Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Unknown Google redirect malware


  • This topic is locked This topic is locked
21 replies to this topic

#1 c-a-l

c-a-l

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 19 May 2011 - 08:37 PM

Hi
Thank you in advance for the help.

About two weeks ago, a fake AVG update was downloaded and installed to my computer. I've managed to get rid of the obvious trojans that it brought, and install the real AVG, but am left with the google redirect problem (and perhaps other problems of which I am not aware) that I need help getting rid of. This post follows the directions for posting here given at:
http://www.bleepingcomputer.com/forums/topic34773.html

Below is the text from DDS and attached is the log.
Per the directions, I downloaded and tried to run GMER, but AVG Identity Protection pops up stating "Threat detected" and gives GMER.exe as the threat. I'm not sure if I should click on "Allow" so I did not.

DDS Text File:
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_20
Run by myusername at 20:58:58 on 2011-05-19
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1789.784 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\brsvc01a.exe
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MSSQL\Primavera\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\avgemcx.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\myusername\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\taskeng.exe
C:\Windows\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
C:\Program Files\KeePass Password Safe 2\KeePass.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Downloads\dds.scr
C:\Windows\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://en.us.acer.yahoo.com
mStart Page = hxxp://en.us.acer.yahoo.com
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [eRecoveryService]
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [<NO NAME>]
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\myusername\appdata\roaming\mozilla\firefox\profiles\1oeduggr.default\
FF - prefs.js: browser.startup.homepage - hxxps://webmail.atl.earthlink.net/wam/login.jsp?redirect=%2Fwam%2Findex.jsp&x=-1443703386&x=1438187168
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\opera\program\plugins\npican.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg10\Firefox4
FF - Ext: AVG Security Toolbar em:version=6.103.018.001 em:displayname=AVG Security Toolbar em:iconURL=chrome://tavgp/skin/logo.ico em:creator=AVG Technologies em:description=AVG Security Toolbar em:homepageURL=http://www.avg.com >: avg@igeared - c:\program files\avg\avg10\toolbar\firefox\avg@igeared
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: XULRunner: {4C3A46DA-784C-4197-9FDB-51CC427FA1F3} - c:\users\myusername\appdata\local\{4C3A46DA-784C-4197-9FDB-51CC427FA1F3}
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-31 64288]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-6-19 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-6-19 35712]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-4-18 7398752]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 msftesql$PRIMAVERA;SQL Server FullText Search (PRIMAVERA);c:\program files\mssql\primavera\mssql.2\mssql\binn\msftesql.exe [2010-3-26 91992]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-4-14 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 28624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-8 947528]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
S3 MSSQL$PRIMAVERA;SQL Server (PRIMAVERA);c:\program files\mssql\primavera\mssql.2\mssql\binn\sqlservr.exe [2010-12-10 29293408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-30 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-30 136176]
S4 PrmBackAgent;Primavera Background Agent;c:\program files\common files\primavera common\backgroundagent\PrmBackgroundAgent.exe [2007-12-3 841728]
.
=============== Created Last 30 ================
.
2011-05-17 02:25:36 -------- d-----w- c:\users\myusername\appdata\roaming\SUPERAntiSpyware.com
2011-05-17 02:25:36 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-05-17 02:25:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-11 05:35:44 7071056 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{53caa4c5-42ad-4717-b5d1-bd3d4a14f098}\mpengine.dll
2011-05-11 00:56:34 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-08 03:01:40 -------- d-----w- c:\users\myusername\appdata\local\AVG Security Toolbar
2011-05-08 02:58:50 -------- d-----w- c:\users\myusername\appdata\roaming\AVG10
2011-05-08 02:57:46 -------- d-----w- c:\programdata\AVG Security Toolbar
2011-05-08 02:56:51 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-08 02:56:51 -------- d-----w- c:\programdata\AVG10
2011-05-08 02:40:46 -------- d-----w- c:\programdata\MFAData
2011-04-30 13:38:00 0 ----a-w- c:\users\myusername\appdata\local\Olirihoji.bin
2011-04-30 13:37:59 -------- d-----w- c:\users\myusername\appdata\local\{4C3A46DA-784C-4197-9FDB-51CC427FA1F3}
2011-04-27 00:05:44 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 00:05:44 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 00:05:37 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
==================== Find3M ====================
.
2011-04-15 01:28:18 134480 ----a-w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-04-05 04:59:56 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2011-03-16 20:03:20 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13:01 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33:12 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33:09 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24:10 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24:02 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23:59 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23:55 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-22 12:12:38 22992 ----a-w- c:\windows\system32\drivers\AVGIDSEH.sys
2011-02-22 06:21:28 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17:08 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16:53 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16:40 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16:40 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20:39 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43:54 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 21:00:53.37 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 21 May 2011 - 04:28 AM

**In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. Failure to do so we will have your thread closed in THREE(3) days. :)


Hello there, c-a-l

:welcome:

I'm Conspire, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Read the entire procedure
  • It is important to perform ALL actions in sequence.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with me till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
  • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.

IMPORTANT NOTE : Please do not delete anything unless instructed to.

---------------------------------------------------------------------------------------------------

downloaded and tried to run GMER, but AVG Identity Protection pops up stating "Threat detected" and gives GMER.exe as the threat. I'm not sure if I should click on "Allow" so I did not.

You have to make sure your real time protections are all turned off. Disable AVG Identity Protection and run GMER then post the results back here. Thanks. :)

---------------------------------------------------------------------------------------------------
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#3 c-a-l

c-a-l
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 21 May 2011 - 12:45 PM

First, thank you very much for your response and willingness to help.

I went into AVG, Tools, Advanced Settings, and clicked temporarily disable AVG Products. Then I ran GMER per the instructions, but I got the same message from "AVG Identity Protection." This time I clicked allow, and GMER finished. The GMER log is pasted below.

Two other pieces of info that might be applicable:
1) Before even my first post above, in an attempt to try to fix this problem, I disabled a bunch of things in Windows Startup. Those remain disabled.
2) Another problem started concurrently with this redirect problem, which is that the laptop runs VERY hot, and always runs. It will no longer go to sleep, and it is always running - CPU usage stays at about 25% and it constantly uses about half the memory. Neither was a problem before this redirect problem started.

