytes (IDT, Inc., IDT PC Audio TPE)
0xC1826000 C:\Windows\system32\drivers\spsys.sys 434176 bytes (Microsoft Corporation, security processor)
0x90D98000 C:\Windows\system32\drivers\csc.sys 409600 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x8B788000 C:\Windows\System32\Drivers\cng.sys 380928 bytes (Microsoft Corporation, Kernel Cryptography, Next Generation)
0x90C29000 C:\Windows\system32\drivers\afd.sys 368640 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xAF149000 C:\Windows\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xAF0FA000 C:\Windows\System32\DRIVERS\srv2.sys 323584 bytes (Microsoft Corporation, Smb 2.0 Server driver)
0x99BB0000 C:\Windows\System32\ATMFD.DLL 315392 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x90E35000 C:\Windows\system32\DRIVERS\USBPORT.SYS 307200 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x8B34B000 C:\Windows\System32\drivers\volmgrx.sys 307200 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x8B289000 C:\Windows\system32\DRIVERS\ACPI.sys 294912 bytes (Microsoft Corporation, ACPI Driver for NT)
0x99E05000 C:\Windows\system32\DRIVERS\nwifi.sys 286720 bytes (Microsoft Corporation, NativeWiFi Miniport Driver)
0x90F61000 C:\Windows\system32\DRIVERS\usbhub.sys 278528 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x97946000 C:\Windows\system32\DRIVERS\Apfiltr.sys 274432 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0x836BC000 C:\Windows\system32\CLFS.SYS 270336 bytes (Microsoft Corporation, Common Log File System Driver)
0x90D37000 C:\Windows\system32\DRIVERS\rdbss.sys 266240 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x8BBAF000 C:\Windows\system32\DRIVERS\volsnap.sys 258048 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x8B8E1000 C:\Windows\system32\drivers\NETIO.SYS 253952 bytes (Microsoft Corporation, Network I/O Subsystem)
0x99F4A000 C:\Windows\system32\DRIVERS\mrxsmb10.sys 241664 bytes (Microsoft Corporation, Longhorn SMB Downlevel SubRdr)
0x986E0000 C:\Windows\system32\DRIVERS\IntcDAud.sys 237568 bytes (Intel® Corporation, Intel® Display HD Audio driver)
0x92161000 C:\Windows\System32\drivers\dxgmms1.sys 233472 bytes (Microsoft Corporation, DirectX Graphics MMS)
0x90FB6000 C:\Windows\system32\DRIVERS\WavxDMgr.sys 229376 bytes (Wave Systems Corp., WavX Document Manager Filter Driver)
0x83429000 ACPI_HAL 225280 bytes
0x83429000 C:\Windows\system32\halmacpi.dll 225280 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x9219A000 C:\Windows\system32\DRIVERS\e1k6232.sys 217088 bytes (Intel Corporation, Intel® Gigabit Adapter NDIS 6.x driver)
0x837A9000 C:\Windows\system32\drivers\fltmgr.sys 212992 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x90F1F000 C:\Windows\system32\DRIVERS\ks.sys 212992 bytes (Microsoft Corporation, Kernel CSA Library)
0x8B971000 C:\Windows\System32\DRIVERS\fvevol.sys 204800 bytes (Microsoft Corporation, BitLocker Drive Encryption Driver)
0x90C83000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x8BB75000 C:\Windows\System32\drivers\fwpkclnt.sys 200704 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x98698000 C:\Windows\system32\DRIVERS\portcls.sys 192512 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x8B396000 C:\Windows\system32\DRIVERS\pcmcia.sys 188416 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0x8B944000 C:\Windows\System32\drivers\rdyboost.sys 184320 bytes (Microsoft Corporation, ReadyBoost Driver)
0x978D3000 C:\Windows\system32\DRIVERS\1394ohci.sys 180224 bytes (Microsoft Corporation, 1394 OpenHCI Driver)
0x8B74A000 C:\Windows\System32\Drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0xAF1A3000 C:\Windows\System32\Drivers\fastfat.SYS 172032 bytes (Microsoft Corporation, Fast FAT File System Driver)
0x8B2E2000 C:\Windows\system32\DRIVERS\pci.sys 172032 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x8B800000 C:\Windows\system32\DRIVERS\MpFilter.sys 159744 bytes (Microsoft Corporation, Microsoft antimalware file system filter driver)
0x8B9B4000 C:\Windows\system32\DRIVERS\CLASSPNP.SYS 151552 bytes (Microsoft Corporation, SCSI Class System Dll)
0x8B91F000 C:\Windows\System32\Drivers\ksecpkg.sys 151552 bytes (Microsoft Corporation, Kernel Security Support Provider Interface Packages)
0x99F27000 C:\Windows\system32\DRIVERS\mrxsmb.sys 143360 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x90EB7000 C:\Windows\system32\DRIVERS\ndiswan.sys 139264 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9799C000 C:\Windows\system32\DRIVERS\Impcd.sys 135168 bytes (Intel Corporation, Intel® Turbo Boost Technology Driver)
0xAF0CC000 C:\Windows\System32\DRIVERS\srvnet.sys 135168 bytes (Microsoft Corporation, Server Network driver)
0x83600000 C:\Windows\system32\DRIVERS\tunnel.sys 135168 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x8B40A000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x98797000 C:\Windows\system32\DRIVERS\WUDFRd.sys 135168 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Reflector)
0x8F800000 C:\Windows\system32\DRIVERS\cdrom.sys 126976 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x90E80000 C:\Windows\system32\DRIVERS\HDAudBus.sys 126976 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x90CBC000 C:\Windows\system32\DRIVERS\pacer.sys 126976 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x99B90000 C:\Windows\System32\cdd.dll 122880 bytes (Microsoft Corporation, Canonical Display Driver)
0x987D8000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x99F85000 C:\Windows\system32\DRIVERS\mrxsmb20.sys 110592 bytes (Microsoft Corporation, Longhorn SMB 2.0 Redirector)
0x90CFA000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x98600000 C:\Windows\system32\drivers\WudfPf.sys 106496 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0x99EFC000 C:\Windows\system32\DRIVERS\bowser.sys 102400 bytes (Microsoft Corporation, NT Lan Manager Datagram Receiver Driver)
0x986C7000 C:\Windows\system32\DRIVERS\drmk.sys 102400 bytes (Microsoft Corporation, Microsoft Trusted Audio Drivers)
0x90C00000 C:\Windows\System32\Drivers\dfsc.sys 98304 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x978FF000 C:\Windows\system32\DRIVERS\i8042prt.sys 98304 bytes (Microsoft Corporation, i8042 Port Driver)
0x837E8000 C:\Windows\system32\Drivers\NEOFLTR_650_15255.SYS 98304 bytes (Juniper Networks, NetBIOS Redirector)
0x9792E000 C:\Windows\system32\DRIVERS\parport.sys 98304 bytes (Microsoft Corporation, Parallel Port Driver)
0x90E9F000 C:\Windows\system32\DRIVERS\rasl2tp.sys 98304 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x90ED9000 C:\Windows\system32\DRIVERS\raspppoe.sys 98304 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x90EF1000 C:\Windows\system32\DRIVERS\raspptp.sys 94208 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x90F08000 C:\Windows\system32\DRIVERS\rassstp.sys 94208 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x8B3E8000 C:\Windows\system32\DRIVERS\tdx.sys 94208 bytes (Microsoft Corporation, TDI Translation Driver)
0x98774000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x8B3C4000 C:\Windows\System32\drivers\mountmgr.sys 90112 bytes (Microsoft Corporation, Mount Point Manager)
0x978BF000 C:\Windows\system32\DRIVERS\risdpe86.sys 81920 bytes (REDC, RICOH SD/MMC Driver)
0x9874D000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 77824 bytes (Microsoft Corporation, Hid Class Library)
0x8B775000 C:\Windows\System32\Drivers\ksecdd.sys 77824 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x99E5B000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x90D14000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x97600000 C:\Windows\system32\DRIVERS\AgileVpn.sys 73728 bytes (Microsoft Corporation, RAS Agile Vpn Miniport Call Manager)
0x979C6000 C:\Windows\system32\DRIVERS\intelppm.sys 73728 bytes (Microsoft Corporation, Processor Device Driver)
0x99F15000 C:\Windows\System32\drivers\mpsdrv.sys 73728 bytes (Microsoft Corporation, Microsoft Protection Service Driver)
0x8B9A3000 C:\Windows\system32\DRIVERS\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x98731000 C:\Windows\System32\Drivers\dump_dumpfve.sys 69632 bytes
0x8B5E9000 C:\Windows\system32\drivers\fileinfo.sys 69632 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x90FA5000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x8B317000 C:\Windows\System32\drivers\partmgr.sys 69632 bytes (Microsoft Corporation, Partition Management Driver)
0x836A3000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x90CDB000 C:\Windows\system32\DRIVERS\vwififlt.sys 69632 bytes (Microsoft Corporation, Virtual WiFi Filter Driver)
0x90FEE000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x8BA0B000 C:\Windows\System32\Drivers\mup.sys 65536 bytes (Microsoft Corporation, Multiple UNC Provider Driver)
0x99E4B000 C:\Windows\system32\DRIVERS\ndisuio.sys 65536 bytes (Microsoft Corporation, NDIS User mode I/O driver)
0x90D27000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Remote Desktop Server Driver)
0x8B33B000 C:\Windows\system32\DRIVERS\volmgr.sys 65536 bytes (Microsoft Corporation, Volume Manager Driver)
0x921CF000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x90C18000 C:\Windows\system32\DRIVERS\blbdrive.sys 57344 bytes (Microsoft Corporation, BLB Drive Driver)
0x90CEC000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x8B3DA000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x8B7E5000 C:\Windows\System32\drivers\pcw.sys 57344 bytes (Microsoft Corporation, Performance Counters for Windows Driver)
0x90F53000 C:\Windows\system32\DRIVERS\umbus.sys 57344 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x8B27B000 C:\Windows\system32\drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)
0x979E5000 C:\Windows\system32\DRIVERS\CompositeBus.sys 53248 bytes (Microsoft Corporation, Multi-Transport Composite Bus Enumerator)
0x98724000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x97917000 C:\Windows\system32\DRIVERS\kbdclass.sys 53248 bytes (Microsoft Corporation, Keyboard Class Driver)
0x97989000 C:\Windows\system32\DRIVERS\mouclass.sys 53248 bytes (Microsoft Corporation, Mouse Class Driver)
0xAF0ED000 C:\Windows\System32\drivers\tcpipreg.sys 53248 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x8B9E6000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x9878B000 C:\Windows\System32\Drivers\cvusbdrv.sys 49152 bytes (Broadcom Corporation, Broadcom Credential Vault USB Driver)
0x90D8C000 C:\Windows\System32\drivers\discache.sys 49152 bytes (Microsoft Corporation, System Indexer/Cache Driver)
0x987C1000 C:\Windows\system32\DRIVERS\kbdhid.sys 49152 bytes (Microsoft Corporation, HID Keyboard Filter Driver)
0x987F3000 C:\Windows\System32\DRIVERS\scfilter.sys 49152 bytes (Microsoft Corporation, Microsoft Smart Card Reader Filter Driver)
0x8F9F3000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x8B330000 C:\Windows\system32\DRIVERS\BATTC.SYS 45056 bytes (Microsoft Corporation, Battery Class Driver)
0x98742000 C:\Windows\system32\DRIVERS\hidusb.sys 45056 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x987CD000 C:\Windows\system32\DRIVERS\monitor.sys 45056 bytes (Microsoft Corporation, Monitor Driver)
0x98769000 C:\Windows\system32\DRIVERS\mouhid.sys 45056 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0x8B608000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x979F2000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x8BA00000 C:\Windows\system32\DRIVERS\PBADRV.sys 45056 bytes (Dell Inc, PBA Support Driver)
0x837DD000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8B30C000 C:\Windows\system32\DRIVERS\vdrvroot.sys 45056 bytes (Microsoft Corporation, Virtual Drive Root Enumerator)
0x9871A000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x90D82000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x90D78000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x8B400000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x97612000 C:\Windows\system32\DRIVERS\rdpbus.sys 40960 bytes (Microsoft Corporation, Microsoft RDP Bus Device driver)
0xAF0C2000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x97924000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x978B5000 C:\Windows\system32\DRIVERS\vwifibus.sys 40960 bytes (Microsoft Corporation, Virtual WiFi Bus Driver)
0x979BD000 C:\Windows\system32\DRIVERS\Accelern.sys 36864 bytes (ST Microelectronics, Accelerometer Port I/O)
0x8B5E0000 C:\Windows\system32\DRIVERS\amdxata.sys 36864 bytes (Advanced Micro Devices, Storage Filter Driver)
0x8B7F3000 C:\Windows\System32\Drivers\Fs_Rec.sys 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0xC1890000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x99B60000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8BBA6000 C:\Windows\system32\DRIVERS\vmstorfl.sys 36864 bytes (Microsoft Corporation, Virtual Storage Filter Driver)
0x99EF3000 C:\Windows\system32\DRIVERS\vwifimp.sys 36864 bytes (Microsoft Corporation, Virtual WiFi Miniport Driver)
0x9861A000 C:\Windows\system32\DRIVERS\WinUSB.sys 36864 bytes (Microsoft Corporation, Windows USB Class Driver BETA)
0x979DC000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x8B2D1000 C:\Windows\system32\DRIVERS\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xAF19B000 C:\Windows\system32\drivers\BCM42RLY.sys 32768 bytes (Broadcom Corporation, Broadcom iLine10™ PCI Network Adapter Proxy Protocol Driver)
0x836B4000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8B328000 C:\Windows\system32\DRIVERS\compbatt.sys 32768 bytes (Microsoft Corporation, Composite Battery Driver)
0x8BA1B000 C:\Windows\System32\drivers\hwpolicy.sys 32768 bytes (Microsoft Corporation, Hardware Policy Driver)
0x80B96000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Serial Kernel Debugger)
0x8B2DA000 C:\Windows\system32\DRIVERS\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x8BA23000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x8B9F3000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Encoder Miniport)
0x8B600000 C:\Windows\system32\drivers\rdprefmp.sys 32768 bytes (Microsoft Corporation, RDP Reflector Driver Miniport)
0x8BBF1000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x8F826000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x98760000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x8F81F000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x99FA0000 C:\Windows\system32\DRIVERS\parvdm.sys 28672 bytes (Microsoft Corporation, VDM Parallel Driver)
0x90CB5000 C:\Windows\system32\DRIVERS\wfplwf.sys 28672 bytes (Microsoft Corporation, WFP NDIS 6.20 Lightweight Filter Driver)
0x97996000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x979D8000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x8BBEE000 C:\Windows\system32\DRIVERS\stdfltn.sys 12288 bytes (ST Microelectronics, Disk Filter Driver for Accelerometer)
0x979FD000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x98767000 C:\Windows\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
==============================================
>Stealth
==============================================
0x04200000 Hidden Image-->IntelVisualDesign.dll [ EPROCESS 0x89F0BD40 ] PID: 4456, 1069056 bytes
0x03ED0000 Hidden Image-->bcmwlrmt.dll [ EPROCESS 0x88C1C030 ] PID: 1764, 122880 bytes
0x02810000 Hidden Image-->bcmwlrmt.dll [ EPROCESS 0x89E65748 ] PID: 4552, 122880 bytes
0x882C8A91 Unknown page with executable code, 1391 bytes
0x003D0000 Hidden Image-->SmithMicro.Common.dll [ EPROCESS 0x89E617B8 ] PID: 4536, 143360 bytes
0x00410000 Hidden Image-->IAStorUtil.dll [ EPROCESS 0x89F0BD40 ] PID: 4456, 151552 bytes
0x00430000 Hidden Image-->IAStorUtil.dll [ EPROCESS 0x89EBD208 ] PID: 5180, 151552 bytes
0x03E00000 Hidden Image-->IAStorUIHelper.dll [ EPROCESS 0x89F0BD40 ] PID: 4456, 184320 bytes
0x882CBF14 Unknown page with executable code, 236 bytes
0x03A40000 Hidden Image-->msvcm90.dll [ EPROCESS 0x88C1C030 ] PID: 1764, 270336 bytes
0x04F40000 Hidden Image-->msvcm90.dll [ EPROCESS 0x89E65748 ] PID: 4552, 270336 bytes
0x03330000 Hidden Image-->msvcm90.dll [ EPROCESS 0x89EBD208 ] PID: 5180, 270336 bytes
0x043E0000 Hidden Image-->Interop.Wavx_PluginManagerLib.dll [ EPROCESS 0x89E79D40 ] PID: 3728, 28672 bytes
0x05CE0000 Hidden Image-->Interop.Wavx_PluginManagerLib.dll [ EPROCESS 0x89E79D40 ] PID: 3728, 28672 bytes
0x006B0000 Hidden Image-->Dell.DcpPlugin.dll [ EPROCESS 0x89E617B8 ] PID: 4536, 28672 bytes
0x05EE0000 Hidden Image-->PrebootManager.dll [ EPROCESS 0x89E79D40 ] PID: 3728, 307200 bytes
0x03DD0000 Hidden Image-->Dell.SystemOverview.Plugin.dll [ EPROCESS 0x89E617B8 ] PID: 4536, 339968 bytes
0x882C7288 Unknown page with executable code, 3448 bytes
0x882C9191 Unknown page with executable code, 3695 bytes
0x882CC02C Unknown page with executable code, 4052 bytes
0x05130000 Hidden Image-->Interop.PBMCredentialManager.dll [ EPROCESS 0x89E79D40 ] PID: 3728, 45056 bytes
0x05F60000 Hidden Image-->msvcm80.dll [ EPROCESS 0x89E79D40 ] PID: 3728, 507904 bytes
0x03D40000 Hidden Image-->SmithMicro.Controls.dll [ EPROCESS 0x89E617B8 ] PID: 4536, 569344 bytes
0x882CADC6 Unknown page with executable code, 570 bytes
0x05BB0000 Hidden Image-->WLTRAY.EXE [ EPROCESS 0x88C1C030 ] PID: 1764, 5791744 bytes
0x882CBE7A Unknown thread object [ ETHREAD 0x885038A8 ] TID: 312, 600 bytes
0x882CE008 Unknown thread object [ ETHREAD 0x88540020 ] TID: 316, 600 bytes
0x882CD0DE Unknown thread object [ ETHREAD 0x858ED7A0 ] , 600 bytes
0x882CBB45 Unknown thread object [ ETHREAD 0x88506D48 ] , 600 bytes
0x00860000 Hidden Image-->IsdiInterop.dll [ EPROCESS 0x89EBD208 ] PID: 5180, 73728 bytes
0x00460000 Hidden Image-->IAStorDataMgr.dll [ EPROCESS 0x89EBD208 ] PID: 5180, 77824 bytes
0x882CDCDC Unknown page with executable code, 804 bytes


aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-04-22 09:07:24
-----------------------------
09:07:24.905 OS Version: Windows 6.1.7600
09:07:24.905 Number of processors: 4 586 0x2502
09:07:24.906 ComputerName: JSTORTER-MMI UserName: jstorter
09:07:28.524 Initialize success
09:07:30.054 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
09:07:30.058 Disk 0 Vendor: ST925041 D005 Size: 238475MB BusType: 8
09:07:30.105 Disk 0 MBR read successfully
09:07:30.109 Disk 0 MBR scan
09:07:30.116 Disk 0 scanning sectors +488395120
09:07:30.159 Disk 0 scanning C:\Windows\system32\drivers
09:07:39.045 Service scanning
09:07:40.546 Disk 0 trace - called modules:
09:07:40.566 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x882c71ed]<<
09:07:40.572 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x881dd030]
09:07:40.580 3 CLASSPNP.SYS[8b9b859e] -> nt!IofCallDriver -> [0x881dc580]
09:07:40.587 \Driver\stdflt[0x88191c48] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x882c71ed
09:07:40.595 Scan finished successfully


SystemLook 04.09.10 by jpshortstuff
Log created at 09:19 on 22/04/2011 by jstorter
Administrator - Elevation successful

========== filefind ==========

Searching for "*volsnap*"
C:\Windows\inf\volsnap.inf --a---- 1666 bytes [04:51 14/07/2009] [04:51 14/07/2009] 0513FB1D99C3313A55B8C7F378AB5714
C:\Windows\inf\volsnap.PNF --a---- 5096 bytes [04:38 14/07/2009] [10:02 08/06/2010] EE7FB84D064F2EA30F260BD3F25A39DF
C:\Windows\System32\drivers\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\System32\drivers\en-US\volsnap.sys.mui --a---- 23552 bytes [04:55 14/07/2009] [02:03 14/07/2009] 747EC73A2F1046431763323C1E26F017
C:\Windows\System32\DriverStore\en-US\volsnap.inf_loc --a---- 198 bytes [04:55 14/07/2009] [02:04 14/07/2009] F040058B592FE682204B2FC15DDEAC0D
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_x86_neutral_42f862e05fcb0306\volsnap.inf --a---- 1666 bytes [20:21 13/07/2009] [20:21 13/07/2009] 0513FB1D99C3313A55B8C7F378AB5714
C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_x86_neutral_42f862e05fcb0306\volsnap.PNF --a---- 4960 bytes [04:51 14/07/2009] [00:54 20/04/2011] E798CBA230BF51302F9D683F0E04264D
C:\Windows\System32\DriverStore\FileRepository\volume.inf_x86_neutral_29364d30156a24ca\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\winsxs\Manifests\x86_volsnap.inf-languagepack_31bf3856ad364e35_6.1.7600.16385_en-us_ed02f6405b9711ea.manifest --a---- 1113 bytes [04:55 14/07/2009] [04:55 14/07/2009] E425BB46B4D05E728EBEF4BC115867A7
C:\Windows\winsxs\Manifests\x86_volsnap.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_13398118e291963b.manifest --a---- 1781 bytes [04:54 14/07/2009] [02:28 14/07/2009] 0525B94A71005B3BCAF07176F8D17809
C:\Windows\winsxs\Manifests\x86_volsnap.inf_31bf3856ad364e35_6.1.7600.16385_none_6d76054c9136060d.manifest --a---- 1452 bytes [04:48 14/07/2009] [04:48 14/07/2009] F2B80CAC19522D2440AD4E2E6AC25380
C:\Windows\winsxs\x86_volsnap.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_13398118e291963b\volsnap.inf_loc --a---- 198 bytes [04:55 14/07/2009] [02:04 14/07/2009] F040058B592FE682204B2FC15DDEAC0D
C:\Windows\winsxs\x86_volsnap.inf_31bf3856ad364e35_6.1.7600.16385_none_6d76054c9136060d\volsnap.inf --a---- 1666 bytes [20:21 13/07/2009] [20:21 13/07/2009] 0513FB1D99C3313A55B8C7F378AB5714
C:\Windows\winsxs\x86_volume.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7afca05c2148f2a6\volsnap.sys.mui --a---- 23552 bytes [04:55 14/07/2009] [02:03 14/07/2009] 747EC73A2F1046431763323C1E26F017
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e\volsnap.sys --a---- 245328 bytes [23:11 13/07/2009] [01:19 14/07/2009] 58DF9D2481A56EDDE167E51B334D44FD
C:\Windows\winsxs\x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8\volsnap.sys --a---- 245632 bytes [00:30 20/04/2011] [12:30 20/11/2010] F497F67932C6FA693D7DE2780631CFE7

-= EOF =-


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by jstorter at 9:25:27.75 on Fri 04/22/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2998.1504 [GMT -8:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_111ae7bb7f222578\STacSV.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe
C:\Program Files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_111ae7bb7f222578\aestsrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Epson Software\FAX Utility\FUFAXSTM.exe
C:\Program Files\Epson Software\Event Manager\EEventManager.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\conhost.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Seagate\Seagate Dashboard\MemeoDashboard.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mstart.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Users\jstorter\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Citrix\GoToMeeting\457\g2mcomm.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Citrix\GoToMeeting\457\g2mlauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\jstorter\Desktop\dds.scr
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~1\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [GoToMeeting] "c:\program files\citrix\gotomeeting\457\g2mstart.exe" "/Trigger RunAtLogon"
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Seagate Dashboard] c:\program files\seagate\seagate dashboard\MemeoLauncher.exe --silent --no_ui
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAStorIcon] c:\program files\intel\intel® rapid storage technology\IAStorIcon.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [FUFAXSTM] "c:\program files\epson software\fax utility\FUFAXSTM.exe"
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [Broadcom Wireless Manager UI] c:\program files\dell\dw wlan card\WLTRAY.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\jstorter\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\jstorter\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\jstorter\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\sac-de~1.lnk - c:\program files\steepandcheap\desktop alert\SAC-Desktop-Alert.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~1\office14\ONBttnIE.dll/105
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
.
============= SERVICES / DRIVERS ===============
.
R0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\drivers\stdfltn.sys [2010-6-8 17072]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 165264]
R1 NEOFLTR_650_15255;Juniper Networks TDI Filter Driver (NEOFLTR_650_15255);c:\windows\system32\drivers\NEOFLTR_650_15255.SYS [2010-9-24 85360]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_x86_neutral_111ae7bb7f222578\AEstSrv.exe [2010-6-8 81920]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
R2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostControlService.exe [2009-12-17 812448]
R2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\broadcom corporation\broadcom ush host components\cv\bin\HostStorageService.exe [2009-12-17 27040]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2009-12-10 386848]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\intel\intel® rapid storage technology\IAStorDataMgrSvc.exe [2010-6-8 13336]
R2 InstallFilterService;FF Install Filter Service;c:\program files\stmicroelectronics\accelerometerp11\InstallFilterService.exe [2010-6-8 60928]
R2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-6-8 59392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-4-19 1153368]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\seagate\seagate dashboard\SeagateDashboardService.exe [2010-4-30 14088]
R3 Acceler;Accelerometer Service;c:\windows\system32\drivers\Accelern.sys [2010-6-8 42672]
R3 cvusbdrv;Dell ControlVault;c:\windows\system32\drivers\cvusbdrv.sys [2010-6-8 33832]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-6-8 214696]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-6-8 132352]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-6-8 209920]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-24 136176]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2011-1-25 84832]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-10-23 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-9-23 1493352]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2009-12-2 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-8 48640]
S3 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-6-8 38912]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-21 1343400]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-04-22 17:04:22 7071056 ----a-w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{a1c8a50b-0d1d-4c59-94e9-45631d76270d}\mpengine.dll
2011-04-22 16:36:12 -------- d-----w- c:\users\jstorter\appdata\local\{A7739B44-4BCE-4AE7-9A77-34DEFC0725F3}
2011-04-21 21:52:12 -------- d-----w- C:\$RECYCLE.BIN
2011-04-21 21:40:38 98816 ----a-w- c:\windows\sed.exe
2011-04-21 21:40:38 89088 ----a-w- c:\windows\MBR.exe
2011-04-21 21:40:38 256512 ----a-w- c:\windows\PEV.exe
2011-04-21 21:40:38 161792 ----a-w- c:\windows\SWREG.exe
2011-04-21 16:49:44 -------- d-----w- c:\users\jstorter\appdata\local\{248CCC38-FC4C-4F58-9CE0-6A710B7A9D82}
2011-04-20 19:05:23 -------- d-----w- c:\windows\pss
2011-04-20 16:23:13 -------- d-----w- c:\windows\system32\SPReview
2011-04-20 15:58:35 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-20 15:53:00 -------- d-----w- c:\users\jstorter\appdata\local\{CF2F9869-920C-4FAB-8923-FF7949816193}
2011-04-20 10:51:52 -------- d-----w- c:\users\jstorter\appdata\roaming\Malwarebytes
2011-04-20 10:51:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 10:51:33 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-20 10:51:28 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 10:49:49 -------- d-----w- c:\users\jstorter\appdata\local\{40241A0C-A29A-416D-BEF2-7C6252B07941}
2011-04-20 10:38:29 -------- d-----w- C:\found.000
2011-04-20 00:34:25 -------- d-----w- c:\windows\system32\EventProviders
2011-04-19 23:59:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-19 23:59:43 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2011-04-19 23:32:06 -------- d-----w- c:\users\jstorter\appdata\local\{5A02384C-E095-4B2C-ABDF-BFE1A4CA7DFB}
2011-04-18 15:54:26 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-04-18 15:51:14 -------- d-----w- c:\users\jstorter\appdata\local\{1D83E592-1B49-40D8-B0AC-CC4DB880A285}
2011-04-18 02:57:31 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-15 23:06:31 -------- d-----w- c:\users\jstorter\appdata\local\{0A4A1708-EB13-42FC-85E2-292ADB9B976E}
2011-04-15 23:05:57 -------- d-----w- c:\users\jstorter\appdata\local\{F2FC8187-C2D4-45A9-8DCF-A29E92F4D27D}
2011-04-14 23:49:13 -------- d-----w- c:\users\jstorter\appdata\local\{8892069C-1CF6-47B5-8E38-532EB7FE71FE}
2011-04-13 16:39:07 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-13 16:39:07 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-13 16:39:06 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-13 16:08:00 -------- d-----w- c:\users\jstorter\appdata\local\{98089B1D-C5FB-4964-970F-C97F787720FC}
2011-04-13 04:15:08 -------- d-----w- c:\users\jstorter\appdata\local\{A5F83E61-65DB-4CEB-ABC7-8A3BEDADDCB4}
2011-04-11 23:49:18 -------- d-----w- c:\users\jstorter\appdata\local\{4FDF8CCB-E949-40D0-B319-DA987848B3AB}
2011-04-08 23:35:15 -------- d-----w- c:\users\jstorter\appdata\local\{EDF53F8E-8D22-423A-AB8C-C9862C661FC0}
2011-04-07 18:29:42 -------- d-----w- c:\users\jstorter\appdata\local\{316516BE-CA04-40F6-AE47-E7287E21B761}
2011-04-07 06:28:56 -------- d-----w- c:\users\jstorter\appdata\local\{DEA6B594-3A10-4060-8938-331ADAFE5435}
2011-04-06 18:12:03 -------- d-----w- c:\users\jstorter\appdata\local\{99C106D3-60AD-4190-82D8-97DFBB8AE5A3}
2011-04-05 16:39:14 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\{e45abc26-057b-434e-96c3-3972ffb793f3}\gapaengine.dll
2011-03-31 15:43:40 -------- d-----w- c:\users\jstorter\appdata\local\{3B2FEE16-6DFB-41E6-B1AA-FB5309A323CE}
2011-03-25 21:59:26 439632 ------w- c:\progra~2\microsoft\microsoft antimalware\definition updates\nisbackup\gapaengine.dll
.
==================== Find3M ====================
.
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 05:29:23 132608 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-03-03 05:27:30 28672 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-03-03 03:31:32 2331136 ----a-w- c:\windows\system32\win32k.sys
2011-02-24 05:32:52 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-24 05:32:44 981504 ----a-w- c:\windows\system32\wininet.dll
2011-02-24 05:30:16 44544 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-24 04:23:48 386048 ----a-w- c:\windows\system32\html.iec
2011-02-24 03:50:26 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-19 05:33:11 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32:48 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 05:32:08 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-19 03:37:02 294912 ----a-w- c:\windows\system32\atmfd.dll
2011-02-19 01:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-18 05:36:26 428032 ----a-w- c:\windows\system32\vbscript.dll
2011-02-12 05:30:49 191488 ----a-w- c:\windows\system32\FXSCOVER.exe
2011-02-09 20:24:32 314880 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpcpp112.dll
2011-02-09 20:24:32 287232 ----a-w- c:\windows\system32\hpcpn112.dll
2011-02-09 20:12:32 328704 ----a-w- c:\windows\system32\hpmml112.dll
2011-02-09 20:12:20 278528 ----a-w- c:\windows\system32\hpmja112.dll
2011-02-09 20:12:14 246272 ----a-w- c:\windows\system32\hpmpm081.dll
2011-02-09 20:12:06 181248 ----a-w- c:\windows\system32\hpmpw081.dll
2011-02-09 20:12:02 223232 ----a-w- c:\windows\system32\hpmtp112.dll
2011-02-09 20:11:58 111104 ----a-w- c:\windows\system32\hpmco112.dll
.
============= FINISH: 9:26:22.03 ===============

#9 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 22 April 2011 - 03:30 PM

Hello,

Well, I found what's causing the problem. It's a new, very hard infection to remove. We will see if we can get it. It may take several attempts.


1.
IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

    Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
    • Reimaging the system
    • Restoring the entire system using a full system backup from before the backdoor infection
    • Reformatting and reinstalling the system

    (from Backdoors and What They Mean to You)

This is what Jesper M. Johansson at Microsoft TechNet has to say in Help: I Got Hacked. Now What Do I Do?:

    The only way to clean a compromised system is to flatten and rebuild. That's right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

Because your computer was compromised, please read:

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

TDL::
c:\windows\system32\drivers\volsnap.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


3.
Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Remove the USB drive and insert it back in your working computer and navigate to report.txt

    Please note - all text entries are case sensitive
Copy and paste the report.txt for my review

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
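An added illustration of the idea behind step 3 above (booting a live CD and running a script against the unbooted Windows volume); this is not the driver.sh from the post, and its input format is assumed. It hashes each driver listed in a baseline file (assumed format: one "<sha256>  <path relative to the mount>" line per driver, produced on a clean machine of the same Windows build and patch level) and reports it as OK, MODIFIED or MISSING; the mount point /mnt/sda1 and the baseline location are likewise assumptions. Checking from a separately booted OS is what keeps a kernel-mode rootkit on the infected system from hiding its changes to a file such as volsnap.sys.

```sh
#!/bin/sh
# Offline driver-integrity check, intended to run from a live Linux CD (such as
# the xPUD disc in the post) against a Windows volume that is mounted but NOT
# booted. Added illustration only; this is not the driver.sh from the post.
#
# Assumed inputs (not from the page):
#   $1  mount point of the Windows volume, e.g. /mnt/sda1
#   $2  baseline file: one "<sha256>  <path relative to the mount>" line per
#       driver, produced on a clean machine of the same Windows build and
#       patch level; blank lines and lines starting with # are ignored
#
# Why offline: a kernel-mode rootkit that has patched a driver can hide the
# change from any tool running on the infected OS. Hashing the file from a
# separately booted OS takes the infected kernel out of the picture.

# SHA-256 of one file, using whichever tool the live CD provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | awk '{print $1}'
    else
        shasum -a 256 -- "$1" | awk '{print $1}'
    fi
}

# Compare every baseline entry with the mounted volume.
# Prints "OK <path>", "MODIFIED <path>" or "MISSING <path>" per entry and
# returns 0 only when every entry is OK.
check_drivers() {
    mnt="$1"; baseline="$2"; rc=0
    while read -r expected path || [ -n "$expected" ]; do
        case "$expected" in ''|'#'*) continue ;; esac
        # NTFS mounted under Linux is case-sensitive, so the baseline must use
        # the exact on-disk spelling of each path.
        if [ ! -f "$mnt/$path" ]; then
            status=MISSING; rc=1
        elif [ "$(hash_file "$mnt/$path")" = "$expected" ]; then
            status=OK
        else
            status=MODIFIED; rc=1
        fi
        printf '%s %s\n' "$status" "$path"
    done < "$baseline"
    return "$rc"
}

# Write the check plus a one-line verdict to a report file (the post's
# procedure likewise leaves report.txt on the USB drive).
write_report() {
    if check_drivers "$1" "$2" > "$3"; then
        echo "result: clean" >> "$3"; return 0
    fi
    echo "result: needs review" >> "$3"; return 1
}

# Stand-alone use: sh check_drivers.sh /mnt/sda1 /mnt/sdb1/baseline.txt
if [ $# -ge 2 ]; then
    write_report "$1" "$2" "$(dirname "$2")/report.txt"
    cat "$(dirname "$2")/report.txt"
fi
```

A MODIFIED or MISSING line is a lead for review, not proof of infection on its own: a legitimate Windows update that changed the driver after the baseline was taken produces the same result.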


#10 ajsnowflake
  • Topic Starter
  • Members
  • 15 posts

Posted 22 April 2011 - 04:17 PM

fireman4it,
Your info on backdoor trojans is kinda worrisome. This is on my work laptop, but I own it and I need it to be trustworthy on other people's networks and for my own use. I have the operating system disks (Reinstallation DVD) provided by Dell; would running this disk and reinstalling the OS be a more thorough fix that I could trust? In the interim I am running through your steps provided.

Thank you,
Johnathon

#11 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 22 April 2011 - 04:25 PM

Hello,

A reformat and reinstall is the only way to make sure your machine is clean. If you decide to reformat and reinstall, you can save some files that you want to your USB or CD. Here is how to do that so you will not re-infect your machine. We can try to clean your machine, but even if all the logs show you are clean, I can't be 100% sure you are.
Maybe 99.9% but not 100%.

You can back up all your important documents, personal data files, photos to a CD or DVD drive, not a flash drive or external hard drive as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown here, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, another word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

Note:
Again, do not back up any data with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.


I will wait for your reply:



#12 ajsnowflake
  • Topic Starter
  • Members
  • 15 posts

Posted 22 April 2011 - 05:28 PM

Logs below...


ComboFix 11-04-21.02 - jstorter 04/22/2011 13:25:05.2.4 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2998.1534 [GMT -8:00]
Running from: c:\users\jstorter\Desktop\ComboFix.exe
Command switches used :: c:\users\jstorter\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-03-22 to 2011-04-22 )))))))))))))))))))))))))))))))
.
.
2011-04-22 21:31 . 2011-04-22 21:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-22 20:58 . 2011-04-22 20:58 -------- d-----w- C:\Mount
2011-04-22 17:04 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{A1C8A50B-0D1D-4C59-94E9-45631D76270D}\mpengine.dll
2011-04-22 16:36 . 2011-04-22 16:36 -------- d-----w- c:\users\jstorter\AppData\Local\{A7739B44-4BCE-4AE7-9A77-34DEFC0725F3}
2011-04-21 16:49 . 2011-04-21 16:49 -------- d-----w- c:\users\jstorter\AppData\Local\{248CCC38-FC4C-4F58-9CE0-6A710B7A9D82}
2011-04-20 16:23 . 2011-04-20 16:23 -------- d-----w- c:\windows\system32\SPReview
2011-04-20 15:58 . 2011-01-17 05:38 161792 ----a-w- c:\windows\system32\d3d10_1.dll
2011-04-20 15:53 . 2011-04-20 15:53 -------- d-----w- c:\users\jstorter\AppData\Local\{CF2F9869-920C-4FAB-8923-FF7949816193}
2011-04-20 10:51 . 2011-04-20 10:51 -------- d-----w- c:\users\jstorter\AppData\Roaming\Malwarebytes
2011-04-20 10:51 . 2010-12-21 02:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-20 10:51 . 2011-04-20 10:51 -------- d-----w- c:\programdata\Malwarebytes
2011-04-20 10:51 . 2011-04-20 10:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-20 10:49 . 2011-04-20 10:51 -------- d-----w- c:\users\jstorter\AppData\Local\{40241A0C-A29A-416D-BEF2-7C6252B07941}
2011-04-20 10:38 . 2011-04-20 10:38 -------- d-----w- C:\found.000
2011-04-20 00:34 . 2011-04-20 00:34 -------- d-----w- c:\windows\system32\EventProviders
2011-04-19 23:59 . 2011-04-21 17:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-04-19 23:59 . 2011-04-20 00:00 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-04-19 23:32 . 2011-04-19 23:32 -------- d-----w- c:\users\jstorter\AppData\Local\{5A02384C-E095-4B2C-ABDF-BFE1A4CA7DFB}
2011-04-18 15:54 . 2009-08-20 07:50 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2011-04-18 15:51 . 2011-04-18 15:51 -------- d-----w- c:\users\jstorter\AppData\Local\{1D83E592-1B49-40D8-B0AC-CC4DB880A285}
2011-04-18 02:57 . 2011-04-18 02:57 -------- d-----w- c:\program files\Microsoft IntelliPoint
2011-04-15 23:06 . 2011-04-15 23:06 -------- d-----w- c:\users\jstorter\AppData\Local\{0A4A1708-EB13-42FC-85E2-292ADB9B976E}
2011-04-15 23:05 . 2011-04-15 23:06 -------- d-----w- c:\users\jstorter\AppData\Local\{F2FC8187-C2D4-45A9-8DCF-A29E92F4D27D}
2011-04-14 23:49 . 2011-04-14 23:49 -------- d-----w- c:\users\jstorter\AppData\Local\{8892069C-1CF6-47B5-8E38-532EB7FE71FE}
2011-04-13 16:39 . 2011-02-23 05:06 311296 ----a-w- c:\windows\system32\drivers\srv.sys
2011-04-13 16:39 . 2011-02-23 05:05 309760 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-04-13 16:39 . 2011-02-23 05:05 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-04-13 16:08 . 2011-04-13 16:08 -------- d-----w- c:\users\jstorter\AppData\Local\{98089B1D-C5FB-4964-970F-C97F787720FC}
2011-04-13 04:15 . 2011-04-13 04:15 -------- d-----w- c:\users\jstorter\AppData\Local\{A5F83E61-65DB-4CEB-ABC7-8A3BEDADDCB4}
2011-04-11 23:49 . 2011-04-11 23:49 -------- d-----w- c:\users\jstorter\AppData\Local\{4FDF8CCB-E949-40D0-B319-DA987848B3AB}
2011-04-08 23:35 . 2011-04-08 23:35 -------- d-----w- c:\users\jstorter\AppData\Local\{EDF53F8E-8D22-423A-AB8C-C9862C661FC0}
2011-04-07 18:29 . 2011-04-07 18:29 -------- d-----w- c:\users\jstorter\AppData\Local\{316516BE-CA04-40F6-AE47-E7287E21B761}
2011-04-07 06:28 . 2011-04-07 06:29 -------- d-----w- c:\users\jstorter\AppData\Local\{DEA6B594-3A10-4060-8938-331ADAFE5435}
2011-04-06 18:12 . 2011-04-06 18:12 -------- d-----w- c:\users\jstorter\AppData\Local\{99C106D3-60AD-4190-82D8-97DFBB8AE5A3}
2011-04-05 16:39 . 2011-01-27 19:00 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{E45ABC26-057B-434E-96C3-3972FFB793F3}\gapaengine.dll
2011-03-31 15:43 . 2011-04-01 17:57 -------- d-----w- c:\users\jstorter\AppData\Local\{3B2FEE16-6DFB-41E6-B1AA-FB5309A323CE}
2011-03-25 21:59 . 2011-01-27 19:00 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-22 16:54 . 2010-06-15 19:20 0 ----a-w- c:\users\jstorter\AppData\Local\WavXMapDrive.bat
2011-04-11 07:04 . 2010-06-26 21:20 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-23 20:46 . 2010-06-24 19:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-19 05:33 . 2011-03-09 21:41 802304 ----a-w- c:\windows\system32\FntCache.dll
2011-02-19 05:32 . 2011-03-09 21:41 1074176 ----a-w- c:\windows\system32\DWrite.dll
2011-02-19 05:32 . 2011-03-09 21:41 739840 ----a-w- c:\windows\system32\d2d1.dll
2011-02-19 01:36 . 2011-02-19 01:36 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-19 01:36 . 2011-02-19 01:36 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-09 20:24 . 2011-03-21 19:41 314880 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpcpp112.dll
2011-02-09 20:24 . 2011-03-21 19:41 287232 ----a-w- c:\windows\system32\hpcpn112.dll
2011-02-09 20:12 . 2011-03-21 19:41 328704 ----a-w- c:\windows\system32\hpmml112.dll
2011-02-09 20:12 . 2011-03-21 19:41 278528 ----a-w- c:\windows\system32\hpmja112.dll
2011-02-09 20:12 . 2011-03-21 19:41 246272 ----a-w- c:\windows\system32\hpmpm081.dll
2011-02-09 20:12 . 2011-03-21 19:41 181248 ----a-w- c:\windows\system32\hpmpw081.dll
2011-02-09 20:12 . 2011-03-21 19:41 223232 ----a-w- c:\windows\system32\hpmtp112.dll
2011-02-09 20:11 . 2011-02-09 20:11 111104 ----a-w- c:\windows\system32\hpmco112.dll
2011-02-03 05:45 . 2011-02-09 09:32 219008 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\jstorter\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\jstorter\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\jstorter\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2009-11-24 20:48 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-11-10 4240760]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\457\g2mstart.exe" [2010-12-13 39816]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2009-11-12 203776]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-01-14 147328]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-01-14 34232]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2010-01-14 495711]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Seagate Dashboard"="c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe" [2010-04-30 79112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-02-02 166936]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-12-29 140520]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-03-07 421160]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-01-07 1797488]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-02-02 141848]
"IAStorIcon"="c:\program files\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe" [2010-03-04 284696]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-02-02 175640]
"FUFAXSTM"="c:\program files\Epson Software\FAX Utility\FUFAXSTM.exe" [2009-02-06 843776]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2010-02-02 5249024]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2010-06-04 292208]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-01-31 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
c:\users\jstorter\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\jstorter\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-12-16 23343848]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2009-12-10 1327392]
SAC-Desktop-Alert.lnk - c:\program files\SteepAndCheap\Desktop Alert\SAC-Desktop-Alert.exe [2008-12-26 370176]
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2009-11-24 132456]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R1 MpKsl38d317f3;MpKsl38d317f3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{64F38139-6326-4F27-9165-3E059B34BA3E}\MpKsl38d317f3.sys [x]
R1 MpKsl9433d143;MpKsl9433d143;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2140CAE4-7D56-4995-9961-D4E070EF6B8C}\MpKsl9433d143.sys [x]
R1 MpKsleae6ab8b;MpKsleae6ab8b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{D93CF83C-CFBB-4D3A-B20C-3F99FFC74EB5}\MpKsleae6ab8b.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 136176]
R2 InstallFilterService;FF Install Filter Service;c:\program files\STMicroelectronics\AccelerometerP11\InstallFilterService.exe [2010-01-10 60928]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-18 84832]
R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-01-07 44416]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [2010-02-21 48640]
R3 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [2010-02-21 38912]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-06-21 1343400]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-07 11520]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-23 51040]
S0 stdflt;Disk Filter Driver for Accelerometer;c:\windows\system32\DRIVERS\stdfltn.sys [2010-01-18 17072]
S1 NEOFLTR_650_15255;Juniper Networks TDI Filter Driver (NEOFLTR_650_15255);c:\windows\system32\Drivers\NEOFLTR_650_15255.SYS [2010-02-19 85360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_111ae7bb7f222578\aestsrv.exe [2010-01-14 81920]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\Dell\Dell ControlPoint\DCPButtonSvc.exe [2009-11-20 278304]
S2 Credential Vault Host Control Service;Credential Vault Host Control Service;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostControlService.exe [2009-12-17 812448]
S2 Credential Vault Host Storage;Credential Vault Host Storage;c:\program files\Broadcom Corporation\Broadcom USH Host Components\CV\bin\HostStorageService.exe [2009-12-17 27040]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [2009-12-10 386848]
S2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2010-03-04 13336]
S2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [2010-02-21 59392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [2010-04-30 14088]
S3 Acceler;Accelerometer Service;c:\windows\system32\DRIVERS\Accelern.sys [2010-01-18 42672]
S3 cvusbdrv;Dell ControlVault;c:\windows\system32\Drivers\cvusbdrv.sys [2009-10-30 33832]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-12-10 214696]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-01-07 132352]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-11-27 209920]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*NewlyCreated* - NORMANDY
*NewlyCreated* - WIMMOUNT
*Deregistered* - aswMBR
*Deregistered* - Normandy
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 00:33]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 00:33]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1620663191-1358164138-3124822037-1003Core.job
- c:\users\jstorter\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-19 23:03]
.
2011-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1620663191-1358164138-3124822037-1003UA.job
- c:\users\jstorter\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-19 23:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(7472)
c:\users\jstorter\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
Completion time: 2011-04-22 13:32:40
ComboFix-quarantined-files.txt 2011-04-22 21:32
ComboFix2.txt 2011-04-21 21:57
.
Pre-Run: 38,621,491,200 bytes free
Post-Run: 38,592,131,072 bytes free
.
- - End Of File - - FBB3E61706B5FAC3EB71766953627E4D


Fri Apr 22 13:53:51 UTC 2011
Driver report for /mnt/sda3/Qoobox/Quarantine/C/Windows/System32/drivers

Driver report for /mnt/sda3/Windows/System32/drivers
7c28b63e4c9e5c3be7ffe53789593619 volsnap.sys has NO Company Name!


#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:44 PM

Posted 23 April 2011 - 01:31 AM

Hello,


1.
Does your computer connect to the internet through a router? If so we need to reset that router.
How to reset my Router.

2.
  • Insert the USB drive and CD in the Sick computer and boot the computer from the CD again
  • Click on File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see driver.sh.
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search this file.
  • After it has finished a report will be located in the USB drive as filefind.txt

Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review

How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 ajsnowflake

ajsnowflake
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:44 PM

Posted 25 April 2011 - 11:31 AM

Hi fireman4it,

Google search results still redirect and the random audio still plays.



Search results for volsnap.sys

7c28b63e4c9e5c3be7ffe53789593619 /mnt/sda3/Windows/System32/drivers/volsnap.sys
239.6K Jul 14 2009

58df9d2481a56edde167e51b334d44fd /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_x86_neutral_29364d30156a24ca/volsnap.sys
239.6K Jul 14 2009

58df9d2481a56edde167e51b334d44fd /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e/volsnap.sys
239.6K Jul 14 2009

f497f67932c6fa693d7de2780631cfe7 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8/volsnap.sys
239.9K Nov 20 12:30

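An added example, not from this thread and not part of the driver.sh tool: a Python script that parses a filefind.txt listing like the one above and flags the loaded copy of volsnap.sys when its MD5 differs from same-size, same-date copies kept in DriverStore and winsxs. The sample listing is copied from this post; the function names and the "patched/clean/inconclusive" verdicts are my own.

```python
import re

# Constructed sample, copied from the filefind.txt output posted in this thread.
SAMPLE = """Search results for volsnap.sys

7c28b63e4c9e5c3be7ffe53789593619 /mnt/sda3/Windows/System32/drivers/volsnap.sys
239.6K Jul 14 2009

58df9d2481a56edde167e51b334d44fd /mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_x86_neutral_29364d30156a24ca/volsnap.sys
239.6K Jul 14 2009

58df9d2481a56edde167e51b334d44fd /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.1.7600.16385_none_158d0da45d68903e/volsnap.sys
239.6K Jul 14 2009

f497f67932c6fa693d7de2780631cfe7 /mnt/sda3/Windows/winsxs/x86_volume.inf_31bf3856ad364e35_6.1.7601.17514_none_17be216c5a5713d8/volsnap.sys
239.9K Nov 20 12:30
"""

# Each hit is two lines: "<md5> <path>" followed by "<size> <date>".
ENTRY_RE = re.compile(r"^([0-9a-fA-F]{32}) (\S+)\n(\S+) (.+)$", re.MULTILINE)

def parse_filefind(text):
    """Return one dict per hit in a filefind.txt listing."""
    return [{"md5": m[1].lower(), "path": m[2], "size": m[3], "date": m[4].strip()}
            for m in ENTRY_RE.finditer(text)]

def is_reference(path):
    """Pristine copies live in the DriverStore and in winsxs, not in drivers/."""
    p = path.lower()
    return "/driverstore/filerepository/" in p or "/winsxs/" in p

def check_driver(entries):
    """Compare the loaded driver with same-size, same-date reference copies.
    A byte-patched driver keeps its length and timestamp, so only the hash differs."""
    live = [e for e in entries if "/system32/drivers/" in e["path"].lower()]
    if len(live) != 1:
        return {"verdict": "inconclusive", "reason": f"{len(live)} live copies"}
    live = live[0]
    refs = [e for e in entries if is_reference(e["path"])
            and e["size"] == live["size"] and e["date"] == live["date"]]
    ref_hashes = {e["md5"] for e in refs}
    if len(ref_hashes) != 1:  # no reference copy, or reference copies disagree
        return {"verdict": "inconclusive", "reason": f"{len(ref_hashes)} reference hashes"}
    ref_md5 = ref_hashes.pop()
    if ref_md5 == live["md5"]:
        return {"verdict": "clean", "live": live["path"]}
    return {"verdict": "patched", "live": live["path"], "live_md5": live["md5"],
            "reference": refs[0]["path"], "reference_md5": ref_md5}
```

Run against the listing above it reports the drivers\volsnap.sys copy as patched, citing the DriverStore copy as the clean reference; the 6.1.7601 winsxs copy is ignored because its size and date show it is a different build.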
#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:44 PM

Posted 25 April 2011 - 12:36 PM

Hello,

We need to replace that infected volsnap file.



Ok, well let's keep our fingers crossed that replacing the patched file will fix the background noise

Please do the following:

Boot into xPUD as you did before and navigate to the following file:

/mnt/sda3/Windows/System32/DriverStore/FileRepository/volume.inf_x86_neutral_29364d30156a24ca/volsnap.sys

Right-click on the file and choose COPY


Now navigate to

/mnt/sda3/Windows/System32/drivers/volsnap.sys


Right-click on volsnap.sys > choose to RENAME it and rename it to volsnap.sys.vir


Now right-click anywhere in that same "drivers" folder and choose PASTE

The patched volsnap.sys should now be replaced with the copy from the Windows/System32/DriverStore/FileRepository folder.

Exit out of xPUD and reboot normally.

Let me know exactly what happens and if the audio noise is gone.

Edited by fireman4it, 25 April 2011 - 12:37 PM.