
LocalServicenetworkRestricted/Tarma?


  • This topic is locked
25 replies to this topic

#1 MaryFigura

MaryFigura

  • Members
  • 13 posts
  • OFFLINE

Posted 07 June 2011 - 07:30 PM

Hello,

When I call up my taskmgr, I have noticed really weird entries that I can't remember having before. This is from Services; for example, the Windows Font Cache Svc, under Group, has this: LocalServiceAndNoImpersonation and LocalServiceNetworkRestricted.

Now every so often, an error message will come up when I am saving to the desktop: "No CD in Drive!" with three options: Cancel, Try Again, Continue. You have to hit any of them several times before this error goes away.

In my email, something/someone has gotten into my email account and sent messages to people on my contacts list; this always comes back as a delivery status notification (failure), but a few on my list got an email about some male enhancement link or something like that. So I am not sure how to proceed.

I have Spybot and SUPERAntiSpyware, as well as avast and Windows Firewall. Spybot comes up with several entries, one of which is Yantoo, or something like that. No matter how many times I run it, those entries still come back. So any help you all can give me would be really appreciated.

Thanks,
mary

AS REQUESTED:

.
DDS (Ver_2011-06-03.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by MARY at 17:35:28 on 2011-06-07
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.8190.5870 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
B:\Windows\system32\wininit.exe
B:\Windows\system32\lsm.exe
B:\Windows\system32\svchost.exe -k DcomLaunch
B:\Windows\system32\svchost.exe -k rpcss
B:\Windows\System32\svchost.exe -k secsvcs
B:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
B:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
B:\Windows\system32\svchost.exe -k netsvcs
B:\Windows\system32\AUDIODG.EXE
B:\Windows\system32\svchost.exe -k GPSvcGroup
B:\Windows\system32\SLsvc.exe
B:\Windows\system32\svchost.exe -k LocalService
B:\Windows\system32\svchost.exe -k NetworkService
B:\Program Files\Alwil Software\Avast5\AvastSvc.exe
B:\Windows\System32\spoolsv.exe
B:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
B:\Windows\system32\Dwm.exe
B:\Windows\system32\taskeng.exe
B:\Windows\Explorer.EXE
B:\Windows\system32\taskeng.exe
B:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
B:\Windows\system32\AEADISRV.EXE
B:\Windows\system32\svchost.exe -k apphost
B:\Windows\system32\CISVC.EXE
B:\Windows\System32\svchost.exe -k LPDService
B:\Windows\system32\mqsvc.exe
B:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
B:\Windows\SysWOW64\PnkBstrA.exe
B:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
B:\Windows\system32\svchost.exe -k imgsvc
B:\Windows\system32\svchost.exe -k iissvcs
B:\Windows\System32\svchost.exe -k WerSvcGroup
B:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
B:\Windows\system32\WUDFHost.exe
B:\Windows\System32\alg.exe
B:\Program Files\Windows Media Player\wmpnscfg.exe
B:\Program Files\Windows Media Player\wmpnetwk.exe
B:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
B:\Windows\system32\svchost.exe -k WindowsMobile
B:\Windows\system32\wuauclt.exe
B:\Windows\splwow64.exe
B:\Program Files\Alwil Software\Avast5\AvastUI.exe
B:\ComboFix\CF144.cfxxe
B:\Users\MARY\AppData\Local\Google\Chrome\Application\chrome.exe
B:\Windows\SysWOW64\rundll32.exe
B:\Users\MARY\AppData\Local\Google\Chrome\Application\chrome.exe
B:\Users\MARY\AppData\Local\Google\Chrome\Application\chrome.exe
B:\Windows\system32\Taskmgr.exe
B:\Users\MARY\AppData\Local\Google\Chrome\Application\chrome.exe
B:\Windows\system32\NOTEPAD.EXE
B:\Windows\system32\DllHost.exe
B:\Windows\system32\DllHost.exe
B:\Windows\SysWOW64\cmd.exe
B:\Windows\SysWOW64\cscript.exe
B:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - B:\Program Files (x86)\XfireXO\prxtbXfi0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - B:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - B:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - B:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - B:\Program Files (x86)\XfireXO\prxtbXfi0.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - B:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - B:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - B:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
TB: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - B:\Program Files (x86)\XfireXO\prxtbXfi0.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - B:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
EB: {32004B8A-44A9-43E7-84E9-808838809519} - No File
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - B:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - B:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - B:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} - hxxp://ccfiles.creative.com/Web/softwareupdate/su/ocx/15101/CTSUEng.cab
DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} - hxxp://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15116/CTPID.cab
TCP: DhcpNameServer = 68.87.85.102 68.87.69.150
TCP: Interfaces\{90C8329A-D66C-4CD9-8DE0-014C41359B6A} : DhcpNameServer = 68.87.85.102 68.87.69.150
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - B:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - B:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - B:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Conduit Engine : {30F9B915-B755-4826-820B-08FBA6BD249D} - B:\Program Files (x86)\ConduitEngine\prxConduitEngine.dll
BHO-X64: Conduit Engine - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - B:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - B:\Program Files (x86)\XfireXO\prxtbXfi0.dll
BHO-X64: XfireXO - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - B:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - B:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - B:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
TB-X64: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - B:\Program Files (x86)\XfireXO\prxtbXfi0.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - B:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
EB-X64: {32004B8A-44A9-43E7-84E9-808838809519} - No File
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - B:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - B:\Users\MARY\AppData\Roaming\Mozilla\Firefox\Profiles\qhgqk4li.default\
FF - plugin: B:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: B:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: B:\Program Files (x86)\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: B:\Users\MARY\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: B:\Users\MARY\AppData\Roaming\Mozilla\Firefox\Profiles\qhgqk4li.default\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}\plugins\npProductDetectPlugin.dll
FF - plugin: B:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - B:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - B:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;B:\Windows\system32\drivers\aswSnx.sys --> B:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;B:\Windows\system32\drivers\aswSP.sys --> B:\Windows\system32\drivers\aswSP.sys [?]
R1 SASDIFSV;SASDIFSV;B:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2010-2-17 14920]
R1 SASKUTIL;SASKUTIL;B:\Program Files\SUPERAntiSpyware\saskutil64.sys [2010-2-17 12360]
R2 !SASCORE;SAS Core Service;B:\Program Files\SUPERAntiSpyware\SASCore64.exe [2011-5-4 128384]
R2 aswFsBlk;aswFsBlk;B:\Windows\system32\drivers\aswFsBlk.sys --> B:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\B:\Windows\system32\drivers\aswMonFlt.sys --> B:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;B:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2010-12-18 42184]
R2 FontCache;Windows Font Cache Service;B:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 SBSDWSCService;SBSD Security Center Service;B:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-5-22 1153368]
R2 sensorsview64;sensorsview64;B:\Windows\SysWOW64\sensorsview32_64.sys [2011-5-24 14544]
R3 amdkmdag;amdkmdag;B:\Windows\system32\DRIVERS\atikmdag.sys --> B:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;B:\Windows\system32\DRIVERS\atikmpag.sys --> B:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;B:\Windows\system32\DRIVERS\yk60x64.sys --> B:\Windows\system32\DRIVERS\yk60x64.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;B:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;B:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);B:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-6 136176]
S3 COMMONFX.SYS;COMMONFX.SYS;B:\Windows\system32\drivers\COMMONFX.SYS --> B:\Windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;B:\Windows\system32\drivers\COMMONFX.SYS --> B:\Windows\system32\drivers\COMMONFX.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;B:\Windows\system32\drivers\CTAUDFX.SYS --> B:\Windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;B:\Windows\system32\drivers\CTAUDFX.SYS --> B:\Windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;B:\Windows\system32\drivers\CTERFXFX.SYS --> B:\Windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;B:\Windows\system32\drivers\CTERFXFX.SYS --> B:\Windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;B:\Windows\system32\drivers\CTSBLFX.SYS --> B:\Windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;B:\Windows\system32\drivers\CTSBLFX.SYS --> B:\Windows\system32\drivers\CTSBLFX.SYS [?]
S3 gupdatem;Google Update Service (gupdatem);B:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-3-6 136176]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;B:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;B:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 PerfHost;Performance Counter DLL Host;B:\Windows\SysWOW64\perfhost.exe [2008-1-20 19968]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);B:\Windows\system32\DRIVERS\ssadbus.sys --> B:\Windows\system32\DRIVERS\ssadbus.sys [?]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);B:\Windows\system32\DRIVERS\ssadmdfl.sys --> B:\Windows\system32\DRIVERS\ssadmdfl.sys [?]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;B:\Windows\system32\DRIVERS\ssadmdm.sys --> B:\Windows\system32\DRIVERS\ssadmdm.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;B:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-3-18 1020768]
S4 AMD External Events Utility;AMD External Events Utility;B:\Windows\system32\atiesrxx.exe --> B:\Windows\system32\atiesrxx.exe [?]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;B:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2010-10-1 89920]
.
=============== File Associations ===============
.
JSEFile=B:\Windows\SysWOW64\WScript.exe "%1" %*
.
=============== Created Last 30 ================
.
2011-06-07 22:57:22 98816 ----a-w- B:\Windows\sed.exe
2011-06-07 22:57:22 518144 ----a-w- B:\Windows\SWREG.exe
2011-06-07 22:57:22 256512 ----a-w- B:\Windows\PEV.exe
2011-06-07 22:57:22 208896 ----a-w- B:\Windows\MBR.exe
2011-06-07 22:57:18 -------- d-----w- B:\ComboFix
2011-06-07 02:39:27 0 ---ha-w- B:\Users\MARY\AppData\Local\BIT4C71.tmp
2011-06-06 20:14:11 404640 ----a-w- B:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-06-03 18:43:52 8718160 ----a-w- B:\ProgramData\Microsoft\Windows Defender\Definition Updates\{65441EB6-FF71-4F31-A987-81223C647E96}\mpengine.dll
2011-05-28 23:46:24 0 ----a-w- B:\Windows\SysWow64\ConduitEngine.tmp
2011-05-28 23:46:24 -------- d-----w- B:\Program Files (x86)\ConduitEngine
2011-05-28 23:46:23 -------- d-----w- B:\Users\MARY\AppData\Local\Conduit
2011-05-24 23:59:04 360580 ----a-w- B:\Windows\eSellerateEngine.dll
2011-05-24 23:59:04 -------- d-----w- B:\Program Files (x86)\Hot CPU Tester Pro 4 LE
2011-05-24 23:58:01 14544 ----a-w- B:\Windows\SysWow64\sensorsview32_64.sys
2011-05-24 23:57:24 -------- d-----w- B:\Program Files (x86)\SensorsViewPro32
2011-05-24 02:14:33 -------- d-----w- B:\Boot
2011-05-24 00:19:59 -------- d-----w- B:\Program Files (x86)\NeoSmart Technologies
2011-05-23 21:23:04 -------- d-----w- B:\Program Files (x86)\Microsoft Games
2011-05-23 20:59:50 3851784 ----a-w- B:\Windows\SysWow64\D3DX9_39.dll
2011-05-23 20:59:23 2048 ----a-w- B:\Program Files (x86)\Microsoft Games\Tinker\SparkResource.dll
2011-05-23 20:59:22 333312 ----a-w- B:\Program Files (x86)\Microsoft Games\Tinker\SparkGDF.dll
2011-05-23 20:59:22 1307136 ----a-w- B:\Program Files (x86)\Microsoft Games\Tinker\Tinker.exe
2011-05-22 08:49:28 -------- d-----w- B:\Users\MARY\AppData\Roaming\SUPERAntiSpyware.com
2011-05-22 08:49:28 -------- d-----w- B:\ProgramData\SUPERAntiSpyware.com
2011-05-22 08:49:24 -------- d-----w- B:\ProgramData\!SASCORE
2011-05-22 08:49:22 -------- d-----w- B:\Program Files\SUPERAntiSpyware
2011-05-22 08:28:51 -------- d-----w- B:\ProgramData\Spybot - Search & Destroy
2011-05-22 08:28:51 -------- d-----w- B:\Program Files (x86)\Spybot - Search & Destroy
2011-05-22 05:01:44 2409784 ----a-w- B:\Program Files\Windows Mail\OESpamFilter.dat
2011-05-22 05:01:44 2409784 ----a-w- B:\Program Files (x86)\Windows Mail\OESpamFilter.dat
2011-05-22 05:01:11 876032 ----a-w- B:\Windows\SysWow64\XpsPrint.dll
2011-05-22 05:01:11 1653760 ----a-w- B:\Windows\System32\XpsPrint.dll
2011-05-22 05:01:04 4240384 ----a-w- B:\Windows\SysWow64\GameUXLegacyGDFs.dll
2011-05-22 05:01:04 32256 ----a-w- B:\Windows\System32\Apphlpdm.dll
2011-05-22 05:01:04 28672 ----a-w- B:\Windows\SysWow64\Apphlpdm.dll
2011-05-22 05:01:03 4240384 ----a-w- B:\Windows\System32\GameUXLegacyGDFs.dll
2011-05-22 05:00:32 -------- d-----w- B:\Users\MARY\AppData\Roaming\VSRevoGroup
2011-05-22 03:39:58 48128 ----a-w- B:\Windows\System32\atmlib.dll
2011-05-22 03:39:58 367616 ----a-w- B:\Windows\System32\atmfd.dll
2011-05-22 03:39:58 34304 ----a-w- B:\Windows\SysWow64\atmlib.dll
2011-05-22 03:39:58 292864 ----a-w- B:\Windows\SysWow64\atmfd.dll
2011-05-22 03:39:55 1360384 ----a-w- B:\Windows\System32\mfc42u.dll
2011-05-22 03:39:54 1398784 ----a-w- B:\Windows\System32\mfc42.dll
2011-05-22 03:39:54 1162240 ----a-w- B:\Windows\SysWow64\mfc42u.dll
2011-05-22 03:39:54 1136640 ----a-w- B:\Windows\SysWow64\mfc42.dll
2011-05-22 03:39:51 28672 ----a-w- B:\Windows\System32\dnscacheugc.exe
2011-05-22 03:39:50 25088 ----a-w- B:\Windows\SysWow64\dnscacheugc.exe
2011-05-22 01:38:12 -------- d-----w- B:\$RECYCLE(4).BIN
2011-05-21 20:29:57 -------- d-----w- B:\Windows\Temp(527)
2011-05-10 22:56:42 19016 ----a-w- B:\Windows\System32\drivers\sscdmdfl.sys
2011-05-10 22:56:42 172104 ----a-w- B:\Windows\System32\drivers\sscdmdm.sys
2011-05-10 22:56:42 15944 ----a-w- B:\Windows\System32\drivers\sscdwhnt.sys
2011-05-10 22:56:42 15944 ----a-w- B:\Windows\System32\drivers\sscdwh.sys
2011-05-10 22:56:42 15432 ----a-w- B:\Windows\System32\drivers\sscdcmnt.sys
2011-05-10 22:56:42 15432 ----a-w- B:\Windows\System32\drivers\sscdcm.sys
2011-05-10 22:56:42 136264 ----a-w- B:\Windows\System32\drivers\sscdbus.sys
2011-05-10 22:54:47 16872 ----a-w- B:\Windows\System32\drivers\ssadmdfl.sys
2011-05-10 22:54:47 159208 ----a-w- B:\Windows\System32\drivers\ssadmdm.sys
2011-05-10 22:54:47 13800 ----a-w- B:\Windows\System32\drivers\ssadwhnt.sys
2011-05-10 22:54:47 13800 ----a-w- B:\Windows\System32\drivers\ssadwh.sys
2011-05-10 22:54:47 13288 ----a-w- B:\Windows\System32\drivers\ssadcmnt.sys
2011-05-10 22:54:47 13288 ----a-w- B:\Windows\System32\drivers\ssadcm.sys
2011-05-10 22:54:47 125416 ----a-w- B:\Windows\System32\drivers\ssadbus.sys
2011-05-10 22:53:51 -------- d-----w- B:\Program Files (x86)\Samsung
2011-05-10 22:53:03 -------- d-----w- B:\ProgramData\Samsung
2011-05-10 22:52:46 -------- d-----w- B:\Users\MARY\AppData\Local\Downloaded Installations
.
==================== Find3M ====================
.
2011-06-07 16:22:42 202448 ----a-w- B:\Windows\SysWow64\PnkBstrB.exe
2011-05-10 12:10:59 40112 ----a-w- B:\Windows\avastSS.scr
2011-04-20 23:28:45 1785344 ----a-w- B:\Windows\SysWow64\iertutil(1164).dll
2011-04-20 23:28:45 1126912 ----a-w- B:\Windows\SysWow64\wininet.dll
2011-04-20 23:28:45 1126912 ----a-w- B:\Windows\SysWow64\wininet(1207).dll
2011-04-20 23:28:45 1102336 ----a-w- B:\Windows\SysWow64\urlmon(1201).dll
2011-04-20 23:28:44 2136064 ----a-w- B:\Windows\System32\iertutil(1018).dll
2011-04-20 23:28:44 1389056 ----a-w- B:\Windows\System32\wininet.dll
2011-04-20 23:28:44 1389056 ----a-w- B:\Windows\System32\wininet(1082).dll
2011-04-20 23:28:44 1344000 ----a-w- B:\Windows\System32\urlmon(1069).dll
2011-04-08 11:28:58 41872 ----a-w- B:\Windows\SysWow64\xfcodec.dll
2011-04-08 11:28:58 27536 ----a-w- B:\Windows\System32\xfcodec64.dll
2011-03-24 02:48:51 431104 ----a-w- B:\Windows\System32\wrap_oal.dll
2011-03-24 02:48:51 136192 ----a-w- B:\Windows\System32\OpenAL32.dll
2011-03-24 02:48:50 409600 ----a-w- B:\Windows\SysWow64\wrap_oal.dll
2011-03-24 02:48:50 114688 ----a-w- B:\Windows\SysWow64\OpenAL32.dll
.
============= FINISH: 17:37:34.32 ===============

Edited by MaryFigura, 07 June 2011 - 07:40 PM.
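The group names that prompted the question (LocalServiceAndNoImpersonation, LocalServiceNetworkRestricted, and the other -k groups in the DDS process list above) are the stock Vista service groups: svchost.exe -k <group> reads that group's service list from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and loads each listed service's ServiceDll from the service's Parameters key, so the names themselves are not evidence of infection. What is worth checking is which DLL each hosted service actually loads, and whether any service claims a -k group that the registry never defined. The script below is an added example written for this page; it is not part of the thread and not code from DDS, ComboFix or any other tool mentioned here. It assumes an elevated PowerShell 2.0 or later prompt and reads only the registry keys named above, using $env:SystemRoot rather than a fixed drive letter (the logs above show Windows installed on B:). One caveat a practitioner needs: on Vista and Windows 7 most system DLLs are catalog-signed rather than embedded-signed, and Get-AuthenticodeSignature on those versions does not consult security catalogs, so a NotSigned result for a file under %SystemRoot% means "verify with Sysinternals sigcheck or sfc /verifyfile", not "malicious"; on Windows 10 and later the same cmdlet does check catalogs and stock DLLs report Valid.

```powershell
# Added example (not from the thread): audit svchost.exe service groups.
# 1. Read the group -> service-name map that "svchost.exe -k <group>" uses.
# 2. For every hosted service, resolve the ServiceDll it loads and flag a DLL that is
#    missing, lives outside %SystemRoot%, or does not carry a valid Microsoft signature.
# 3. Flag any service whose ImagePath names a -k group that is not defined in the map
#    (a simple way to hide a rogue DLL behind a legitimate-looking svchost.exe line).
# Run from an elevated prompt. Signature caveat: on Vista/7, NotSigned under %SystemRoot%
# usually means catalog-signed; confirm with sigcheck or "sfc /verifyfile=<path>".

$groupKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$svcRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$sysRoot  = $env:SystemRoot

$groups        = Get-Item -Path $groupKey
$definedGroups = $groups.GetValueNames()

foreach ($group in $definedGroups) {
    # Each value under the Svchost key is a REG_MULTI_SZ list of service names.
    foreach ($svc in @($groups.GetValue($group))) {
        $dll = $null
        $paramKey = Join-Path $svcRoot "$svc\Parameters"
        if (Test-Path $paramKey) {
            $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
        }
        if (-not $dll) {
            # A few services keep ServiceDll directly under the service key.
            $dll = (Get-ItemProperty -Path (Join-Path $svcRoot $svc) -ErrorAction SilentlyContinue).ServiceDll
        }
        if (-not $dll) { "$group/$svc : no ServiceDll registered"; continue }

        $dll   = [Environment]::ExpandEnvironmentVariables($dll)
        $flags = @()
        if (-not (Test-Path $dll)) {
            $flags += 'MISSING FILE'
        } elseif ($dll -notlike "$sysRoot\*") {
            $flags += 'OUTSIDE SYSTEMROOT'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -ne 'Valid') {
                # On Vista/7 this is expected for catalog-signed files; verify, do not assume.
                $flags += "SIG $($sig.Status) (check catalog)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $flags += 'NON-MICROSOFT SIGNER'
            }
        }
        $mark = if ($flags) { '!! ' + ($flags -join ', ') } else { 'ok' }
        '{0,-36} {1,-28} {2}  {3}' -f $group, $svc, $dll, $mark
    }
}

# Reverse check: services whose ImagePath names a -k group that no registry value defines.
Get-ChildItem -Path $svcRoot | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -match 'svchost\.exe\s+-k\s+(\S+)') {
        $g = $Matches[1]
        if ($definedGroups -notcontains $g) {
            "!! service $($_.PSChildName) uses undefined svchost group '$g' ($img)"
        }
    }
}
```

Lines marked "!!" are the ones to look at; an "ok" line for FontCache under LocalServiceAndNoImpersonation is exactly what a clean Vista machine produces. A service in the reverse-check output, or a hosted DLL sitting outside %SystemRoot%, is the pattern that deserves a closer look, because it survives a reboot and looks like a normal svchost.exe entry in Task Manager.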



#2 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  • Gender:Male
  • Location:Kansas, USA

Posted 16 June 2011 - 11:17 AM

Hello MaryFigura and welcome to Bleeping Computer! :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. :thumbup2:

Please print or save this topic: it will make it easier for you to follow the instructions and complete all of the necessary steps.

--------------------------

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure Advanced Mode is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck Resident TeaTimer and OK any prompts
You can re-enable TeaTimer once your system is clean.

--------------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall**

Please include the C:\ComboFix.txt in your next reply for further review.
Also, please let me know if any problems still remain.

--------------------

Please do the following:
  • Download GMER from here. Save it to your Desktop. Take note of the filename, as it is a randomly named .exe file.
  • Disconnect from the Internet and close all running programs while scan is running.
  • Make sure all antivirus and other real-time security programs are disabled. See here for directions.
  • Double-click on the downloaded file to start the program. (If running Vista or Win 7, right click on it and Run as an Administrator)
  • If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click on NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Click the Scan button to begin. (Please be patient: this can take some time.)
  • When the scan is finished, click Save and type in gmer.txt and save to Desktop and copy/paste the contents in your next reply.
Note!: These types of scans can produce false positives. Do not take any action until a trained helper has seen the log.

--------------------

Please download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------------

In your next reply, please include:
  • C:\ComboFix.txt
  • GMER log
  • Security Check checkup.txt

How is your computer running now?
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Thank you!
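The "make sure all antivirus and other real-time security programs are disabled" step is easier to verify if you can see what Windows itself thinks is registered and switched on. The "AV:" and "SP:" header lines in the DDS and ComboFix logs in this thread (with their instance GUIDs and the Enabled/Disabled, Updated/Outdated flags) come from the Security Center WMI namespace, which the following PowerShell snippet queries directly. This is an added example written for this page, not code from DDS, SecurityCheck or any tool the helper linked. It assumes PowerShell 2.0 or later on Vista or newer (the root\SecurityCenter2 namespace does not exist on XP), and it decodes productState using the widely used but not officially documented interpretation: bit 0x1000 set means real-time protection is on, bit 0x10 set means definitions are out of date. Those two bit meanings are the assumption to keep in mind if a product reports an unusual value.

```powershell
# Added example (not from the thread): list the antivirus, antispyware and firewall
# products registered with Windows Security Center and decode their productState.
# Requires Vista or later (root\SecurityCenter2). productState decoding below is the
# commonly used unofficial interpretation, not a documented Microsoft contract:
#   state -band 0x1000  -> real-time protection enabled
#   state -band 0x10    -> definitions out of date

function Get-SecurityProducts {
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        $items = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class $class -ErrorAction SilentlyContinue
        foreach ($p in $items) {
            $state = [int]$p.productState
            New-Object PSObject -Property @{
                Type     = $class
                Name     = $p.displayName
                Guid     = $p.instanceGuid              # matches the {GUID} in the DDS AV:/SP: lines
                Enabled  = (($state -band 0x1000) -ne 0)
                UpToDate = (($state -band 0x10) -eq 0)
                State    = ('0x{0:X6}' -f $state)
                Path     = $p.pathToSignedProductExe     # where the registered product claims to live
            }
        }
    }
}

# Anything still Enabled=True here is what the ComboFix and GMER instructions want turned off first.
Get-SecurityProducts | Format-Table Type, Name, Enabled, UpToDate, State, Path -AutoSize
```

Run it before starting ComboFix and again after disabling the products: the avast! entries should move from Enabled=True to Enabled=False, which is what the second log in this thread shows as "*Disabled/Updated*". The Path column is also worth a glance, since a product registered from an unexpected location is itself something to hand to the helper.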

#3 MaryFigura

MaryFigura
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE

Posted 16 June 2011 - 06:28 PM

Hello! Thank you so much for getting back to me. I realize how difficult it is to answer a billion requests, so thank you for your time.


As requested, Combofix, GMER, and Security Check follows:




ComboFix 11-06-16.01 - MARY 06/16/2011 15:30:59.1.4 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.8190.6444 [GMT -7:00]
Running from: b:\users\MARY\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
b:\program files (x86)\Search Toolbar
b:\program files (x86)\Search Toolbar\icon.ico
b:\program files (x86)\Search Toolbar\SearchToolbar.dll
b:\program files (x86)\Search Toolbar\SearchToolbarUninstall.exe
b:\program files (x86)\Search Toolbar\SearchToolbarUpdater.exe
b:\programdata\Tarma Installer
b:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
b:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
b:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
b:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-16 22:36 . 2011-06-16 22:36 -------- d-----w- b:\users\Default\AppData\Local\temp
2011-06-16 22:28 . 2011-06-16 22:28 -------- d-----w- B:\32788R22FWJFW
2011-06-15 21:30 . 2011-06-15 21:30 -------- d-----w- b:\program files\HP
2011-06-11 05:37 . 2011-05-18 19:37 8718160 ----a-w- b:\programdata\Microsoft\Windows Defender\Definition Updates\{09490BE0-0890-4ED0-86D7-5758B0F92B99}\mpengine.dll
2011-06-11 00:51 . 2011-06-11 00:51 -------- d-----w- b:\program files (x86)\PROnetworks
2011-06-10 22:24 . 2011-06-11 02:29 -------- d-----w- b:\users\Administrator
2011-06-10 22:09 . 2011-06-11 02:29 -------- d-----w- b:\users\Mary's Standard Acct
2011-06-10 06:03 . 2011-06-10 06:03 -------- d-----w- b:\users\MARY\AppData\Roaming\Malwarebytes
2011-06-10 06:03 . 2011-06-10 06:03 -------- d-----w- b:\programdata\Malwarebytes
2011-06-10 06:03 . 2011-06-10 06:03 -------- d-----w- b:\program files (x86)\Malwarebytes' Anti-Malware
2011-06-09 06:35 . 2011-06-09 06:35 -------- d-----w- b:\program files (x86)\Remove on Reboot
2011-06-08 00:38 . 2011-06-10 22:25 -------- d-----w- B:\$RECYCLE(6).BIN
2011-06-07 23:13 . 2011-06-11 02:04 -------- d-----w- b:\windows\Temp(7123)
2011-05-28 23:46 . 2011-06-11 02:24 -------- d-----w- b:\program files (x86)\ConduitEngine
2011-05-28 23:46 . 2011-05-28 23:46 0 ----a-w- b:\windows\SysWow64\ConduitEngine.tmp
2011-05-28 23:46 . 2011-05-28 23:46 -------- d-----w- b:\users\MARY\AppData\Local\Conduit
2011-05-24 23:59 . 2011-05-24 23:59 -------- d-----w- b:\program files (x86)\Hot CPU Tester Pro 4 LE
2011-05-24 23:59 . 2007-03-05 18:51 360580 ----a-w- b:\windows\eSellerateEngine.dll
2011-05-24 23:58 . 2008-07-26 18:30 14544 ----a-w- b:\windows\SysWow64\sensorsview32_64.sys
2011-05-24 23:57 . 2011-05-24 23:59 -------- d-----w- b:\program files (x86)\SensorsViewPro32
2011-05-24 02:14 . 2011-05-24 02:35 -------- d-----w- B:\Boot
2011-05-24 00:19 . 2011-05-24 00:19 -------- d-----w- b:\program files (x86)\NeoSmart Technologies
2011-05-23 23:29 . 2011-05-23 23:29 -------- d-----w- b:\program files (x86)\Common Files\Acronis
2011-05-23 21:23 . 2011-05-23 21:23 -------- d-----w- b:\program files (x86)\Microsoft Games
2011-05-23 20:59 . 2008-07-12 15:18 3851784 ----a-w- b:\windows\SysWow64\D3DX9_39.dll
2011-05-22 08:49 . 2011-05-22 08:49 -------- d-----w- b:\users\MARY\AppData\Roaming\SUPERAntiSpyware.com
2011-05-22 08:49 . 2011-05-22 08:49 -------- d-----w- b:\programdata\SUPERAntiSpyware.com
2011-05-22 08:49 . 2011-05-22 08:49 -------- d-----w- b:\programdata\!SASCORE
2011-05-22 08:49 . 2011-05-24 23:21 -------- d-----w- b:\program files\SUPERAntiSpyware
2011-05-22 08:28 . 2011-06-11 02:24 -------- d-----w- b:\programdata\Spybot - Search & Destroy
2011-05-22 08:28 . 2011-05-22 09:04 -------- d-----w- b:\program files (x86)\Spybot - Search & Destroy
2011-05-22 05:01 . 2011-04-07 12:02 2409784 ----a-w- b:\program files\Windows Mail\OESpamFilter.dat
2011-05-22 05:01 . 2011-04-07 12:01 2409784 ----a-w- b:\program files (x86)\Windows Mail\OESpamFilter.dat
2011-05-22 05:01 . 2011-03-12 22:52 1653760 ----a-w- b:\windows\system32\XpsPrint.dll
2011-05-22 05:01 . 2011-03-12 21:55 876032 ----a-w- b:\windows\SysWow64\XpsPrint.dll
2011-05-22 05:01 . 2011-03-03 15:59 32256 ----a-w- b:\windows\system32\Apphlpdm.dll
2011-05-22 05:01 . 2011-03-03 15:40 28672 ----a-w- b:\windows\SysWow64\Apphlpdm.dll
2011-05-22 05:01 . 2011-03-03 13:35 4240384 ----a-w- b:\windows\SysWow64\GameUXLegacyGDFs.dll
2011-05-22 05:01 . 2011-03-03 14:00 4240384 ----a-w- b:\windows\system32\GameUXLegacyGDFs.dll
2011-05-22 05:00 . 2011-05-22 05:00 -------- d-----w- b:\users\MARY\AppData\Roaming\VSRevoGroup
2011-05-22 03:39 . 2011-02-16 16:37 48128 ----a-w- b:\windows\system32\atmlib.dll
2011-05-22 03:39 . 2011-02-16 16:16 34304 ----a-w- b:\windows\SysWow64\atmlib.dll
2011-05-22 03:39 . 2011-02-16 14:15 367616 ----a-w- b:\windows\system32\atmfd.dll
2011-05-22 03:39 . 2011-02-16 14:02 292864 ----a-w- b:\windows\SysWow64\atmfd.dll
2011-05-22 03:39 . 2011-03-10 17:18 1360384 ----a-w- b:\windows\system32\mfc42u.dll
2011-05-22 03:39 . 2011-03-10 17:18 1398784 ----a-w- b:\windows\system32\mfc42.dll
2011-05-22 03:39 . 2011-03-10 17:03 1162240 ----a-w- b:\windows\SysWow64\mfc42u.dll
2011-05-22 03:39 . 2011-03-10 17:03 1136640 ----a-w- b:\windows\SysWow64\mfc42.dll
2011-05-22 03:39 . 2009-05-04 10:21 28672 ----a-w- b:\windows\system32\dnscacheugc.exe
2011-05-22 03:39 . 2009-05-04 09:59 25088 ----a-w- b:\windows\SysWow64\dnscacheugc.exe
2011-05-22 01:38 . 2011-06-10 03:38 -------- d-----w- B:\$RECYCLE(4).BIN
2011-05-21 20:29 . 2011-06-11 02:25 -------- d-----w- b:\windows\Temp(527)
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-16 05:07 . 2010-09-21 02:36 202448 ----a-w- b:\windows\SysWow64\PnkBstrB.exe
2011-05-10 12:10 . 2010-12-19 02:52 40112 ----a-w- b:\windows\avastSS.scr
2011-05-10 12:10 . 2010-12-19 02:52 199304 ----a-w- b:\windows\SysWow64\aswBoot.exe
2011-05-10 12:10 . 2011-01-19 01:38 253888 ----a-w- b:\windows\system32\aswBoot.exe
2011-05-10 12:04 . 2011-03-21 23:55 600920 ----a-w- b:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:04 . 2010-12-19 02:53 287576 ----a-w- b:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2010-12-19 02:53 53592 ----a-w- b:\windows\system32\drivers\aswTdi.sys
2011-05-10 11:59 . 2010-12-19 02:53 31064 ----a-w- b:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2010-12-19 02:53 64344 ----a-w- b:\windows\system32\drivers\aswMonFlt.sys
2011-05-10 11:59 . 2010-12-19 02:53 22360 ----a-w- b:\windows\system32\drivers\aswFsBlk.sys
2011-04-20 23:28 . 2011-04-20 23:28 1785344 ----a-w- b:\windows\SysWow64\iertutil(1164).dll
2011-04-20 23:28 . 2011-04-20 23:28 1126912 ----a-w- b:\windows\SysWow64\wininet.dll
2011-04-20 23:28 . 2011-04-20 23:28 1126912 ----a-w- b:\windows\SysWow64\wininet(1207).dll
2011-04-20 23:28 . 2011-04-20 23:28 1102336 ----a-w- b:\windows\SysWow64\urlmon(1201).dll
2011-04-20 23:28 . 2011-04-20 23:28 2136064 ----a-w- b:\windows\system32\iertutil(1018).dll
2011-04-20 23:28 . 2011-04-20 23:28 1389056 ----a-w- b:\windows\system32\wininet.dll
2011-04-20 23:28 . 2011-04-20 23:28 1389056 ----a-w- b:\windows\system32\wininet(1082).dll
2011-04-20 23:28 . 2011-04-20 23:28 1344000 ----a-w- b:\windows\system32\urlmon(1069).dll
2011-04-08 11:28 . 2011-04-08 11:28 41872 ----a-w- b:\windows\SysWow64\xfcodec.dll
2011-04-08 11:28 . 2011-04-08 11:28 27536 ----a-w- b:\windows\system32\xfcodec64.dll
2011-03-24 02:48 . 2011-03-24 02:48 431104 ----a-w- b:\windows\system32\wrap_oal.dll
2011-03-24 02:48 . 2011-03-24 02:48 136192 ----a-w- b:\windows\system32\OpenAL32.dll
2011-03-24 02:48 . 2011-03-24 02:48 409600 ----a-w- b:\windows\SysWow64\wrap_oal.dll
2011-03-24 02:48 . 2011-03-24 02:48 114688 ----a-w- b:\windows\SysWow64\OpenAL32.dll
2011-03-24 02:40 . 2008-04-03 19:31 172032 ----a-w- b:\windows\system32\SFProc64.dll
2011-03-24 02:40 . 2008-04-03 19:30 122880 ----a-w- b:\windows\system32\SFFXCPStr.dll
2011-03-24 02:40 . 2008-04-03 19:29 59392 ----a-w- b:\windows\system32\SFLAPO64.dll
2011-03-24 02:40 . 2008-04-03 19:29 59392 ----a-w- b:\windows\system32\SFMAPO64.dll
2011-03-24 02:40 . 2008-04-03 19:29 74752 ----a-w- b:\windows\system32\SFHAPO64.dll
2011-03-24 02:40 . 2008-04-03 19:29 74752 ----a-w- b:\windows\system32\SFDAPO64.dll
2011-03-24 02:40 . 2008-04-03 19:29 163840 ----a-w- b:\windows\system32\SFCTPL64.dll
2011-03-24 02:40 . 2008-04-03 19:29 65536 ----a-w- b:\windows\system32\SFComm64.dll
2011-03-24 02:40 . 2008-04-03 19:29 77824 ----a-w- b:\windows\system32\SFSAPO64.dll
2011-03-24 02:40 . 2008-03-20 15:44 467456 ----a-w- b:\windows\system32\drivers\ADIHdAud.sys
2011-03-24 02:40 . 2008-02-28 23:18 41472 ----a-w- b:\windows\system32\SmaxCo.dll
2011-03-24 02:40 . 2007-12-05 14:56 428544 ----a-w- b:\windows\system32\AEADIExt.dll
2011-03-24 02:40 . 2007-10-19 18:10 89600 ----a-w- b:\windows\system32\AEADISRV.EXE
2011-03-24 02:40 . 2007-08-24 15:43 154112 ----a-w- b:\windows\system32\AEADIAPO.dll
2011-03-24 02:40 . 2007-01-10 21:38 56320 ----a-w- b:\windows\system32\AEADIAPR.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "b:\program files (x86)\XfireXO\prxtbXfi0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- b:\program files (x86)\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\Wow6432Node\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2011-01-17 14:54 175912 ----a-w- b:\program files (x86)\XfireXO\prxtbXfi0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "b:\program files (x86)\XfireXO\prxtbXfi0.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="b:\windows\ehome\ehTray.exe" [2008-01-21 138240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"avast"="b:\program files\Alwil Software\Avast5\avastUI.exe" [2011-05-10 3459712]
"HP Software Update"="b:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
.
b:\users\MARY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2010 Screen Clipper and Launcher.lnk - b:\program files (x86)\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;b:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;b:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);b:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-07 136176]
R3 7ByteIo;7ByteIo;b:\program files (x86)\Hot CPU Tester Pro 4 LE\SysInfoX64.sys [x]
R3 COMMONFX.SYS;COMMONFX.SYS;b:\windows\System32\drivers\COMMONFX.SYS [x]
R3 COMMONFX;COMMONFX;b:\windows\system32\drivers\COMMONFX.SYS [x]
R3 CTAUDFX.SYS;CTAUDFX.SYS;b:\windows\System32\drivers\CTAUDFX.SYS [x]
R3 CTAUDFX;CTAUDFX;b:\windows\system32\drivers\CTAUDFX.SYS [x]
R3 CTERFXFX.SYS;CTERFXFX.SYS;b:\windows\System32\drivers\CTERFXFX.SYS [x]
R3 CTERFXFX;CTERFXFX;b:\windows\system32\drivers\CTERFXFX.SYS [x]
R3 CTSBLFX.SYS;CTSBLFX.SYS;b:\windows\System32\drivers\CTSBLFX.SYS [x]
R3 CTSBLFX;CTSBLFX;b:\windows\system32\drivers\CTSBLFX.SYS [x]
R3 gupdatem;Google Update Service (gupdatem);b:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-07 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;b:\program files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-03-25 30969208]
R3 osppsvc;Office Software Protection Platform;b:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);b:\windows\system32\DRIVERS\ssadbus.sys [x]
R3 ssadmdfl;SAMSUNG Android USB Modem (Filter);b:\windows\system32\DRIVERS\ssadmdfl.sys [x]
R3 ssadmdm;SAMSUNG Android USB Modem Drivers;b:\windows\system32\DRIVERS\ssadmdm.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;b:\windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]
R4 AMD External Events Utility;AMD External Events Utility;b:\windows\system32\atiesrxx.exe [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 SASDIFSV;SASDIFSV;b:\program files\SUPERAntiSpyware\SASDIFSV64.SYS [2010-02-17 14920]
S1 SASKUTIL;SASKUTIL;b:\program files\SUPERAntiSpyware\SASKUTIL64.SYS [2010-02-17 12360]
S2 !SASCORE;SAS Core Service;b:\program files\SUPERAntiSpyware\SASCORE64.EXE [2011-05-04 128384]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;b:\windows\system32\drivers\aswMonFlt.sys [x]
S2 SBSDWSCService;SBSD Security Center Service;b:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sensorsview64;sensorsview64;b:\windows\SysWow64\sensorsview32_64.sys [2008-07-26 14544]
S3 amdkmdag;amdkmdag;b:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;b:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;b:\windows\system32\DRIVERS\yk60x64.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-16 b:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- b:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-07 02:06]
.
2011-06-16 b:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- b:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-07 02:06]
.
2011-06-15 b:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-492507254-604505970-1513897927-1000Core.job
- b:\users\MARY\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-12 03:06]
.
2011-06-16 b:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-492507254-604505970-1513897927-1000UA.job
- b:\users\MARY\AppData\Local\Google\Update\GoogleUpdate.exe [2011-06-12 03:06]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 134384 ----a-w- b:\program files\Alwil Software\Avast5\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = b:\windows\system32\blank.htm
mLocal Page = b:\windows\SysWOW64\blank.htm
IE: Google Sidewiki... - b:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
Trusted Zone: hotmail.com\www
Trusted Zone: hp.com
Trusted Zone: yahoo.com\my
TCP: DhcpNameServer = 68.87.85.102 68.87.69.150
CLSID: {603d3801-bd81-11d0-a3a5-00c04fd706ec} - %SystemRoot%\SysWow64\browseui.dll
FF - ProfilePath - b:\users\MARY\AppData\Roaming\Mozilla\Firefox\Profiles\qhgqk4li.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - b:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - b:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: HP Detect: {ab91efd4-6975-4081-8552-1b3922ed79e2} - %profile%\extensions\{ab91efd4-6975-4081-8552-1b3922ed79e2}
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - b:\program files (x86)\Yontoo Layers\YontooIEClient.dll
Wow6432Node-HKCU-Run-WMPNSCFG - b:\program files (x86)\Windows Media Player\WMPNSCFG.exe
WebBrowser-{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3} - (no file)
HKLM-Run-Windows Defender - b:\program files (x86)\Windows Defender\MSASCui.exe
AddRemove-PunkBusterSvc - b:\windows\system32\pbsvc.exe
AddRemove-Unofficial Oblivion Patch_is1 - f:\game files\OBLIVION\Unofficial Oblivion Patch\unins000.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@b:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="b:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="b:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="b:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="b:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="b:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="b:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
b:\program files\Alwil Software\Avast5\AvastSvc.exe
b:\program files (x86)\IObit\Game Booster\gbtray.exe
b:\windows\SysWOW64\PnkBstrA.exe
.
**************************************************************************
.
Completion time: 2011-06-16 15:46:50 - machine was rebooted
ComboFix-quarantined-files.txt 2011-06-16 22:46
ComboFix2.txt 2011-06-07 23:13
.
Pre-Run: 50,881,794,048 bytes free
Post-Run: 51,206,717,440 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,11
- - End Of File - - D80779B101EBCA7B4755141F8E9CD530

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-16 16:12:13
Windows 6.0.6002 Service Pack 2
Running: 3fyycilp.exe


---- Files - GMER 1.0.15 ----

File B:\## aswSnx private storage 0 bytes
File B:\## aswSnx private storage\snx_rhive 262144 bytes
File B:\## aswSnx private storage\snx_rhive.LOG1 29696 bytes
File B:\## aswSnx private storage\snx_rhive.LOG2 0 bytes
File B:\## aswSnx private storage\snx_rhive{3a8c0b17-7f4d-11e0-b90c-00221516ebd0}.TM.blf 65536 bytes
File B:\## aswSnx private storage\snx_rhive{3a8c0b17-7f4d-11e0-b90c-00221516ebd0}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File B:\## aswSnx private storage\snx_rhive{3a8c0b17-7f4d-11e0-b90c-00221516ebd0}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
File B:\## aswSnx private storage\webStorage 0 bytes
File B:\## aswSnx private storage\webStorage\attrib 0 bytes
File B:\## aswSnx private storage\webStorage\image 0 bytes
File B:\## aswSnx private storage\webStorage\image\Windows 0 bytes
File B:\## aswSnx private storage\webStorage\image\Windows\Prefetch 0 bytes
File B:\## aswSnx private storage\webStorage\image\Windows\Prefetch\FIREFOX.EXE-95C3D2A3.pf 19184 bytes
File B:\## aswSnx private storage\webStorage\image\Windows\Prefetch\IEXPLORE.EXE-8F1B6CBC.pf 19354 bytes
File B:\## aswSnx private storage\webStorage\snx_fs.dat 612 bytes

---- EOF - GMER 1.0.15 ----


Results of screen317's Security Check version 0.99.13
Windows Vista (UAC is enabled)
Out of date service pack!!
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
avast! Free Antivirus
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
Flash Player Out of Date!
Adobe Flash Player 10.2.153.1
Adobe Reader 9.4.4
Out of date Adobe Reader installed!
Mozilla Firefox (3.6.12) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Spybot Teatimer.exe is disabled!
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
``````````End of Log````````````


I haven't noticed a difference yet in my machine, but I will be working on it later. I just wanted to get this out to you.

Again, thank you for your time!

Mary

#4 D-FRED-BROWN

Malware Response Team

Posted 17 June 2011 - 12:58 PM

I didn't see anything questionable in your logs. Let's run some more scans to give us a better look. :wink:

Also, is your system experiencing any of the same error messages as before?

-------------

Please download Malwarebytes' Anti-Malware to your Desktop
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a location you will remember.
  • Copy and Paste that log into your next reply.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK for either of the prompts and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

-------------

Please do the following:
  • Please download aswMBR.exe from here and save it to your Desktop.
  • Double-click aswMBR.exe to start the tool. (Vista - Win 7: right-click to run as Administrator)
  • Click Scan
  • Upon completion of the scan, click Save log and save it to your Desktop, and post that log in your next reply. Do NOT attempt any Fix at this time!
  • This will also create a file on your Desktop named MBR.dat. Right click that file and select Send To->Compressed (zipped) folder. Attach that zipped folder in your next reply as well.

-------------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

-------------

In your next reply, please include:
  • Malwarebytes log
  • aswMBR log and MBR.dat zip file
  • ESET online scan log

How is your computer running now?
Proud graduate of SpywareInfo Bootcamp
Follow me on Twitter! @dfredbrown
Unified Network of Instructors and Trained Eliminators

I volunteer my free time to help you. Please consider making a donation so I can continue helping people like you.
Thank you!

#5 MaryFigura

MaryFigura
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 17 June 2011 - 10:10 PM

Hi, as requested:


Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6883

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/17/2011 3:39:11 PM
mbam-log-2011-06-17 (15-39-11).txt

Scan type: Full scan (B:\|C:\|I:\|)
Objects scanned: 524117
Time elapsed: 1 hour(s), 14 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


B:\ProgramData\Spybot - Search & Destroy\Recovery\YontooPagerage33.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
B:\Qoobox\Quarantine\B\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined
B:\Qoobox\Quarantine\B\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
I:\System Volume Information\_restore{A0804B21-CC92-4D6E-91F5-A4B415E54D86}\RP70\A0027721.exe Win32/Toolbar.AskSBar application deleted - quarantined

When I went to use aswMBR, every time I hit Scan, it would restart my computer. I couldn't figure out if this was supposed to happen or not. No .dat file was created on the desktop. I checked the compatibility mode for XP svcpack2, and run as administrator. Still would restart if I hit the scan button.

mary

#6 D-FRED-BROWN

Malware Response Team

Posted 17 June 2011 - 10:16 PM

Please include the ESET Online Scan log as well :).

#7 MaryFigura

MaryFigura
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 18 June 2011 - 01:44 AM

This is all I get:


B:\ProgramData\Spybot - Search & Destroy\Recovery\YontooPagerage33.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined

B:\Qoobox\Quarantine\B\Program Files (x86)\Search Toolbar\SearchToolbar.dll.vir Win32/Toolbar.Zugo application cleaned by deleting - quarantined

B:\Qoobox\Quarantine\B\ProgramData\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined

I:\System Volume Information\_restore{A0804B21-CC92-4D6E-91F5-A4B415E54D86}\RP70\A0027721.exe Win32/Toolbar.AskSBar application deleted - quarantined

#8 D-FRED-BROWN

Malware Response Team

Posted 18 June 2011 - 08:25 AM

Please run MalwareBytes once more, and choose Remove Selected on the Show Results tab. Then, please post the log it produces.

Edited by D-FRED-BROWN, 18 June 2011 - 08:26 AM.


#9 MaryFigura

MaryFigura
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 18 June 2011 - 04:47 PM

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6883

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

6/18/2011 1:58:02 PM
mbam-log-2011-06-18 (13-58-02).txt

Scan type: Full scan (B:\|C:\|I:\|)
Objects scanned: 522841
Time elapsed: 1 hour(s), 10 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 D-FRED-BROWN

Malware Response Team

Posted 18 June 2011 - 08:57 PM

Hello again. We're making progress :thumbup2: .

Please do the following:

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Reglock::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]


Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
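As an added example, not code from this thread or from ComboFix itself: a small Python helper that pulls the keys listed under the LOCKED REGISTRY KEYS banner of a ComboFix log (the section Mary's log above contains) and renders them in the KILLALL::/Reglock:: layout the script in this post uses, so the list does not have to be retyped by hand. The directive names are the ones this post uses; the log text embedded in the script is a constructed sample in the same layout as the thread's log, not the real log.

```python
"""Build a ComboFix CFScript 'Reglock::' block from a ComboFix log.

Added example, not code from the thread or from ComboFix itself. It reads the
keys listed under the 'LOCKED REGISTRY KEYS' banner of a ComboFix log and
renders them in the CFScript layout used in the post above (KILLALL:: then
Reglock::). The directive names are the ones the post uses; the log text
below is a constructed sample in the same layout as the log in this thread.
"""
import re
from typing import List, Optional, Tuple

# Banner that opens the section we care about, e.g.
# "--------------------- LOCKED REGISTRY KEYS ---------------------"
LOCKED_HEADER = re.compile(r"^-+\s*LOCKED REGISTRY KEYS\s*-+$")
# Any other "---- Name ----" banner ends the section (in the thread's log the
# next one is "Other Running Processes").
SECTION_HEADER = re.compile(r"^-{3,}.*-{3,}$")
# A registry key line as ComboFix prints it: "[HKEY_...]"
KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$")

# Constructed sample in the layout of the thread's log (not the real log).
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
b:\program files\Alwil Software\Avast5\AvastSvc.exe
"""


def locked_key_blocks(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (key, value_lines) pairs from the LOCKED REGISTRY KEYS section.

    Parsing starts after the section banner and stops at the next banner, so
    keys printed elsewhere in the log (Reg Loading Points etc.) are ignored.
    """
    blocks: List[Tuple[str, List[str]]] = []
    in_section = False
    current: Optional[Tuple[str, List[str]]] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = bool(LOCKED_HEADER.match(line))
            continue
        if SECTION_HEADER.match(line):
            break
        m = KEY_LINE.match(line)
        if m:
            current = (m.group(1), [])
            blocks.append(current)
        elif current is not None and line and line != ".":
            current[1].append(line)  # ACE lines and values under the key
    return blocks


def locked_keys(log_text: str) -> List[str]:
    """All locked keys in log order, duplicates dropped."""
    keys: List[str] = []
    for key, _ in locked_key_blocks(log_text):
        if key not in keys:
            keys.append(key)
    return keys


def keys_with_denied_ace(log_text: str) -> List[str]:
    """Only the keys ComboFix shows with an explicit @Denied entry.

    The script in the post lists every key in the section, including subkeys
    that carry no Denied ACE of their own; this view shows which ones actually
    had the deny, which helps when reviewing the log.
    """
    return [key for key, lines in locked_key_blocks(log_text)
            if any(l.startswith("@Denied:") for l in lines)]


def build_cfscript(keys: List[str], kill_all: bool = True) -> str:
    """Render a CFScript: optional KILLALL:: directive, then Reglock:: + keys."""
    if not keys:
        raise ValueError("no locked keys found; nothing to put under Reglock::")
    parts: List[str] = []
    if kill_all:
        parts.append("KILLALL::\n")  # blank line after it, as in the post
    parts.append("Reglock::")
    parts.extend(f"[{key}]" for key in keys)
    return "\n".join(parts) + "\n"


if __name__ == "__main__":
    # This is the text you would save as CFScript.txt beside ComboFix.exe.
    print(build_cfscript(locked_keys(SAMPLE_LOG)), end="")
```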

#11 MaryFigura

MaryFigura
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:33 AM

Posted 18 June 2011 - 10:24 PM

Hi there! Thanks for taking time out to help me, I really appreciate it. The post was too long and I was booted to another post screen. I attached the log file; I hope you can open it and read it. If not, I will just make two posts.

Once again, thanks!

Attached Files



#12 D-FRED-BROWN

Malware Response Team

Posted 19 June 2011 - 12:34 PM

Do you have the aswMBR log and MBR.dat zip file? If so, please post them here for me to see. :)

#13 MaryFigura

MaryFigura
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 19 June 2011 - 02:06 PM

I cannot get aswMBR to run. The user interface comes up, but as soon as I hit the scan button, my computer does a hard restart. I can see 2 lines after the initialize success line, but it's only for a fraction of a second. I booted in safe mode, same thing. All AV is disabled, nothing else is running, up to date on Windows, run with and without compatibility mode, always as admin. I am at a loss why this program refuses to run.

Edited by MaryFigura, 19 June 2011 - 02:07 PM.


#14 D-FRED-BROWN

D-FRED-BROWN

    Resident Bracketologist


  • Malware Response Team
  • 834 posts
  • OFFLINE
  • Gender:Male
  • Location:Kansas, USA
  • Local time:02:33 AM

Posted 19 June 2011 - 02:12 PM

That's okay, try this program. :)

Please print out these instructions or copy them to a Notepad file for easier reading, and download MBRCheck by a_d_13 to your Desktop from one of these locations:

http://ad13.geekstogo.com/MBRCheck.exe
http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe
http://www.kernelmode.info/MBRCheck.exe

Close all open programs/windows and double-click on MBRCheck.exe.
It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.

#15 MaryFigura

MaryFigura
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:12:33 AM

Posted 19 June 2011 - 03:50 PM

Hi there!

As requested:


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Ultimate Edition
Windows Information: Service Pack 2 (build 6002), 64-bit
Base Board Manufacturer: ASUSTeK Computer INC.
BIOS Manufacturer: American Megatrends Inc.
System Manufacturer: System manufacturer
System Product Name: System Product Name
Logical Drives Mask: 0x000003ff

Kernel Drivers (total 153):

Processes (total 54):

\\.\B: --> \\.\PhysicalDrive0 at offset 0x0000004d`68700000 (NTFS)
\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)
\\.\I: --> \\.\PhysicalDrive6 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: WDCWD5000AADS-00S9B0, Rev: 01.00A01
PhysicalDrive6 Model Number: WD3200AAV External, Rev: 1.65

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
298 GB \\.\PhysicalDrive6 Legit MBR code detected
SHA1: B8F40F94231153EDC0AB83C01C49ACAC82866309


Done!
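The MBRCheck output above reports, for each physical drive, whether the boot sector carries known boot code, identified by a SHA1 hash. The following added example (my code, not MBRCheck's) shows what such a check involves: reading a raw 512-byte MBR, verifying the 0x55AA signature, decoding the partition table, and hashing the bootstrap code so it can be compared against a baseline; the sample sector and baseline table are constructed for illustration.

```python
# Added example, not MBRCheck's own code: parse a raw 512-byte MBR, check its
# 0x55AA signature, decode the partition table and fingerprint the boot code
# with SHA1 for comparison against a baseline. Standard MBR layout constants.
import hashlib
import struct
from typing import Dict, List, NamedTuple

BOOT_CODE_LEN = 440       # bootstrap code precedes the 4-byte disk signature
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"

class Partition(NamedTuple):
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts

def check_mbr(mbr: bytes, baseline: Dict[str, str]) -> dict:
    """Signature check, boot-code SHA1 and the baseline label for that hash."""
    if len(mbr) != 512:
        raise ValueError("expected a 512-byte sector")
    digest = hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()
    return {
        "valid_signature": mbr[510:] == BOOT_SIGNATURE,
        "boot_code_sha1": digest,
        "label": baseline.get(digest, "unknown boot code"),
        "partitions": parse_partitions(mbr),
    }

# Constructed sample: stub boot code, one bootable NTFS (0x07) partition.
SAMPLE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433
SAMPLE_MBR = (SAMPLE_BOOT_CODE + b"\x00" * 6
              + struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
              + b"\x00" * 48 + BOOT_SIGNATURE)
# Constructed baseline; a real one maps hashes of known-good boot code.
SAMPLE_BASELINE = {hashlib.sha1(SAMPLE_BOOT_CODE).hexdigest().upper(): "sample"}
```

A hash that is not in the baseline is not proof of infection, but it is the signal that the boot code deserves a closer look.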