Thanks

GMER Log:
GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-21 13:36:16
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS542512K9SA00 rev.BB2OC31P
Running: gmer.exe; Driver: C:\Users\myusername\AppData\Local\Temp\kglyqpod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x9E3057A0]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8D720620]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x9E3058E4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9E305980]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 828C9B74 4 Bytes [A0, 57, 30, 9E]
.text ntkrnlpa.exe!KeSetEvent + 621 828C9DA4 8 Bytes [20, 06, 72, 8D, E4, 58, 30, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 828C9E04 4 Bytes [80, 59, 30, 9E] {SBB BYTE [ECX+0x30], 0x9e}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8C410000, 0x213E57, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----

#4 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 21 May 2011 - 11:46 PM

You're welcome.

Thanks for the additional info provided. I will take note of the two issues in mind. :)


Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
Posted Image

On completion of the scan click save log, save it to your desktop and post in your next reply
Posted Image
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#5 c-a-l

c-a-l
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 22 May 2011 - 12:09 PM

Here is the text of the that log:
aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-22 13:04:17
-----------------------------
13:04:17.636 OS Version: Windows 6.0.6002 Service Pack 2
13:04:17.636 Number of processors: 2 586 0x6802
13:04:17.638 ComputerName: myputername UserName: myusername
13:04:52.139 Initialize success
13:05:13.029 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:05:13.032 Disk 0 Vendor: Hitachi_HTS542512K9SA00 BB2OC31P Size: 114473MB BusType: 3
13:05:15.072 Disk 0 MBR read successfully
13:05:15.079 Disk 0 MBR scan
13:05:15.088 Disk 0 unknown MBR code
13:05:17.100 Disk 0 scanning sectors +234438656
13:05:17.170 Disk 0 scanning C:\Windows\system32\drivers
13:05:27.816 Service scanning
13:05:30.884 Disk 0 trace - called modules:
13:05:30.890
13:05:30.895 Scan finished successfully
13:06:09.764 Disk 0 MBR has been saved successfully to "C:\Users\myusername\Desktop\MBR.dat"
13:06:09.766 The log file has been saved successfully to "C:\Users\myusername\Desktop\aswMBR.txt"

Edited by c-a-l, 22 May 2011 - 12:10 PM.


#6 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 22 May 2011 - 10:40 PM

Hi,

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
===================================================

Please read through these instructions to familarize yourself with what to expect when this tool runs


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

    Regarding AVG - Due to recent changes in AVG and how it interacts with ComboFix, before running ComboFix, AVG must be uninstalled via Start>Control Panel>Add or Remove programs panel.

    If you have difficulty uninstalling AVG, download Opswat AppRemover for AVG. The download for the AVG uninstaller can be found here > http://www.appremover.com/appremover/avg/AppRemover.exe

    **********************************************
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===================================================

On your next reply please post :
TDSSKiller log
Combofix log


Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#7 c-a-l

c-a-l
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 23 May 2011 - 07:17 PM

Ran the tdss Killer without a problem. It indicated there were no problems. Log is posted below.

Removed AVG to run Combo Fix. Should I reinstall AVG or a different AV? Per some reading I did on this site perhaps Avira or Avast is better?
While running ComboFix, when the following was on the ComboFix screen:
"Preparing Log Report
Do not run any programs until ComboFix has finished"
I got a window labeled "Microsoft Windows" and it stated: "pev.cfxxe has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available"
I clicked OK and then I got the exact same thing again. After the second time I clicked OK, Combofix seemed to finish and create a log file, which I have pasted below.

