
Alureon infection, rootkit likely


  • This topic is locked
14 replies to this topic

#1 Diegno


Posted 23 May 2011 - 05:19 AM

The infected computer is a laptop running Vista Home Premium with no internet access currently. Microsoft Security Essentials lists the infection as Alureon.CV, Alureon.BU, Alureon.D etc. Security Center (Windows') seems to be disabled, giving the message "Security Center could not be enabled." when I try. I tried to move MBAM and HJT over via flash drive, and they installed apparently, but nothing happens after running the .exe(s).
Couldn't start the Windows Firewall either, with the message "WF settings cannot be displayed because the associated service is not running. Do you want to start the WF service?"
When I click Yes, I get "Windows cannot start the WF service."
Since I haven't been using the internet, the only internet-related issue I've seen is that MSE warns me of an infection just about every time IE is opened, while working offline.

__________

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.19048
Run by Bob at 3:37:53 on 2011-05-23
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSEARCH PAGE = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://att.yahoo.com
mDefault_Page_URL = hxxp://att.yahoo.com
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\3.bin\MWSSRCAS.DLL
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - mwsBar BHO
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - Yahoo! IE Services Button
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Hotbar: {90b8b761-df2b-48ac-bbe0-bcc03a819b3b} - Hotbar
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} -
TB: Hotbar: {90b8b761-df2b-48ac-bbe0-bcc03a819b3b} -
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
EB: {2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} - Hotbar Information Window
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [RegistryBooster] "c:\program files\uniblue\registrybooster\launcher.exe" delay 20000
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [cdloader] "c:\users\bob\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Avi Player] "c:\program files\avi player\AviPlayer.exe" hmw
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [YMailAdvisor] "c:\program files\yahoo!\common\YMailAdvisor.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\3.bin\M3PLUGIN.DLL,UPF
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\3.bin\mwsoemon.exe
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\3.bin\m3SrchMn.exe" /m=2 /w
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [lxctmon.exe] "c:\program files\lexmark 5400 series\lxctmon.exe"
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [Lexmark 5400 Series Fax Server] "c:\program files\lexmark 5400 series\fm3032.exe" /s
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [EzPrint] "c:\program files\lexmark 5400 series\ezprint.exe"
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: NameServer = 85.255.112.73,85.255.112.7
Notify: igfxcui - igfxdev.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2011-05-23 08:30:06 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{428e8d4a-5a4c-434b-95c0-22cebdb718cf}\MpKsl43939438.sys
2011-05-23 07:57:09 -------- d-sh--w- C:\$RECYCLE.BIN
2011-05-23 07:35:36 388096 ----a-r- c:\users\bob\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-23 07:35:35 -------- d-----w- c:\program files\Trend Micro
2011-05-23 07:31:54 -------- d-----w- c:\program files\CCleaner
2011-05-16 23:02:02 7071056 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{428e8d4a-5a4c-434b-95c0-22cebdb718cf}\mpengine.dll
2011-05-11 10:35:20 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-04-27 19:56:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 19:56:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
.
==================== Find3M ====================
.
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-10 16:12:54 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 16:12:54 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:00:15 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 14:56:29 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 14:56:26 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 14:56:25 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 14:56:25 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 12:53:48 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 14:49:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 12:52:11 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 12:52:04 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 12:51:53 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 12:51:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2001-02-16 06:05:38 9164192 ----a-r- c:\program files\EXCEL.EXE
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001
.
CreateFile("\\.\PHYSICALDRIVE0"): The maximum number of secrets that may be stored in a single system has been exceeded.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x86369D7A]<< >>UNKNOWN [0x8B638D70]<<
_asm { JMP 0x52ceff6; }
1 ntkrnlpa!IofCallDriver[0x824CDFEF] -> \Device\Harddisk0\DR0[0x856CD110]
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
user != kernel MBR !!!
.
============= FINISH: 3:39:58.56 ===============

Edited by Diegno, 23 May 2011 - 05:27 AM.
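The DDS log above already contains the three signs that matter for triage: the hard-coded resolvers on the "TCP: NameServer" line, the "user != kernel MBR !!!" mismatch (the MBR read through the normal user-mode path differs from the one the kernel reads, which is what a hooked disk stack produces), and, in the ComboFix output posted later in this thread, a driver with a random-looking name under system32\drivers plus Security Center monitoring switched off. The script below is an added example, not a tool from this thread or from BleepingComputer, that runs those checks over lines copied from the two logs. The 85.255.112.0/20 range is the published DNSChanger (Rove Digital) rogue-resolver range that the log's two resolvers fall in; the length and vowel-ratio thresholds in looks_random are heuristics chosen here, not anything the logs define.

```python
"""Triage checks for DDS / ComboFix style log lines (added example)."""
import ipaddress
import re

# Published rogue-resolver range of the DNSChanger operation; both resolvers
# on the log's "TCP: NameServer" line (85.255.112.73 and .7) sit inside it.
ROGUE_DNS = ipaddress.ip_network("85.255.112.0/20")

NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")
DRIVER_RE = re.compile(r"\\drivers\\([a-z0-9]+)\.sys$", re.IGNORECASE)
DISABLE_MON_RE = re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1$')
MBR_MISMATCH = "user != kernel MBR"

# Lines copied from the DDS log in the post above and from the ComboFix
# report posted later in the thread (the driver path and registry value).
SAMPLE_LINES = [
    "uStart Page = hxxp://my.yahoo.com/",
    "TCP: NameServer = 85.255.112.73,85.255.112.7",
    "BHO: Hotbar: {90b8b761-df2b-48ac-bbe0-bcc03a819b3b} - Hotbar",
    "device: opened successfully",
    "user: error reading MBR",
    "kernel: MBR read successfully",
    "user != kernel MBR !!!",
    r"2011-02-22 12:52:11 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys",
    r"c:\windows\system32\drivers\gxvxcvqxrmopmeeufxuvinhppptpsjaoqbcqi.sys",
    '"DisableMonitoring"=dword:00000001',
]


def looks_random(stem):
    """Heuristic (thresholds chosen for this example): a driver name made only
    of letters, at least 16 long, with fewer than 30% vowels, is worth a look.
    Legitimate names are short or carry digits (mrxsmb10, MpKsl43939438)."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 16 or len(letters) != len(stem):
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.3


def triage(lines):
    """Return (severity, reason, line) tuples for every line that trips a check."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = NAMESERVER_RE.search(line)
        if m:
            for ip in (s.strip() for s in m.group(1).split(",") if s.strip()):
                if ipaddress.ip_address(ip) in ROGUE_DNS:
                    findings.append(("high", f"resolver {ip} in DNSChanger range", line))
                else:
                    # Any static resolver on a home machine deserves a second look.
                    findings.append(("low", f"static resolver {ip} set, verify with ISP", line))
        if MBR_MISMATCH in line:
            findings.append(("high", "MBR differs between user-mode and kernel read; disk stack hooked", line))
        m = DRIVER_RE.search(line)
        if m and looks_random(m.group(1)):
            findings.append(("high", f"random-looking driver name {m.group(1)}.sys", line))
        if DISABLE_MON_RE.search(line):
            findings.append(("medium", "Security Center monitoring disabled in registry", line))
    return findings


if __name__ == "__main__":
    for sev, why, line in triage(SAMPLE_LINES):
        print(f"[{sev}] {why}\n    {line}")
```

Run it as-is to see the four findings from the thread's own lines; to use it on a fresh log, pass the file's lines to triage() instead of SAMPLE_LINES. The "low" branch for a non-rogue static resolver is deliberate: a resolver override is not proof of anything, but on a consumer laptop it is something the helper would normally ask about.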



#2 CatByte


Posted 23 May 2011 - 11:32 AM

Hi

Please do the following:

Download Combofix from either of the links below. You must rename it to iexplore before saving it.
Save it to your desktop. Change the "save as" file type to "all files".

**Note: In the event you already have Combofix, delete it; this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**

  • If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

Link 1
Link 2

-----------------------------------------------------------


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • NOTE: If ComboFix asks to install the Recovery Console, please ALLOW it to do so.

-----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts. When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

-----------------------------------------------------------



If ComboFix won't run in normal mode, please boot into Safe Mode and run it:

To Enter Safe Mode
  • Go to Start > Shut off your Computer > Restart
  • As the computer starts to boot up, tap the F8 key repeatedly; this will bring up a menu.
  • Use the Up and Down arrow keys to scroll up to Safe Mode
  • Then press the Enter key on your keyboard
  • Go into your usual account

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 Diegno


Posted 23 May 2011 - 04:43 PM

My fault: I had accidentally disabled all Windows "Services" yesterday, but managed to enable them today. Security Center/Firewall have been restored.

_____________________

ComboFix 11-05-23.02 - Bob 05/23/2011 16:07:58.1.2 - x86
Microsoft Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.1013.362 [GMT -5:00]
Running from: c:\users\Bob\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\3.bin\F3CJpeg.dll
c:\program files\MyWebSearch\bar\3.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\3.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\3.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\3.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\3.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\3.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\3.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\3.bin\F3SCrctr.dll
c:\program files\MyWebSearch\bar\3.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\3.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\3.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\3.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\3.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\3.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\3.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\3.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\3.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\3.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\SrchAstt\3.bin\MWSSrcas.dll
c:\program files\puredefmusic\toolbar
c:\program files\puredefmusic\toolbar\Settings\s_pid.dat
c:\programdata\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\programdata\HotbarSA
c:\programdata\HotbarSA\HotbarSA.dat
c:\programdata\HotbarSA\HotbarSA_kyf.dat
c:\programdata\HotbarSA\HotbarSAAbout.mht
c:\programdata\HotbarSA\HotbarSAau.dat
c:\programdata\HotbarSA\HotbarSAEULA.mht
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\About Hotbar.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Games!.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Videos!.lnk
c:\programdata\Microsoft\Windows\Start Menu\Programs\Hotbar\Reset Cursor.lnk
c:\users\Bob\AppData\Roaming\Hotbar
c:\users\Bob\AppData\Roaming\Hotbar\Weather\history
c:\users\Bob\AppData\Roaming\Hotbar\Weather\Weather_XML\Default
c:\users\Bob\AppData\Roaming\Hotbar\Weather\Weather_XML\Genera1
c:\users\Bob\AppData\Roaming\Hotbar\Weather\Weather_XML\General
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherDPA\Links
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherDPA\radar-big.jpg
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherDPA\radar-small
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherDPA\satellite-big.jpg
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherDPA\satellite-small
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherDPA\Weather_XML\Display
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherDPA\Weather_XML\Loading
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherDPA\Weather_XML\screen2
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherDPA\WeatherPreferences
c:\users\Bob\AppData\Roaming\Hotbar\Weather\WeatherStartup.xml
c:\users\Bob\AppData\Roaming\inst.exe
c:\users\Bob\AppData\Roaming\WeatherDPA
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\system32\drivers\gxvxcvqxrmopmeeufxuvinhppptpsjaoqbcqi.sys
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\gxvxcbqakumepddbudaoiifbvbrbucxfwsoqe.dll
c:\windows\system32\gxvxccount
c:\windows\System32\gxvxcycwbmjvmtepyuaovtcybfwyobojvpvgw.dll
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_gxvxcserv.sys
-------\Service_gxvxcserv.sys
-------\Service_MyWebSearchService
-------\Service_usnjsvc
.
.
((((((((((((((((((((((((( Files Created from 2011-04-23 to 2011-05-23 )))))))))))))))))))))))))))))))
.
.
2011-05-23 21:24 . 2011-05-23 21:31 -------- d-----w- c:\users\Bob\AppData\Local\temp
2011-05-23 07:35 . 2011-05-23 07:35 388096 ----a-r- c:\users\Bob\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-23 07:35 . 2011-05-23 07:35 -------- d-----w- c:\program files\Trend Micro
2011-05-23 07:31 . 2011-05-23 07:31 -------- d-----w- c:\program files\CCleaner
2011-05-16 23:02 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{428E8D4A-5A4C-434B-95C0-22CEBDB718CF}\mpengine.dll
2011-05-11 10:35 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-27 19:56 . 2011-03-03 14:56 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 19:56 . 2011-03-03 13:01 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-11 07:04 . 2011-02-28 23:22 7071056 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-10 16:12 . 2011-04-15 13:40 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 16:12 . 2011-04-15 13:40 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:00 . 2011-04-15 13:39 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 14:56 . 2011-04-27 19:56 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 14:56 . 2011-04-27 19:56 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 14:56 . 2011-04-27 19:56 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 14:56 . 2011-04-27 19:56 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 12:53 . 2011-04-15 13:39 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 14:49 . 2011-04-15 13:39 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2001-02-16 06:05 . 2008-02-26 17:57 9164192 ----a-r- c:\program files\EXCEL.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 818288]
"cdloader"="c:\users\Bob\AppData\Roaming\mjusbsp\cdloader2.exe" [2008-12-17 50520]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 153136]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2009-05-08 174424]
"TkBellExe"="c:\program files\real\realplayer\Update\realsched.exe" [2011-01-27 274608]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-16 815104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 4186112]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2007-01-11 483328]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-11-18 827904]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Acer Assist Launcher"="c:\program files\Acer Assist\launcher.exe" [2007-02-02 1261568]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{0cab0400-7395-11d0-a5e5-0020afe2fdd9}"= "qvphook.dll" [2008-05-30 57344]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rootrepeal.sys]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
backupExtension=Common Startup
.
[HKLM\~\startupfolder\C:^Users^Bob^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^StarOffice 8.lnk]
backup=c:\windows\pss\StarOffice 8.lnkStartup
backupExtension=Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-169336076-4065198783-776734391-1000]
"EnableNotificationsRef"=dword:00000001
.
R1 MpKsl04c19d7c;MpKsl04c19d7c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4B1E9F4D-8685-495A-B477-117777D1F1AD}\MpKsl04c19d7c.sys [x]
R1 MpKsl0c1dfb0b;MpKsl0c1dfb0b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE743838-1C1B-437B-BA9A-F0FADA4D6E0B}\MpKsl0c1dfb0b.sys [x]
R1 MpKsl0e229334;MpKsl0e229334;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7F8E9A83-BD8C-4E4F-AE6E-6C375EF2CBAF}\MpKsl0e229334.sys [x]
R1 MpKsl10396ebb;MpKsl10396ebb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF12FEAA-5131-4E1C-B20E-504F46206FD4}\MpKsl10396ebb.sys [x]
R1 MpKsl146fa912;MpKsl146fa912;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKsl146fa912.sys [x]
R1 MpKsl159b55c3;MpKsl159b55c3;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3EE2E323-EFF8-4E0C-9098-3F40A95B9A9D}\MpKsl159b55c3.sys [x]
R1 MpKsl1f84deeb;MpKsl1f84deeb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{02AD61A1-CC10-469C-A4F5-60A4D5B2422C}\MpKsl1f84deeb.sys [x]
R1 MpKsl2090efc9;MpKsl2090efc9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{767C742A-67BB-41A2-85B2-8D853D73F7FD}\MpKsl2090efc9.sys [x]
R1 MpKsl2364cea6;MpKsl2364cea6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4E938F85-AF6C-4DAF-84D6-1C4235CE9FCE}\MpKsl2364cea6.sys [x]
R1 MpKsl24b0c4d4;MpKsl24b0c4d4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4B1E9F4D-8685-495A-B477-117777D1F1AD}\MpKsl24b0c4d4.sys [x]
R1 MpKsl26bb6965;MpKsl26bb6965;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6E862756-ADA5-47C6-AC7C-5699DF42D16E}\MpKsl26bb6965.sys [x]
R1 MpKsl2d1fc635;MpKsl2d1fc635;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4E938F85-AF6C-4DAF-84D6-1C4235CE9FCE}\MpKsl2d1fc635.sys [x]
R1 MpKsl2dea97bc;MpKsl2dea97bc;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKsl2dea97bc.sys [x]
R1 MpKsl304f32ac;MpKsl304f32ac;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{030CEBDD-9B47-449C-8316-8F4E81235CE7}\MpKsl304f32ac.sys [x]
R1 MpKsl32d01060;MpKsl32d01060;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF12FEAA-5131-4E1C-B20E-504F46206FD4}\MpKsl32d01060.sys [x]
R1 MpKsl3692d56e;MpKsl3692d56e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{37EE0F30-1B1A-4302-AA71-09CEB0D401AA}\MpKsl3692d56e.sys [x]
R1 MpKsl389c96bb;MpKsl389c96bb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{37EE0F30-1B1A-4302-AA71-09CEB0D401AA}\MpKsl389c96bb.sys [x]
R1 MpKsl3a691574;MpKsl3a691574;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{767C742A-67BB-41A2-85B2-8D853D73F7FD}\MpKsl3a691574.sys [x]
R1 MpKsl433dc53c;MpKsl433dc53c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6C56CFF5-04D0-40A9-AFC5-4BCF9D5D8DD1}\MpKsl433dc53c.sys [x]
R1 MpKsl43939438;MpKsl43939438;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{428E8D4A-5A4C-434B-95C0-22CEBDB718CF}\MpKsl43939438.sys [2011-05-23 28752]
R1 MpKsl46972bdb;MpKsl46972bdb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{030CEBDD-9B47-449C-8316-8F4E81235CE7}\MpKsl46972bdb.sys [x]
R1 MpKsl48692e97;MpKsl48692e97;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{37EE0F30-1B1A-4302-AA71-09CEB0D401AA}\MpKsl48692e97.sys [x]
R1 MpKsl4d176e2d;MpKsl4d176e2d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKsl4d176e2d.sys [x]
R1 MpKsl4f6d81ed;MpKsl4f6d81ed;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6C56CFF5-04D0-40A9-AFC5-4BCF9D5D8DD1}\MpKsl4f6d81ed.sys [x]
R1 MpKsl506b72d2;MpKsl506b72d2;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9C41985D-C895-493C-8035-1E3CB334356F}\MpKsl506b72d2.sys [x]
R1 MpKsl5302c828;MpKsl5302c828;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKsl5302c828.sys [x]
R1 MpKsl57f2335c;MpKsl57f2335c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{428E8D4A-5A4C-434B-95C0-22CEBDB718CF}\MpKsl57f2335c.sys [x]
R1 MpKsl5805ef7d;MpKsl5805ef7d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKsl5805ef7d.sys [x]
R1 MpKsl5a002ba0;MpKsl5a002ba0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{37EE0F30-1B1A-4302-AA71-09CEB0D401AA}\MpKsl5a002ba0.sys [x]
R1 MpKsl68488146;MpKsl68488146;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7F8E9A83-BD8C-4E4F-AE6E-6C375EF2CBAF}\MpKsl68488146.sys [x]
R1 MpKsl6c48b6b1;MpKsl6c48b6b1;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9C41985D-C895-493C-8035-1E3CB334356F}\MpKsl6c48b6b1.sys [x]
R1 MpKsl6f5b6786;MpKsl6f5b6786;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKsl6f5b6786.sys [x]
R1 MpKsl6f8a0502;MpKsl6f8a0502;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF12FEAA-5131-4E1C-B20E-504F46206FD4}\MpKsl6f8a0502.sys [x]
R1 MpKsl6fdd8ce5;MpKsl6fdd8ce5;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{96EBF348-5DEB-4718-8DAA-9BACA169FC75}\MpKsl6fdd8ce5.sys [x]
R1 MpKsl7096ab17;MpKsl7096ab17;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{02AD61A1-CC10-469C-A4F5-60A4D5B2422C}\MpKsl7096ab17.sys [x]
R1 MpKsl7801b56f;MpKsl7801b56f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{96EBF348-5DEB-4718-8DAA-9BACA169FC75}\MpKsl7801b56f.sys [x]
R1 MpKsl82fc2338;MpKsl82fc2338;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3EE2E323-EFF8-4E0C-9098-3F40A95B9A9D}\MpKsl82fc2338.sys [x]
R1 MpKsl8385d46b;MpKsl8385d46b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9C41985D-C895-493C-8035-1E3CB334356F}\MpKsl8385d46b.sys [x]
R1 MpKsl89bb5127;MpKsl89bb5127;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9C41985D-C895-493C-8035-1E3CB334356F}\MpKsl89bb5127.sys [x]
R1 MpKsl8bab9d80;MpKsl8bab9d80;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF12FEAA-5131-4E1C-B20E-504F46206FD4}\MpKsl8bab9d80.sys [x]
R1 MpKsl8dd68a51;MpKsl8dd68a51;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{96EBF348-5DEB-4718-8DAA-9BACA169FC75}\MpKsl8dd68a51.sys [x]
R1 MpKsl8e5d38f9;MpKsl8e5d38f9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{02AD61A1-CC10-469C-A4F5-60A4D5B2422C}\MpKsl8e5d38f9.sys [x]
R1 MpKsl92b8b4a6;MpKsl92b8b4a6;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{96EBF348-5DEB-4718-8DAA-9BACA169FC75}\MpKsl92b8b4a6.sys [x]
R1 MpKsl9c448b07;MpKsl9c448b07;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF12FEAA-5131-4E1C-B20E-504F46206FD4}\MpKsl9c448b07.sys [x]
R1 MpKsl9d48427c;MpKsl9d48427c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKsl9d48427c.sys [x]
R1 MpKsl9f7e9480;MpKsl9f7e9480;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{37EE0F30-1B1A-4302-AA71-09CEB0D401AA}\MpKsl9f7e9480.sys [x]
R1 MpKsl9fa9e7a0;MpKsl9fa9e7a0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{9B91F9D4-9A23-4B91-BDB0-B763EBE472E2}\MpKsl9fa9e7a0.sys [x]
R1 MpKsla6275678;MpKsla6275678;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{7F8E9A83-BD8C-4E4F-AE6E-6C375EF2CBAF}\MpKsla6275678.sys [x]
R1 MpKsla7e1e647;MpKsla7e1e647;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{37EE0F30-1B1A-4302-AA71-09CEB0D401AA}\MpKsla7e1e647.sys [x]
R1 MpKsla9b39b1c;MpKsla9b39b1c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{767C742A-67BB-41A2-85B2-8D853D73F7FD}\MpKsla9b39b1c.sys [x]
R1 MpKslae69465a;MpKslae69465a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{767C742A-67BB-41A2-85B2-8D853D73F7FD}\MpKslae69465a.sys [x]
R1 MpKslaef63d54;MpKslaef63d54;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF12FEAA-5131-4E1C-B20E-504F46206FD4}\MpKslaef63d54.sys [x]
R1 MpKslb5a83f92;MpKslb5a83f92;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3EE2E323-EFF8-4E0C-9098-3F40A95B9A9D}\MpKslb5a83f92.sys [x]
R1 MpKslb8d4de9c;MpKslb8d4de9c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6E862756-ADA5-47C6-AC7C-5699DF42D16E}\MpKslb8d4de9c.sys [x]
R1 MpKslbbc00480;MpKslbbc00480;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKslbbc00480.sys [x]
R1 MpKslbd276b4b;MpKslbd276b4b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{428E8D4A-5A4C-434B-95C0-22CEBDB718CF}\MpKslbd276b4b.sys [2011-05-16 28752]
R1 MpKslbd3e1a05;MpKslbd3e1a05;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKslbd3e1a05.sys [x]
R1 MpKslcb7b09e4;MpKslcb7b09e4;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKslcb7b09e4.sys [x]
R1 MpKslcc2a181c;MpKslcc2a181c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{030CEBDD-9B47-449C-8316-8F4E81235CE7}\MpKslcc2a181c.sys [x]
R1 MpKslcd045033;MpKslcd045033;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{96E25027-5E01-4F47-B26F-33E1F1EB0A0A}\MpKslcd045033.sys [x]
R1 MpKslcfeb0ee9;MpKslcfeb0ee9;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF12FEAA-5131-4E1C-B20E-504F46206FD4}\MpKslcfeb0ee9.sys [x]
R1 MpKsld18352ce;MpKsld18352ce;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{030CEBDD-9B47-449C-8316-8F4E81235CE7}\MpKsld18352ce.sys [x]
R1 MpKsld6e9085a;MpKsld6e9085a;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{EE743838-1C1B-437B-BA9A-F0FADA4D6E0B}\MpKsld6e9085a.sys [x]
R1 MpKsld747068c;MpKsld747068c;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{37EE0F30-1B1A-4302-AA71-09CEB0D401AA}\MpKsld747068c.sys [x]
R1 MpKsld9c02729;MpKsld9c02729;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKsld9c02729.sys [x]
R1 MpKsle12e324b;MpKsle12e324b;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6E862756-ADA5-47C6-AC7C-5699DF42D16E}\MpKsle12e324b.sys [x]
R1 MpKslec24f0bd;MpKslec24f0bd;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKslec24f0bd.sys [x]
R1 MpKsled4044cb;MpKsled4044cb;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{971EC814-1876-4AE7-B2BF-6FA36B7F265D}\MpKsled4044cb.sys [x]
R1 MpKslf04f785d;MpKslf04f785d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF12FEAA-5131-4E1C-B20E-504F46206FD4}\MpKslf04f785d.sys [x]
R1 MpKslf532b04e;MpKslf532b04e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{02AD61A1-CC10-469C-A4F5-60A4D5B2422C}\MpKslf532b04e.sys [x]
R1 MpKslf7bb697e;MpKslf7bb697e;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{84D3EB51-FE38-4B4B-9E99-BD69D7B20823}\MpKslf7bb697e.sys [x]
R1 MpKslf86ec5de;MpKslf86ec5de;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{96EBF348-5DEB-4718-8DAA-9BACA169FC75}\MpKslf86ec5de.sys [x]
R1 MpKslfbcaa38d;MpKslfbcaa38d;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{6E862756-ADA5-47C6-AC7C-5699DF42D16E}\MpKslfbcaa38d.sys [x]
R1 MpKslfdcc756f;MpKslfdcc756f;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{FF12FEAA-5131-4E1C-B20E-504F46206FD4}\MpKslfdcc756f.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [x]
R3 ALaunchService;ALaunch Service; [x]
R3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [2010-04-10 266544]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R4 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-01-15 20376]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-23 c:\windows\Tasks\User_Feed_Synchronization-{AE58F7F7-0213-45D4-96F6-459D1DF7A1ED}.job
- c:\windows\system32\msfeedssync.exe [2011-04-15 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://att.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-RegistryBooster - c:\program files\Uniblue\RegistryBooster\launcher.exe
HKLM-Run-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\3.bin\M3PLUGIN.DLL
HKLM-Run-lxczbmgr.exe - c:\program files\Lexmark 1200 Series\lxczbmgr.exe
HKLM-Run-lxctmon.exe - c:\program files\Lexmark 5400 Series\lxctmon.exe
HKLM-Run-Lexmark 5400 Series Fax Server - c:\program files\Lexmark 5400 Series\fm3032.exe
HKLM-Run-FaxCenterServer - c:\program files\Lexmark Fax Solutions\fm3032.exe
HKLM-Run-EzPrint - c:\program files\Lexmark 5400 Series\ezprint.exe
SafeBoot-OneCareMP
AddRemove-AT&T Yahoo! Browser Configuration - c:\program files\SBC Yahoo!\Connection Manager\uninstATTConfig.exe
AddRemove-Weather Services - c:\progra~1\THEWEA~1\FRAMEW~1\wxfw.cpl
AddRemove-Yahoo! Extras - c:\progra~1\Yahoo!\Common\UNIN_Y~1.EXE
.
.
.
**************************************************************************
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-169336076-4065198783-776734391-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F57F7F3E-AC53-A155-D09B-85687AA5DC1E}*]
"bbmldflocpkiapbalaocmepjfabmijoogcfp"=hex:61,61,00,00
"abmldflocpkiapbalaldjbcegijgllaall"=hex:61,61,00,00
.
[HKEY_USERS\S-1-5-21-169336076-4065198783-776734391-1000\*g\g(*gH*gH*gH*gH*gH*gH*gH*gl\g٪*g\g*g8*g*gB*g*gʲ*g*g*g3)6{*O>`3)6{*O>`jو_*@2Q]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-169336076-4065198783-776734391-1000\*g\g(*gH*gH*gH*gH*gH*gH*gH*gl\g٪*g\g*g8*g*gB*g*gʲ*g*g*g3)6{*O>`3)6{*O>`jو_*@2Q\Dont Show]
"Dblclick To Manual"=dword:00000000
DUMPHIVE0.003 (REGF)
.
[HKEY_LOCAL_MACHINE\system\ControlSet054\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet054\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\lxctcoms.exe
c:\windows\system32\lxczcoms.exe
c:\acer\Mobility Center\MobilityService.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\acer\Empowering Technology\eSettings\Service\capuserv.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\RtHDVCpl.exe
c:\program files\Launch Manager\QtZgAcer.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\users\Bob\AppData\Local\Temp\RtkBtMnt.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2011-05-23 16:37:44 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-23 21:37
.
Pre-Run: 29,404,303,360 bytes free
Post-Run: 28,911,472,640 bytes free
.
- - End Of File - - 5B236AC3911544B494FE97018FE63998

#4 CatByte
Malware Response Team
Posted 23 May 2011 - 05:58 PM

Hi,

Please do the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT

  • Please open your Malwarebytes Anti-Malware program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 Diegno (Topic Starter)
Posted 23 May 2011 - 06:57 PM

I was unable to get the ESET scanner to run. After installing, the scan begins to download virus signatures, then says "Can not get update. Is Proxy configured?"

_________________

2011/05/23 18:27:28.0935 1896 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/23 18:27:28.0950 1896 ================================================================================
2011/05/23 18:27:28.0950 1896 SystemInfo:
2011/05/23 18:27:28.0950 1896
2011/05/23 18:27:28.0950 1896 OS Version: 6.0.6001 ServicePack: 1.0
2011/05/23 18:27:28.0950 1896 Product type: Workstation
2011/05/23 18:27:28.0950 1896 ComputerName: BOB-PC
2011/05/23 18:27:28.0950 1896 UserName: Bob
2011/05/23 18:27:28.0950 1896 Windows directory: C:\Windows
2011/05/23 18:27:28.0950 1896 System windows directory: C:\Windows
2011/05/23 18:27:28.0950 1896 Processor architecture: Intel x86
2011/05/23 18:27:28.0950 1896 Number of processors: 2
2011/05/23 18:27:28.0950 1896 Page size: 0x1000
2011/05/23 18:27:28.0950 1896 Boot type: Normal boot
2011/05/23 18:27:28.0950 1896 ================================================================================
2011/05/23 18:27:30.0152 1896 Initialize success
2011/05/23 18:27:56.0141 2080 ================================================================================
2011/05/23 18:27:56.0141 2080 Scan started
2011/05/23 18:27:56.0141 2080 Mode: Manual;
2011/05/23 18:27:56.0141 2080 ================================================================================
2011/05/23 18:27:57.0030 2080 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2011/05/23 18:27:57.0108 2080 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/05/23 18:27:57.0186 2080 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/05/23 18:27:57.0233 2080 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/05/23 18:27:57.0280 2080 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/05/23 18:27:57.0358 2080 AFD (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys
2011/05/23 18:27:57.0467 2080 AgereSoftModem (2e3abaacbf547abbb5e73a504a56d05a) C:\Windows\system32\DRIVERS\AGRSM.sys
2011/05/23 18:27:57.0545 2080 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2011/05/23 18:27:57.0608 2080 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/05/23 18:27:57.0732 2080 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2011/05/23 18:27:57.0779 2080 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/05/23 18:27:57.0810 2080 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2011/05/23 18:27:57.0857 2080 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/05/23 18:27:57.0920 2080 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2011/05/23 18:27:57.0998 2080 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/05/23 18:27:58.0044 2080 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/05/23 18:27:58.0091 2080 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/05/23 18:27:58.0154 2080 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2011/05/23 18:27:58.0232 2080 athr (044dcfc10b9144725b0e59ac319759e3) C:\Windows\system32\DRIVERS\athr.sys
2011/05/23 18:27:58.0341 2080 BCM43XV (746f59822a5187510471fc46889b8cc9) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/05/23 18:27:58.0388 2080 BCM43XX (746f59822a5187510471fc46889b8cc9) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/05/23 18:27:58.0450 2080 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/05/23 18:27:58.0575 2080 bowser (8153396d5551276227fa146900f734e6) C:\Windows\system32\DRIVERS\bowser.sys
2011/05/23 18:27:58.0637 2080 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/05/23 18:27:58.0684 2080 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/05/23 18:27:58.0715 2080 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/05/23 18:27:58.0746 2080 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/05/23 18:27:58.0793 2080 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/05/23 18:27:58.0824 2080 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/05/23 18:27:58.0856 2080 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/05/23 18:27:58.0996 2080 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/05/23 18:27:59.0074 2080 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
2011/05/23 18:27:59.0136 2080 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/05/23 18:27:59.0214 2080 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
2011/05/23 18:27:59.0292 2080 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/05/23 18:27:59.0324 2080 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2011/05/23 18:27:59.0355 2080 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/05/23 18:27:59.0542 2080 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/05/23 18:27:59.0604 2080 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/05/23 18:27:59.0682 2080 DfsC (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys
2011/05/23 18:27:59.0745 2080 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
2011/05/23 18:27:59.0792 2080 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
2011/05/23 18:27:59.0963 2080 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/05/23 18:28:00.0057 2080 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\Windows\system32\DRIVERS\dvd43llh.sys
2011/05/23 18:28:00.0182 2080 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
2011/05/23 18:28:00.0244 2080 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/05/23 18:28:00.0291 2080 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
2011/05/23 18:28:00.0384 2080 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/05/23 18:28:00.0525 2080 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
2011/05/23 18:28:00.0556 2080 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
2011/05/23 18:28:00.0603 2080 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/05/23 18:28:00.0665 2080 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/05/23 18:28:00.0728 2080 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/05/23 18:28:00.0774 2080 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/05/23 18:28:00.0806 2080 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
2011/05/23 18:28:00.0852 2080 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/05/23 18:28:00.0884 2080 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/05/23 18:28:00.0962 2080 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/05/23 18:28:01.0040 2080 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/05/23 18:28:01.0086 2080 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/05/23 18:28:01.0133 2080 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/05/23 18:28:01.0180 2080 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/05/23 18:28:01.0227 2080 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
2011/05/23 18:28:01.0274 2080 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/05/23 18:28:01.0383 2080 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
2011/05/23 18:28:01.0445 2080 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/05/23 18:28:01.0492 2080 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/05/23 18:28:01.0617 2080 ialm (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/05/23 18:28:01.0742 2080 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/05/23 18:28:01.0866 2080 igfx (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/05/23 18:28:01.0929 2080 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/05/23 18:28:02.0069 2080 int15 (9d64201c9e5ac8d1f088762ba00ff3ab) C:\Acer\Empowering Technology\eRecovery\int15.sys
2011/05/23 18:28:02.0210 2080 IntcAzAudAddService (04bef1c4aa990e0d5851c7532fc8642c) C:\Windows\system32\drivers\RTKVHDA.sys
2011/05/23 18:28:02.0381 2080 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/05/23 18:28:02.0444 2080 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/05/23 18:28:02.0537 2080 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/05/23 18:28:02.0615 2080 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/05/23 18:28:02.0678 2080 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/05/23 18:28:02.0912 2080 irda (e50a95179211b12946f7e035d60af560) C:\Windows\system32\DRIVERS\irda.sys
2011/05/23 18:28:03.0005 2080 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/05/23 18:28:03.0083 2080 irsir (5896b5ff6332ab2be1582523e9656a67) C:\Windows\system32\DRIVERS\irsir.sys
2011/05/23 18:28:03.0130 2080 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/05/23 18:28:03.0192 2080 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/05/23 18:28:03.0255 2080 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/05/23 18:28:03.0317 2080 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/05/23 18:28:03.0395 2080 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/05/23 18:28:03.0442 2080 kbdhid (d2600cb17b7408b4a83f231dc9a11ac3) C:\Windows\system32\drivers\kbdhid.sys
2011/05/23 18:28:03.0551 2080 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
2011/05/23 18:28:03.0660 2080 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/05/23 18:28:03.0723 2080 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/05/23 18:28:03.0754 2080 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/05/23 18:28:03.0785 2080 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/05/23 18:28:03.0863 2080 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/05/23 18:28:03.0988 2080 LVMVDrv (fe3fb994f8702d9e37648927819b74b8) C:\Windows\system32\DRIVERS\LVMVDrv.sys
2011/05/23 18:28:04.0160 2080 LVUSBSta (caef4c05ba2c1acad4ebcaa4261cd55d) C:\Windows\system32\drivers\LVUSBSta.sys
2011/05/23 18:28:04.0253 2080 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/05/23 18:28:04.0347 2080 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/05/23 18:28:04.0456 2080 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/05/23 18:28:04.0518 2080 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/05/23 18:28:04.0596 2080 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/05/23 18:28:04.0674 2080 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/05/23 18:28:04.0768 2080 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\Windows\system32\DRIVERS\MpFilter.sys
2011/05/23 18:28:04.0815 2080 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/05/23 18:28:06.0110 2080 MpKsla1c01fbe (5f53edfead46fa7adb78eee9ecce8fdf) C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{551880AC-5400-4CBB-AD61-B456F797B7B7}\MpKsla1c01fbe.sys
2011/05/23 18:28:07.0030 2080 MpNWMon (f32e2d6a1640a469a9ed4f1929a4a861) C:\Windows\system32\DRIVERS\MpNWMon.sys
2011/05/23 18:28:07.0092 2080 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/05/23 18:28:07.0170 2080 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/05/23 18:28:07.0248 2080 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
2011/05/23 18:28:07.0326 2080 mrxsmb (cc752d233ef39875ca6885d9415ba869) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/05/23 18:28:07.0389 2080 mrxsmb10 (9049dddd4bd27d43d82f5968f1da76e4) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/05/23 18:28:07.0451 2080 mrxsmb20 (91dc069b6831ef564e7d8c97eaf0343e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/05/23 18:28:07.0498 2080 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
2011/05/23 18:28:07.0529 2080 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/05/23 18:28:07.0623 2080 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/05/23 18:28:07.0670 2080 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/05/23 18:28:07.0794 2080 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/05/23 18:28:07.0872 2080 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/05/23 18:28:07.0935 2080 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/05/23 18:28:07.0997 2080 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
2011/05/23 18:28:08.0091 2080 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/05/23 18:28:08.0138 2080 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/05/23 18:28:08.0184 2080 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
2011/05/23 18:28:08.0231 2080 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
2011/05/23 18:28:08.0309 2080 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
2011/05/23 18:28:08.0387 2080 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/05/23 18:28:08.0450 2080 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/05/23 18:28:08.0481 2080 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/05/23 18:28:08.0528 2080 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/05/23 18:28:08.0574 2080 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/05/23 18:28:08.0621 2080 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
2011/05/23 18:28:08.0699 2080 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/05/23 18:28:08.0746 2080 NisDrv (17e2c08c5ecfbe94a7c67b1c275ee9d9) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
2011/05/23 18:28:08.0824 2080 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
2011/05/23 18:28:08.0886 2080 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/05/23 18:28:08.0980 2080 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
2011/05/23 18:28:09.0152 2080 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
2011/05/23 18:28:09.0245 2080 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/05/23 18:28:09.0308 2080 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/05/23 18:28:09.0354 2080 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/05/23 18:28:09.0401 2080 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/05/23 18:28:09.0448 2080 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2011/05/23 18:28:09.0542 2080 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
2011/05/23 18:28:09.0604 2080 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/05/23 18:28:09.0682 2080 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
2011/05/23 18:28:09.0729 2080 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/05/23 18:28:09.0776 2080 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
2011/05/23 18:28:09.0822 2080 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
2011/05/23 18:28:09.0854 2080 pcmcia (b7c5a8769541900f6dfa6fe0c5e4d513) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/05/23 18:28:09.0932 2080 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\Windows\system32\Drivers\pcouffin.sys
2011/05/23 18:28:10.0041 2080 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/05/23 18:28:10.0244 2080 PID_0928 (eb0855d1c75940d4f992d02ffc522e81) C:\Windows\system32\DRIVERS\LV561AV.SYS
2011/05/23 18:28:10.0415 2080 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/05/23 18:28:10.0478 2080 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/05/23 18:28:10.0524 2080 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
2011/05/23 18:28:10.0571 2080 PSDFilter (c2821f33b846a52fdc25ff554acf11f2) C:\Windows\system32\DRIVERS\psdfilter.sys
2011/05/23 18:28:10.0665 2080 PSDNServ (28d3a91fe7791b970e6b15c88f98dfbd) C:\Windows\system32\drivers\PSDNServ.sys
2011/05/23 18:28:10.0758 2080 psdvdisk (3a66f69459052de13ef8a0f77d728a73) C:\Windows\system32\drivers\psdvdisk.sys
2011/05/23 18:28:10.0961 2080 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/05/23 18:28:11.0039 2080 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/05/23 18:28:11.0133 2080 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/05/23 18:28:11.0273 2080 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/05/23 18:28:11.0351 2080 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/05/23 18:28:11.0445 2080 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/05/23 18:28:11.0492 2080 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
2011/05/23 18:28:11.0523 2080 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
2011/05/23 18:28:11.0585 2080 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/05/23 18:28:11.0632 2080 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/05/23 18:28:11.0710 2080 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/05/23 18:28:11.0741 2080 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
2011/05/23 18:28:11.0850 2080 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/05/23 18:28:11.0913 2080 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/05/23 18:28:11.0991 2080 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/05/23 18:28:12.0053 2080 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/05/23 18:28:12.0116 2080 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/05/23 18:28:12.0162 2080 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/05/23 18:28:12.0240 2080 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2011/05/23 18:28:12.0287 2080 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/05/23 18:28:12.0334 2080 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2011/05/23 18:28:12.0365 2080 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/05/23 18:28:12.0412 2080 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/05/23 18:28:12.0490 2080 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/05/23 18:28:12.0521 2080 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/05/23 18:28:12.0615 2080 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
2011/05/23 18:28:12.0677 2080 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/05/23 18:28:12.0771 2080 srv (2252aef839b1093d16761189f45af885) C:\Windows\system32\DRIVERS\srv.sys
2011/05/23 18:28:12.0864 2080 srv2 (96512f4a30b741e7d33a7936b9abbc20) C:\Windows\system32\DRIVERS\srv2.sys
2011/05/23 18:28:12.0927 2080 srvnet (1c69e33e0e23626da5a34ca5ba0dd990) C:\Windows\system32\DRIVERS\srvnet.sys
2011/05/23 18:28:13.0020 2080 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/05/23 18:28:13.0192 2080 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/05/23 18:28:13.0239 2080 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/05/23 18:28:13.0286 2080 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/05/23 18:28:13.0348 2080 SynTP (2d2c815364a878c7e358d5f549711197) C:\Windows\system32\DRIVERS\SynTP.sys
2011/05/23 18:28:13.0488 2080 Tcpip (6216a954ed7045b62880a92d6c9b9fc7) C:\Windows\system32\drivers\tcpip.sys
2011/05/23 18:28:13.0551 2080 Tcpip6 (6216a954ed7045b62880a92d6c9b9fc7) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/23 18:28:13.0644 2080 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
2011/05/23 18:28:13.0722 2080 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/05/23 18:28:13.0785 2080 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/05/23 18:28:13.0847 2080 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
2011/05/23 18:28:13.0894 2080 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
2011/05/23 18:28:13.0988 2080 tifm21 (f779ba4cd37963ab4600c9871b7752a3) C:\Windows\system32\drivers\tifm21.sys
2011/05/23 18:28:14.0066 2080 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/05/23 18:28:14.0128 2080 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/05/23 18:28:14.0206 2080 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
2011/05/23 18:28:14.0268 2080 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/05/23 18:28:14.0331 2080 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
2011/05/23 18:28:14.0409 2080 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/05/23 18:28:14.0456 2080 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/05/23 18:28:14.0549 2080 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/05/23 18:28:14.0596 2080 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/05/23 18:28:14.0643 2080 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/05/23 18:28:14.0752 2080 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\Windows\system32\Drivers\usbaapl.sys
2011/05/23 18:28:14.0908 2080 usbaudio (292a25bb75a568ae2c67169ba2c6365a) C:\Windows\system32\drivers\usbaudio.sys
2011/05/23 18:28:14.0970 2080 usbbus (5353218b3265e3b8190335059f697a11) C:\Windows\system32\DRIVERS\lgusbbus.sys
2011/05/23 18:28:15.0002 2080 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/05/23 18:28:15.0064 2080 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/05/23 18:28:15.0111 2080 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
2011/05/23 18:28:15.0142 2080 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
2011/05/23 18:28:15.0173 2080 USBModem (083031a78822eccbd7510bccd3e20d4c) C:\Windows\system32\DRIVERS\lgusbmodem.sys
2011/05/23 18:28:15.0220 2080 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/05/23 18:28:15.0267 2080 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/05/23 18:28:15.0298 2080 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/05/23 18:28:15.0329 2080 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/05/23 18:28:15.0376 2080 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/05/23 18:28:15.0423 2080 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/05/23 18:28:15.0516 2080 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/05/23 18:28:15.0563 2080 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/05/23 18:28:15.0594 2080 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/05/23 18:28:15.0626 2080 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/05/23 18:28:15.0672 2080 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/05/23 18:28:15.0735 2080 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
2011/05/23 18:28:15.0844 2080 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
2011/05/23 18:28:15.0891 2080 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/05/23 18:28:15.0953 2080 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/05/23 18:28:16.0000 2080 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/23 18:28:16.0031 2080 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/23 18:28:16.0094 2080 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/05/23 18:28:16.0156 2080 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/05/23 18:28:16.0359 2080 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/05/23 18:28:16.0468 2080 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/05/23 18:28:16.0515 2080 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/05/23 18:28:16.0593 2080 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/05/23 18:28:16.0686 2080 yukonwlh (04e268adfc81964c49dc0c082d520f7e) C:\Windows\system32\DRIVERS\yk60x86.sys
2011/05/23 18:28:16.0858 2080 ================================================================================
2011/05/23 18:28:16.0858 2080 Scan finished
2011/05/23 18:28:16.0858 2080 ================================================================================


___________________

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6658

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

5/23/2011 6:42:48 PM
mbam-log-2011-05-23 (18-42-48).txt

Scan type: Quick scan
Objects scanned: 169263
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{F42228FB-E84E-479E-B922-FBBD096E792C} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EDDBB5EE-BB64-4bfc-9DBE-E7C85941335B} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WakeNet (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\HostOL.MailAnim (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Value: f3PopularScreensavers -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 CatByte
Malware Response Team, 14,664 posts, Location: Canada

Posted 23 May 2011 - 07:06 PM

Hi

do the following:

  • Go to Start > Control Panel, and choose Network Connections.
  • Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.
  • Click the Networking tab
  • Double-click on the Internet Protocol (TCP/IP) item.
  • Write down the settings in case you should need to change them back.
  • Select the radio button that says "Obtain DNS servers automatically".
  • Click OK twice to get out of the properties screen and restart your computer.
  • If not prompted to reboot go ahead and reboot manually.

In I.E.
  • Check internet options settings.
  • Tools > Internet Options > Connections
  • LAN settings
  • Choose "automatically detect settings"
  • uncheck both proxy settings boxes

In FireFox
  • Click on Advanced -> Network -> Settings
  • the No Proxy option should be selected



NEXT



Download TFC to your desktop
Mirror
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
  • Once it's finished it should automatically reboot your machine;
  • if it doesn't, manually reboot to ensure a complete clean.
It's normal after running TFC cleaner that the PC will be slower to boot the first time.



Now please try running ESET again

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
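The DNS and proxy steps above are done by hand through the Control Panel and the browser dialogs. The script below is an added example, not part of the thread and not CatByte's own tooling: it reads the same settings from where they actually live (the per-user WinINet keys for the IE proxy, and the adapter's DNS server list via WMI), prints them so you can see what the malware changed before you touch anything, and with `-Fix` reverts them to "no proxy" and "obtain DNS automatically". It assumes an elevated PowerShell prompt on Vista or later; nothing else about the machine is hard-coded.

```powershell
# Added example (not from the thread): audit, and optionally reset, the WinINet proxy
# and adapter DNS settings that the manual steps above change.
# Assumes: run from an elevated PowerShell prompt (PowerShell 2.0 or later).
param([switch]$Fix)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet

Write-Host "ProxyEnable  : $($p.ProxyEnable)"
Write-Host "ProxyServer  : $($p.ProxyServer)"
Write-Host "AutoConfigURL: $($p.AutoConfigURL)"

# A proxy or PAC URL you did not configure is how adware and rootkit droppers
# route browser traffic through their own hosts; either one counts as dirty here.
$proxyDirty = ($p.ProxyEnable -eq 1) -or $p.AutoConfigURL -or $p.ProxyServer

$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($a in $adapters) {
    $servers = $a.DNSServerSearchOrder
    Write-Host ("{0}: DHCP={1} DNS={2}" -f $a.Description, $a.DHCPEnabled, ($servers -join ','))
    # On a DHCP-configured adapter a statically set DNS list is the thing to look at:
    # write the addresses down (as the post says) before clearing them.
    if ($Fix -and $a.DHCPEnabled -and $servers) {
        # Calling SetDNSServerSearchOrder with no list returns the adapter to
        # DHCP-supplied DNS servers, the same as "Obtain DNS servers automatically".
        $a.SetDNSServerSearchOrder() | Out-Null
        Write-Host "  DNS servers on $($a.Description) reset to DHCP."
    }
}

if ($Fix -and $proxyDirty) {
    Set-ItemProperty    -Path $inet -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $inet -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue
    Write-Host 'Proxy settings cleared; close and reopen Internet Explorer.'
}
```

Run it once without `-Fix` and keep the output: the proxy host or DNS addresses it prints are the indicators worth checking against the rest of the logs. The "Automatically detect settings" checkbox lives in a binary value (`DefaultConnectionSettings`) that this script deliberately leaves alone; set that one in the dialog as the post describes. Firefox keeps its own proxy settings in its profile and is not covered here either.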


#7 Diegno (Topic Starter)
Members, 54 posts, Location: USA

Posted 23 May 2011 - 10:29 PM

ESET ran fine after changing those settings.

_______________________

C:\Program Files\MSN Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\Windows Live\Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application
C:\Program Files\Windows Live\Messenger\riched20.dll Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3CJpeg.dll.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3DTactl.dll.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3HISTSW.DLL.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3HTMLMU.DLL.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3HTTPCT.DLL.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3IMSTUB.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3POPSWT.DLL.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3PSSAVR.SCR.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3REPROX.DLL.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3RESTUB.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3SCHMON.EXE.vir Win32/Adware.FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3SCrctr.dll.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\F3WPHOOK.DLL.vir Win32/FunWeb application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3HIGHIN.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3HTML.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3IDLE.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3IMPIPE.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3MEDINT.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3MSG.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3OUTLCN.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3PLUGIN.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3SKIN.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3SKPLAY.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3SLSRCH.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\M3SRCHMN.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL.vir a variant of Win32/Toolbar.MyWebSearch.J application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\MWSSVC.EXE.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSrcas.dll.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\About Hotbar.lnk.vir LNK/URL.B trojan
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Customer Support Center.lnk.vir LNK/URL.B trojan
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Games!.lnk.vir LNK/URL.B trojan
C:\Qoobox\Quarantine\C\ProgramData\Microsoft\Windows\Start Menu\Programs\Hotbar\Hotbar Videos!.lnk.vir LNK/URL.B trojan
C:\Qoobox\Quarantine\C\Windows\System32\f3PSSavr.scr.vir Win32/Toolbar.MyWebSearch application
C:\Qoobox\Quarantine\C\Windows\System32\gxvxcbqakumepddbudaoiifbvbrbucxfwsoqe.dll.vir a variant of Win32/Kryptik.PF trojan
C:\Qoobox\Quarantine\C\Windows\System32\gxvxcycwbmjvmtepyuaovtcybfwyobojvpvgw.dll.vir a variant of Win32/Kryptik.PF trojan
C:\Qoobox\Quarantine\C\Windows\System32\drivers\gxvxcvqxrmopmeeufxuvinhppptpsjaoqbcqi.sys.vir a variant of Win32/Rootkit.Kryptik.T trojan

Edited by Diegno, 23 May 2011 - 10:30 PM.


#8 CatByte
Malware Response Team, 14,664 posts, Location: Canada

Posted 23 May 2011 - 10:49 PM

These files appear to contain malware, navigate to them > right click and delete them:

C:\Program Files\MSN Messenger\riched20.dll
C:\Program Files\Windows Live\Messenger\msimg32.dll
C:\Program Files\Windows Live\Messenger\riched20.dll



NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X).
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date.
Java™ 6 Update 22 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup) If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

NEXT

Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues

Edited by CatByte, 23 May 2011 - 10:50 PM.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
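The three files CatByte asks to be deleted share a pattern worth recognising: `riched20.dll` and `msimg32.dll` are Windows system libraries, but these copies sit in application folders under Program Files. A DLL with a system library's name placed in a program's own directory is loaded ahead of the genuine copy in System32 by every executable in that folder that imports it, which is how a toolbar gets itself loaded into Messenger without touching Messenger's files. The script below is an added example, not from the thread and not a BleepingComputer tool: it walks Program Files, picks out DLLs whose names collide with a System32 DLL, and reports any whose MD5 differs from the system copy together with its Authenticode status. The `$roots` list and PowerShell 2.0 are assumptions.

```powershell
# Added example (not from the thread): find DLLs under Program Files that carry the
# name of a Windows system DLL but are not the System32 copy, the planting pattern
# behind the three files listed above.
# Assumes: PowerShell 2.0 or later; $roots is an assumption, adjust it to the machine.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$sys32 = Join-Path $env:windir 'System32'

$md5 = [System.Security.Cryptography.MD5]::Create()
function Get-Md5([string]$path) {
    $fs = [System.IO.File]::OpenRead($path)
    try   { ([System.BitConverter]::ToString($md5.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Names of the genuine system DLLs; hash a system copy only when a collision shows up.
$sysNames = @{}
Get-ChildItem -Path $sys32 -Filter '*.dll' | ForEach-Object { $sysNames[$_.Name.ToLower()] = $_.FullName }
$sysHash = @{}

foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
      Where-Object { $sysNames.ContainsKey($_.Name.ToLower()) } |
      ForEach-Object {
        $name = $_.Name.ToLower()
        if (-not $sysHash.ContainsKey($name)) { $sysHash[$name] = Get-Md5 $sysNames[$name] }
        $h = Get-Md5 $_.FullName
        if ($h -ne $sysHash[$name]) {
            # Different bytes from the System32 copy: report hash and signature so the
            # reader can match it against scanner output (TDSSKiller prints MD5 too).
            $sig    = Get-AuthenticodeSignature $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            "{0}`n    md5={1} signature={2} signer={3}" -f $_.FullName, $h, $sig.Status, $signer
        }
      }
}
```

Treat a hit as a lead, not a verdict: plenty of legitimate software ships private copies of `msvcr*.dll`, `riched20.dll` and similar in its own folder, so look at the signer, the file's timestamp, and whether the vendor of the surrounding program would plausibly ship it. A copy that is unsigned, or signed by an unrelated party, sitting next to a Microsoft product's executable is the case that matches the three paths in the ESET log.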


#9 Diegno (Topic Starter)
Members, 54 posts, Location: USA

Posted 24 May 2011 - 01:47 AM

The three files appear to have been removed successfully.
No real issues to speak of at this point. Computer and internet seem to be running fine.
_________________

DDS.txt:

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.19048
Run by Bob at 1:34:48 on 2011-05-24
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.350 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Acer\Empowering Technology\eNet\eNet Service.exe
C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\lxctcoms.exe
C:\Windows\system32\lxczcoms.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Bob\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Bob\Documents\MBAM2011\dds.scr
C:\Windows\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://att.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - Yahoo! IE Services Button
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [cdloader] "c:\users\bob\appdata\roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup
mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Notify: igfxcui - igfxdev.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsleb6902a7;MpKsleb6902a7;c:\programdata\microsoft\microsoft antimalware\definition updates\{7838992c-adab-4788-b3d3-d0b265c8c71c}\MpKsleb6902a7.sys [2011-5-24 28752]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 OcHealthMon;Windows Live OneCare Health Monitor;"c:\program files\microsoft windows onecare live\ochealthmon.exe" --> c:\program files\microsoft windows onecare live\OcHealthMon.exe [?]
S3 ALaunchService;ALaunch Service; [x]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2010-4-10 266544]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2009-1-15 20376]
.
=============== Created Last 30 ================
.
2011-05-24 06:07:45 439632 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{9ac37835-9979-46de-9c80-64f0aba59fcd}\gapaengine.dll
2011-05-24 06:07:44 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{7838992c-adab-4788-b3d3-d0b265c8c71c}\MpKsleb6902a7.sys
2011-05-24 06:07:21 6962000 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{7838992c-adab-4788-b3d3-d0b265c8c71c}\mpengine.dll
2011-05-23 23:48:56 -------- d-----w- c:\program files\ESET
2011-05-23 23:30:30 -------- d-----w- c:\users\bob\appdata\roaming\Malwarebytes
2011-05-23 21:30:23 -------- d-----w- C:\$RECYCLE.BIN
2011-05-23 21:24:25 -------- d-----w- c:\users\bob\appdata\local\temp
2011-05-23 20:51:56 98816 ----a-w- c:\windows\sed.exe
2011-05-23 20:51:56 89088 ----a-w- c:\windows\MBR.exe
2011-05-23 20:51:56 256512 ----a-w- c:\windows\PEV.exe
2011-05-23 20:51:56 161792 ----a-w- c:\windows\SWREG.exe
2011-05-23 20:51:48 -------- d-----w- C:\ComboFix
2011-05-23 07:35:36 388096 ----a-r- c:\users\bob\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-23 07:35:35 -------- d-----w- c:\program files\Trend Micro
2011-05-23 07:31:54 -------- d-----w- c:\program files\CCleaner
2011-05-11 10:35:20 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-04-27 19:56:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-27 19:56:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
.
==================== Find3M ====================
.
2011-04-06 21:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-10 16:12:54 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 16:12:54 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:00:15 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 14:56:29 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 14:56:26 459776 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 14:56:25 541696 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 14:56:25 2153984 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 12:53:48 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 14:49:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2001-02-16 06:05:38 9164192 ----a-r- c:\program files\EXCEL.EXE
.
============= FINISH: 1:35:26.86 ===============

Edited by Diegno, 24 May 2011 - 02:01 AM.


#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 May 2011 - 08:31 AM

Hi

Just some housekeeping to do now,

Please do the following:


You can delete the TDSSKiller, DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the runbox and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job
    • Once it's finished it should automatically reboot your machine,
    • If it doesn't, manually reboot to ensure a complete clean
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 Diegno

Diegno
  • Topic Starter

  • Members
  • 54 posts
  • Gender:Male
  • Location:USA

Posted 24 May 2011 - 03:00 PM

Thanks for the help, CatByte! My laptop seems to be running much better, but there were a few odd things I wanted to ask about. While uninstalling ComboFix I received a Windows message saying that "pev.cfxxe has stopped working". Is that related to malware?
The other thing was the running process "C:\Users\Bob\AppData\Local\Temp\RtkBtMnt.exe" in my last DDS log. Is it normal to be running from a Temp location?

Edited by Diegno, 24 May 2011 - 04:17 PM.


#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 May 2011 - 07:23 PM

RtkBtMnt.exe is related to RealTek and it does appear to be running from a temp folder....

http://www.exe-dll.com/process/rtkbtmnt.exe.htm

I'm not sure why Realtek would choose a temp folder, but there is likely a reason; they may have a FAQ on their website where you could ask.

"pev.cfxxe" is part of ComboFix, and nothing to worry about.

If you want to upload that file to make certain, then do the following:

submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel,
  • click on the file C:\Users\Bob\AppData\Local\Temp\RtkBtMnt.exe
  • then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

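The two things this exchange turns on, a service entry whose binary DDS could not confirm and an executable running from a user Temp folder, can be pulled out of a DDS log mechanically instead of by eye. The following Python is an added example, not part of the thread or of the DDS tool: it parses a constructed sample written in the shape of the SERVICES / DRIVERS and Running Processes lines above and lists the entries worth a second look (the reading of the [x] and [?] markers is inferred from the log, not taken from DDS documentation).

```python
import re

# Constructed sample in the shape of the DDS log above: four service lines
# (paths shortened) plus one path from the Running Processes section.
SAMPLE = (
    'R1 MpFilter;Microsoft Malware Protection Driver;'
    'c:\\windows\\system32\\drivers\\MpFilter.sys [2010-10-24 165264]\n'
    'S2 OcHealthMon;Windows Live OneCare Health Monitor;'
    '"c:\\program files\\onecare\\ochealthmon.exe" --> '
    'c:\\program files\\onecare\\OcHealthMon.exe [?]\n'
    'S3 ALaunchService;ALaunch Service; [x]\n'
    'S4 atashost;WebEx Service Host;c:\\windows\\system32\\atashost.exe [2009-1-15 20376]\n'
    'C:\\Users\\Bob\\AppData\\Local\\Temp\\RtkBtMnt.exe\n'
)

# DDS service/driver line: "<state> <name>;<display name>;<path and trailer>"
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')
# Any path component named Temp (covers ...\AppData\Local\Temp\ and c:\windows\temp\).
TEMP_RE = re.compile(r'\\temp\\', re.IGNORECASE)

def parse_service(line):
    """Split a DDS service/driver line into its fields; None if the line is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, name, display, rest = m.groups()
    rest = rest.strip()
    marker = rest[-3:] if rest.endswith(('[x]', '[?]')) else None
    # DDS may print "registered path --> resolved path"; keep the resolved one
    # and drop the trailing "[date size]" or "[x]/[?]" bracket.
    path = rest.split('-->')[-1].rsplit('[', 1)[0].strip().strip('"')
    return {'state': state, 'name': name, 'display': display,
            'path': path, 'marker': marker}

def triage(text):
    """Return (item, reason) pairs for the lines a responder should look at twice."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        svc = parse_service(line)
        if svc is None:
            path = line                      # a bare Running Processes entry
        else:
            path = svc['path']
            if svc['marker'] == '[x]':
                findings.append((svc['name'], 'no image path listed ([x])'))
            elif svc['marker'] == '[?]':
                findings.append((svc['name'], 'registered path not confirmed ([?])'))
        if TEMP_RE.search(path):
            findings.append((path, 'executable runs from a Temp directory'))
    return findings

if __name__ == '__main__':
    for item, reason in triage(SAMPLE):
        print(f'{reason}: {item}')
```

A Temp-directory hit is a prompt to verify the file (as CatByte does here via VirusTotal), not a verdict: legitimate vendor components do sometimes run from there.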


#13 Diegno

Diegno
  • Topic Starter

  • Members
  • 54 posts
  • Gender:Male
  • Location:USA

Posted 24 May 2011 - 08:04 PM

http://www.virustotal.com/file-scan/compact.html?id=9c4a541f58ee46014483ebb41f3ff35e6e1fbdcfe1286fc29b83d95b6b23d3df-1306284632

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 24 May 2011 - 08:08 PM

That's good, nothing to be concerned with then

stay safe :hello:

~CB



#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 29 May 2011 - 01:08 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





