Google Redirect Virus AND svchost.exe 100% memory leak


This topic is locked
21 replies to this topic

#1 FinalStar14

  • Members
  • 22 posts

Posted 24 April 2011 - 10:05 PM

Hello, I just want to say thank you for taking the time to read my thread. There are a lot of problems that people experience when surfing the web, and picking up viruses and such is definitely one thing everyone would like to avoid. The experts on here seem to be an incredible help, and I hope to get the same treatment. If my problem cannot be fixed, I still want to say you guys do a great thing helping people online with their problems. Now....

I think I have some kind of very sophisticated virus, or according to what I've been reading online, a "rootkit." When I search for something on Google, results come up, but when I click on one, it redirects me to a random website. I don't stay on the page long enough to know what page it is, but the pages do not look safe or inviting at all. I believe by going on to these pages, my computer picked up some trojans. In any case, it gets really annoying because even when I get to my desired page, sometimes the next page I navigate to won't load. The message would be something like "the connection was resetted" or "cannot display the webpage" or something of that nature. That's just the first problem....

The second problem is the svchost.exe file. I noticed in Task Manager there are many instances of this program, but there's always one in particular that starts to use a lot of memory, bringing the CPU usage to 100%. This happens when I start up my computer. It gets to 100%, and then a message pops up as follows: “The instruction at 0x7c922235 referenced memory at 0x00000000. The memory could not be read”, with options to either terminate or debug it. Occasionally I would get a message that reads: “Generic Host Process For Win32 Services encountered a problem and needs to close”. I'm assuming that the two messages are related to some extent. The particular svchost.exe would shut down and start back up, stay at a reasonable memory usage point, and within minutes it will rise again and repeat the cycle.

Another case is that during the restarts I have to do, NO icons or the Start bar show up, so I have no choice but to restart again. Initially I tried to do a system restore, but when I picked an earlier date, when the computer loaded back up, it would say it was unable to get back to that date, so I felt I was left with no choice but to take care of the problem myself. From Sunday evening (4/17/11) to now (4/24) I have been at this problem trying almost any method I can get my hands on to try to stop this massacre on my computer. I have used Free AVG antivirus, Ad-Aware, CCleaner, Kaspersky Webscan, SuperAntiSpyware, Microsoft Security Essentials (MSE), Malwarebytes, Housecall and ESET Online Scanner. Unfortunately, I do not have any logs of the virus scans; once I saw it found trojans and such, I just had the programs either delete or quarantine them.

I even used the notorious ComboFix. I used ComboFix not knowing how powerful it was and how much people are advised NOT to use it unless a professional tells them to. I also do not have a log file for ComboFix because after almost 5 hrs of waiting for ComboFix to create one I lost patience and closed the screen. It did the scan and deletion of files, which took about an hour or so, but the creation of the log file was too long. Despite the use of ComboFix, my computer still seems functional, so for now I'll assume I haven't done any damage to my computer.

All of the software I used has found loads of trojans and other malicious software. And yet, the problems still exist on my PC. I read on some other forums and blogs that the svchost.exe problem could be due to faulty Windows updates, so I followed instructions from other websites to download certain Windows files to help with the problem (fix_svchost.bat, WindowsUpdateAgent30-x86.exe, and WindowsXP-KB927891.exe). The files in my opinion helped a small bit, because as svchost.exe climbs to ridiculous levels of memory usage, it looks like it slows down, stops, then gradually crawls back down, but only for a little bit. It jumps up higher, then slowly down, and it repeats that cycle until I get the error message. In other words, it only prolonged it.

I have downloaded Process Explorer to view the programs closely, which is how I saw svchost.exe's activity. I also downloaded TDSSKiller and tried to run it, but it would reach 80%, stop for a few seconds, and then come up with the message stating that it encountered a problem and needs to close. I tried several times, both in normal and safe mode, but no luck. I probably should have thought to come to experts sooner, but I thought I could handle the problem on my own by reading a few blogs and forums. At this point I'm just too exhausted to keep trying all these methods and STILL have the computer with these problems. I apologize if the thread was way too wordy. If you need any other information about my system, just ask and I'll try to get the information to you; I'm no genius on the computer, but I'll do what I can. Any suggestions or instructions will be most helpful. Thank you very much.

Below is the DDS log, and attached is the Attach file created by DDS and the Ark file created by GMER.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Chris at 22:25:24.40 on Sun 04/24/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2769 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Chris\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} - c:\program files\webshots\WSToolbar4IE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
uPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\junior\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.8.99/cab/aolpPlugins.10.6.0.6.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://email2.downstate.edu/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.uboc.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: itlntfy - itlnfw32.dll
Notify: sstqo - sstqo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\a4ook7dt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - About:Blank
FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&systemid=1&q=
FF - component: c:\documents and settings\chris\application data\mozilla\firefox\profiles\a4ook7dt.default\extensions\{28d35620-51d9-11de-9d13-2db156d89593}\components\dtTransparency.dll
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\chris\application data\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: MediaBar: {28D35620-51D9-11DE-9D13-2DB156D89593} - %profile%\extensions\{28D35620-51D9-11DE-9D13-2DB156D89593}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B} - c:\documents and settings\chris\local settings\application data\{C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 78433162;78433162 Boot Guard Driver;c:\windows\system32\drivers\78433162.sys [2011-4-20 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-6 64512]
R1 78433161;78433161;c:\windows\system32\drivers\78433161.sys [2011-4-20 128016]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl2eb0b4d6;MpKsl2eb0b4d6;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a97f5d84-184e-4c8b-b399-c6478259fdef}\MpKsl2eb0b4d6.sys [2011-4-24 28752]
R1 MpKsl3ceaf7ea;MpKsl3ceaf7ea;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{a97f5d84-184e-4c8b-b399-c6478259fdef}\MpKsl3ceaf7ea.sys [2011-4-24 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-4-24 18816]
R1 setup_9.0.0.722_20.04.2011_06-51[1]drv;setup_9.0.0.722_20.04.2011_06-51[1]drv;c:\windows\system32\drivers\7843316.sys [2011-4-20 315408]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-2-22 266240]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-1 2146496]
S1 MpKsl63bc2bfa;MpKsl63bc2bfa;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\mpksl63bc2bfa.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\MpKsl63bc2bfa.sys [?]
S1 MpKsl7c72f81d;MpKsl7c72f81d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\mpksl7c72f81d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\MpKsl7c72f81d.sys [?]
S1 MpKsl871f1c3b;MpKsl871f1c3b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\mpksl871f1c3b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\MpKsl871f1c3b.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-9 136176]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 ACTNDIS5;ACTNDIS5 NDIS Protocol Driver;\??\c:\progra~1\action~1\dslaol\actndis5.sys --> c:\progra~1\action~1\dslaol\ACTNDIS5.SYS [?]
S3 efipsk;efipsk;\??\c:\docume~1\chris\locals~1\temp\efipsk.sys --> c:\docume~1\chris\locals~1\temp\efipsk.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\15.tmp --> c:\windows\system32\15.tmp [?]
.
=============== Created Last 30 ================
.
2011-04-25 02:22:13 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a97f5d84-184e-4c8b-b399-c6478259fdef}\MpKsl2eb0b4d6.sys
2011-04-25 01:55:05 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a97f5d84-184e-4c8b-b399-c6478259fdef}\MpKsl3ceaf7ea.sys
2011-04-24 17:42:32 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-24 17:42:10 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{a97f5d84-184e-4c8b-b399-c6478259fdef}\mpengine.dll
2011-04-24 10:07:40 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-04-24 03:51:56 -------- d-----w- c:\program files\Sophos
2011-04-24 02:08:38 77912 ----a-w- c:\windows\system32\drivers\klmd.sys
2011-04-23 15:54:50 -------- d-----w- c:\program files\iTunes
2011-04-23 15:47:04 -------- d-----w- c:\program files\Bonjour
2011-04-22 18:58:20 385024 ----a-w- c:\windows\system32\anby.exe
2011-04-22 18:27:23 -------- d-----w- c:\windows\system32\NtmsData
2011-04-22 07:13:41 -------- d-----w- c:\program files\ESET
2011-04-22 05:35:16 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-22 05:24:26 -------- d-----w- C:\LOGFILES
2011-04-22 04:49:38 3038 ----a-w- C:\fix_svchost.bat
2011-04-22 04:49:33 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-04-22 04:49:32 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2011-04-21 07:04:15 -------- d-sha-r- C:\cmdcons
2011-04-21 06:48:57 -------- d-----w- C:\ComboFix
2011-04-21 06:46:47 98816 ----a-w- c:\windows\sed.exe
2011-04-21 06:46:47 89088 ----a-w- c:\windows\MBR.exe
2011-04-21 06:46:47 256512 ----a-w- c:\windows\PEV.exe
2011-04-21 06:46:47 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 06:16:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-20 06:16:27 -------- d-----w- c:\docume~1\chris\applic~1\AVG9
2011-04-20 06:10:06 -------- d-----w- c:\docume~1\chris\applic~1\SUPERAntiSpyware.com
2011-04-20 06:09:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-20 04:38:18 37392 ----a-w- c:\windows\system32\drivers\78433162.sys
2011-04-20 04:38:18 315408 ----a-w- c:\windows\system32\drivers\7843316.sys
2011-04-20 04:38:18 128016 ----a-w- c:\windows\system32\drivers\78433161.sys
2011-04-18 22:28:04 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-18 22:20:32 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-18 18:55:20 -------- d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2011-04-18 18:55:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-18 18:55:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-18 18:55:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-18 18:55:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-18 06:18:36 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
2011-04-18 05:15:59 0 ----a-w- c:\windows\Gyujanap.bin
2011-04-18 05:15:58 -------- d-----w- c:\docume~1\chris\locals~1\applic~1\{C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B}
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
==================== Find3M ====================
.
2011-04-24 18:51:54 26112 ----a-w- c:\windows\system32\userinit.exe
2011-04-07 07:59:03 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-03-01 19:22:19 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-04 22:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
.
============= FINISH: 22:32:09.25 ===============

Attached Files
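When a helper reads a DDS log like the one posted above, the SERVICES / DRIVERS block is one of the first places they look. The Python below is an added example, not DDS's own code and not something from this thread: it parses lines in that block's format ("<type> <name>;<display name>;<path> [<date> <size>]") and flags the two things a responder would check first, a driver DDS could not stat on disk (the "[?]" marker, assumed here to mean the file was missing when the log ran) and a driver loaded from a temp directory or a .tmp file. The sample lines are constructed in the same shape as the posted log; the function names, the `DriverEntry` class and the flagging heuristics are my own assumptions, and a flag is a triage pointer, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the shape of a DDS "SERVICES / DRIVERS" section.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-6 64512]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S3 efipsk;efipsk;\??\c:\docume~1\chris\locals~1\temp\efipsk.sys --> c:\docume~1\chris\locals~1\temp\efipsk.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\15.tmp --> c:\windows\system32\15.tmp [?]
.
=============== Created Last 30 ================
"""

# One entry: "<R|S><0-3> <service name>;<display name>;<path> [<file info>]"
ENTRY_RE = re.compile(r"^([RS]\d)\s+([^;]*);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")

# Directory names treated as temporary locations (heuristic, assumed).
TEMP_DIRS = {"temp", "tmp"}


@dataclass
class DriverEntry:
    start_type: str        # DDS convention: R = running, S = stopped, digit = start group
    name: str
    display_name: str
    path: str              # Win32 path of the driver/service image
    file_info: str         # "<date> <size>" or "?" when DDS could not stat the file
    flags: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[DriverEntry]:
    """Return the entries of the SERVICES / DRIVERS block; other sections are skipped."""
    entries: List[DriverEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if "SERVICES / DRIVERS" in line:
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("="):
            break  # reached the next section header
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "." separators and anything else DDS prints
        path = m.group(4)
        # DDS prints "\??\<native path> --> <win32 path>" for some entries; keep the Win32 form.
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()
        entries.append(DriverEntry(m.group(1), m.group(2), m.group(3), path, m.group(5)))
    return entries


def triage(entries: List[DriverEntry]) -> List[DriverEntry]:
    """Attach flags to entries worth a closer look and return only the flagged ones."""
    for e in entries:
        parts = e.path.lower().replace("/", "\\").split("\\")
        if e.file_info.strip() == "?":
            e.flags.append("file_not_found")
        if any(p in TEMP_DIRS for p in parts[:-1]):
            e.flags.append("loads_from_temp_dir")
        if parts[-1].endswith(".tmp"):
            e.flags.append("tmp_extension")
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for entry in triage(parse_entries(SAMPLE_DDS)):
        print(f"{entry.start_type} {entry.name}: {entry.path}  flags={entry.flags}")
```

Run against the constructed sample, the two drivers under the temp directory and the .tmp file are reported and the two regular drivers are not; a real log is fed in by reading the file into `parse_entries` instead of `SAMPLE_DDS`.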

#2 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,854 posts
  • Location:Bloomington, IN

Posted 02 May 2011 - 11:34 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 FinalStar14
  • Topic Starter

  • Members
  • 22 posts

Posted 03 May 2011 - 01:53 AM

I thought my problem was overlooked, but thank you very much for the support. I can only imagine how many people are coming to your website for assistance. I hope you guys can help me take care of these problems. As requested, here are the new logs. If you need anything else, please let me know and I'll do what I can do.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Chris at 1:58:16.45 on Tue 05/03/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2728 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Webroot Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Chris\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} - c:\program files\webshots\WSToolbar4IE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [P17Helper] "Rundll32" P17.dll,P17Helper
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SpySweeper] "c:\program files\webroot\webrootsecurity\SpySweeperUI.exe" /startintray
uPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\junior\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.8.99/cab/aolpPlugins.10.6.0.6.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://email2.downstate.edu/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.uboc.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: itlntfy - itlnfw32.dll
Notify: sstqo - sstqo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\a4ook7dt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - About:Blank
FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&systemid=1&q=
FF - component: c:\documents and settings\chris\application data\mozilla\firefox\profiles\a4ook7dt.default\extensions\{28d35620-51d9-11de-9d13-2db156d89593}\components\dtTransparency.dll
FF - plugin: c:\documents and settings\chris\application data\mozilla\plugins\np-mswmp.dll
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: MediaBar: {28D35620-51D9-11DE-9D13-2DB156D89593} - %profile%\extensions\{28D35620-51D9-11DE-9D13-2DB156D89593}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: XULRunner: {C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B} - c:\documents and settings\chris\local settings\application data\{C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R0 78433162;78433162 Boot Guard Driver;c:\windows\system32\drivers\78433162.sys [2011-4-20 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-6 64512]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2011-3-22 29832]
R1 78433161;78433161;c:\windows\system32\drivers\78433161.sys [2011-4-20 128016]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl1c01b507;MpKsl1c01b507;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKsl1c01b507.sys [2011-5-3 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 setup_9.0.0.722_20.04.2011_06-51[1]drv;setup_9.0.0.722_20.04.2011_06-51[1]drv;c:\windows\system32\drivers\7843316.sys [2011-4-20 315408]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-2-22 266240]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-1 2146496]
R2 MSSQL$SOPHOS;SQL Server (SOPHOS);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2007-2-10 29178224]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2011-3-22 4048256]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2011-4-29 1201656]
S1 MpKsl63bc2bfa;MpKsl63bc2bfa;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\mpksl63bc2bfa.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\MpKsl63bc2bfa.sys [?]
S1 MpKsl7c72f81d;MpKsl7c72f81d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\mpksl7c72f81d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\MpKsl7c72f81d.sys [?]
S1 MpKsl871f1c3b;MpKsl871f1c3b;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\mpksl871f1c3b.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{124bd83e-7d82-456f-b21f-ab393d496d19}\MpKsl871f1c3b.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-9 136176]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 ACTNDIS5;ACTNDIS5 NDIS Protocol Driver;\??\c:\progra~1\action~1\dslaol\actndis5.sys --> c:\progra~1\action~1\dslaol\ACTNDIS5.SYS [?]
S3 efipsk;efipsk;\??\c:\docume~1\chris\locals~1\temp\efipsk.sys --> c:\docume~1\chris\locals~1\temp\efipsk.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\15.tmp --> c:\windows\system32\15.tmp [?]
.
=============== Created Last 30 ================
.
2011-05-03 05:52:23 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKsl1c01b507.sys
2011-05-01 20:25:26 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKsl7c79be9f.sys
2011-05-01 01:44:14 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKsle10091b9.sys
2011-04-29 23:00:49 1563024 ----a-w- c:\windows\WRSetup.dll
2011-04-29 23:00:49 -------- d-----w- c:\program files\Webroot
2011-04-29 23:00:49 -------- d-----w- c:\docume~1\chris\applic~1\Webroot
2011-04-29 23:00:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2011-04-29 22:54:06 -------- d-----w- C:\savw_97_sa
2011-04-29 21:55:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sophos
2011-04-29 21:39:45 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-29 21:05:58 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKslce6795d6.sys
2011-04-29 19:30:15 -------- d-----w- C:\escw_97_sa
2011-04-29 19:08:13 -------- d-----w- C:\scc_40
2011-04-29 18:05:23 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\mpengine.dll
2011-04-24 17:42:32 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-24 03:51:56 -------- d-----w- c:\program files\Sophos
2011-04-23 15:54:50 -------- d-----w- c:\program files\iTunes
2011-04-23 15:47:04 -------- d-----w- c:\program files\Bonjour
2011-04-22 18:27:23 -------- d-----w- c:\windows\system32\NtmsData
2011-04-22 07:13:41 -------- d-----w- c:\program files\ESET
2011-04-22 05:35:16 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-22 05:24:26 -------- d-----w- C:\LOGFILES
2011-04-22 04:49:38 3038 ----a-w- C:\fix_svchost.bat
2011-04-22 04:49:33 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-04-22 04:49:32 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2011-04-21 07:04:15 -------- d-sha-r- C:\cmdcons
2011-04-21 06:48:57 -------- d-----w- C:\ComboFix
2011-04-21 06:46:47 98816 ----a-w- c:\windows\sed.exe
2011-04-21 06:46:47 89088 ----a-w- c:\windows\MBR.exe
2011-04-21 06:46:47 256512 ----a-w- c:\windows\PEV.exe
2011-04-21 06:46:47 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 06:16:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-20 06:16:27 -------- d-----w- c:\docume~1\chris\applic~1\AVG9
2011-04-20 06:10:06 -------- d-----w- c:\docume~1\chris\applic~1\SUPERAntiSpyware.com
2011-04-20 06:09:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-20 04:38:18 37392 ----a-w- c:\windows\system32\drivers\78433162.sys
2011-04-20 04:38:18 315408 ----a-w- c:\windows\system32\drivers\7843316.sys
2011-04-20 04:38:18 128016 ----a-w- c:\windows\system32\drivers\78433161.sys
2011-04-18 22:28:04 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-18 22:20:32 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-18 18:55:20 -------- d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2011-04-18 18:55:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-18 18:55:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-18 18:55:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-18 18:55:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-18 06:18:36 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
2011-04-18 05:15:59 0 ----a-w- c:\windows\Gyujanap.bin
2011-04-18 05:15:58 -------- d-----w- c:\docume~1\chris\locals~1\applic~1\{C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B}
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
==================== Find3M ====================
.
2011-04-29 16:40:45 26112 ----a-w- c:\windows\system32\userinit.exe
2011-04-18 10:23:39 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-03-01 19:22:19 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-04 22:48:32 456192 ----a-w- c:\windows\system32\encdec.dll
2011-02-04 22:48:30 291840 ----a-w- c:\windows\system32\sbe.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 2:04:42.89 ===============

Attached Files
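As an added triage example (not code from DDS, TDSSKiller or the forum helpers), here is a small Python script that reads DDS-style lines like the ones in the log above and flags the kinds of entries a malware-removal helper typically checks first: browser objects registered with "No File", Winlogon Notify DLLs listed without a path, Firefox search/keyword URLs pointing away from an assumed list of expected search hosts, and drivers loaded from a temp directory, with a .tmp extension, or with no recorded file details. The sample lines are constructed (modelled on the log formats above), the expected-host list is an assumption, and the rules only surface items for a person to look at; they do not decide what is malicious.

```python
"""Triage a DDS-style log for entries a malware-removal helper would want to
review first. Added example (not DDS, TDSSKiller or BleepingComputer code);
the heuristics flag items for a human, they do not decide maliciousness."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample lines, modelled on the DDS formats in the log above.
# "hxxp" is DDS's defanged spelling of "http".
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - No File
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: sstqo - sstqo.dll
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&systemid=1&q=
FF - prefs.js: browser.search.selectedEngine - Google
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S3 efipsk;efipsk;\??\c:\docume~1\chris\locals~1\temp\efipsk.sys --> c:\docume~1\chris\locals~1\temp\efipsk.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\15.tmp --> c:\windows\system32\15.tmp [?]
"""

# Assumed known-good search hosts for this machine; the analyst adjusts this list.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
URL_PREF_KEYS = {"browser.search.defaulturl", "keyword.URL", "browser.startup.homepage"}

_HOST_RE = re.compile(r"hxxps?://([^/\s]+)", re.IGNORECASE)
# "R1 name;description;path [date size]"  or  "S3 name;description;path --> resolved [?]"
_SERVICE_RE = re.compile(
    r"^[RS]\d\s+[^;]+;[^;]+;(?P<path>.+?)(?:\s-->\s(?P<resolved>.+?))?\s\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def host_of(defanged_url: str) -> str | None:
    """Return the host part of a DDS-defanged URL, or None if it is not a URL."""
    m = _HOST_RE.search(defanged_url)
    return m.group(1).lower() if m else None


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            # CLSID still registered but no DLL on disk: a leftover of a removed
            # or uninstalled component, cheap to clean up.
            findings.append(Finding("orphaned-browser-object", line))
        elif line.startswith("Notify:"):
            _, _, target = line.partition(" - ")
            # A Winlogon Notify DLL named without a directory is found via the
            # library search path, so the reviewer should locate the file itself.
            if target and "\\" not in target:
                findings.append(Finding("winlogon-notify-bare-dll", line))
        elif line.startswith("FF - prefs.js: "):
            key, _, value = line[len("FF - prefs.js: "):].partition(" - ")
            host = host_of(value)
            if key in URL_PREF_KEYS and host and host not in EXPECTED_SEARCH_HOSTS:
                findings.append(Finding("browser-search-url-changed", line))
        else:
            m = _SERVICE_RE.match(line)
            if not m:
                continue
            path = (m.group("resolved") or m.group("path")).lower()
            if "\\temp\\" in path:
                findings.append(Finding("driver-in-temp-dir", line))
            if path.endswith(".tmp"):
                findings.append(Finding("driver-tmp-extension", line))
            if m.group("info") == "?":
                # DDS printed no date/size for the file, so it could not be inspected.
                findings.append(Finding("driver-no-file-details", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, e.g. {'orphaned-browser-object': 2, ...}."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:28} {f.line[:90]}")
```

Run it against a saved DDS log by passing the file's text to `triage()`; the output is a reading list for the person doing the cleanup, not a verdict, and the `EXPECTED_SEARCH_HOSTS` set should be set to whatever search engines the machine's owner actually chose.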



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:24 PM

Posted 03 May 2011 - 06:10 PM

Hello FinalStar14,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


Please delete any copy of TDSSKiller and Combofix you have. These have been upgraded as of today.

We need to Uninstall AVG Antivirus as it will interfere with some of our tools.
Please use AppRemover to remove AVG.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


3.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.



Things to include in your next reply:
TDSSKiller log
Combofix.txt
aswMBR log
Are you able to burn CDs and do you have access to a USB flash drive?
How is your machine running now?

Edited by fireman4it, 03 May 2011 - 06:17 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 FinalStar14

FinalStar14
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 04 May 2011 - 12:51 AM

I uninstalled AVG sometime last week, I'm not sure why it's still showing up in the log file. I ran the AppRemover program and it didn't find AVG. I'm assuming that it didn't uninstall properly; should I use the option in AppRemover to clean up failed uninstalls? I do see on the C:\ that there's a folder labeled $AVG. Should I delete that folder or try a different approach to this?

Just as a general question, can I do these steps in Safe mode? I haven't uninstalled ComboFix as of yet, as far as TDSSKiller, by uninstalling that program, is it just completely deleting the .exe file or there's more to it?

Thank you once again for your help.

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:24 PM

Posted 04 May 2011 - 04:44 PM

Hello,

Lets see if we can answer all your questions.

I uninstalled AVG sometime last week, I'm not sure why it's still showing up in the log file. I ran the AppRemover program and it didn't find AVG. I'm assuming that it didn't uninstall properly; should I use the option in AppRemover to clean up failed uninstalls? I do see on the C:\ that there's a folder labeled $AVG. Should I delete that folder or try a different approach to this?

Yes to both.

Just as a general question, can I do these steps in Safe mode?


Do you mean delete and run TDSSKiller and ComboFix? In those cases, yes. Please use Safe Mode with Networking for ComboFix.

I haven't uninstalled ComboFix as of yet, as far as TDSSKiller, by uninstalling that program, is it just completely deleting the .exe file or there's more to it?


I don't want you to Uninstall them, just delete the copy of them from your desktop. Deleting the .exe is exactly it.



#7 FinalStar14

FinalStar14
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 04 May 2011 - 05:40 PM

Ok, I will try those steps for AVG when I get in around 12am. TDSSKiller gave me a problem when I tried to run it before; it would get initialized up to 80% and then stop, then after a few seconds state that it "encountered a problem and needs to shut down." I guess that was probably because of the outdated version, but it still creates a log file when I run it.

1. When I get the new version and run it in Safe Mode with networking, if it still gives me the same problem, should I move on to the next step (running Combofix)?
1a. If the problem occurs again, should I give you the log that it generates?

As far as the Safe Mode question I asked, it was geared in reference to running any programs you tell me to run, or any steps to take with my computer. I only asked because it gets easier to operate the computer in Safe Mode. I'll try to be more specific with each question I ask. I apologize and thanks again!!

#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:24 PM

Posted 04 May 2011 - 07:47 PM

Hello,

1. Yes, you can move on to ComboFix if TDSSKiller freezes at 80%, but that problem was corrected with the new version. That's why I want you to delete the old version and download the new one.

1a. Always save all logs that you can for my review.



#9 FinalStar14

FinalStar14
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 05 May 2011 - 01:06 AM

I was able to run TDSSKiller without any problems (the log is included in the body of this message). I'm trying to move onto the next step (Combofix) but it keeps saying that AVG and Ad-Aware are still running.

As far as AVG, the AppRemover doesn't find any instances of it, even if I select both options. I deleted the folder I stated before ("$AVG") but ComboFix still insists it's running.

As far as Ad-Aware, I followed the tutorial on how to temporarily disable antivirus, firewall, etc. I have version 9.0.5, and when I get into the Ad-Watch Live tab, I can only check off Processes Protection; Registry and Network Protection appear as if I could check them off, but when I click to do so, nothing happens. Under detection layers, Behavior based detection (which is grayed out, but checked on), Antivirus engine (I am able to check that off) and Winlog protection (which is checked off) is there. The spyware heuristics option isn't there.

I can right click the Ad-Aware option and shut it down from there, but even when I do that, Combofix still gives me the warning about AVG and Ad-Aware still running. The funny thing is that when I run AppRemover to clean up failed uninstalls, Ad-Aware pops up as the only option: it states Vendor: Lavasoft Inc. (72%) Product: Ad-Aware. Does this have anything to do with Combofix still detecting that it's running even when I shut it down? I don't mind uninstalling this program for now just so I can proceed with Combofix, but only if you say so.

Should I still run ComboFix despite the warnings? Or can you advise me on a different approach to this? TDSSKiller did find one object, and once I cured it, the computer has been running normally (in Safe mode with networking at least, I haven't tried normal). svchost.exe doesn't jump up to ridiculous levels, and I was able to use Google to search for certain websites and not be redirected somewhere. I know we're on the right path! :) Here is the log TDSSKiller produced.


2011/05/04 23:38:38.0500 2756 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/04 23:38:38.0890 2756 ================================================================================
2011/05/04 23:38:38.0890 2756 SystemInfo:
2011/05/04 23:38:38.0890 2756
2011/05/04 23:38:38.0890 2756 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/04 23:38:38.0890 2756 Product type: Workstation
2011/05/04 23:38:38.0890 2756 ComputerName: IVORY
2011/05/04 23:38:38.0890 2756 UserName: Chris
2011/05/04 23:38:38.0890 2756 Windows directory: C:\WINDOWS
2011/05/04 23:38:38.0890 2756 System windows directory: C:\WINDOWS
2011/05/04 23:38:38.0890 2756 Processor architecture: Intel x86
2011/05/04 23:38:38.0890 2756 Number of processors: 2
2011/05/04 23:38:38.0890 2756 Page size: 0x1000
2011/05/04 23:38:38.0890 2756 Boot type: Safe boot with network
2011/05/04 23:38:38.0890 2756 ================================================================================
2011/05/04 23:38:39.0234 2756 Initialize success
2011/05/04 23:39:31.0781 2812 ================================================================================
2011/05/04 23:39:31.0781 2812 Scan started
2011/05/04 23:39:31.0781 2812 Mode: Manual;
2011/05/04 23:39:31.0781 2812 ================================================================================
2011/05/04 23:39:48.0609 2812 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/04 23:39:48.0671 2812 ================================================================================
2011/05/04 23:39:48.0671 2812 Scan finished
2011/05/04 23:39:48.0671 2812 ================================================================================
2011/05/04 23:39:48.0703 2460 Detected object count: 1
2011/05/04 23:40:45.0843 2460 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/04 23:40:45.0843 2460 \HardDisk1 - ok
2011/05/04 23:40:45.0843 2460 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/05/04 23:42:11.0640 2748 Deinitialize success
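The TDSSKiller log above has a regular shape: each line carries a date, a time and a thread id, followed by either a SystemInfo key/value, a driver entry (service name, MD5 of the image, path), a detection, or the action scheduled for it. As an added example, not part of this thread and not TDSSKiller's own code, here is a small Python parser that extracts those pieces and reports whether a scheduled cure is still waiting on a reboot; the embedded sample log is constructed to mirror the format, with placeholder MD5 values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every TDSSKiller log line starts with "date time thread-id", then a message.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2}) (\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# Key/value lines from the SystemInfo block and the post-scan summary.
KV_RE = re.compile(r"^(OS Version|Product type|ComputerName|UserName|Processor architecture"
                   r"|Boot type|Detected object count): (.+)$")
# Driver enumeration entry: service name, MD5 of the image, image path.
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# Detection line: object, verdict, numeric suffix.
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")
# Action the tool will take for a detected object ("will be cured after reboot").
ACTION_RE = re.compile(r"^(\S+) \(([^)]+)\) - (.+)$")
# Action the user chose in the dialog ("User select action: Cure").
USER_RE = re.compile(r"^([^\s(]+)\(([^)]+)\) - User select action: (.+)$")

@dataclass
class Driver:
    name: str
    md5: str
    path: str

@dataclass
class Detection:
    obj: str
    verdict: str
    action: Optional[str] = None       # what TDSSKiller scheduled
    user_choice: Optional[str] = None  # what the user picked in the dialog

@dataclass
class Report:
    system_info: Dict[str, str] = field(default_factory=dict)
    drivers: List[Driver] = field(default_factory=list)
    detections: List[Detection] = field(default_factory=list)

    def reboot_required(self) -> bool:
        # A cure scheduled "after reboot" has not happened until the machine restarts.
        return any(d.action and "after reboot" in d.action for d in self.detections)

def parse_tdsskiller_log(text: str) -> Report:
    report = Report()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, or a thread-id line with no message
        msg = m.group(4).strip()
        if not msg or msg.startswith("="):
            continue  # separator rule
        if (kv := KV_RE.match(msg)):
            report.system_info[kv.group(1)] = kv.group(2).strip()
        elif (det := DETECT_RE.match(msg)):
            report.detections.append(Detection(det.group(1), det.group(2)))
        elif (usr := USER_RE.match(msg)):
            for d in report.detections:
                if d.obj == usr.group(2) and d.verdict == usr.group(1):
                    d.user_choice = usr.group(3)
        elif (act := ACTION_RE.match(msg)):
            for d in report.detections:
                if d.obj == act.group(1) and d.verdict == act.group(2):
                    d.action = act.group(3)
        elif (drv := DRIVER_RE.match(msg)):
            report.drivers.append(Driver(*drv.groups()))
    return report

def triage(report: Report) -> Dict[str, object]:
    """Condense a parsed log into the facts a helper looks at first."""
    declared = report.system_info.get("Detected object count")
    return {
        "boot_type": report.system_info.get("Boot type", "unknown"),
        "driver_count": len(report.drivers),
        "detected_object_count": int(declared) if declared else len(report.detections),
        "detections": [f"{d.obj}: {d.verdict} -> {d.action or 'no action'}"
                       for d in report.detections],
        "reboot_required": report.reboot_required(),
    }

# Constructed sample mirroring the log format in the thread; the MD5s are placeholders.
SAMPLE_LOG = r"""
2011/05/04 23:38:38.0890 2756 ================================================================================
2011/05/04 23:38:38.0890 2756 SystemInfo:
2011/05/04 23:38:38.0890 2756
2011/05/04 23:38:38.0890 2756 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/04 23:38:38.0890 2756 Boot type: Safe boot with network
2011/05/04 23:39:33.0546 2812 ACPI (00000000000000000000000000000001) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/04 23:39:34.0812 2812 atapi (00000000000000000000000000000002) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/04 23:39:48.0609 2812 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/04 23:39:48.0671 2812 Scan finished
2011/05/04 23:39:48.0703 2460 Detected object count: 1
2011/05/04 23:40:45.0843 2460 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/04 23:40:45.0843 2460 \HardDisk1 - ok
2011/05/04 23:40:45.0843 2460 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
"""

if __name__ == "__main__":
    for key, value in triage(parse_tdsskiller_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```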

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 05 May 2011 - 05:03 PM

Hello,

Go ahead and run Combofix and ignore the warnings about Avg and Adaware.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 FinalStar14

FinalStar14
  • Topic Starter

  • Members
  • 22 posts

Posted 05 May 2011 - 06:24 PM

OK, I ran all 3 programs. As requested, the logs are all in the body of this post.
1. TDSSKiller
2. Combofix
3. aswMBR

2011/05/04 23:38:38.0500 2756 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/04 23:38:38.0890 2756 ================================================================================
2011/05/04 23:38:38.0890 2756 SystemInfo:
2011/05/04 23:38:38.0890 2756
2011/05/04 23:38:38.0890 2756 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/04 23:38:38.0890 2756 Product type: Workstation
2011/05/04 23:38:38.0890 2756 ComputerName: IVORY
2011/05/04 23:38:38.0890 2756 UserName: Chris
2011/05/04 23:38:38.0890 2756 Windows directory: C:\WINDOWS
2011/05/04 23:38:38.0890 2756 System windows directory: C:\WINDOWS
2011/05/04 23:38:38.0890 2756 Processor architecture: Intel x86
2011/05/04 23:38:38.0890 2756 Number of processors: 2
2011/05/04 23:38:38.0890 2756 Page size: 0x1000
2011/05/04 23:38:38.0890 2756 Boot type: Safe boot with network
2011/05/04 23:38:38.0890 2756 ================================================================================
2011/05/04 23:38:39.0234 2756 Initialize success
2011/05/04 23:39:31.0781 2812 ================================================================================
2011/05/04 23:39:31.0781 2812 Scan started
2011/05/04 23:39:31.0781 2812 Mode: Manual;
2011/05/04 23:39:31.0781 2812 ================================================================================
2011/05/04 23:39:37.0703 2812 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/04 23:39:37.0765 2812 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/05/04 23:39:37.0796 2812 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/04 23:39:37.0843 2812 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/05/04 23:39:37.0906 2812 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/04 23:39:37.0984 2812 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/04 23:39:38.0015 2812 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/04 23:39:38.0093 2812 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/05/04 23:39:38.0125 2812 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/04 23:39:38.0234 2812 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/04 23:39:38.0343 2812 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/05/04 23:39:38.0390 2812 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/04 23:39:38.0453 2812 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/05/04 23:39:38.0500 2812 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/05/04 23:39:38.0546 2812 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/04 23:39:38.0640 2812 iastor (d593517879e65167df35f6015814ac59) C:\WINDOWS\system32\drivers\iastor.sys
2011/05/04 23:39:38.0703 2812 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/04 23:39:38.0781 2812 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/05/04 23:39:38.0875 2812 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/05/04 23:39:38.0953 2812 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/05/04 23:39:39.0000 2812 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/05/04 23:39:39.0062 2812 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/05/04 23:39:39.0125 2812 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/04 23:39:39.0187 2812 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/04 23:39:39.0265 2812 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/04 23:39:39.0328 2812 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/04 23:39:39.0390 2812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/04 23:39:39.0437 2812 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/04 23:39:39.0484 2812 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/04 23:39:39.0531 2812 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/04 23:39:39.0562 2812 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/04 23:39:39.0593 2812 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/04 23:39:39.0640 2812 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/04 23:39:39.0703 2812 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/04 23:39:39.0828 2812 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
2011/05/04 23:39:39.0890 2812 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/05/04 23:39:40.0109 2812 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2011/05/04 23:39:40.0171 2812 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/04 23:39:40.0234 2812 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/04 23:39:40.0296 2812 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/05/04 23:39:40.0343 2812 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/05/04 23:39:40.0375 2812 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/04 23:39:40.0437 2812 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/04 23:39:40.0484 2812 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/04 23:39:40.0546 2812 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/05/04 23:39:40.0765 2812 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/05/04 23:39:40.0828 2812 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/04 23:39:40.0890 2812 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/04 23:39:40.0968 2812 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/04 23:39:41.0031 2812 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/04 23:39:41.0078 2812 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/04 23:39:41.0109 2812 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/04 23:39:41.0218 2812 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/04 23:39:41.0281 2812 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/04 23:39:41.0343 2812 NAL (9121d8ffff773c66bbf4955e4f7aac23) C:\WINDOWS\system32\Drivers\iqvw32.sys
2011/05/04 23:39:41.0406 2812 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/04 23:39:41.0453 2812 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/04 23:39:41.0484 2812 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/04 23:39:41.0531 2812 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/04 23:39:41.0609 2812 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/04 23:39:41.0671 2812 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/04 23:39:41.0703 2812 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/04 23:39:41.0843 2812 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/04 23:39:41.0906 2812 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/04 23:39:41.0984 2812 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/04 23:39:42.0093 2812 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/05/04 23:39:42.0218 2812 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/04 23:39:42.0265 2812 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/04 23:39:42.0343 2812 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/05/04 23:39:42.0421 2812 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2011/05/04 23:39:42.0484 2812 P17 (3a7290f2c423b80ba95becae015b9b1b) C:\WINDOWS\system32\drivers\P17.sys
2011/05/04 23:39:42.0593 2812 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/04 23:39:42.0640 2812 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/04 23:39:42.0687 2812 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/04 23:39:42.0796 2812 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/04 23:39:42.0875 2812 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/04 23:39:42.0921 2812 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/05/04 23:39:42.0984 2812 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
2011/05/04 23:39:43.0203 2812 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/05/04 23:39:43.0234 2812 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/05/04 23:39:43.0390 2812 pnarp (36fcac4fa28b462ca867742dea59b0d0) C:\WINDOWS\system32\DRIVERS\pnarp.sys
2011/05/04 23:39:43.0453 2812 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/04 23:39:43.0515 2812 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/04 23:39:43.0546 2812 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/04 23:39:43.0625 2812 purendis (d8ac00388262b1a4878a7ee12f31d376) C:\WINDOWS\system32\DRIVERS\purendis.sys
2011/05/04 23:39:43.0671 2812 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/04 23:39:43.0718 2812 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/05/04 23:39:43.0750 2812 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/05/04 23:39:43.0796 2812 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/05/04 23:39:43.0843 2812 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/05/04 23:39:43.0875 2812 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/05/04 23:39:43.0937 2812 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/04 23:39:44.0000 2812 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/04 23:39:44.0062 2812 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/04 23:39:44.0109 2812 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/04 23:39:44.0156 2812 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/04 23:39:44.0218 2812 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/04 23:39:44.0296 2812 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/04 23:39:44.0359 2812 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/04 23:39:44.0421 2812 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/04 23:39:44.0484 2812 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/05/04 23:39:44.0640 2812 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/04 23:39:44.0687 2812 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/05/04 23:39:44.0812 2812 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/04 23:39:44.0890 2812 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/04 23:39:44.0921 2812 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/04 23:39:45.0046 2812 setup_9.0.0.722_20.04.2011_06-51[1]drv (66ef49622baa18e4d4f1fe4bae1d51b8) C:\WINDOWS\system32\DRIVERS\7843316.sys
2011/05/04 23:39:45.0093 2812 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/04 23:39:45.0250 2812 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/05/04 23:39:45.0328 2812 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
2011/05/04 23:39:45.0359 2812 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/05/04 23:39:45.0406 2812 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/04 23:39:45.0484 2812 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/04 23:39:45.0578 2812 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/04 23:39:45.0656 2812 ssfs0bbc (6c46d1d2fc31a8cf0f1d6f9d6859d836) C:\WINDOWS\system32\DRIVERS\ssfs0bbc.sys
2011/05/04 23:39:45.0687 2812 sshrmd (cfbd9006204468f64c5737f71eb602f3) C:\WINDOWS\system32\DRIVERS\sshrmd.sys
2011/05/04 23:39:45.0750 2812 ssidrv (808c18876dd615b82f08298c98af46b2) C:\WINDOWS\system32\DRIVERS\ssidrv.sys
2011/05/04 23:39:45.0828 2812 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/04 23:39:45.0859 2812 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/04 23:39:45.0937 2812 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/05/04 23:39:45.0984 2812 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/05/04 23:39:46.0015 2812 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/05/04 23:39:46.0046 2812 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/05/04 23:39:46.0125 2812 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/04 23:39:46.0234 2812 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/04 23:39:46.0296 2812 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/04 23:39:46.0375 2812 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/04 23:39:46.0421 2812 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/04 23:39:46.0500 2812 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/05/04 23:39:46.0578 2812 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/04 23:39:46.0656 2812 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/05/04 23:39:46.0734 2812 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/04 23:39:46.0843 2812 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/04 23:39:46.0906 2812 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/04 23:39:46.0953 2812 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/04 23:39:46.0984 2812 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/04 23:39:47.0046 2812 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/04 23:39:47.0109 2812 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/04 23:39:47.0171 2812 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\DRIVERS\usbser.sys
2011/05/04 23:39:47.0218 2812 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/04 23:39:47.0265 2812 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/04 23:39:47.0328 2812 VComm (51750b0539986186c6931fc40d171521) C:\WINDOWS\system32\DRIVERS\VComm.sys
2011/05/04 23:39:47.0375 2812 VcommMgr (6d9c891c0a761afed1f3609c2e56f2b9) C:\WINDOWS\system32\Drivers\VcommMgr.sys
2011/05/04 23:39:47.0437 2812 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/04 23:39:47.0484 2812 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/05/04 23:39:47.0546 2812 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/05/04 23:39:47.0640 2812 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/04 23:39:47.0750 2812 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/04 23:39:47.0812 2812 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/05/04 23:39:47.0890 2812 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/05/04 23:39:48.0015 2812 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/04 23:39:48.0234 2812 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/05/04 23:39:48.0296 2812 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/04 23:39:48.0406 2812 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/04 23:39:48.0437 2812 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/04 23:39:48.0531 2812 xusb21 (a640c90b007762939507c28a021be3b3) C:\WINDOWS\system32\DRIVERS\xusb21.sys
2011/05/04 23:39:48.0609 2812 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/04 23:39:48.0671 2812 ================================================================================
2011/05/04 23:39:48.0671 2812 Scan finished
2011/05/04 23:39:48.0671 2812 ================================================================================
2011/05/04 23:39:48.0703 2460 Detected object count: 1
2011/05/04 23:40:45.0843 2460 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/04 23:40:45.0843 2460 \HardDisk1 - ok
2011/05/04 23:40:45.0843 2460 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/05/04 23:42:11.0640 2748 Deinitialize success





ComboFix 11-05-05.01 - Chris 05/05/2011 18:41:19.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3249 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Webroot Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Chris\Local Settings\Application Data\{C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B}
c:\documents and settings\Chris\Local Settings\Application Data\{C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B}\chrome.manifest
c:\documents and settings\Chris\Local Settings\Application Data\{C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B}\chrome\content\_cfg.js
c:\documents and settings\Chris\Local Settings\Application Data\{C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B}\chrome\content\overlay.xul
c:\documents and settings\Chris\Local Settings\Application Data\{C8C0D4C0-E163-47B1-ACA1-ABED4B2DA98B}\install.rdf
c:\documents and settings\Terrence\Application Data\inst.exe
c:\documents and settings\Terrence\Application Data\PriceGong
c:\documents and settings\Terrence\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Terrence\Application Data\PriceGong\Data\z.xml
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\pswi_preloaded.exe
c:\documents and settings\Chris\Application Data\inst.exe
c:\documents and settings\Chris\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Chris\Application Data\PriceGong\Data\z.xml
C:\iexplore.exe
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.0.inf
c:\windows\settings.reg
c:\windows\system32\ffhkj.bak1
c:\windows\system32\ffhkj.bak2
c:\windows\system32\ffhkj.ini
c:\windows\system32\ffhkj.ini2
c:\windows\system32\ffhkj.tmp
c:\windows\system32\itlpfw32.dll
c:\windows\system32\midas.dll
c:\windows\system32\qpqss.bak1
c:\windows\system32\qpqss.bak2
c:\windows\system32\qpqss.ini
c:\windows\system32\qpqss.ini2
c:\windows\system32\tttss.bak1
c:\windows\system32\tttss.bak2
c:\windows\system32\tttss.ini
c:\windows\system32\tttss.ini2
c:\windows\system32\tttss.tmp
G:\autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
-------\Service_Parameters
-------\Service_Security
-------\Service_Parameters
-------\Service_Security
.
.
((((((((((((((((((((((((( Files Created from 2011-04-05 to 2011-05-05 )))))))))))))))))))))))))))))))
.
.
2011-05-04 05:01 . 2011-05-04 05:01 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\MpKsl9e77b615.sys
2011-05-01 20:25 . 2011-05-01 20:25 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\MpKsl7c79be9f.sys
2011-05-01 17:43 . 2011-05-01 17:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-05-01 17:29 . 2011-05-01 17:29 -------- d-----w- c:\documents and settings\Terrence\Application Data\Webroot
2011-05-01 01:44 . 2011-05-01 01:44 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\MpKsle10091b9.sys
2011-04-29 23:00 . 2011-04-29 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-04-29 23:00 . 2011-04-29 23:00 -------- d-----w- c:\program files\Webroot
2011-04-29 23:00 . 2011-04-29 23:00 -------- d-----w- c:\documents and settings\Chris\Application Data\Webroot
2011-04-29 23:00 . 2011-04-20 13:34 1563024 ----a-w- c:\windows\WRSetup.dll
2011-04-29 22:54 . 2011-04-29 22:54 -------- d-----w- C:\savw_97_sa
2011-04-29 21:55 . 2011-04-29 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2011-04-29 21:39 . 2011-05-05 17:52 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-29 21:05 . 2011-04-29 21:05 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\MpKslce6795d6.sys
2011-04-29 19:30 . 2011-04-29 19:30 -------- d-----w- C:\escw_97_sa
2011-04-29 19:08 . 2011-04-29 19:08 -------- d-----w- C:\scc_40
2011-04-29 18:05 . 2011-04-18 13:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\mpengine.dll
2011-04-24 17:42 . 2011-04-18 13:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-24 05:22 . 2011-05-03 05:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-24 03:51 . 2011-04-29 22:57 -------- d-----w- c:\program files\Sophos
2011-04-23 15:54 . 2011-04-23 15:56 -------- d-----w- c:\program files\iTunes
2011-04-23 15:47 . 2011-04-23 15:47 -------- d-----w- c:\program files\Bonjour
2011-04-22 18:27 . 2011-04-22 18:35 -------- d-----w- c:\windows\system32\NtmsData
2011-04-22 07:13 . 2011-04-22 07:13 -------- d-----w- c:\program files\ESET
2011-04-22 05:35 . 2011-05-05 22:41 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-22 05:24 . 2011-04-24 18:52 -------- d-----w- C:\LOGFILES
2011-04-22 04:49 . 2011-04-22 04:37 3038 ----a-w- C:\fix_svchost.bat
2011-04-22 04:49 . 2011-04-22 04:46 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-04-22 04:49 . 2011-04-22 04:29 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2011-04-20 08:08 . 2011-04-20 08:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-04-20 06:16 . 2011-04-20 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-20 06:16 . 2011-04-20 06:16 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG9
2011-04-20 06:10 . 2011-04-20 06:10 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2011-04-20 06:09 . 2011-04-29 19:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-20 04:38 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\78433162.sys
2011-04-20 04:38 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\7843316.sys
2011-04-20 04:38 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\78433161.sys
2011-04-18 22:28 . 2011-02-02 22:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-18 22:20 . 2011-04-20 06:16 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-18 20:53 . 2011-04-18 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-18 20:51 . 2011-04-18 20:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-04-18 18:55 . 2011-04-18 18:55 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2011-04-18 18:55 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-18 18:55 . 2011-04-18 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-18 18:55 . 2011-04-20 06:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-18 18:55 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-18 06:18 . 2011-04-18 06:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
2011-04-18 05:24 . 2011-04-18 05:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-18 05:15 . 2011-04-18 05:15 0 ----a-w- c:\windows\Gyujanap.bin
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 16:40 . 2004-08-19 20:49 26112 ----a-w- c:\windows\system32\userinit.exe
2011-04-18 10:23 . 2009-10-07 04:12 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-18 06:19 . 2009-11-26 18:09 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-01 07:22 . 2009-10-07 03:42 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-22 14:14 . 2011-03-22 14:14 29832 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2011-03-22 14:14 . 2011-03-22 14:14 23176 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-03-22 14:14 . 2011-03-22 14:14 176776 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-03-07 05:33 . 2004-08-19 21:04 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-19 20:49 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-19 20:49 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-03-01 19:22 . 2010-01-07 06:49 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-22 23:06 . 2004-08-19 20:49 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-19 20:49 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-19 20:49 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-19 20:49 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36 . 2009-03-12 03:12 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-18 21:36 . 2007-11-22 12:43 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-17 13:18 . 2005-09-26 20:17 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2005-09-26 20:17 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-15 09:37 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-19 20:49 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-19 21:01 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33 . 2004-08-19 20:49 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-19 20:49 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-22 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 60928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=c:\windows\pss\Dataviz Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor for SD.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor for SD.lnk
backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor for SD.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=c:\windows\pss\Status Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk
backup=c:\windows\pss\WD Backup Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.51.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.51.lnk
backup=c:\windows\pss\Wireless Configuration Utility HW.51.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Chris^Start Menu^Programs^Startup^setup_9.0.0.722_20.04.2011_06-51[1].lnk]
path=c:\documents and settings\Chris\Start Menu\Programs\Startup\setup_9.0.0.722_20.04.2011_06-51[1].lnk
backup=c:\windows\pss\setup_9.0.0.722_20.04.2011_06-51[1].lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Terrence^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Terrence\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Terrence^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Terrence\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2008-01-23 10:15 50528 ----a-w- c:\program files\AOL 9.1\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2010-07-13 20:40 70720 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-22 04:28 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-15 02:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 13:34 851968 -c--a-w- c:\program files\Brother\ControlCenter2\brctrcen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 15:43 57344 -c--a-w- c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 18:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-03-08 07:27 41800 ----a-w- c:\program files\Common Files\AOL\1127966207\EE\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-04-25 13:50 139264 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 -c--a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-07-08 07:53 472112 -c--a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 19:48 647216 -c--a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2004-05-25 13:16 49152 -c----w- c:\program files\Brother\Brmfl04a\BrStDvPt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 -c--a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-05 01:55 77824 -c--a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2007-12-05 00:34 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127966207\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127966207\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\1127966207\\EE\\aim6.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 78433162;78433162 Boot Guard Driver;c:\windows\system32\drivers\78433162.sys [4/20/2011 12:38 AM 37392]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/6/2009 11:42 PM 64512]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [3/22/2011 10:14 AM 29832]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [4/29/2011 7:02 PM 1201656]
S1 78433161;78433161;c:\windows\system32\drivers\78433161.sys [4/20/2011 12:38 AM 128016]
S1 MpKsl63bc2bfa;MpKsl63bc2bfa;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{124BD83E-7D82-456F-B21F-AB393D496D19}\MpKsl63bc2bfa.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{124BD83E-7D82-456F-B21F-AB393D496D19}\MpKsl63bc2bfa.sys [?]
S1 MpKsl7c72f81d;MpKsl7c72f81d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{124BD83E-7D82-456F-B21F-AB393D496D19}\MpKsl7c72f81d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{124BD83E-7D82-456F-B21F-AB393D496D19}\MpKsl7c72f81d.sys [?]
S1 MpKsl871f1c3b;MpKsl871f1c3b;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{124BD83E-7D82-456F-B21F-AB393D496D19}\MpKsl871f1c3b.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{124BD83E-7D82-456F-B21F-AB393D496D19}\MpKsl871f1c3b.sys [?]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/22/2009 1:01 AM 266240]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 3:40 PM 136176]
S2 MSSQL$SOPHOS;SQL Server (SOPHOS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
S3 ACTNDIS5;ACTNDIS5 NDIS Protocol Driver;\??\c:\progra~1\ACTION~1\DslAOL\ACTNDIS5.SYS --> c:\progra~1\ACTION~1\DslAOL\ACTNDIS5.SYS [?]
S3 efipsk;efipsk;\??\c:\docume~1\Chris\LOCALS~1\Temp\efipsk.sys --> c:\docume~1\Chris\LOCALS~1\Temp\efipsk.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 3:40 PM 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/1/2011 3:22 AM 2146496]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/1/2011 3:22 AM 15232]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\15.tmp --> c:\windows\system32\15.tmp [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 19:40]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 19:40]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3229787047-2203135887-1497668293-1006Core.job
- c:\documents and settings\Terrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 23:25]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3229787047-2203135887-1497668293-1006UA.job
- c:\documents and settings\Terrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 23:25]
.
2011-05-05 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-05-05 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-05-05 c:\windows\Tasks\User_Feed_Synchronization-{602B48FA-EC09-4A0F-890C-EFE8B5D25DB9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
2011-04-29 c:\windows\Tasks\wrSpySweeper_LF16D4E8E5C484377AA265F6C76CB9CBB.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2011-04-29 13:33]
.
2011-04-29 c:\windows\Tasks\wrSpySweeper_LF16D4E8E5C484377AA265F6C76CB9CBB.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2011-04-29 13:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Junior\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\a4ook7dt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - About:Blank
FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&systemid=1&q=
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: MediaBar: {28D35620-51D9-11DE-9D13-2DB156D89593} - %profile%\extensions\{28D35620-51D9-11DE-9D13-2DB156D89593}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{ABB49B3B-AB7D-4ED0-9135-93FD5AA4F69F} - (no file)
Notify-avgrsstarter - avgrsstx.dll
Notify-itlntfy - itlnfw32.dll
Notify-sstqo - sstqo.dll
SafeBoot-dfd.sys
MSConfigStartUp-AIM - c:\program files\AIM\aim.exe
MSConfigStartUp-AOL Music Now - c:\progra~1\AOLMUS~1\AOLMusicNow.exe
MSConfigStartUp-AOLSPScheduler - c:\program files\Common Files\AOL\1127966207\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
MSConfigStartUp-AVG9_TRAY - c:\progra~1\AVG\AVG9\avgtray.exe
MSConfigStartUp-cftmon - c:\windows\system32\anby.exe
MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
MSConfigStartUp-dla - c:\windows\system32\dla\tfswctrl.exe
MSConfigStartUp-DVDLauncher - c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
MSConfigStartUp-EmailScan - c:\program files\mcafee.com\antivirus\mcvsescn.exe
MSConfigStartUp-FASTTRACKNETVISION - c:\windows\NETVISION.exe
MSConfigStartUp-Grehupecej - c:\windows\keaz32.dll
MSConfigStartUp-IndexSearch - c:\program files\ScanSoft\PaperPort\IndexSearch.exe
MSConfigStartUp-Lfujevih - c:\windows\ilozozahuyuruwok.dll
MSConfigStartUp-MCAgentExe - c:\progra~1\McAfee.com\Agent\McAgent.exe
MSConfigStartUp-MCUpdateExe - c:\progra~1\McAfee.com\Agent\McUpdate.exe
MSConfigStartUp-MimBoot - c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\Money Express.exe
MSConfigStartUp-MPFEXE - c:\program files\mcafee.com\personal firewall\MPfTray.exe
MSConfigStartUp-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe
MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
MSConfigStartUp-OASClnt - c:\program files\mcafee.com\antivirus\oasclnt.exe
MSConfigStartUp-OM2_Monitor - c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe
MSConfigStartUp-PaperPort PTD - c:\program files\ScanSoft\PaperPort\pptd40nt.exe
MSConfigStartUp-PCSuiteTrayApplication - c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
MSConfigStartUp-PlaxoUpdate - c:\program files\Plaxo\\2.5.6.21\PlaxoHelper.exe
MSConfigStartUp-PPort9reminder - c:\program files\ScanSoft\PaperPort\WebEreg\Ereg.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
MSConfigStartUp-SMSI Loader - c:\program files\Common Files\Smith Micro Shared\Fax\SMLoader.exe
MSConfigStartUp-sscRun - c:\program files\Common Files\AOL\1127966207\ee\SSCRun.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
MSConfigStartUp-TIxDSL - c:\progra~1\TIADSL~1\BIN\WIN2K\tidslmon.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-VideoraiPodConverter - c:\program files\VideoraiPodConverter\VideoraConverter.exe
MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
MSConfigStartUp-WatchDog - c:\program files\Nokia\MoTo\WatchDog.exe
MSConfigStartUp-XboxStat - c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{9C244239-ED8E-40f1-937F-51C706CD2160} - c:\program files\EA GAMES\The Sims 2 Deluxe\EAUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-05 19:00
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\15.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3229787047-2203135887-1497668293-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:47,82,a8,ec,9a,8d,0a,46,e5,be,71,92,df,31,5e,b0,0e,bc,f9,4b,a5,a1,c7,
03,14,eb,ef,0c,a4,fa,c9,77,f6,9a,68,2c,3f,1a,00,4a,43,c5,bb,3f,60,03,5b,d6,\
"??"=hex:c7,c6,f5,d5,23,de,6a,7a,60,d9,9c,bb,59,fe,46,b4
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1932)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
.
**************************************************************************
.
Completion time: 2011-05-05 19:09:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-05 23:09
.
Pre-Run: 30,298,329,088 bytes free
Post-Run: 31,327,096,832 bytes free
.
- - End Of File - - 7275221FC73EDAD19A9EB0CD777684DB





aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-05 19:12:17
-----------------------------
19:12:17.656 OS Version: Windows 5.1.2600 Service Pack 3
19:12:17.656 Number of processors: 2 586 0x404
19:12:17.656 ComputerName: IVORY UserName: Chris
19:12:18.468 Initialize success
19:12:45.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:12:45.750 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
19:12:45.796 Disk 0 MBR read successfully
19:12:45.812 Disk 0 MBR scan
19:12:45.828 Disk 0 unknown MBR code
19:12:45.843 Disk 0 scanning sectors +312496380
19:12:45.890 Disk 0 scanning C:\WINDOWS\system32\drivers
19:12:53.375 Service scanning
19:12:57.343 Disk 0 trace - called modules:
19:12:57.375 ntoskrnl.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
19:12:57.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad97ab8]
19:12:57.406 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8b198030]
19:12:57.421 Scan finished successfully
19:13:57.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Chris\Desktop\MBR.dat"
19:13:57.984 The log file has been saved successfully to "C:\Documents and Settings\Chris\Desktop\aswMBR.txt"


If you need me to attach them to the post, just let me know and I'll do it in the next post. I have access to a flash usb drive and I can burn CDs. The pc seems to be running normally; svchost.exe doesn't jump up to 100% anymore and I haven't surfed the web too much, but the times that I did I wasn't hit with any pop ups, redirects or "connection resetted/cannot display webpage" screens. In safe mode and in normal mode I ran the computer and I didn't detect or see any abnormalities.

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 05 May 2011 - 07:24 PM

Hello,

We still have a little work to do.

1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

File::
C:\Windows\System32\itlnfw32.dll 
c:\windows\system32\itlpfw32.dll
c:\windows\Gyujanap.bin


DDS::
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Junior\Start Menu\Programs\IMVU\Run IMVU.lnk

Firefox::
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\a4ook7dt.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=4&q=
FF - prefs.js: browser.startup.homepage - About:Blank
FF - prefs.js: keyword.URL - hxxp://search.imesh.com/web?src=ffb&systemid=1&q=

Driver::
itlsvc
itlperf
78433162
78433161
MpKsl63bc2bfa
MpKsl7c72f81d
MpKsl871f1c3b
ACTNDIS5
efipsk
MEMSWEEP2

Netsvc::
itlsvc
itlperf

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

SecCenter::
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Re-Run aswMBR

  • Click Scan
  • On completion of the scan, click the FIXMBR button
  • There is a slight pause after clicking the 'Fix' button.
  • Wait for the tool to report 'Infection fixed successfully', now reboot the machine.
  • Rebooting the machine prematurely, before seeing this line will result in an incomplete fix.

    Note: After the 'Infection fixed successfully' message appears, the machine may become unresponsive. You may have to do a hard boot of your machine. That may be a side effect from the fix. All will be well after the reboot.
  • Save the log as before and post in your next reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#13 FinalStar14

FinalStar14
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:24 PM

Posted 06 May 2011 - 12:27 AM

Ok cool. I dragged the notepad file onto Combofix and also ran aswMBR again. Here are the log files.

ComboFix 11-05-05.01 - Chris 05/06/2011 0:48.3.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3247 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Chris\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Webroot Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.
FILE ::
"c:\windows\Gyujanap.bin"
"c:\windows\System32\itlnfw32.dll"
"c:\windows\system32\itlpfw32.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Gyujanap.bin
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_78433161
-------\Legacy_78433162
-------\Legacy_ACTNDIS5
-------\Legacy_EFIPSK
-------\Legacy_MEMSWEEP2
-------\Legacy_MPKSL63BC2BFA
-------\Legacy_MPKSL7C72F81D
-------\Legacy_MPKSL871F1C3B
-------\Service_78433161
-------\Service_78433162
-------\Service_ACTNDIS5
-------\Service_efipsk
-------\Service_MEMSWEEP2
-------\Service_MpKsl63bc2bfa
-------\Service_MpKsl7c72f81d
-------\Service_MpKsl871f1c3b
-------\Service_Parameters
-------\Service_Security
.
.
((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))
.
.
2011-05-06 04:31 . 2011-05-06 04:31 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\MpKsl0d6104f2.sys
2011-05-04 05:01 . 2011-05-04 05:01 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\MpKsl9e77b615.sys
2011-05-01 20:25 . 2011-05-01 20:25 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\MpKsl7c79be9f.sys
2011-05-01 17:43 . 2011-05-01 17:43 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-05-01 17:29 . 2011-05-01 17:29 -------- d-----w- c:\documents and settings\Terrence\Application Data\Webroot
2011-05-01 01:44 . 2011-05-01 01:44 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\MpKsle10091b9.sys
2011-04-29 23:00 . 2011-04-29 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2011-04-29 23:00 . 2011-04-29 23:00 -------- d-----w- c:\program files\Webroot
2011-04-29 23:00 . 2011-04-29 23:00 -------- d-----w- c:\documents and settings\Chris\Application Data\Webroot
2011-04-29 23:00 . 2011-04-20 13:34 1563024 ----a-w- c:\windows\WRSetup.dll
2011-04-29 22:54 . 2011-04-29 22:54 -------- d-----w- C:\savw_97_sa
2011-04-29 21:55 . 2011-04-29 22:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2011-04-29 21:39 . 2011-05-05 17:52 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-29 21:05 . 2011-04-29 21:05 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\MpKslce6795d6.sys
2011-04-29 19:30 . 2011-04-29 19:30 -------- d-----w- C:\escw_97_sa
2011-04-29 19:08 . 2011-04-29 19:08 -------- d-----w- C:\scc_40
2011-04-29 18:05 . 2011-04-18 13:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{53955825-FC9F-4A39-A217-8ED2B41D6E9F}\mpengine.dll
2011-04-24 17:42 . 2011-04-18 13:15 7071056 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-24 05:22 . 2011-05-03 05:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-24 03:51 . 2011-04-29 22:57 -------- d-----w- c:\program files\Sophos
2011-04-23 15:54 . 2011-04-23 15:56 -------- d-----w- c:\program files\iTunes
2011-04-23 15:47 . 2011-04-23 15:47 -------- d-----w- c:\program files\Bonjour
2011-04-22 18:27 . 2011-04-22 18:35 -------- d-----w- c:\windows\system32\NtmsData
2011-04-22 07:13 . 2011-04-22 07:13 -------- d-----w- c:\program files\ESET
2011-04-22 05:35 . 2011-05-06 04:48 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-22 05:24 . 2011-04-24 18:52 -------- d-----w- C:\LOGFILES
2011-04-22 04:49 . 2011-04-22 04:37 3038 ----a-w- C:\fix_svchost.bat
2011-04-22 04:49 . 2011-04-22 04:46 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-04-22 04:49 . 2011-04-22 04:29 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2011-04-20 08:08 . 2011-04-20 08:08 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2011-04-20 06:16 . 2011-04-20 06:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-04-20 06:16 . 2011-04-20 06:16 -------- d-----w- c:\documents and settings\Chris\Application Data\AVG9
2011-04-20 06:10 . 2011-04-20 06:10 -------- d-----w- c:\documents and settings\Chris\Application Data\SUPERAntiSpyware.com
2011-04-20 06:09 . 2011-04-29 19:35 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-20 04:38 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\78433162.sys
2011-04-20 04:38 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\7843316.sys
2011-04-20 04:38 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\78433161.sys
2011-04-18 22:28 . 2011-02-02 22:11 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-18 22:20 . 2011-04-20 06:16 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-18 20:53 . 2011-04-18 20:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-18 20:51 . 2011-04-18 20:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-04-18 18:55 . 2011-04-18 18:55 -------- d-----w- c:\documents and settings\Chris\Application Data\Malwarebytes
2011-04-18 18:55 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-18 18:55 . 2011-04-18 18:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-18 18:55 . 2011-04-20 06:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-18 18:55 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-18 06:18 . 2011-04-18 06:18 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
2011-04-18 05:24 . 2011-04-18 05:24 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-29 16:40 . 2004-08-19 20:49 26112 ----a-w- c:\windows\system32\userinit.exe
2011-04-18 10:23 . 2009-10-07 04:12 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-18 06:19 . 2009-11-26 18:09 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-04-01 07:22 . 2009-10-07 03:42 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-03-22 14:14 . 2011-03-22 14:14 29832 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2011-03-22 14:14 . 2011-03-22 14:14 23176 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2011-03-22 14:14 . 2011-03-22 14:14 176776 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2011-03-07 05:33 . 2004-08-19 21:04 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-19 20:49 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-19 20:49 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-03-01 19:22 . 2010-01-07 06:49 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-22 23:06 . 2004-08-19 20:49 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-19 20:49 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-19 20:49 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-19 20:49 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36 . 2009-03-12 03:12 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-18 21:36 . 2007-11-22 12:43 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-02-17 13:18 . 2005-09-26 20:17 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2005-09-26 20:17 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-04-15 09:37 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-19 20:49 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2004-08-19 21:01 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33 . 2004-08-19 20:49 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2004-08-19 20:49 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-04-22 2423752]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P17Helper"="P17.dll" [2004-06-10 60928]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=c:\windows\pss\Dataviz Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk
backup=c:\windows\pss\Image Transfer.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor for SD.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor for SD.lnk
backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor for SD.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Status Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Status Monitor.lnk
backup=c:\windows\pss\Status Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WD Backup Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WD Backup Monitor.lnk
backup=c:\windows\pss\WD Backup Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Configuration Utility HW.51.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.51.lnk
backup=c:\windows\pss\Wireless Configuration Utility HW.51.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Chris^Start Menu^Programs^Startup^setup_9.0.0.722_20.04.2011_06-51[1].lnk]
path=c:\documents and settings\Chris\Start Menu\Programs\Startup\setup_9.0.0.722_20.04.2011_06-51[1].lnk
backup=c:\windows\pss\setup_9.0.0.722_20.04.2011_06-51[1].lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Terrence^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Terrence\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Terrence^Start Menu^Programs^Startup^Webshots.lnk]
path=c:\documents and settings\Terrence\Start Menu\Programs\Startup\Webshots.lnk
backup=c:\windows\pss\Webshots.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Fast Start]
2008-01-23 10:15 50528 ----a-w- c:\program files\AOL 9.1\aol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2010-07-13 20:40 70720 ----a-r- c:\program files\Common Files\AOL\acs\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2010-09-22 04:28 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-15 02:05 344064 -c--a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 13:34 851968 -c--a-w- c:\program files\Brother\ControlCenter2\brctrcen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 15:43 57344 -c--a-w- c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 18:56 64512 -c--a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-03-08 07:27 41800 ----a-w- c:\program files\Common Files\AOL\1127966207\EE\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2005-04-25 13:50 139264 -c--a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 -c--a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmapp]
2009-07-08 07:53 472112 -c--a-w- c:\program files\Pure Networks\Network Magic\nmapp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2009-07-07 19:48 647216 -c--a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2004-05-25 13:16 49152 -c----w- c:\program files\Brother\Brmfl04a\BrStDvPt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 -c--a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-05 01:55 77824 -c--a-w- c:\program files\Java\jre1.6.0\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 -c----w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
2007-12-05 00:34 364544 ----a-w- c:\windows\system32\WDBtnMgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127966207\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\1127966207\\EE\\aolsoftware.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\AOL\\1127966207\\EE\\aim6.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AOL 9.5\\waol.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\Program Files\\AOL Desktop 9.6\\waol.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/6/2009 11:42 PM 64512]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [3/22/2011 10:14 AM 29832]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [4/29/2011 7:02 PM 1201656]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2/22/2009 1:01 AM 266240]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 3:40 PM 136176]
S2 MSSQL$SOPHOS;SQL Server (SOPHOS);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [12/10/2010 6:29 PM 29293408]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/9/2010 3:40 PM 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [4/1/2011 3:22 AM 2146496]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [4/1/2011 3:22 AM 15232]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]
.
2011-05-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 19:40]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-09 19:40]
.
2011-04-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3229787047-2203135887-1497668293-1006Core.job
- c:\documents and settings\Terrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 23:25]
.
2011-05-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3229787047-2203135887-1497668293-1006UA.job
- c:\documents and settings\Terrence\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-31 23:25]
.
2011-05-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-05-06 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 16:26]
.
2011-05-06 c:\windows\Tasks\User_Feed_Synchronization-{602B48FA-EC09-4A0F-890C-EFE8B5D25DB9}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Junior\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\a4ook7dt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: MediaBar: {28D35620-51D9-11DE-9D13-2DB156D89593} - %profile%\extensions\{28D35620-51D9-11DE-9D13-2DB156D89593}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-06 01:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3229787047-2203135887-1497668293-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:47,82,a8,ec,9a,8d,0a,46,e5,be,71,92,df,31,5e,b0,0e,bc,f9,4b,a5,a1,c7,
03,14,eb,ef,0c,a4,fa,c9,77,f6,9a,68,2c,3f,1a,00,4a,43,c5,bb,3f,60,03,5b,d6,\
"??"=hex:c7,c6,f5,d5,23,de,6a,7a,60,d9,9c,bb,59,fe,46,b4
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(608)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.5592_x-ww_179798c8\MSVCR80.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-05-06 01:16:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-06 05:16
.
Pre-Run: 31,333,969,920 bytes free
Post-Run: 31,326,044,160 bytes free
.
- - End Of File - - 1F79652B6AA84EE61857288553241606


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-05 19:12:17
-----------------------------
19:12:17.656 OS Version: Windows 5.1.2600 Service Pack 3
19:12:17.656 Number of processors: 2 586 0x404
19:12:17.656 ComputerName: IVORY UserName: Chris
19:12:18.468 Initialize success
19:12:45.734 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:12:45.750 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
19:12:45.796 Disk 0 MBR read successfully
19:12:45.812 Disk 0 MBR scan
19:12:45.828 Disk 0 unknown MBR code
19:12:45.843 Disk 0 scanning sectors +312496380
19:12:45.890 Disk 0 scanning C:\WINDOWS\system32\drivers
19:12:53.375 Service scanning
19:12:57.343 Disk 0 trace - called modules:
19:12:57.375 ntoskrnl.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
19:12:57.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad97ab8]
19:12:57.406 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8b198030]
19:12:57.421 Scan finished successfully
19:13:57.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Chris\Desktop\MBR.dat"
19:13:57.984 The log file has been saved successfully to "C:\Documents and Settings\Chris\Desktop\aswMBR.txt"


aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-06 01:18:10
-----------------------------
01:18:10.562 OS Version: Windows 5.1.2600 Service Pack 3
01:18:10.562 Number of processors: 2 586 0x404
01:18:10.562 ComputerName: IVORY UserName: Chris
01:18:11.250 Initialize success
01:18:19.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
01:18:19.046 Disk 0 Vendor: ST316002 8.12 Size: 152587MB BusType: 3
01:18:19.078 Disk 0 MBR read successfully
01:18:19.093 Disk 0 MBR scan
01:18:19.109 Disk 0 unknown MBR code
01:18:19.125 Disk 0 scanning sectors +312496380
01:18:19.171 Disk 0 scanning C:\WINDOWS\system32\drivers
01:18:26.656 Service scanning
01:18:29.109 Disk 0 trace - called modules:
01:18:29.125 ntoskrnl.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
01:18:29.156 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad97030]
01:18:29.171 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8b6cc030]
01:18:29.187 Scan finished successfully
01:20:34.734 Disk 0 Windows 501 MBR fixed successfully
01:21:13.265 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Chris\Desktop\MBR.dat"
01:21:13.312 The log file has been saved successfully to "C:\Documents and Settings\Chris\Desktop\aswMBR.txt"


Everything ran fine without any problems.
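
As an added example (not code from this thread, from the helper, or from ComboFix's authors), the following Python check reads a CFScript together with the ComboFix log it produced and reports which requested removals are actually confirmed by the log: each File:: path should appear under 'Other Deletions', each Driver:: name under 'Drivers/Services', and no group named in Netsvc:: should still be present in the log's 'svchost' registry dump. The two inline strings are constructed excerpts of the script and log posted above; the field layout of the 'Files Created' lines is inferred only from the lines visible in this thread, so treat it as an assumption for other ComboFix versions.

```python
import re

# Constructed excerpt of the CFScript posted in the thread (File::, Driver::
# and Netsvc:: sections are the ones this check uses).
CFSCRIPT = r"""Killall::

File::
C:\Windows\System32\itlnfw32.dll 
c:\windows\system32\itlpfw32.dll
c:\windows\Gyujanap.bin

Driver::
itlsvc
itlperf
78433162
78433161
MpKsl63bc2bfa
ACTNDIS5

Netsvc::
itlsvc
itlperf
"""

# Constructed excerpt of the ComboFix log from the reply that followed.
COMBOFIX_LOG = r"""ComboFix 11-05-05.01 - Chris 05/06/2011 0:48.3.2 - x86 NETWORK
.
FILE ::
"c:\windows\Gyujanap.bin"
"c:\windows\System32\itlnfw32.dll"
"c:\windows\system32\itlpfw32.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Gyujanap.bin
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_78433161
-------\Legacy_78433162
-------\Legacy_ACTNDIS5
-------\Legacy_MPKSL63BC2BFA
-------\Service_78433161
-------\Service_78433162
-------\Service_ACTNDIS5
-------\Service_MpKsl63bc2bfa
.
((((((((((((((((((((((((( Files Created from 2011-04-06 to 2011-05-06 )))))))))))))))))))))))))))))))
.
2011-04-20 04:38 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\78433162.sys
2011-04-20 04:38 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\7843316.sys
2011-04-20 04:38 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\78433161.sys
2011-04-18 18:55 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itlsvc REG_MULTI_SZ itlperf
.
"""

# Section banners look like "(((( Name ))))"; created-file lines are
# "<created> . <modified> <size|--------> <attrs> <path>" (assumed layout).
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\S+) (\S{8}) (.+)$")
SERVICE_RE = re.compile(r"^-+\\(Legacy_|Service_)(.+)$")


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; directives end in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Pull deletions, removed services, created files and svchost groups."""
    log = {"deleted_files": [], "removed_services": set(),
           "created": [], "svchost_groups": {}}
    section, in_svchost = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section, in_svchost = m.group(1), False
            continue
        if line == "." or not line:
            in_svchost = False          # a lone '.' closes a registry block
            continue
        if line.startswith("[") and line.lower().endswith("\\svchost]"):
            section, in_svchost = None, True
            continue
        if in_svchost:
            parts = line.split()
            if len(parts) >= 3 and parts[1] == "REG_MULTI_SZ":
                log["svchost_groups"][parts[0]] = parts[2:]
        elif section == "Other Deletions":
            log["deleted_files"].append(line.lower())
        elif section == "Drivers/Services":
            m = SERVICE_RE.match(line)
            if m:
                log["removed_services"].add(m.group(2).lower())
        elif section and section.startswith("Files Created"):
            m = CREATED_RE.match(line)
            if m:
                log["created"].append({"created": m.group(1), "modified": m.group(2),
                                       "size": m.group(3), "attrs": m.group(4),
                                       "path": m.group(5)})
    return log


def reconcile(script, log):
    """Compare what the CFScript asked for with what the log records."""
    report = {"files_not_confirmed": [], "drivers_not_confirmed": [],
              "svchost_groups_remaining": {}}
    for path in script.get("File", []):
        if path.lower() not in log["deleted_files"]:
            report["files_not_confirmed"].append(path)
    for drv in script.get("Driver", []):
        if drv.lower() not in log["removed_services"]:
            report["drivers_not_confirmed"].append(drv)
    netsvcs = {n.lower() for n in script.get("Netsvc", [])}
    for group, members in log["svchost_groups"].items():
        if {group.lower(), *(m.lower() for m in members)} & netsvcs:
            report["svchost_groups_remaining"][group] = members
    return report


def kernel_drivers_created(log):
    """Paths of .sys files under system32\\drivers in the 'Files Created' window."""
    return [e["path"] for e in log["created"]
            if e["path"].lower().endswith(".sys") and "\\drivers\\" in e["path"].lower()]


if __name__ == "__main__":
    rep = reconcile(parse_cfscript(CFSCRIPT), parse_combofix_log(COMBOFIX_LOG))
    for key, value in rep.items():
        print(f"{key}: {value}")
    print("kernel drivers created:", kernel_drivers_created(parse_combofix_log(COMBOFIX_LOG)))
```

Run over the excerpt from this thread, the check reports the two itl*fw32.dll entries as not confirmed under 'Other Deletions' (only Gyujanap.bin is listed there), itlsvc and itlperf as not confirmed under 'Drivers/Services', and the itlsvc svchost group as still present in the registry dump, which is the kind of leftover a helper would look at before calling the CFScript step done. The kernel-driver listing is there so the numerically named .sys files in the drivers folder can be compared against the Driver:: section.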

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:03:24 PM

Posted 07 May 2011 - 10:41 AM

Hello,

Things are looking better. Let's do some final checking.


1.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Things to include in your next reply:
MBAM log
Eset log
A new DDS log
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 FinalStar14

FinalStar14
  • Topic Starter

  • Members
  • 22 posts

Posted 07 May 2011 - 03:33 PM

Hey, I was able to do both scans. MBAM produced a log, which is in the body of this post. ESET took about 3 hrs to scan, but I didn't see an option to export to a text file. I checked off all of the options I was instructed to do, and after the scan it said there were no threats.

The computer seems to be doing fine. svchost.exe is still behaving normally, and I didn't have any problems navigating to this page to post the logs. I'll be honest, I haven't used the search engine Google as much, but there seems to be no problem clicking links and actually getting to the desired page. I'm still taking all of these steps in Safe Mode with networking. In any case, the MBAM log and a DDS log are listed below.

Thank you so much for being patient with me and helping me out with this pc problem. Things are starting to look up! :thumbup2:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6526

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/7/2011 1:00:41 PM
mbam-log-2011-05-07 (13-00-41).txt

Scan type: Quick scan
Objects scanned: 249670
Time elapsed: 8 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)






.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by Chris at 16:23:35.15 on Sat 05/07/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3083 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Webroot Spy Sweeper *Disabled/Updated* {77E10C7F-2CCA-4187-9394-BDBC267AD597}
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Chris\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} - c:\program files\webshots\WSToolbar4IE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [P17Helper] "Rundll32" P17.dll,P17Helper
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\junior\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
DPF: {26FCCDF9-A7E1-452A-A73D-7BF7B4D0BA6C} - hxxp://o.aolcdn.com/pictures/ap/Resources/2.0.8.99/cab/aolpPlugins.10.6.0.6.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6F6FDB9E-5072-498C-BCB0-2B7F00C49EE7} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A903E5AB-C67E-40FB-94F1-E1305982F6E0} - hxxp://www.ooxtv.com/livetv.ocx
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} - hxxps://email2.downstate.edu/dwa7W.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://remote.uboc.com/dana-cached/setup/JuniperSetupSP1.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\chris\applic~1\mozilla\firefox\profiles\a4ook7dt.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\documents and settings\chris\application data\mozilla\firefox\profiles\a4ook7dt.default\extensions\{28d35620-51d9-11de-9d13-2db156d89593}\components\dtTransparency.dll
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: MediaBar: {28D35620-51D9-11DE-9D13-2DB156D89593} - %profile%\extensions\{28D35620-51D9-11DE-9D13-2DB156D89593}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-6 64512]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2011-3-22 29832]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2011-3-22 4048256]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\webrootsecurity\WRConsumerService.exe [2011-4-29 1201656]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S1 setup_9.0.0.722_20.04.2011_06-51[1]drv;setup_9.0.0.722_20.04.2011_06-51[1]drv;c:\windows\system32\drivers\7843316.sys [2011-4-20 315408]
S2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-2-22 266240]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-9 136176]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 MSSQL$SOPHOS;SQL Server (SOPHOS);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2010-12-10 29293408]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-9 136176]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-4-1 2146496]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-4-1 15232]
.
=============== Created Last 30 ================
.
2011-05-06 04:31:12 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKsl0d6104f2.sys
2011-05-04 05:01:32 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKsl9e77b615.sys
2011-05-01 20:25:26 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKsl7c79be9f.sys
2011-05-01 01:44:14 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKsle10091b9.sys
2011-04-29 23:00:49 1563024 ----a-w- c:\windows\WRSetup.dll
2011-04-29 23:00:49 -------- d-----w- c:\program files\Webroot
2011-04-29 23:00:49 -------- d-----w- c:\docume~1\chris\applic~1\Webroot
2011-04-29 23:00:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2011-04-29 22:54:06 -------- d-----w- C:\savw_97_sa
2011-04-29 21:55:20 -------- d-----w- c:\docume~1\alluse~1\applic~1\Sophos
2011-04-29 21:39:45 -------- d-----w- c:\program files\Microsoft SQL Server
2011-04-29 21:05:58 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\MpKslce6795d6.sys
2011-04-29 19:30:15 -------- d-----w- C:\escw_97_sa
2011-04-29 19:08:13 -------- d-----w- C:\scc_40
2011-04-29 18:05:23 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{53955825-fc9f-4a39-a217-8ed2b41d6e9f}\mpengine.dll
2011-04-24 17:42:32 7071056 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-04-24 03:51:56 -------- d-----w- c:\program files\Sophos
2011-04-23 15:54:50 -------- d-----w- c:\program files\iTunes
2011-04-23 15:47:04 -------- d-----w- c:\program files\Bonjour
2011-04-22 18:27:23 -------- d-----w- c:\windows\system32\NtmsData
2011-04-22 07:13:41 -------- d-----w- c:\program files\ESET
2011-04-22 05:35:16 -------- d-----w- c:\windows\system32\CatRoot2
2011-04-22 05:24:26 -------- d-----w- C:\LOGFILES
2011-04-22 04:49:38 3038 ----a-w- C:\fix_svchost.bat
2011-04-22 04:49:33 1266056 ----a-w- C:\WindowsXP-KB927891-v3-x86-ENU.exe
2011-04-22 04:49:32 6776168 ----a-w- C:\WindowsUpdateAgent30-x86.exe
2011-04-21 07:04:15 -------- d-sha-r- C:\cmdcons
2011-04-21 06:46:47 98816 ----a-w- c:\windows\sed.exe
2011-04-21 06:46:47 89088 ----a-w- c:\windows\MBR.exe
2011-04-21 06:46:47 256512 ----a-w- c:\windows\PEV.exe
2011-04-21 06:46:47 161792 ----a-w- c:\windows\SWREG.exe
2011-04-20 06:16:45 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-04-20 06:16:27 -------- d-----w- c:\docume~1\chris\applic~1\AVG9
2011-04-20 06:10:06 -------- d-----w- c:\docume~1\chris\applic~1\SUPERAntiSpyware.com
2011-04-20 06:09:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-04-20 04:38:18 37392 ----a-w- c:\windows\system32\drivers\78433162.sys
2011-04-20 04:38:18 315408 ----a-w- c:\windows\system32\drivers\7843316.sys
2011-04-20 04:38:18 128016 ----a-w- c:\windows\system32\drivers\78433161.sys
2011-04-18 22:28:04 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-04-18 22:20:32 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-18 18:55:20 -------- d-----w- c:\docume~1\chris\applic~1\Malwarebytes
2011-04-18 18:55:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-18 18:55:11 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-18 18:55:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-18 18:55:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-18 06:18:36 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{6A395471-4AA3-4072-AE1B-9B69A97AD164}
.
==================== Find3M ====================
.
2011-04-29 16:40:45 26112 ----a-w- c:\windows\system32\userinit.exe
2011-04-18 10:23:39 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-03-01 19:22:19 398760 ----a-r- c:\windows\system32\cpnprt2.cid
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ----a-w- c:\windows\system32\fxscover.exe
2011-02-08 13:33:55 978944 ------w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ----a-w- c:\windows\system32\mfc42u.dll
.
============= FINISH: 16:24:32.43 ===============
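The DDS log above is read by eye in this thread, but its "Pseudo HJT Report" and "SERVICES / DRIVERS" lines have a regular shape. As an added example (not part of the thread, of DDS, or of any tool named in it), here is a small Python parser that pulls out the entries a helper checks first: BHO/toolbar registrations whose DLL is gone ("No File" or an empty path), one CLSID hooked in several places, and boot/system-start drivers. The sample lines and the driver name example_drv are constructed, modelled on the shapes in the log above.

```python
"""Triage parser for DDS-style logs (added example; not part of DDS itself).

Handles 'Pseudo HJT Report' lines of the shape
    BHO: <name>: {<CLSID>} - <path>
and 'SERVICES / DRIVERS' lines of the shape
    R0 <service>;<display name>;<path> [<date> <size>]
where the letter is R = running / S = stopped and the digit is the start
type (0 boot, 1 system, 2 auto, 3 manual).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the line shapes in the thread's DDS log.
SAMPLE_DDS = r"""
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-10-6 64512]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 example_drv;example_drv;c:\windows\system32\drivers\example_drv.sys [2011-4-20 315408]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-9 136176]
"""

HJT_RE = re.compile(
    r"^(?P<kind>BHO|TB|uURLSearchHooks): (?:(?P<name>[^{]+?): )?"
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} -\s*(?P<path>.*)$")
SVC_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<svc>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>[\d-]+) (?P<size>\d+)\]$")


@dataclass
class HjtEntry:
    kind: str
    name: str
    clsid: str
    path: str


@dataclass
class ServiceEntry:
    state: str
    start: int
    name: str
    path: str
    size: int


def parse_dds(text):
    """Return (hjt_entries, service_entries); lines of other shapes are skipped."""
    hjt, services = [], []
    for line in text.splitlines():
        m = HJT_RE.match(line)
        if m:
            hjt.append(HjtEntry(m["kind"], (m["name"] or "").strip(),
                                m["clsid"].lower(), m["path"].strip()))
            continue
        m = SVC_RE.match(line)
        if m:
            services.append(ServiceEntry(m["state"], int(m["start"]), m["svc"],
                                         m["path"].lower(), int(m["size"])))
    return hjt, services


def triage(text):
    """Summarise the points a helper reads first from a DDS log."""
    hjt, services = parse_dds(text)
    # Registry entries pointing at a DLL that no longer exists: leftovers to clean.
    orphans = [(e.kind, e.clsid) for e in hjt if e.path in ("", "No File")]
    # One CLSID registered under several hooks (toolbar + URL search hook here).
    counts = Counter(e.clsid for e in hjt)
    shared = sorted(c for c, n in counts.items() if n > 1)
    # Boot/system-start drivers load before most security tools; verify each
    # against its vendor and expected file size rather than trusting the name.
    early = [(s.name, s.path, s.size) for s in services if s.start <= 1]
    return {"orphans": orphans, "shared_clsids": shared, "early_drivers": early}


if __name__ == "__main__":
    for key, rows in triage(SAMPLE_DDS).items():
        print(f"{key}:")
        for row in rows:
            print("   ", row)
```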