TDSS Killer Log:
2011/05/23 19:17:32.0515 5072 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/23 19:17:32.0833 5072 ================================================================================
2011/05/23 19:17:32.0833 5072 SystemInfo:
2011/05/23 19:17:32.0833 5072
2011/05/23 19:17:32.0834 5072 OS Version: 6.0.6002 ServicePack: 2.0
2011/05/23 19:17:32.0834 5072 Product type: Workstation
2011/05/23 19:17:32.0834 5072 ComputerName: myputername
2011/05/23 19:17:32.0834 5072 UserName: myusername
2011/05/23 19:17:32.0834 5072 Windows directory: C:\Windows
2011/05/23 19:17:32.0834 5072 System windows directory: C:\Windows
2011/05/23 19:17:32.0834 5072 Processor architecture: Intel x86
2011/05/23 19:17:32.0834 5072 Number of processors: 2
2011/05/23 19:17:32.0834 5072 Page size: 0x1000
2011/05/23 19:17:32.0834 5072 Boot type: Normal boot
2011/05/23 19:17:32.0834 5072 ================================================================================
2011/05/23 19:17:33.0207 5072 Initialize success
2011/05/23 19:17:36.0064 5144 ================================================================================
2011/05/23 19:17:36.0064 5144 Scan started
2011/05/23 19:17:36.0064 5144 Mode: Manual;
2011/05/23 19:17:36.0064 5144 ================================================================================
2011/05/23 19:17:37.0029 5144 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/05/23 19:17:37.0184 5144 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/05/23 19:17:37.0308 5144 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/05/23 19:17:37.0374 5144 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/05/23 19:17:37.0469 5144 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/05/23 19:17:37.0587 5144 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/05/23 19:17:37.0764 5144 AgereSoftModem (d31d1a92479bd8c0d050a6ffbdd410d9) C:\Windows\system32\DRIVERS\AGRSM.sys
2011/05/23 19:17:37.0940 5144 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/05/23 19:17:38.0026 5144 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/05/23 19:17:38.0077 5144 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/05/23 19:17:38.0192 5144 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/05/23 19:17:38.0248 5144 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/05/23 19:17:38.0286 5144 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/05/23 19:17:38.0394 5144 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2011/05/23 19:17:38.0513 5144 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/05/23 19:17:38.0642 5144 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/05/23 19:17:38.0743 5144 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/05/23 19:17:38.0849 5144 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/05/23 19:17:39.0105 5144 atikmdag (5e80c91ca04c46a9ac6d4f39e1bce636) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/05/23 19:17:39.0358 5144 AtiPcie (4aa1eb65481c392955939e735d27118b) C:\Windows\system32\DRIVERS\AtiPcie.sys
2011/05/23 19:17:39.0597 5144 AVGIDSDriver (97824e8c95d9717777abd46a7b632310) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
2011/05/23 19:17:39.0709 5144 AVGIDSEH (c59c9bc3f0612bd207ccdc5d8cb9ce39) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
2011/05/23 19:17:39.0836 5144 AVGIDSFilter (c5559de2ec66cede15a1664f6d183d8e) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
2011/05/23 19:17:39.0956 5144 AVGIDSShim (ae5e9667fa40206796d1bd5bd0427a8a) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys
2011/05/23 19:17:40.0084 5144 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\Windows\system32\DRIVERS\avgldx86.sys
2011/05/23 19:17:40.0158 5144 avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\Windows\system32\DRIVERS\avgmfx86.sys
2011/05/23 19:17:40.0279 5144 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\Windows\system32\DRIVERS\avgrkx86.sys
2011/05/23 19:17:40.0384 5144 Avgtdix (aaf0ebcad95f2164cffb544e00392498) C:\Windows\system32\DRIVERS\avgtdix.sys
2011/05/23 19:17:40.0565 5144 b57nd60x (502f1c30bd50b32d00ce4dcaecc3d3c7) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/05/23 19:17:40.0749 5144 BCM43XX (e22abcaa7b6ff580feb0d49545dc4263) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/05/23 19:17:40.0892 5144 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/05/23 19:17:40.0994 5144 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/05/23 19:17:41.0143 5144 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
2011/05/23 19:17:41.0257 5144 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/05/23 19:17:41.0372 5144 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/05/23 19:17:41.0590 5144 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\DRIVERS\BrSerId.sys
2011/05/23 19:17:41.0689 5144 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/05/23 19:17:41.0735 5144 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/05/23 19:17:41.0835 5144 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\DRIVERS\BrUsbSer.sys
2011/05/23 19:17:41.0944 5144 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/05/23 19:17:42.0073 5144 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/05/23 19:17:42.0211 5144 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/05/23 19:17:42.0327 5144 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/05/23 19:17:42.0435 5144 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/05/23 19:17:42.0574 5144 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/05/23 19:17:42.0659 5144 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/05/23 19:17:42.0694 5144 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/05/23 19:17:42.0726 5144 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/05/23 19:17:42.0768 5144 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/05/23 19:17:42.0925 5144 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/05/23 19:17:43.0122 5144 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/05/23 19:17:43.0254 5144 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
2011/05/23 19:17:43.0455 5144 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
2011/05/23 19:17:43.0563 5144 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2011/05/23 19:17:43.0708 5144 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
2011/05/23 19:17:43.0810 5144 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/05/23 19:17:43.0979 5144 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/05/23 19:17:44.0166 5144 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/05/23 19:17:44.0304 5144 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/05/23 19:17:44.0510 5144 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/05/23 19:17:44.0663 5144 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2011/05/23 19:17:44.0801 5144 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/05/23 19:17:44.0893 5144 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/05/23 19:17:45.0004 5144 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/05/23 19:17:45.0121 5144 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/05/23 19:17:45.0214 5144 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/05/23 19:17:45.0302 5144 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/05/23 19:17:45.0435 5144 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/05/23 19:17:45.0582 5144 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/05/23 19:17:45.0689 5144 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/05/23 19:17:45.0886 5144 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/05/23 19:17:46.0005 5144 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/05/23 19:17:46.0147 5144 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/05/23 19:17:46.0203 5144 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/05/23 19:17:46.0364 5144 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/05/23 19:17:46.0517 5144 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/05/23 19:17:46.0669 5144 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/05/23 19:17:46.0735 5144 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/05/23 19:17:46.0900 5144 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/05/23 19:17:46.0957 5144 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/05/23 19:17:47.0110 5144 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/05/23 19:17:47.0200 5144 int15 (c6e5276c00ebdeb096bb5ef4b797d1b6) C:\Acer\Empowering Technology\eRecovery\int15.sys
2011/05/23 19:17:47.0443 5144 IntcAzAudAddService (b795745f7e51aa20d46753ec5a811aca) C:\Windows\system32\drivers\RTKVHDA.sys
2011/05/23 19:17:47.0656 5144 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/05/23 19:17:47.0757 5144 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/05/23 19:17:47.0900 5144 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/05/23 19:17:48.0007 5144 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/05/23 19:17:48.0048 5144 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/05/23 19:17:48.0183 5144 irda (e50a95179211b12946f7e035d60af560) C:\Windows\system32\DRIVERS\irda.sys
2011/05/23 19:17:48.0237 5144 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/05/23 19:17:48.0285 5144 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/05/23 19:17:48.0396 5144 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/05/23 19:17:48.0495 5144 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/05/23 19:17:48.0644 5144 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/05/23 19:17:48.0713 5144 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/05/23 19:17:48.0755 5144 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
2011/05/23 19:17:48.0888 5144 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/05/23 19:17:49.0098 5144 Lbd (713cd5267abfb86fe90a72e384e82a38) C:\Windows\system32\DRIVERS\Lbd.sys
2011/05/23 19:17:49.0294 5144 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/05/23 19:17:49.0419 5144 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2011/05/23 19:17:49.0517 5144 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2011/05/23 19:17:49.0558 5144 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2011/05/23 19:17:49.0660 5144 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/05/23 19:17:49.0767 5144 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2011/05/23 19:17:49.0896 5144 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2011/05/23 19:17:49.0999 5144 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/05/23 19:17:50.0096 5144 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/05/23 19:17:50.0168 5144 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/05/23 19:17:50.0207 5144 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/05/23 19:17:50.0305 5144 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/05/23 19:17:50.0416 5144 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2011/05/23 19:17:50.0529 5144 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/05/23 19:17:50.0663 5144 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/05/23 19:17:50.0802 5144 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/05/23 19:17:50.0909 5144 mrxsmb (5fe5cf325f5b02ebc60832d3440cb414) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/05/23 19:17:51.0030 5144 mrxsmb10 (30b9c769446af379a2afb72b0392604d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/05/23 19:17:51.0128 5144 mrxsmb20 (fea239b3ec4877e2b7e23204af589ddf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/05/23 19:17:51.0189 5144 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
