Browser Redirects MalwareBytes can't find anything


  • This topic is locked
22 replies to this topic

#1 Yankee1010

Yankee1010

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:05 PM

Posted 29 April 2011 - 09:49 PM

I made the mistake of clicking on an incorrect link and now I am having problems with browser redirects and random pop ups. This happens with both IE and Firefox. Here is the dds log (The GMER program kept crashing my computer):

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by xxxx at 21:38:34.25 on 04/29/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2934.1834 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\vcsFPService.exe
c:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\LANDesk\LDClient\amtmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Microsoft Office\Office14\GROOVE.EXE
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
C:\Program Files\Citrix\ICA Client\PNAMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\mydocs\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uWindow Title = Windows Internet Explorer
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = http://www.google.com
uDefault_Page_URL = http://www.google.com
mDefault_Page_URL = http://www.google.com
uInternet Settings,ProxyOverride = cidevarch.ali.pri;cidwinvault3;evstore.ali.pri;msnwinvault4;msnevarch.ali.pri;msnwinvault3;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [ISUSPM] "c:\documents and settings\all users\application data\macrovision\flexnet connect\6\isuspm.exe" -scheduler
mRun: [snp2uvc] rundll32.exe c:\windows\system32\csnp2uvc.dll,ResetCIDS
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
dRun: [ISUSPM] "c:\documents and settings\all users\application data\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
mExplorerRun: [1] \\ali.pri\ec_dfsroot\messages\apm_ko.exe
StartupFolder: c:\docume~1\a03050\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office14\GROOVE.EXE
StartupFolder: c:\docume~1\a03050\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\progra~1.lnk - c:\windows\installer\{e89956f9-5b89-470e-818d-bd46102d0a01}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{a7091e1d-36a4-47f1-a739-173cc341414f}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
Trusted Zone: burops-128-vc
Trusted Zone: cidcsc-fx-vc
Trusted Zone: cidgo-128-vc1
Trusted Zone: cidgo-fx-vc2
Trusted Zone: dbqgo-fx-vc
Trusted Zone: fdlops-128-vc
Trusted Zone: jvlcsc-fx-vc
Trusted Zone: mcops-128-vc
Trusted Zone: msn2ksqlprod01
Trusted Zone: msn2ksqltest01
Trusted Zone: msngo-512-vc3
Trusted Zone: msngo-fx-vc1
Trusted Zone: msngo-fx-vc2
Trusted Zone: saops-128-vc
Trusted Zone: splops-128-vc
Trusted Zone: tvkcsc-512-vc
Trusted Zone: wamops-128-vc
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://psfsprod.xxxx.com/scriptx/smsx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\a03050\applic~1\mozilla\firefox\profiles\3pcb4lgc.default\
FF - prefs.js: browser.startup.homepage - hxxps://mycompass.xxxx.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2010-10-15 147456]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-4-14 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-4-14 108392]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2009-11-19 102968]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\landesk\ldclient\policy.client.invoker.exe [2011-2-23 205312]
R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\landesk\ldclient\tmcsvc.exe [2011-2-23 178688]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files\landesk\ldclient\amtmon.exe [2011-2-23 1058304]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2011-2-23 385024]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-4-14 2440120]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-3-3 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-12-14 1639728]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-3-3 113664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-3-3 228408]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-3-2 166568]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-26 102448]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-3-3 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-3-3 251904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2010-7-26 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2010-7-26 6144]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110428.034\NAVENG.SYS [2011-4-29 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110428.034\NAVEX15.SYS [2011-4-29 1393144]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-3-3 49152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-4-14 23888]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2010-7-26 14336]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-6-13 1120752]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-30 02:38:33 98816 ----a-w- c:\temp\67.tmp\SED.DAT
2011-04-30 02:38:33 518144 ----a-w- c:\temp\67.tmp\SWREG.DAT
2011-04-30 02:38:32 89088 ----a-w- c:\temp\67.tmp\MBR.DAT
2011-04-30 02:38:32 256512 ----a-w- c:\temp\67.tmp\PEV.DAT
2011-04-28 15:51:04 -------- d-----w- c:\docume~1\a03050\applic~1\Malwarebytes
2011-04-28 15:50:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 15:50:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 15:50:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 15:50:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-18 22:06:03 -------- d-----w- c:\docume~1\a03050\locals~1\applic~1\Microsoft_Corporation
2011-04-18 22:05:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Winwaed
2011-04-18 22:05:26 -------- d-----w- c:\docume~1\a03050\locals~1\applic~1\Winwaed
2011-04-18 22:04:55 -------- d-----w- c:\docume~1\a03050\applic~1\Winwaed Software Technology LLC
2011-04-18 20:44:11 -------- d-----w- c:\program files\MapPoint Spatial Data Import COM Add-in Sample
2011-04-15 22:31:27 -------- d-----w- c:\docume~1\a03050\applic~1\Windows Search
2011-04-15 18:11:53 -------- d-----w- c:\docume~1\a03050\applic~1\ICAClient
2011-04-15 18:00:08 -------- d-----w- c:\docume~1\a03050\applic~1\Macrovision
2011-04-13 19:52:49 677888 -c----w- c:\windows\system32\dllcache\lhmstsc.exe
2011-04-13 19:52:49 2067456 -c----w- c:\windows\system32\dllcache\lhmstscx.dll
2011-04-13 19:52:23 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2011-04-13 19:52:23 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
2011-04-07 03:00:21 -------- d-----w- c:\program files\Microsoft MapPoint 2011
2011-04-07 02:51:03 85280 ----a-w- c:\program files\mozilla firefox\mp2011\mp2011\mappoint\msmap\pfiles\msmap\BUGREP10.dll
2011-04-07 02:51:03 633632 ----a-w- c:\program files\mozilla firefox\mp2011\mp2011\mappoint\msmap\pfiles\msmap\2DMgr100.dll
2011-04-07 02:51:03 39712 ----a-w- c:\program files\mozilla firefox\mp2011\mp2011\mappoint\msmap\pfiles\msmap\BR90.dll
2011-04-07 02:51:03 21280 ----a-w- c:\program files\mozilla firefox\mp2011\mp2011\mappoint\msmap\pfiles\msmap\Activate.exe
2011-04-05 19:33:11 -------- d-----w- c:\documents and settings\a03050\Citrix
2011-03-31 19:15:34 -------- d-----w- c:\documents and settings\a03050\Bluetooth Software
.
==================== Find3M ====================
.
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 21:40:05.78 ===============

Edited by Orange Blossom, 29 April 2011 - 10:21 PM.
Moved to log forum. ~ OB



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:05 PM

Posted 07 May 2011 - 03:10 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.


We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.


In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK
Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get the following warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.


Information and logs:

  • In your next post I need the following:
  • logs from DDS
  • log from RKUnHooker
  • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Yankee1010

Yankee1010
  • Topic Starter

  • Members
  • 27 posts
  • OFFLINE
  • Local time:08:05 PM

Posted 07 May 2011 - 09:22 PM

DDS log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by A03050 at 20:57:28.48 on 05/07/2011
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2934.1784 [GMT -5:00]
.
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\vcsFPService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\Program Files\Kaspersky Lab\NetworkAgent 8\klnagent.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\LANDesk\LDClient\amtmon.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Timbuktu Pro\tb2pro.exe
C:\Program Files\Timbuktu Pro\TNOTIFY.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\Microsoft Office\Office14\MSOSYNC.EXE
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Microsoft Office\Office14\GROOVE.EXE
C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE
c:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\mydocs\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer
uStart Page = http://www.google.com/
mDefault_Page_URL = http://www.google.com
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL
uRun: [OfficeSyncProcess] "c:\program files\microsoft office\office14\MSOSYNC.EXE"
uRun: [ISUSPM] "c:\documents and settings\all users\application data\macrovision\flexnet connect\6\isuspm.exe" -scheduler
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [HPWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWA_Main.exe /hidden
mRun: [TLogonPath] "c:\program files\timbuktu pro\tb2logon.exe"
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\avp.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
dRun: [ISUSPM] "c:\documents and settings\all users\application data\macrovision\flexnet connect\6\ISUSPM.exe" -scheduler
StartupFolder: c:\docume~1\axxxxx\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office14\GROOVE.EXE
StartupFolder: c:\docume~1\axxxxx\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\ie_banner_deny.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\scieplgn.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxps://psfsprod.xxxx.com/scriptx/smsx.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\axxxxx\applic~1\mozilla\firefox\profiles\3pcb4lgc.default\
FF - prefs.js: browser.startup.homepage - hxxps://xxxxxxxxx.com/
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\microsoft silverlight\4.0.50917.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-11-12 126480]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2011-5-3 231512]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 AVP;Kaspersky Anti-Virus 6.0;c:\program files\kaspersky lab\kaspersky anti-virus 6.0 for windows workstations mp4\avp.exe [2010-3-12 311680]
R2 CBA8;LANDesk® Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2010-10-15 147456]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2009-11-19 102968]
R2 klnagent;Kaspersky Lab Network Agent;c:\program files\kaspersky lab\networkagent 8\klnagent.exe [2010-3-10 136352]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\landesk\ldclient\policy.client.invoker.exe [2011-2-23 205312]
R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\landesk\ldclient\tmcsvc.exe [2011-2-23 178688]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files\landesk\ldclient\amtmon.exe [2011-2-23 1058304]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2011-2-23 385024]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-3-3 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2009-12-14 1639728]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2010-3-3 113664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2010-3-3 228408]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2010-3-2 166568]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2008-7-23 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [2010-3-3 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [2010-3-3 251904]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2010-7-26 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2010-7-26 6144]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [2010-3-3 49152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2010-7-26 14336]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\safe returner\regkernelhelp.sys --> c:\program files\safe returner\RegKernelHelp.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-6-13 1120752]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== File Associations ===============
.
scrfile="%1" /S
.
=============== Created Last 30 ================
.
2011-05-08 01:57:26 98816 ----a-w- c:\temp\3b.tmp\SED.DAT
2011-05-08 01:57:26 89088 ----a-w- c:\temp\3b.tmp\MBR.DAT
2011-05-08 01:57:26 518144 ----a-w- c:\temp\3b.tmp\SWREG.DAT
2011-05-08 01:57:26 256512 ----a-w- c:\temp\3b.tmp\PEV.DAT
2011-05-03 21:07:39 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-05-03 21:07:39 115267 ----a-w- c:\windows\system32\drivers\klin.dat
2011-05-03 21:06:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2011-05-03 21:00:41 208752 ----a-w- c:\temp\nagent_patches\af2d6bf4-c423-4ef2-afa1-89d2050b4303\Up2date.exe
2011-05-03 21:00:41 163696 ----a-w- c:\temp\nagent_patches\af2d6bf4-c423-4ef2-afa1-89d2050b4303\diffsAK.dll
2011-05-03 21:00:41 1439272 ----a-w- c:\temp\nagent_patches\af2d6bf4-c423-4ef2-afa1-89d2050b4303\Patch.exe
2011-05-03 21:00:41 1269624 ----a-w- c:\temp\nagent_patches\af2d6bf4-c423-4ef2-afa1-89d2050b4303\upd_core.dll
2011-05-03 21:00:40 973480 ----a-w- c:\temp\nagent_patches\af2d6bf4-c423-4ef2-afa1-89d2050b4303\klrbtagt.exe
2011-05-03 21:00:40 1027696 ----a-w- c:\temp\nagent_patches\af2d6bf4-c423-4ef2-afa1-89d2050b4303\patch_2090_nagent_a.exe
2011-05-03 21:00:38 1027696 ----a-w- c:\temp\patch_2090_nagent_a.exe
2011-05-03 21:00:12 -------- d-----w- c:\program files\Kaspersky Lab
2011-05-03 21:00:12 -------- d-----w- c:\program files\common files\Kaspersky Lab
2011-05-03 21:00:12 -------- d-----w- c:\program files\common files\Cisco Systems
2011-05-03 20:59:59 32768 ----a-w- c:\program files\common files\installshield\driver\7\intel 32\objps7.dll
2011-05-03 20:59:59 233472 ----a-w- c:\program files\common files\installshield\driver\7\intel 32\IScript7.dll
2011-05-03 20:59:58 335872 ----a-w- c:\program files\common files\installshield\driver\7\intel 32\ISRT.dll
2011-05-03 20:59:58 188416 ----a-w- c:\program files\common files\installshield\driver\7\intel 32\IUser7.dll
2011-05-03 20:59:57 626688 ----a-w- c:\program files\common files\installshield\driver\7\intel 32\IDriver.exe
2011-05-03 20:59:56 290816 ----a-w- c:\program files\common files\installshield\driver\7\intel 32\_ISRES1033.dll
2011-05-03 20:57:30 104606389 ----a-w- c:\temp\23078e83-3875-4265-9f2b-d8685f549dd6.exe
2011-05-03 20:16:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-03 20:16:53 -------- d-----w- c:\docume~1\axxxx\applic~1\SUPERAntiSpyware.com
2011-05-03 20:16:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-03 20:14:58 -------- d-----w- C:\Browser HiJack
2011-05-03 13:37:04 388096 ----a-r- c:\docume~1\axxxx\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-03 13:37:04 -------- d-----w- c:\program files\Trend Micro
2011-05-02 22:01:20 90112 ----a-w- c:\temp\jkos-axxxx\binaries\prremote.dll
2011-05-02 22:01:20 65536 ----a-w- c:\temp\jkos-axxxxx\binaries\ikave.dll
2011-05-02 22:01:20 38400 ----a-w- c:\temp\jkos-axxxxx\binaries\FSSync.dll
2011-05-02 22:01:20 282624 ----a-w- c:\temp\jkos-axxxxx\binaries\kave.dll
2011-05-02 22:01:20 184320 ----a-w- c:\temp\jkos-axxxxx\binaries\prLoader.dll
2011-05-02 22:01:20 139264 ----a-w- c:\temp\jkos-axxxxx\binaries\ScanningProcess.exe
2011-05-02 22:01:19 729152 ----a-w- c:\temp\jkos-axxxxx\binaries\kosglue-7.0.26.0.dll
2011-05-02 22:01:19 626688 ----a-w- c:\temp\jkos-axxxxx\binaries\msvcr80.dll
2011-05-02 22:01:19 548864 ----a-w- c:\temp\jkos-axxxxx\binaries\msvcp80.dll
2011-05-02 22:01:19 479232 ----a-w- c:\temp\jkos-axxxxx\binaries\msvcm80.dll
2011-05-02 21:55:30 81973 ----a-w- c:\temp\sraa.dat
2011-05-02 21:52:42 -------- d-----w- c:\docume~1\alluse~1\applic~1\SafeReturner
2011-05-02 21:52:39 -------- d-----w- c:\program files\Safe Returner
2011-05-02 21:52:20 3673156 ----a-w- C:\SafeReturner.exe
2011-05-02 21:31:32 1402880 ----a-w- C:\HiJackThis.msi
2011-05-02 20:56:39 -------- d-----w- c:\windows\pss
2011-04-29 17:45:36 301568 ----a-r- c:\temp\temporary directory 3 for gmer.zip\gmer.exe
2011-04-29 17:45:36 301568 ----a-r- c:\temp\temporary directory 2 for gmer.zip\gmer.exe
2011-04-29 17:45:36 301568 ----a-r- c:\temp\temporary directory 1 for gmer.zip\gmer.exe
2011-04-28 15:51:04 -------- d-----w- c:\docume~1\axxxxx\applic~1\Malwarebytes
2011-04-28 15:50:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 15:50:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-28 15:50:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 15:50:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-18 22:06:03 -------- d-----w- c:\docume~1\axxxxx\locals~1\applic~1\Microsoft_Corporation
2011-04-18 22:05:26 -------- d-----w- c:\docume~1\alluse~1\applic~1\Winwaed
2011-04-18 22:05:26 -------- d-----w- c:\docume~1\axxxxx\locals~1\applic~1\Winwaed
2011-04-18 22:04:55 -------- d-----w- c:\docume~1\axxxxx\applic~1\Winwaed Software Technology LLC
2011-04-18 20:44:11 -------- d-----w- c:\program files\MapPoint Spatial Data Import COM Add-in Sample
2011-04-15 22:31:27 -------- d-----w- c:\docume~1\axxxxx\applic~1\Windows Search
2011-04-15 18:11:53 -------- d-----w- c:\docume~1\axxxxx\applic~1\ICAClient
2011-04-15 18:00:08 -------- d-----w- c:\docume~1\axxxxx\applic~1\Macrovision
2011-04-13 19:52:49 677888 -c----w- c:\windows\system32\dllcache\lhmstsc.exe
2011-04-13 19:52:49 2067456 -c----w- c:\windows\system32\dllcache\lhmstscx.dll
2011-04-13 19:52:23 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2011-04-13 19:52:23 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
.
==================== Find3M ====================
.
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-09 00:03:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-08 13:33:55 978944 ----a-w- c:\windows\system32\mfc42.dll
.
============= FINISH: 20:59:19.62 ===============


Rootkit Report:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #4
==============================================
==============================================
>Stealth
==============================================
0x040D0000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x85BE1908 ] PID: 2564, 307200 bytes
0x03A50000 Hidden Image-->System.Runtime.Remoting.dll [ EPROCESS 0x859E1728 ] PID: 3728, 307200 bytes

Edited by Yankee1010, 07 May 2011 - 09:25 PM.


#4 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:05 PM

Posted 07 May 2011 - 09:28 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out here or here.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

Information and logs

In your next post I need the following:
  • Log from Combofix
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 Yankee1010

  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:05 PM

Posted 07 May 2011 - 10:07 PM

Still getting the redirects. Here is the log.

ComboFix 11-05-07.01 - A03050 05/07/2011 21:48:11.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2934.2351 [GMT -5:00]
Running from: c:\mydocs\Downloads\ComboFix.exe
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-08 to 2011-05-08 )))))))))))))))))))))))))))))))
.
.
2011-05-08 02:56 . 2011-05-08 02:57 53248 ----a-w- c:\temp\catchme.dll
2011-05-03 21:07 . 2011-05-03 21:31 97859 ----a-w- c:\windows\system32\drivers\klick.dat
2011-05-03 21:07 . 2011-05-03 21:31 115267 ----a-w- c:\windows\system32\drivers\klin.dat
2011-05-03 21:06 . 2011-05-08 02:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2011-05-03 21:00 . 2011-05-03 21:06 -------- d-----w- c:\program files\Kaspersky Lab
2011-05-03 21:00 . 2011-05-03 21:00 -------- d-----w- c:\program files\Common Files\Kaspersky Lab
2011-05-03 21:00 . 2011-05-03 21:00 -------- d-----w- c:\program files\Common Files\Cisco Systems
2011-05-03 20:59 . 2011-05-03 20:59 32768 ----a-w- c:\program files\Common Files\InstallShield\Driver\7\Intel 32\objps7.dll
2011-05-03 20:59 . 2011-05-03 20:59 233472 ----a-w- c:\program files\Common Files\InstallShield\Driver\7\Intel 32\IScript7.dll
2011-05-03 20:59 . 2011-05-03 20:59 335872 ----a-w- c:\program files\Common Files\InstallShield\Driver\7\Intel 32\ISRT.dll
2011-05-03 20:59 . 2011-05-03 20:59 188416 ----a-w- c:\program files\Common Files\InstallShield\Driver\7\Intel 32\IUser7.dll
2011-05-03 20:59 . 2011-05-03 20:59 626688 ----a-w- c:\program files\Common Files\InstallShield\Driver\7\Intel 32\IDriver.exe
2011-05-03 20:59 . 2011-05-03 20:59 290816 ----a-w- c:\program files\Common Files\InstallShield\Driver\7\Intel 32\_ISRES1033.dll
2011-05-03 20:16 . 2011-05-03 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-03 20:16 . 2011-05-03 20:16 -------- d-----w- c:\documents and settings\xxxxx\Application Data\SUPERAntiSpyware.com
2011-05-03 20:16 . 2011-05-03 20:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-03 20:14 . 2011-05-03 20:14 -------- d-----w- C:\Browser HiJack
2011-05-03 13:37 . 2011-05-03 13:37 388096 ----a-r- c:\documents and settings\xxxxx\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-03 13:37 . 2011-05-03 13:37 -------- d-----w- c:\program files\Trend Micro
2011-05-02 21:52 . 2011-05-02 21:53 -------- d-----w- c:\documents and settings\All Users\Application Data\SafeReturner
2011-05-02 21:52 . 2011-05-02 21:56 -------- d-----w- c:\program files\Safe Returner
2011-05-02 21:52 . 2011-01-13 20:24 3673156 ----a-w- C:\SafeReturner.exe
2011-05-02 21:51 . 2011-05-04 13:00 -------- d-----w- c:\documents and settings\a07231
2011-05-02 21:31 . 2011-05-02 21:29 1402880 ----a-w- C:\HiJackThis.msi
2011-05-02 01:52 . 2011-05-02 01:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-28 15:51 . 2011-04-28 15:51 -------- d-----w- c:\documents and settings\xxxxx\Application Data\Malwarebytes
2011-04-28 15:50 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-28 15:50 . 2011-04-28 16:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-28 15:50 . 2011-04-28 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-28 15:50 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-18 22:06 . 2011-04-18 22:06 -------- d-----w- c:\documents and settings\xxxxx\Local Settings\Application Data\Microsoft_Corporation
2011-04-18 22:05 . 2011-04-18 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Winwaed
2011-04-18 22:05 . 2011-04-18 22:05 -------- d-----w- c:\documents and settings\xxxxx\Local Settings\Application Data\Winwaed
2011-04-18 22:04 . 2011-04-18 22:04 -------- d-----w- c:\documents and settings\xxxxx\Application Data\Winwaed Software Technology LLC
2011-04-18 20:44 . 2011-04-18 20:44 -------- d-----w- c:\program files\MapPoint Spatial Data Import COM Add-in Sample
2011-04-15 22:31 . 2011-04-15 22:31 -------- d-----w- c:\documents and settings\xxxxx\Application Data\Windows Search
2011-04-15 18:11 . 2011-04-15 18:15 -------- d-----w- c:\documents and settings\xxxxx\Application Data\ICAClient
2011-04-15 18:00 . 2011-04-15 18:00 -------- d-----w- c:\documents and settings\xxxxx\Application Data\Macrovision
2011-04-13 19:52 . 2011-02-02 07:58 2067456 -c----w- c:\windows\system32\dllcache\lhmstscx.dll
2011-04-13 19:52 . 2011-01-27 11:57 677888 -c----w- c:\windows\system32\dllcache\lhmstsc.exe
2011-04-13 19:52 . 2011-02-09 13:53 270848 -c----w- c:\windows\system32\dllcache\sbe.dll
2011-04-13 19:52 . 2011-02-09 13:53 186880 -c----w- c:\windows\system32\dllcache\encdec.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-17 13:18 . 2004-08-04 05:15 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2004-08-04 05:14 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2010-03-03 21:21 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2004-08-04 06:56 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2004-08-04 06:56 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2004-08-04 06:56 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-09 00:03 . 2004-08-04 06:56 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-02-08 13:33 . 2004-08-04 06:56 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-03-18 17:53 . 2011-04-28 16:54 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeSyncProcess"="c:\program files\Microsoft Office\Office14\MSOSYNC.EXE" [2010-03-16 718208]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\isuspm.exe" [2007-03-29 222128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-11 287800]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-01-04 1594664]
"HPWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe" [2009-11-19 363064]
"TLogonPath"="c:\program files\Timbuktu Pro\tb2logon.exe" [2003-07-10 151552]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2010-11-12 5145952]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2010-11-30 136216]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2010-11-30 170008]
"Persistence"="c:\windows\system32\igfxpers.exe" [2010-11-30 145432]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations MP4\avp.exe" [2010-03-13 311680]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]
.
c:\documents and settings\xxxxx\Start Menu\Programs\Startup\
Microsoft SharePoint Workspace.lnk - c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Timbuktu Pro]
2003-07-10 00:12 81973 ----a-w- c:\program files\Timbuktu Pro\HOOK32.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1438187004-1712135945-2243566058-21879\Scripts\Logon\0\0]
"Script"=MapCommonDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1438187004-1712135945-2243566058-22026\Scripts\Logon\0\0]
"Script"=MapCommonDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1438187004-1712135945-2243566058-80142\Scripts\Logon\0\0]
"Script"=MapCommonDrives.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Program Neighborhood Agent.lnk
backup=c:\windows\pss\Program Neighborhood Agent.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 19:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMSS]
2009-11-04 21:46 111640 ----a-w- c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snp2uvc]
2009-09-18 01:03 213040 ----a-w- c:\windows\system32\csnp2uvc.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\WINDOWS\\system32\\msgsys.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15000:UDP"= 15000:UDP:Kaspersky Administration Kit
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [02/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/10/2010 1:41 PM 67656]
R1 Tb2Device;TB2 Remote Control Driver;NetopiaRC\Tb2Device.sys --> NetopiaRC\Tb2Device.sys [?]
R1 Tb2MirrorSys;TB2 Remote Control Mirror Driver;NetopiaRC\Tb2MirrorSys.sys --> NetopiaRC\Tb2MirrorSys.sys [?]
R2 CBA8;LANDesk® Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [10/15/2010 8:41 AM 147456]
R2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [11/19/2009 4:11 PM 102968]
R2 klnagent;Kaspersky Lab Network Agent;c:\program files\Kaspersky Lab\NetworkAgent 8\klnagent.exe [03/10/2010 7:36 PM 136352]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [02/23/2011 2:45 PM 205312]
R2 LANDesk Targeted Multicast;LANDesk Targeted Multicast;c:\program files\LANDesk\LDClient\tmcsvc.exe [02/23/2011 2:45 PM 178688]
R2 LANDesk® Out-of-Band Monitor Service;LANDesk® Out-of-Band Monitor Service;c:\program files\LANDesk\LDClient\amtmon.exe [02/23/2011 2:45 PM 1058304]
R2 Softmon;LANDesk® Software Monitoring Service;c:\program files\LANDesk\LDClient\SoftMon.exe [02/23/2011 2:45 PM 385024]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [03/03/2010 10:11 AM 2320920]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [12/14/2009 11:47 AM 1639728]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [03/03/2010 8:50 AM 113664]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [03/03/2010 8:56 AM 228408]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [03/02/2010 5:04 PM 166568]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [07/23/2008 12:31 PM 44800]
R3 Impcd;Impcd;c:\windows\system32\drivers\Impcd.sys [03/03/2010 9:25 AM 132480]
R3 IntcDAud;Intel® Display Audio;c:\windows\system32\drivers\IntcDAud.sys [03/03/2010 9:25 AM 251904]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [09/14/2009 1:42 PM 32272]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [07/26/2010 4:26 PM 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [07/26/2010 4:26 PM 6144]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [01/09/2010 9:37 PM 4640000]
R3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [03/03/2010 9:03 AM 49152]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [03/18/2010 1:16 PM 130384]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [07/26/2010 4:26 PM 14336]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [03/25/2010 10:25 AM 30969208]
S3 RegKernelHelp;RegKernelHelp;\??\c:\program files\Safe Returner\RegKernelHelp.sys --> c:\program files\Safe Returner\RegKernelHelp.sys [?]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [06/13/2009 12:13 AM 1120752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [03/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-06-17 18:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-08 c:\windows\Tasks\User_Feed_Synchronization-{02ED9F3A-20AA-4C40-8703-35413BFC0DB7}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 00:36]
.
2011-05-08 c:\windows\Tasks\User_Feed_Synchronization-{0DF2A254-94D9-4D46-8462-F51A62BA1653}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 00:36]
.
2011-05-08 c:\windows\Tasks\User_Feed_Synchronization-{947390D8-ED7B-4194-A8F2-B97DB2B2A32C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 00:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = http://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
FF - ProfilePath - c:\documents and settings\xxxxx\Application Data\Mozilla\Firefox\Profiles\3pcb4lgc.default\
FF - prefs.js: browser.startup.homepage - hxxps://xxxxxxxx.com/
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-{69333A04-5134-40A5-A055-9166A7AA1EC8} - c:\program files\InstallShield Installation Information\{69333A04-5134-40A5-A055-9166A7AA1EC8}\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-07 21:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(2044)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
- - - - - - - > 'lsass.exe'(256)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4396)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-07 22:01:03
ComboFix-quarantined-files.txt 2011-05-08 03:00
.
Pre-Run: 213,154,689,024 bytes free
Post-Run: 215,580,831,744 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 557D9D1F5008AEB89B404B754234025B

#6 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:05 PM

Posted 07 May 2011 - 10:11 PM

We are going to check the router.

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat. Choose Save as type: All Files, and where to save: Desktop, then close the Notepad file.

Double-click on router.bat to run it. It will open Notepad when done; please post back the results.
gringo

#7 Yankee1010

  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:05 PM

Posted 07 May 2011 - 10:17 PM

Now I'm having all sorts of new issues: Security Center pop-ups, and I can't get anything to run. I booted into safe mode and am running Malwarebytes and a few others just to try to get the computer so that I can use it again to run anything. My antivirus has picked up on several exploit.java.cve 2010 files. I'm assuming my Java is out of date and I need to get the newest version.

Here is the log.

Windows IP Configuration

Host Name . . . . . . . . . . . . : Mycomputername
Primary Dns Suffix . . . . . . . : ALI.PRI
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xxxxx.com
                                    xxxx.com
                                    ALI.PRI

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : domain.actdsltmp
Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6200 AGN
Physical Address. . . . . . . . . : 00-23-14-31-4F-80
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
                                    205.171.3.25
Lease Obtained. . . . . . . . . . : Saturday, May 07, 2011 9:34:56 PM
Lease Expires . . . . . . . . . . : Sunday, May 08, 2011 9:34:56 PM

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Intel® 82577LM Gigabit Network Connection
Physical Address. . . . . . . . . : 70-5A-B6-9D-82-24

Server: dslmodem.domain.actdsltmp
Address: 192.168.0.1

Name: google.com.xxxxxx.com
Addresses: 63.146.68.201, 63.146.68.202

Server: dslmodem.domain.actdsltmp
Address: 192.168.0.1

Name: yahoo.com.xxxxxx.com
Addresses: 63.146.68.201, 63.146.68.202

Pinging google.com [74.125.225.18] with 32 bytes of data:

Reply from 74.125.225.18: bytes=32 time=91ms TTL=55
Reply from 74.125.225.18: bytes=32 time=87ms TTL=55

Ping statistics for 74.125.225.18:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 87ms, Maximum = 91ms, Average = 89ms

Pinging yahoo.com [98.137.149.56] with 32 bytes of data:

Reply from 98.137.149.56: bytes=32 time=130ms TTL=52
Reply from 98.137.149.56: bytes=32 time=149ms TTL=52

Ping statistics for 98.137.149.56:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 130ms, Maximum = 149ms, Average = 139ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 23 14 31 4f 80 ...... Intel® Centrino® Advanced-N 6200 AGN - Packet Scheduler Miniport
0x3 ...70 5a b6 9d 82 24 ...... Intel® 82577LM Gigabit Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.101 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.101 192.168.1.101 25
192.168.1.101 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.101 192.168.1.101 25
224.0.0.0 240.0.0.0 192.168.1.101 192.168.1.101 25
255.255.255.255 255.255.255.255 192.168.1.101 3 1
255.255.255.255 255.255.255.255 192.168.1.101 192.168.1.101 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

Edited by Yankee1010, 07 May 2011 - 11:04 PM.


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:05 PM

Posted 07 May 2011 - 11:19 PM

Resetting Router

Let's try to reset the router to its default configuration.
  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don't know the router's default password, you can look it up. Here
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using or you can use OpenDNS
Note: After resetting your router, it is important to set a non-default password, and if possible, username, on the router. This will assist in eliminating the possibility of the router being hijacked again.

flush the DNS:

Now lets flush the DNS on the computer:

  • click on Start
  • select run
  • enter cmd and hit enter
  • a black window will open.
  • please enter the following text into that window and hit enter:


    ipconfig /flushdns

Now lets check the router again

Create and Run Batch File
Open Notepad and copy/paste the entire contents of the codebox below, into Notepad:
@echo off
>Log1.txt (
ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print
)
start Log1.txt
del %0
Save this as router.bat. Choose Save as type: All Files, and where to save: Desktop, then close the Notepad file.

Double-click on router.bat to run it. It will open Notepad when done; please post back the results.

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
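The batch file above collects exactly what a helper needs to spot a router whose DNS settings have been changed. As an added example (not code from this thread or from BleepingComputer), here is a small Python triage script that parses the Log1.txt that router.bat produces and lists the points worth checking: DNS servers that are not the gateway, public resolvers handed out by DHCP (to be verified against the ISP's list, as the post says), and nslookup answers that disagree with the address ping resolved. The sample log is constructed in the batch file's layout from the addresses seen earlier in the thread; the host and domain names and all function names are my own assumptions.

```python
"""Triage helper for the Log1.txt that router.bat writes (added example)."""
import ipaddress
import re

# Constructed sample in the layout router.bat produces; the addresses are
# the ones shown earlier in this thread, the names are made up.
SAMPLE_LOG = """\
Windows IP Configuration

DNS Suffix Search List. . . . . . : example.com

Ethernet adapter Wireless Network Connection:

IP Address. . . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
205.171.3.25

Server: dslmodem.example
Address: 192.168.0.1

Name: google.com.example.com
Addresses: 63.146.68.201, 63.146.68.202

Pinging google.com [74.125.225.18] with 32 bytes of data:
Reply from 74.125.225.18: bytes=32 time=91ms TTL=55
"""

KV_RE = re.compile(r"^([^:.][^:]*?)[ .]*:\s*(.*)$")  # "Key . . . : value"
ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")      # "Ethernet adapter X:"
PING_RE = re.compile(r"^Pinging (\S+) \[([\d.]+)\]")   # "Pinging host [ip] ..."
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_log(text):
    """Return (adapters, lookups, pings) from the three sections of the log."""
    adapters, lookups, pings = {}, [], {}
    current, last_key, expect_server_ip = None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PING_RE.match(line)
        if m:
            pings[m.group(1)] = m.group(2)
            current = None
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last_key = adapters.setdefault(m.group(1), {}), None
            continue
        m = KV_RE.match(line)
        if m:
            key, val = m.group(1).strip(), m.group(2).strip()
            if key == "Server":              # nslookup section: leave ipconfig mode
                current, last_key, expect_server_ip = None, None, True
            elif key == "Name":
                lookups.append({"name": val, "addresses": []})
                expect_server_ip = False
            elif key in ("Address", "Addresses"):
                if expect_server_ip:         # the resolver's own address, not an answer
                    expect_server_ip = False
                elif lookups:
                    lookups[-1]["addresses"] += IP_RE.findall(val)
            elif current is not None:
                current[key] = [val] if val else []
                last_key = key
        elif current is not None and last_key:   # wrapped value, e.g. a 2nd DNS server
            current[last_key].append(line)
    return adapters, lookups, pings


def review(adapters, lookups, pings):
    """List the items worth checking against the ISP/router configuration."""
    findings = []
    for name, info in adapters.items():
        ips, masks = info.get("IP Address", []), info.get("Subnet Mask", [])
        if not ips or not masks:
            continue                          # disconnected adapter, nothing to check
        net = ipaddress.ip_interface(f"{ips[0]}/{masks[0]}").network
        gateways = set(info.get("Default Gateway", []))
        for dns in info.get("DNS Servers", []):
            addr = ipaddress.ip_address(dns)
            if dns in gateways:
                continue                      # router answering DNS itself: the normal case
            if addr in net:
                findings.append(f"{name}: DNS server {dns} is on the local subnet but is not the gateway; confirm which device answers DNS")
            elif addr.is_private:
                findings.append(f"{name}: DNS server {dns} is a private address off the local subnet; confirm which device owns it")
            else:
                findings.append(f"{name}: DHCP handed out public DNS server {dns}; verify it against the ISP's published resolvers")
    for q in lookups:
        asked = next((h for h in pings if q["name"] == h or q["name"].startswith(h + ".")), None)
        if asked is None:
            continue
        if q["name"] != asked:
            findings.append(f"nslookup answered for {q['name']} instead of {asked} (search suffix appended); check that answer set")
        if pings[asked] not in q["addresses"]:
            findings.append(f"ping resolved {asked} to {pings[asked]}, which is not among the nslookup answers {sorted(q['addresses'])}")
    return findings


if __name__ == "__main__":
    for item in review(*parse_log(SAMPLE_LOG)):
        print(item)
```

None of the findings is a verdict on its own: a public resolver from DHCP can be perfectly legitimate, and a corporate search suffix with a wildcard record will make nslookup answer for the suffixed name. The point is to get the facts side by side so they can be compared with what the ISP and the router's own configuration page say.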

#9 Yankee1010

Yankee1010
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:05 PM

Posted 08 May 2011 - 01:16 PM

Windows IP Configuration



Host Name . . . . . . . . . . . . : computername
Primary Dns Suffix . . . . . . . : ALI.PRI

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

DNS Suffix Search List. . . . . . : xxxxx.com

xxx.com

ALI.PRI



Ethernet adapter Wireless Network Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel® Centrino® Advanced-N 6200 AGN

Physical Address. . . . . . . . . : 00-23-14-31-4F-80

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.4

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.1

DHCP Server . . . . . . . . . . . : 192.168.1.1

DNS Servers . . . . . . . . . . . : 192.168.1.1

Lease Obtained. . . . . . . . . . : Sunday, May 08, 2011 1:11:28 PM

Lease Expires . . . . . . . . . . : Monday, May 09, 2011 1:11:28 PM



Ethernet adapter Local Area Connection:



Media State . . . . . . . . . . . : Media disconnected

Description . . . . . . . . . . . : Intel® 82577LM Gigabit Network Connection

Physical Address. . . . . . . . . : 70-5A-B6-9D-82-24

Server: UnKnown
Address: 192.168.1.1

Name: google.com.xxxx.com
Addresses: 63.146.68.202, 63.146.68.201

Server: UnKnown
Address: 192.168.1.1

Name: yahoo.com.xxxx.com
Addresses: 63.146.68.201, 63.146.68.202



Pinging google.com [74.125.225.20] with 32 bytes of data:



Reply from 74.125.225.20: bytes=32 time=86ms TTL=55

Reply from 74.125.225.20: bytes=32 time=115ms TTL=55



Ping statistics for 74.125.225.20:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 86ms, Maximum = 115ms, Average = 100ms



Pinging yahoo.com [67.195.160.76] with 32 bytes of data:



Reply from 67.195.160.76: bytes=32 time=131ms TTL=52

Reply from 67.195.160.76: bytes=32 time=133ms TTL=52



Ping statistics for 67.195.160.76:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 131ms, Maximum = 133ms, Average = 132ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 23 14 31 4f 80 ...... Intel® Centrino® Advanced-N 6200 AGN - Packet Scheduler Miniport
0x3 ...70 5a b6 9d 82 24 ...... Intel® 82577LM Gigabit Network Connection - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.4 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.4 192.168.1.4 10
192.168.1.4 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.4 192.168.1.4 10
224.0.0.0 240.0.0.0 192.168.1.4 192.168.1.4 10
255.255.255.255 255.255.255.255 192.168.1.4 3 1
255.255.255.255 255.255.255.255 192.168.1.4 192.168.1.4 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:05 PM

Posted 08 May 2011 - 04:31 PM

Hello

How is the computer doing now?


gringo

#11 Yankee1010

Yankee1010
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:05 PM

Posted 08 May 2011 - 04:59 PM

Still getting redirects.

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:05 PM

Posted 08 May 2011 - 05:01 PM

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#13 Yankee1010

Yankee1010
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:05 PM

Posted 08 May 2011 - 07:10 PM

It seems to be working better. I have not had it redirect on 10 tries yet.


2011/05/08 19:01:13.0609 1288 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/08 19:01:14.0140 1288 ================================================================================
2011/05/08 19:01:14.0140 1288 SystemInfo:
2011/05/08 19:01:14.0140 1288
2011/05/08 19:01:14.0140 1288 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/08 19:01:14.0140 1288 Product type: Workstation
2011/05/08 19:01:14.0140 1288 ComputerName: computername
2011/05/08 19:01:14.0140 1288 UserName: xxxxx
2011/05/08 19:01:14.0140 1288 Windows directory: C:\WINDOWS
2011/05/08 19:01:14.0140 1288 System windows directory: C:\WINDOWS
2011/05/08 19:01:14.0140 1288 Processor architecture: Intel x86
2011/05/08 19:01:14.0140 1288 Number of processors: 4
2011/05/08 19:01:14.0140 1288 Page size: 0x1000
2011/05/08 19:01:14.0140 1288 Boot type: Normal boot
2011/05/08 19:01:14.0140 1288 ================================================================================
2011/05/08 19:01:14.0296 1288 Initialize success
2011/05/08 19:01:18.0656 3516 ================================================================================
2011/05/08 19:01:18.0656 3516 Scan started
2011/05/08 19:01:18.0656 3516 Mode: Manual;
2011/05/08 19:01:18.0656 3516 ================================================================================
2011/05/08 19:01:19.0390 3516 Accelerometer (a0baabb7d3549460e3f8c5ad6f778683) C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
2011/05/08 19:01:19.0453 3516 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/08 19:01:19.0500 3516 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/05/08 19:01:19.0593 3516 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/08 19:01:19.0656 3516 AESTAud (822d53766d57c90c437536232ece9023) C:\WINDOWS\system32\drivers\AESTAud.sys
2011/05/08 19:01:19.0750 3516 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/08 19:01:19.0828 3516 AgereSoftModem (07758c2196a62f207f77556311e7459a) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2011/05/08 19:01:20.0031 3516 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/08 19:01:20.0171 3516 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/08 19:01:20.0203 3516 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\drivers\atapi.sys
2011/05/08 19:01:20.0265 3516 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/08 19:01:20.0328 3516 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/08 19:01:20.0375 3516 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/08 19:01:20.0453 3516 BTKRNL (9f704f40cd50ae05bbfc492c0342e765) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/05/08 19:01:20.0484 3516 BTWUSB (1166cb501e1c34750a91600579efeab3) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/05/08 19:01:20.0640 3516 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/08 19:01:20.0656 3516 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/08 19:01:20.0687 3516 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/08 19:01:20.0734 3516 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/08 19:01:20.0765 3516 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/08 19:01:20.0812 3516 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/05/08 19:01:20.0859 3516 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/05/08 19:01:20.0921 3516 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/05/08 19:01:20.0984 3516 CVPNDRVA (465ced77e7c4f9d71b81ba600edafac1) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2011/05/08 19:01:21.0031 3516 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/08 19:01:21.0078 3516 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/08 19:01:21.0109 3516 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/08 19:01:21.0125 3516 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/08 19:01:21.0156 3516 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/08 19:01:21.0187 3516 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/05/08 19:01:21.0218 3516 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/08 19:01:21.0265 3516 e1kexpress (c08a912bc3257859516d2b71f5e29802) C:\WINDOWS\system32\DRIVERS\e1k5132.sys
2011/05/08 19:01:21.0343 3516 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/08 19:01:21.0375 3516 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/05/08 19:01:21.0390 3516 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/08 19:01:21.0406 3516 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/08 19:01:21.0437 3516 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/08 19:01:21.0484 3516 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/08 19:01:21.0500 3516 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/08 19:01:21.0515 3516 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/08 19:01:21.0531 3516 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/08 19:01:21.0593 3516 HECI (a88485dc6a7136c10d9a6c7e38fdfe3c) C:\WINDOWS\system32\DRIVERS\HECI.sys
2011/05/08 19:01:21.0656 3516 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/08 19:01:21.0687 3516 hpdskflt (9f620e11b80b74f4dab50a81a5df357f) C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
2011/05/08 19:01:21.0750 3516 HpqKbFiltr (35956140e686d53bf676cf0c778880fc) C:\WINDOWS\system32\DRIVERS\HpqKbFiltr.sys
2011/05/08 19:01:21.0781 3516 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/08 19:01:21.0843 3516 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/08 19:01:21.0937 3516 ialm (364872e9c594af4bf0f742273cea0238) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/05/08 19:01:22.0000 3516 iaStor (d5edb998656e6ecf1a17c78dab019a3c) C:\WINDOWS\system32\drivers\iaStor.sys
2011/05/08 19:01:22.0078 3516 IFXTPM (91c5e9f49f32110ced27e2f902fad607) C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS
2011/05/08 19:01:22.0109 3516 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/08 19:01:22.0171 3516 Impcd (e3c36ac5ae87ec970ae8ea2a93d59ae1) C:\WINDOWS\system32\DRIVERS\Impcd.sys
2011/05/08 19:01:22.0250 3516 IntcDAud (7a49e753011c0bd37170cc1ceb944e92) C:\WINDOWS\system32\DRIVERS\IntcDAud.sys
2011/05/08 19:01:22.0296 3516 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/08 19:01:22.0328 3516 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/08 19:01:22.0359 3516 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/08 19:01:22.0375 3516 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/08 19:01:22.0421 3516 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/08 19:01:22.0453 3516 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/08 19:01:22.0468 3516 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/08 19:01:22.0500 3516 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/08 19:01:22.0531 3516 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/08 19:01:22.0578 3516 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/08 19:01:22.0656 3516 kl1 (a884729b0e98cd93d6511de6d58cdc98) c:\WINDOWS\system32\drivers\kl1.sys
2011/05/08 19:01:22.0718 3516 KLIF (8561637834a84bfc5743607432fd9f41) C:\WINDOWS\system32\DRIVERS\klif.sys
2011/05/08 19:01:22.0765 3516 klim5 (fbdc2034b58d2135d25fe99eb8b747c3) C:\WINDOWS\system32\DRIVERS\klim5.sys
2011/05/08 19:01:22.0796 3516 KLOGNT (a6a666c00638ed982eb7afef872a62ff) C:\WINDOWS\System32\drivers\klognt.sys
2011/05/08 19:01:22.0843 3516 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/08 19:01:22.0859 3516 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/08 19:01:22.0937 3516 ldblank (b42d0d37f8c76ed9a462404afe520edb) C:\WINDOWS\system32\DRIVERS\ldblank.sys
2011/05/08 19:01:22.0984 3516 ldmirror (a3b89beb5fb3ad3bef5e58a5885aea63) C:\WINDOWS\system32\DRIVERS\ldmirror.sys
2011/05/08 19:01:23.0000 3516 mirrorflt (aadae4ec10f7075217e87c5cfc0580c9) C:\WINDOWS\system32\DRIVERS\mirrorflt.sys
2011/05/08 19:01:23.0062 3516 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/08 19:01:23.0093 3516 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/08 19:01:23.0125 3516 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/08 19:01:23.0187 3516 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/08 19:01:23.0203 3516 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/08 19:01:23.0234 3516 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/08 19:01:23.0265 3516 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/08 19:01:23.0328 3516 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/08 19:01:23.0359 3516 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/08 19:01:23.0375 3516 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/08 19:01:23.0390 3516 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/08 19:01:23.0437 3516 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/08 19:01:23.0453 3516 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/08 19:01:23.0468 3516 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/08 19:01:23.0484 3516 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/08 19:01:23.0515 3516 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/08 19:01:23.0546 3516 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/08 19:01:23.0562 3516 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/08 19:01:23.0593 3516 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/08 19:01:23.0609 3516 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/08 19:01:23.0656 3516 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/08 19:01:23.0671 3516 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/08 19:01:23.0687 3516 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/08 19:01:23.0843 3516 NETw5x32 (580207a7c9bde8ba65401f51f9ba9741) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
2011/05/08 19:01:23.0968 3516 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/08 19:01:23.0984 3516 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/08 19:01:24.0000 3516 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/08 19:01:24.0031 3516 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/08 19:01:24.0093 3516 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/08 19:01:24.0109 3516 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/08 19:01:24.0125 3516 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/08 19:01:24.0156 3516 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/08 19:01:24.0171 3516 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/08 19:01:24.0218 3516 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/08 19:01:24.0234 3516 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/08 19:01:24.0312 3516 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/05/08 19:01:24.0468 3516 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/08 19:01:24.0484 3516 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/08 19:01:24.0500 3516 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/08 19:01:24.0546 3516 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/08 19:01:24.0671 3516 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/08 19:01:24.0687 3516 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/08 19:01:24.0718 3516 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/08 19:01:24.0734 3516 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/08 19:01:24.0765 3516 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/08 19:01:24.0796 3516 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/08 19:01:24.0828 3516 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/08 19:01:24.0859 3516 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/08 19:01:24.0890 3516 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/08 19:01:25.0031 3516 rimmptsk (df672613fbbcd58c38bb0bc2694bcfb0) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/05/08 19:01:25.0062 3516 rismc32 (470fc46e2989f6606043c1c5365b15fd) C:\WINDOWS\system32\DRIVERS\rismc32.sys
2011/05/08 19:01:25.0171 3516 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/08 19:01:25.0234 3516 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/05/08 19:01:25.0296 3516 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/05/08 19:01:25.0343 3516 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/08 19:01:25.0375 3516 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/08 19:01:25.0406 3516 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/08 19:01:25.0437 3516 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/05/08 19:01:25.0484 3516 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/08 19:01:25.0609 3516 SNP2UVC (4d8a49526aa035b1a8ff3fe6807783f5) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
2011/05/08 19:01:25.0656 3516 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/08 19:01:25.0687 3516 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/08 19:01:25.0765 3516 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/08 19:01:25.0859 3516 STHDA (c2bf767970f54814e6a26650ece2bd76) C:\WINDOWS\system32\drivers\sthda.sys
2011/05/08 19:01:25.0890 3516 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/08 19:01:25.0921 3516 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/08 19:01:25.0937 3516 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/08 19:01:26.0078 3516 SynTP (07fdb043f69eb95e1dad7ce16b95bdd3) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/05/08 19:01:26.0093 3516 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/08 19:01:26.0156 3516 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/08 19:01:26.0203 3516 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/08 19:01:26.0218 3516 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/08 19:01:26.0250 3516 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/08 19:01:26.0312 3516 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/08 19:01:26.0390 3516 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/08 19:01:26.0468 3516 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/08 19:01:26.0531 3516 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/08 19:01:26.0562 3516 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/08 19:01:26.0609 3516 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/08 19:01:26.0640 3516 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/08 19:01:26.0703 3516 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/05/08 19:01:26.0765 3516 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/08 19:01:26.0812 3516 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/08 19:01:26.0875 3516 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2011/05/08 19:01:26.0984 3516 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/08 19:01:27.0046 3516 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/05/08 19:01:27.0093 3516 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/08 19:01:27.0171 3516 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2011/05/08 19:01:27.0203 3516 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/05/08 19:01:27.0265 3516 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/08 19:01:27.0328 3516 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/08 19:01:27.0359 3516 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/08 19:01:27.0406 3516 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/08 19:01:27.0406 3516 ================================================================================
2011/05/08 19:01:27.0406 3516 Scan finished
2011/05/08 19:01:27.0406 3516 ================================================================================
2011/05/08 19:01:27.0421 3180 Detected object count: 1
2011/05/08 19:02:04.0343 3180 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/08 19:02:04.0343 3180 \HardDisk0 - ok
2011/05/08 19:02:04.0343 3180 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/08 19:02:09.0796 4464 Deinitialize success
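For a report like this one it helps to pull out the detections and the chosen action without reading every driver line. As an added example (not part of this thread and not a Kaspersky tool), the following Python script parses TDSSKiller's log format into a short summary: the driver count, drivers loaded from outside the Windows directory (worth a look, not proof of anything), each detected object with its status and the selected action, and whether the "Detected object count" line agrees with the number of detection lines. The sample is constructed from the report format above, with a few of its lines copied in; function names are my own.

```python
"""Summarise a TDSSKiller report for triage (added example, not a Kaspersky tool)."""
import re

# Constructed sample in the format TDSSKiller writes; the driver, detection
# and action lines are copied from the report posted above.
SAMPLE_REPORT = r"""
2011/05/08 19:01:13.0609 1288 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16
2011/05/08 19:01:14.0140 1288 Windows directory: C:\WINDOWS
2011/05/08 19:01:18.0656 3516 Scan started
2011/05/08 19:01:19.0453 3516 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/08 19:01:25.0171 3516 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/08 19:01:26.0156 3516 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/08 19:01:27.0406 3516 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/08 19:01:27.0406 3516 Scan finished
2011/05/08 19:01:27.0421 3180 Detected object count: 1
2011/05/08 19:02:04.0343 3180 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/08 19:02:04.0343 3180 \HardDisk0 - ok
2011/05/08 19:02:04.0343 3180 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/05/08 19:02:09.0796 4464 Deinitialize success
"""

# Each line is "date time pid message"; only the message is interpreted.
LINE_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(.*)$")
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")        # name (md5) path
DETECT_RE = re.compile(r"^(\S+) - detected (\S+) \((\d+)\)$")      # object - detected threat (n)
ACTION_RE = re.compile(r"^(\S+)\((\S+)\) - User select action: (\w+)$")
STATUS_RE = re.compile(r"^(\S+) \(([^)]+)\) - (.+)$")             # object (threat) - status
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")
WINDIR_RE = re.compile(r"^Windows directory: (.+)$")


def summarize(report):
    """Return a dict with the driver inventory size, detections and consistency checks."""
    drivers, detections, declared, windir = [], {}, None, r"C:\WINDOWS"
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        d = DRIVER_RE.match(msg)
        if d:
            drivers.append({"name": d.group(1), "md5": d.group(2), "path": d.group(3)})
            continue
        d = DETECT_RE.match(msg)
        if d:
            detections[d.group(1)] = {"threat": d.group(2), "status": None, "action": None}
            continue
        d = ACTION_RE.match(msg)
        if d and d.group(2) in detections:
            detections[d.group(2)]["action"] = d.group(3)
            continue
        d = STATUS_RE.match(msg)
        if d and d.group(1) in detections:
            detections[d.group(1)]["status"] = d.group(3)
            continue
        d = COUNT_RE.match(msg)
        if d:
            declared = int(d.group(1))
            continue
        d = WINDIR_RE.match(msg)
        if d:
            windir = d.group(1)
    prefix = windir.lower().rstrip("\\") + "\\"
    return {
        "driver_count": len(drivers),
        "drivers_outside_windir": [x["name"] for x in drivers
                                   if not x["path"].lower().startswith(prefix)],
        "detections": detections,
        "declared_count": declared,
        "count_matches": declared == len(detections),
        "pending_reboot": [o for o, v in detections.items()
                           if v["status"] and "after reboot" in v["status"]],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The "pending_reboot" list is the part to act on: a cure that is scheduled for the next reboot has not happened yet, which is why the instructions above say to reboot when asked and then post the report found in the root of C:\.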

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:05 PM

Posted 08 May 2011 - 08:13 PM

Hello

I would like to see a report that ComboFix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo

#15 Yankee1010

Yankee1010
  • Topic Starter

  • Members
  • 27 posts
  • Local time:08:05 PM

Posted 08 May 2011 - 08:23 PM

Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
Bd Training System
Autodesk DWF Viewer 7
Cisco Systems VPN Client 5.0.03.0560
Citrix Presentation Server Client
Compatibility Pack for the 2007 Office system
CSC Statistical Reports
DirectX 9 Runtime
Embedded Security for HP ProtectTools Driver
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB949764)
Hotfix for Windows XP (KB953955)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB969238)
Hotfix for Windows XP (KB981128)
HP 3D DriveGuard
HP BatteryCheck 2.10 A4
HP ESU for Microsoft Windows XP
HP Integrated Module with Bluetooth wireless technology
HP Quick Launch Buttons
HP Web Camera
HP Webcam
HP Webcam Driver
HP Wireless Assistant
IDT Audio
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Components
Intel® Network Connections Drivers
Internet Explorer (Enable DEP)
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
J2SE Runtime Environment 5.0 Update 6
Kaspersky Anti-Virus 6.0 for Windows Workstations
Kaspersky Lab Network Agent
LANDesk Advance Agent
LANDesk® Common Base Agent 8
LightScribe System Software
LSI HDA Modem
Malwarebytes' Anti-Malware
MapPoint Spatial Data Import COM Add-in Sample
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886904)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Access database engine 2010 (English)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft English TTS Engine
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft MapPoint North America 2011
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Communicator 2007 R2
Microsoft Office Excel MUI (English) 2010
Microsoft Office Groove MUI (English) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2007
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2007
Microsoft Office Proof (French) 2010
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (English) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Visio Viewer 2007
Microsoft Office Word MUI (English) 2010
Microsoft Printing
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Software Update for Web Folders (English) 14
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Windows Journal Viewer
Microsoft WinUsb 1.0
Minitab 15 English
Mozilla Firefox 4.0 (x86 en-US)
MPSuperShape
Ms VB 6.04 Run-time Support
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP3 Parser
MSXML 6.0 Parser (KB933579)
OQ Plus
OQ Plus Addins
Oracle Data Provider for .NET Help
Oracle10
PC3270 v4.3.3
Powerbuilder Support Files
Powerbuilder Support Files 8.03 (2/4/2004)
QLBCASL
RICOH Media Driver
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Business
Roxio Creator Business v10
Roxio Creator Copy
Roxio Creator Data
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD
SAPI Wrapper
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft Excel 2010 (KB2466146)
Security Update for Microsoft Office 2010 (KB2289078)
Security Update for Microsoft Office 2010 (KB2289161)
Security Update for Microsoft Office Visio 2007 (KB957831)
Security Update for Microsoft Publisher 2010 (KB2409055)
Security Update for Microsoft Word 2010 (KB2345000)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic CinePlayer Decoder Pack
SUPERAntiSpyware
Symantec Enterprise Vault HTTP-only Outlook Add-In
Synaptics Pointing Device Driver
Timbuktu Pro
TTS Wrapper
Update for Microsoft Outlook Social Connector (KB983403)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB943729)
Update for Windows XP (KB955839)
Update for Windows XP (KB958752)
Update for Windows XP (KB973815)
Validity Fingerprint Driver
ViewMail for Outlook 7.0(2)
WebFldrs XP
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WMS Storms