2011/05/23 19:17:51.0294 5144 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2011/05/23 19:17:51.0400 5144 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/05/23 19:17:51.0574 5144 MSIRCOMM (11756768993106dd07861096fb97cdb8) C:\Windows\system32\DRIVERS\MSIRCOMM.sys
2011/05/23 19:17:51.0689 5144 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/05/23 19:17:51.0810 5144 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/05/23 19:17:51.0887 5144 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/05/23 19:17:51.0939 5144 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/05/23 19:17:52.0065 5144 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/05/23 19:17:52.0148 5144 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/05/23 19:17:52.0292 5144 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/05/23 19:17:52.0391 5144 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/05/23 19:17:52.0589 5144 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/05/23 19:17:52.0749 5144 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/05/23 19:17:52.0866 5144 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/05/23 19:17:52.0905 5144 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/05/23 19:17:52.0984 5144 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/05/23 19:17:53.0110 5144 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/05/23 19:17:53.0209 5144 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/05/23 19:17:53.0364 5144 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/05/23 19:17:53.0504 5144 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/05/23 19:17:53.0648 5144 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/05/23 19:17:53.0693 5144 NSCIRDA (6d8d2e5652fc2442c810c5d8be784148) C:\Windows\system32\DRIVERS\nscirda.sys
2011/05/23 19:17:53.0739 5144 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/05/23 19:17:53.0894 5144 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/05/23 19:17:54.0041 5144 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
2011/05/23 19:17:54.0116 5144 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/05/23 19:17:54.0211 5144 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/05/23 19:17:54.0304 5144 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2011/05/23 19:17:54.0347 5144 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2011/05/23 19:17:54.0449 5144 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2011/05/23 19:17:54.0611 5144 O2MDRDR (36ed541ff0ad27d7f1c1e8f86f026309) C:\Windows\system32\DRIVERS\o2media.sys
2011/05/23 19:17:54.0709 5144 O2SDRDR (f3d467025d365a96b5e51c6229562716) C:\Windows\system32\DRIVERS\o2sd.sys
2011/05/23 19:17:54.0827 5144 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/05/23 19:17:54.0969 5144 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/05/23 19:17:55.0063 5144 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/05/23 19:17:55.0168 5144 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/05/23 19:17:55.0292 5144 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/05/23 19:17:55.0416 5144 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2011/05/23 19:17:55.0559 5144 pcmcia (3bb2244f343b610c29c98035504c9b75) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/05/23 19:17:55.0707 5144 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/05/23 19:17:56.0009 5144 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/05/23 19:17:56.0087 5144 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2011/05/23 19:17:56.0168 5144 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/05/23 19:17:56.0291 5144 PSDFilter (18de162f9b83079c24cd96f59292f5ed) C:\Windows\system32\DRIVERS\psdfilter.sys
2011/05/23 19:17:56.0364 5144 PSDNServ (bc1457a28e76ab3106d43802ac22a627) C:\Windows\system32\DRIVERS\PSDNServ.sys
2011/05/23 19:17:56.0465 5144 psdvdisk (ac151e5b0943304e368c98ec78b5fc4f) C:\Windows\system32\DRIVERS\PSDVdisk.sys
2011/05/23 19:17:56.0550 5144 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\Windows\system32\Drivers\PxHelp20.sys
2011/05/23 19:17:56.0701 5144 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2011/05/23 19:17:56.0859 5144 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/05/23 19:17:56.0956 5144 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/05/23 19:17:56.0993 5144 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/05/23 19:17:57.0105 5144 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/05/23 19:17:57.0206 5144 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/05/23 19:17:57.0329 5144 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/05/23 19:17:57.0407 5144 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/05/23 19:17:57.0459 5144 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/05/23 19:17:57.0602 5144 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2011/05/23 19:17:57.0693 5144 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/05/23 19:17:57.0832 5144 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/05/23 19:17:57.0968 5144 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
2011/05/23 19:17:58.0121 5144 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\Windows\system32\DRIVERS\RimSerial.sys
2011/05/23 19:17:58.0193 5144 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
2011/05/23 19:17:58.0374 5144 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/05/23 19:17:58.0498 5144 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/23 19:17:58.0544 5144 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/05/23 19:17:58.0680 5144 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/05/23 19:17:58.0815 5144 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
2011/05/23 19:17:58.0922 5144 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/05/23 19:17:59.0003 5144 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/05/23 19:17:59.0049 5144 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/05/23 19:17:59.0155 5144 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/05/23 19:17:59.0260 5144 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2011/05/23 19:17:59.0353 5144 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2011/05/23 19:17:59.0453 5144 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2011/05/23 19:17:59.0568 5144 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/05/23 19:17:59.0703 5144 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2011/05/23 19:17:59.0739 5144 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2011/05/23 19:17:59.0846 5144 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2011/05/23 19:17:59.0958 5144 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/05/23 19:18:00.0123 5144 SNP2UVC (0302bc619d4a723317e7f8eb0c362bd3) C:\Windows\system32\DRIVERS\snp2uvc.sys
2011/05/23 19:18:00.0266 5144 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/05/23 19:18:00.0386 5144 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
2011/05/23 19:18:00.0508 5144 srv2 (a5940ca32ed206f90be9fabdf6e92de4) C:\Windows\system32\DRIVERS\srv2.sys
2011/05/23 19:18:00.0626 5144 srvnet (37aa1d560d5fa486c4b11c2f276ada61) C:\Windows\system32\DRIVERS\srvnet.sys
2011/05/23 19:18:00.0789 5144 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
2011/05/23 19:18:00.0893 5144 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/05/23 19:18:00.0993 5144 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/05/23 19:18:01.0082 5144 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/05/23 19:18:01.0141 5144 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/05/23 19:18:01.0253 5144 SynTP (c5f25d490d0915732508fd421bf76d93) C:\Windows\system32\DRIVERS\SynTP.sys
2011/05/23 19:18:01.0399 5144 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/05/23 19:18:01.0555 5144 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/23 19:18:01.0711 5144 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/05/23 19:18:01.0808 5144 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/05/23 19:18:01.0849 5144 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/05/23 19:18:01.0980 5144 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/05/23 19:18:02.0075 5144 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/05/23 19:18:02.0250 5144 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/05/23 19:18:02.0342 5144 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/05/23 19:18:02.0448 5144 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/05/23 19:18:02.0534 5144 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2011/05/23 19:18:02.0664 5144 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/05/23 19:18:02.0760 5144 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2011/05/23 19:18:02.0872 5144 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2011/05/23 19:18:02.0951 5144 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/05/23 19:18:03.0072 5144 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/05/23 19:18:03.0143 5144 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/05/23 19:18:03.0286 5144 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/05/23 19:18:03.0361 5144 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/05/23 19:18:03.0535 5144 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/05/23 19:18:03.0611 5144 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/05/23 19:18:03.0718 5144 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
2011/05/23 19:18:03.0808 5144 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/05/23 19:18:03.0932 5144 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/05/23 19:18:04.0033 5144 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/05/23 19:18:04.0136 5144 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/05/23 19:18:04.0220 5144 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2011/05/23 19:18:04.0279 5144 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/05/23 19:18:04.0380 5144 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/05/23 19:18:04.0450 5144 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2011/05/23 19:18:04.0510 5144 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2011/05/23 19:18:04.0619 5144 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2011/05/23 19:18:04.0695 5144 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/05/23 19:18:04.0775 5144 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/05/23 19:18:04.0912 5144 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/05/23 19:18:04.0985 5144 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2011/05/23 19:18:05.0121 5144 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/05/23 19:18:05.0214 5144 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/23 19:18:05.0245 5144 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/23 19:18:05.0373 5144 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2011/05/23 19:18:05.0472 5144 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/05/23 19:18:05.0626 5144 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/05/23 19:18:05.0815 5144 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/05/23 19:18:05.0904 5144 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/05/23 19:18:06.0056 5144 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/05/23 19:18:06.0162 5144 yukonwlh (04e268adfc81964c49dc0c082d520f7e) C:\Windows\system32\DRIVERS\yk60x86.sys
2011/05/23 19:18:06.0323 5144 ================================================================================
2011/05/23 19:18:06.0323 5144 Scan finished
2011/05/23 19:18:06.0323 5144 ================================================================================

ComboFix Log File:

ComboFix 11-05-23.02 - myusername 05/23/2011 19:42:11.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1789.693 [GMT -4:00]
Running from: c:\downloads\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\myusername\AppData\Local\{4C3A46DA-784C-4197-9FDB-51CC427FA1F3}
c:\users\myusername\AppData\Local\{4C3A46DA-784C-4197-9FDB-51CC427FA1F3}\chrome.manifest
c:\users\myusername\AppData\Local\{4C3A46DA-784C-4197-9FDB-51CC427FA1F3}\chrome\content\_cfg.js
c:\users\myusername\AppData\Local\{4C3A46DA-784C-4197-9FDB-51CC427FA1F3}\chrome\content\overlay.xul
c:\users\myusername\AppData\Local\{4C3A46DA-784C-4197-9FDB-51CC427FA1F3}\install.rdf
c:\users\myusername\AppData\Roaming\Microsoft\Windows\Templates\q1nnvo3465rw336k60884mp5f
c:\users\myusername\g2mdlhlpx.exe
c:\windows\system\olepro32.dll
c:\windows\system\W32MKSET.DLL
c:\windows\system\W32MKSET.EXE
c:\windows\system\WDBUUI32.DLL
c:\windows\system32\midas.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 23:51 . 2011-05-23 23:52 -------- d-----w- c:\users\myusername\AppData\Local\temp
2011-05-23 23:51 . 2011-05-23 23:51 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-05-23 23:51 . 2011-05-23 23:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-23 23:51 . 2011-05-23 23:51 -------- d-----w- c:\users\otherusername\AppData\Local\temp
2011-05-17 02:25 . 2011-05-17 02:25 -------- d-----w- c:\users\myusername\AppData\Roaming\SUPERAntiSpyware.com
2011-05-17 02:25 . 2011-05-19 23:53 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-11 00:56 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-08 02:58 . 2011-05-08 02:58 -------- d-----w- c:\users\myusername\AppData\Roaming\AVG10
2011-05-07 23:10 . 2011-05-07 23:10 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2011-04-30 13:38 . 2011-05-07 11:35 0 ----a-w- c:\users\myusername\AppData\Local\Olirihoji.bin
2011-04-27 00:05 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 00:05 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 00:05 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 17:03 . 2011-04-14 01:54 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-14 01:54 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-14 01:54 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-27 00:05 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 00:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 00:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 00:05 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-14 01:54 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-14 01:54 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2006-11-08 22:34 . 2006-11-08 22:34 24848 ----a-w- c:\program files\opera\program\plugins\cgpcfg.dll
2006-11-08 22:34 . 2006-11-08 22:34 74000 ----a-w- c:\program files\opera\program\plugins\cgpcore.dll
2006-11-08 22:34 . 2006-11-08 22:34 45328 ----a-w- c:\program files\opera\program\plugins\icalogon.dll
2006-11-08 22:34 . 2006-11-08 22:34 28944 ----a-w- c:\program files\opera\program\plugins\pscript.dll
2006-11-08 22:34 . 2006-11-08 22:34 69904 ----a-w- c:\program files\opera\program\plugins\sslsdk_b.dll
2006-11-08 22:34 . 2006-11-08 22:34 24848 ----a-w- c:\program files\opera\program\plugins\tcppserv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-04 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2011-02-10 202256]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2007-03-08 19:00 622592 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-07-19 19:51 65536 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 08:55 521776 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 19:06 62760 ------w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-07 23:51 858632 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2007-10-23 17:56 200704 ----a-w- c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 21:23 81920 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-08 00:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 19:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1181328]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 MSSQL$PRIMAVERA;SQL Server (PRIMAVERA);c:\program files\MSSQL\Primavera\MSSQL.2\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 136176]
R4 PrmBackAgent;Primavera Background Agent;c:\program files\Common Files\Primavera Common\BackgroundAgent\PrmBackgroundAgent.exe [2007-12-03 841728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 msftesql$PRIMAVERA;SQL Server FullText Search (PRIMAVERA);c:\program files\MSSQL\Primavera\MSSQL.2\MSSQL\Binn\msftesql.exe [2010-03-26 91992]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-23 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-21 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-21 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-21 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 20:47]
.
2011-05-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 20:47]
.
2011-05-03 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-11-13 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.us.acer.yahoo.com
mStart Page = hxxp://en.us.acer.yahoo.com
FF - ProfilePath - c:\users\myusername\AppData\Roaming\Mozilla\Firefox\Profiles\1oeduggr.default\
FF - prefs.js: browser.startup.homepage - hxxps://webmail.atl.earthlink.net/wam/login.jsp?redirect=%2Fwam%2Findex.jsp&x=-1443703386&x=1438187168
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
MSConfigStartUp-Rzakulukelikufe - c:\users\myusername\AppData\Local\ucehasaf.dll
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-23 19:52
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\TEMP\TMP00000046C7CE06868EA6AC3E 524288 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$PRIMAVERA]
"ImagePath"="\"c:\program files\MSSQL\Primavera\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:PRIMAVERA"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-23 20:00:47
ComboFix-quarantined-files.txt 2011-05-24 00:00
.
Pre-Run: 11,489,832,960 bytes free
Post-Run: 11,335,663,616 bytes free
.
- - End Of File - - BAF2209189F928A25DF60C33C4E052D2

#8 c-a-l

c-a-l
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 23 May 2011 - 09:28 PM

Since I needed to reinstall some sort of AV, I decided to install Avira.
I am also happy to report that the Google redirect problem seems to be gone, thanks I think to ComboFix and your great directions! Computer is also running ALOT cooler.
Not sure if you can tell from the logs above, but I am eager to learn if it actually is all gone. Once I get the all clear from you, I will reset all my passwords on all the sites onto which I have logged on since this mess started. Again, thank you!

#9 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 24 May 2011 - 01:18 AM

Good to hear that, but we still have one more thing to do. :)


Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

Rootkit::
c:\windows\TEMP\TMP00000046C7CE06868EA6AC3E


In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Posted Image

===================================================

Please run DDS again and post the DDS.txt in your next reply.

===================================================

On your next reply please post :
Combofix log
DDS log


Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#10 c-a-l

c-a-l
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 24 May 2011 - 06:23 PM

OK. I did as you directed and the log files are pasted below.

When I ran ComboFix I got an error message stating:
"Pev.exe has stopped working" The only option was OK

Then later I got the same thing as yesterday
"pev.cfxxe has stopped working..." The only option was "Close Program." As yesterday, I got this twice, at the same stage in ComboFix as yesterday. As yesterday, it seemed to continue after the second time I clicked "Close Program."

Logs are below. I will await your confirmation that it is safe for me to log on to my websites and change my passwords. Thanks again so much for help help. I do truly appreciate it very much.

Combo Fix Log from today:
ComboFix 11-05-23.02 - myusername 05/24/2011 18:49:23.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1789.942 [GMT -4:00]
Running from: c:\users\myusername\Desktop\ComboFix.exe
Command switches used :: c:\users\myusername\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-24 to 2011-05-24 )))))))))))))))))))))))))))))))
.
.
2011-05-24 23:01 . 2011-05-24 23:01 -------- d-----w- c:\users\myusername\AppData\Local\temp
2011-05-24 23:01 . 2011-05-24 23:01 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-05-24 23:01 . 2011-05-24 23:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-24 23:01 . 2011-05-24 23:01 -------- d-----w- c:\users\otherusername\AppData\Local\temp
2011-05-24 00:21 . 2011-04-01 21:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-24 00:21 . 2011-04-01 21:07 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-05-24 00:20 . 2011-05-24 00:20 -------- d-----w- c:\program files\Avira
2011-05-17 02:25 . 2011-05-17 02:25 -------- d-----w- c:\users\myusername\AppData\Roaming\SUPERAntiSpyware.com
2011-05-17 02:25 . 2011-05-24 06:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-11 00:56 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-05-08 02:58 . 2011-05-08 02:58 -------- d-----w- c:\users\myusername\AppData\Roaming\AVG10
2011-05-07 23:10 . 2011-05-07 23:10 -------- d-----w- c:\users\Guest\AppData\Roaming\Malwarebytes
2011-04-30 13:38 . 2011-05-07 11:35 0 ----a-w- c:\users\myusername\AppData\Local\Olirihoji.bin
2011-04-27 00:05 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 00:05 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 00:05 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 17:03 . 2011-04-14 01:54 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-14 01:54 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-14 01:54 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-27 00:05 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-27 00:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-27 00:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-27 00:05 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-14 01:54 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-14 01:54 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2006-11-08 22:34 . 2006-11-08 22:34 24848 ----a-w- c:\program files\opera\program\plugins\cgpcfg.dll
2006-11-08 22:34 . 2006-11-08 22:34 74000 ----a-w- c:\program files\opera\program\plugins\cgpcore.dll
2006-11-08 22:34 . 2006-11-08 22:34 45328 ----a-w- c:\program files\opera\program\plugins\icalogon.dll
2006-11-08 22:34 . 2006-11-08 22:34 28944 ----a-w- c:\program files\opera\program\plugins\pscript.dll
2006-11-08 22:34 . 2006-11-08 22:34 69904 ----a-w- c:\program files\opera\program\plugins\sslsdk_b.dll
2006-11-08 22:34 . 2006-11-08 22:34 24848 ----a-w- c:\program files\opera\program\plugins\tcppserv.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-23_23.52.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2011-05-24 22:37 80980 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2011-05-24 00:21 . 2010-06-17 19:27 28520 c:\windows\System32\drivers\ssmdrv.sys
+ 2008-10-07 01:34 . 2011-05-24 22:34 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-10-07 01:34 . 2011-05-23 22:31 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-10-07 01:34 . 2011-05-24 22:34 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-07 01:34 . 2011-05-23 22:31 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-07 01:34 . 2011-05-23 22:31 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-10-07 01:34 . 2011-05-24 22:34 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-05-24 22:28 . 2011-05-24 22:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-05-23 23:30 . 2011-05-23 23:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-05-23 23:30 . 2011-05-23 23:30 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-05-24 22:28 . 2011-05-24 22:28 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-06-24 18:56 . 2011-01-08 15:02 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-06-24 18:56 . 2011-05-24 00:22 262144 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2011-02-15 07:28 . 2011-05-23 23:28 412392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-02-15 07:28 . 2011-05-24 06:12 412392 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-05-24 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-07 102400]
"Acer Product Registration"="c:\program files\Acer\Acer Registration\ACE1.exe" [2007-11-26 3387392]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-08 4853760]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2011-02-10 202256]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-20 963976]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http:" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Office Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk
backup=c:\windows\pss\Office Startup.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2007-03-08 19:00 622592 ------w- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2006-07-19 19:51 65536 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 08:55 521776 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 08:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 19:06 62760 ------w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-07 23:51 858632 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2007-10-23 17:56 200704 ----a-w- c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 21:23 81920 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 12:56 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-08 00:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2008-01-21 19:17 61440 ----a-w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-04 1181328]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 MSSQL$PRIMAVERA;SQL Server (PRIMAVERA);c:\program files\MSSQL\Primavera\MSSQL.2\MSSQL\Binn\sqlservr.exe [2010-12-10 29293408]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 136176]
R4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 136176]
R4 PrmBackAgent;Primavera Background Agent;c:\program files\Common Files\Primavera Common\BackgroundAgent\PrmBackgroundAgent.exe [2007-12-03 841728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-28 136360]
S2 msftesql$PRIMAVERA;SQL Server FullText Search (PRIMAVERA);c:\program files\MSSQL\Primavera\MSSQL.2\MSSQL\Binn\msftesql.exe [2010-03-26 91992]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SASDIFSV
*NewlyCreated* - SSMDRV
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-24 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-24 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-21 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-21 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 19:09]
.
2011-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 20:47]
.
2011-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-30 20:47]
.
2011-05-03 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-11-13 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://en.us.acer.yahoo.com
mStart Page = hxxp://en.us.acer.yahoo.com
FF - ProfilePath - c:\users\myusername\AppData\Roaming\Mozilla\Firefox\Profiles\1oeduggr.default\
FF - prefs.js: browser.startup.homepage - hxxps://webmail.atl.earthlink.net/wam/login.jsp?redirect=%2Fwam%2Findex.jsp&x=-1443703386&x=1438187168
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-24 19:01
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql$PRIMAVERA]
"ImagePath"="\"c:\program files\MSSQL\Primavera\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:PRIMAVERA"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3692)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2011-05-24 19:06:37
ComboFix-quarantined-files.txt 2011-05-24 23:06
ComboFix2.txt 2011-05-24 00:00
.
Pre-Run: 11,375,083,520 bytes free
Post-Run: 10,792,681,472 bytes free
.
- - End Of File - - E51BFFB218F4B184F50557C8B8508960


DDS Log File:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.19048 BrowserJavaVersion: 1.6.0_20
Run by myusername at 19:12:24 on 2011-05-24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1789.703 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {61CDFD9D-3CAC-9270-C6FC-52325ACB795B}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\brss01a.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\MSSQL\Primavera\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\explorer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Downloads\dds.scr
C:\Windows\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://en.us.acer.yahoo.com
mStart Page = hxxp://en.us.acer.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\acer\empowering technology\edatasecurity\x86\ActiveToolBand.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Skytel] Skytel.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNjE2Mjc0MTE5LVhMKzEtVDUtVUNBTEwrMS1VQ0FMTDIrMS1GUDkrNi1UQjkrMi1GTCs5LVhPMzYrMS1GOU03Qys1LUY5TTEwQisyLUY5TTIrMS1GTDEwKzEtTElDKzItVFVHKzM"&"prod=90"&"ver=10.0.1375
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\myusername\appdata\roaming\mozilla\firefox\profiles\1oeduggr.default\
FF - prefs.js: browser.startup.homepage - hxxps://webmail.atl.earthlink.net/wam/login.jsp?redirect=%2Fwam%2Findex.jsp&x=-1443703386&x=1438187168
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\opera\program\plugins\npican.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-31 64288]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-6-19 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-6-19 35712]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-5-23 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-5-23 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-5-23 61960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 msftesql$PRIMAVERA;SQL Server FullText Search (PRIMAVERA);c:\program files\mssql\primavera\mssql.2\mssql\binn\msftesql.exe [2010-3-26 91992]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
S3 MSSQL$PRIMAVERA;SQL Server (PRIMAVERA);c:\program files\mssql\primavera\mssql.2\mssql\binn\sqlservr.exe [2010-12-10 29293408]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-30 136176]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-30 136176]
S4 PrmBackAgent;Primavera Background Agent;c:\program files\common files\primavera common\backgroundagent\PrmBackgroundAgent.exe [2007-12-3 841728]
.
=============== Created Last 30 ================
.
2011-05-24 23:06:39 -------- d-----w- c:\users\myusername\appdata\local\temp
2011-05-24 23:05:17 -------- d-sh--w- C:\$RECYCLE.BIN
2011-05-24 06:01:18 6962000 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{99303d39-209e-475c-991a-96dacd7a93ea}\mpengine.dll
2011-05-24 00:21:01 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-05-24 00:20:57 -------- d-----w- c:\programdata\Avira
2011-05-24 00:20:57 -------- d-----w- c:\program files\Avira
2011-05-23 23:35:37 98816 ----a-w- c:\windows\sed.exe
2011-05-23 23:35:37 89088 ----a-w- c:\windows\MBR.exe
2011-05-23 23:35:37 256512 ----a-w- c:\windows\PEV.exe
2011-05-23 23:35:37 161792 ----a-w- c:\windows\SWREG.exe
2011-05-17 02:25:36 -------- d-----w- c:\users\myusername\appdata\roaming\SUPERAntiSpyware.com
2011-05-17 02:25:36 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2011-05-17 02:25:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-11 00:56:34 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-05-08 02:58:50 -------- d-----w- c:\users\myusername\appdata\roaming\AVG10
2011-05-08 02:56:51 -------- d-----w- c:\programdata\AVG10
2011-05-08 02:40:46 -------- d-----w- c:\programdata\MFAData
2011-04-30 13:38:00 0 ----a-w- c:\users\myusername\appdata\local\Olirihoji.bin
2011-04-27 00:05:44 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-27 00:05:44 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 00:05:37 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
==================== Find3M ====================
.
2011-03-10 17:03:51 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03:51 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42:03 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40:07 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40:05 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40:05 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25:11 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44:27 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
.
============= FINISH: 19:13:01.48 ===============

#11 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 25 May 2011 - 04:19 AM

We will ignore the error from CF. Before you can change your password, I need you to perform one followup scan to be safe. If the report says clear, then you can safely change your password. :)

Re-run Malwarebytes' Anti-Malware
  • Double-click MalwareBytes' (Note to Vista users, please right-click and select Run as Administrator.)
    • Go to Update tab to update Malwarebytes' Anti-Malware
  • Then click Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply
Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.


===================================================

ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

Note: If you are using Windows Vista/7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • Look for report in C:\Program Files\ESET\ESET Online Scanner\log.txt. Include the contents of this report in your next reply.
  • Select Uninstall application on close check box and push Posted Image
===================================================

On your next reply please post :
MBAM log
ESET log


Let me know if you have any problems in performing with the steps above or any questions you may have.

Good Day!
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#12 c-a-l

c-a-l
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 26 May 2011 - 12:22 AM

Well, I guess things don't look so good. Malwarebytes log is fine, but Eset found 8 problems. Yikes. Logs are below.

Malwarebytes Log
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6678

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

5/25/2011 7:03:51 PM
mbam-log-2011-05-25 (19-03-51).txt

Scan type: Quick scan
Objects scanned: 187148
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESET Log

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=419c1d31e8c39842a4a846558fabcc8b
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-26 05:18:13
# local_time=2011-05-26 01:18:13 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=1024 16777215 100 0 633473 633473 0 0
# compatibility_mode=1797 16775165 100 94 0 41971833 109892 0
# compatibility_mode=5892 16776573 100 100 0 142986012 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=181153
# found=8
# cleaned=0
# scan_time=8609
C:\ProgramData\Spybot - Search & Destroy\Recovery\FraudInternetSecurity18.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Users\All Users\Spybot - Search & Destroy\Recovery\FraudInternetSecurity18.zip Win32/Bagle.gen.zip worm (unable to clean) 00000000000000000000000000000000 I
C:\Users\myusername\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\6685d300-623182e3 Java/Exploit.CVE-2010-4452.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\myusername\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\11\560f078b-51728330 multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\myusername\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\18\79bbcad2-1c53674e multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\myusername\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\39\58ec35a7-39769005 a variant of Java/Exploit.CVE-2010-4452.A trojan (unable to clean) 00000000000000000000000000000000 I
C:\Users\myusername\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\6\79ea2406-2d85edbe multiple threats (unable to clean) 00000000000000000000000000000000 I
C:\Users\myusername\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\23dbfa3d-76a6ad7a multiple threats (unable to clean) 00000000000000000000000000000000 I

#13 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 26 May 2011 - 03:57 AM

Well the files found in Spybot's folder is actually a quarantine folder. So the zip files that were detected is already quarantined. As for Java, we will just have to clear the cache then everything will be fine. Having done that, you are good to go. :thumbup2:

Empty your Spybot Recovery (quarantine) folder
  • Open Spybot and click on the "Recovery" button.
  • The items that Spybot has quarantined will be listed.
  • Place a check mark in the box next to each item listed and that click on "Purge Selected Items".
  • Empty your recycle bin.
===================================================

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Settings... button
  • Click the Delete Files button.
  • There are two options in the window to clear the cache - Leave both Checked
    • Applications and Applets
    • Trace and log files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings
  • Click OK to leave the Java Control Panel.
===================================================

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now copy/paste the code into the runbox and click OK. Note the space between the ..X and the /U, it needs to be there.
Combofix /Uninstall
Posted Image

===================================================

Thank you for your patience, and performing all of the procedures requested. I would also like to take this opportunity to apologize for any delay that may have occurred.

--------------------------------------------------------------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.


Passwords
It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article
Strong passwords: How to create and use them and consider a password keeper, to keep all your passwords safe.


SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles:
To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an add-on available for both Firefox and IE.

  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting the attempted connections to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Download Host.zip and Save it to your Desktop.
  • Right-click hosts.zip and select 'Extract all files' or 'Extract files...'.
  • Follow the prompts and click 'Finish'.
  • This will open the newly created hosts folder on your Desktop.
  • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
  • Once updated you should see another prompt that the task was completed.
Follow this list and keep your antivirus program and antispyware programs updated and scan with them on a regular basis. By doing so, your potential for being infected again will reduce dramatically.

Hopefully this should take care of your problems! Good luck.

Do you have any questions or problems to ask? Please do not hesitate to do so.

**Please respond this one more time to ensure it is resolved and close this topic.
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif

#14 c-a-l

c-a-l
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  •  
  • Local time:04:08 AM

Posted 26 May 2011 - 08:44 PM

1. Emptied Spybot quarantine folder. They were not in the recycle bin after this, but I emptied the bin anyway.
2. Deleted Java temporary files
3. Uninstalled Combo Fix (had to disable Avira, but that's ok)
4. Microsoft Updates - I usually install the security updates, but I don't understand installing, for example, a Power Point 2007 update when my most recent MS Office Suite is '97, plus Outlook 2002. I had removed the trail version of Office '08 that came with the computer, but I think there were still a bunch of hangers on. I went into the programs and uninstalled a bunch of stuff associated with any MS Office program after 2002.
I'm not sure why I have all these MS.net framework programs, and MS Visual C++ 2005 and 2008, but per your direction I installed those updates anyway (usually don't). It installed the update for Visual C++ 2005, but the 2008 constantly fails. I installed Internet Explorer 9 even though I use Firefox.
5. Changed the passwords!
6. Added the WOT to Firefox
7. Installed Spyware blaster
8. I am reading more about how to install MVPS in Vista. Is there any downside to doing this (like are there legitimate sites that would not work if I did this?)

Again thank you!

#15 Conspire

Conspire

  • Malware Response Team
  • 1,155 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:08 PM

Posted 26 May 2011 - 10:35 PM

Most if not all, the entries in the host file only block ads and harmful sites. You should not have any problems accessing legitimate sites. There is no downside for using it as far as I'm concerned and I have been using it for long time and find no problems whatsoever.

When you're not sure about what the updates do, just download the ones that is absolute necessary to have. Usually updates like .NET Framework are optionals unless it is required by certain programs.

Anymore questions? I will be glad to help. :)
Proud Graduate of the WTT Classroom
Member of UNITE
The help you receive here is always free. If you wish to show your appreciation, then you may btn_donate_SM.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users