Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

infected with something - windows restore, popup windows, computer freezes


  • This topic is locked This topic is locked
20 replies to this topic

#1 sunny456

sunny456

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 21 June 2011 - 08:04 AM

hello
i am requesting help for my laptop please. on 6/8/11 i was infected with the windows restore virus. at the time i was running the free edition of avg & i've always used antimalware bytes. i ran a full virus scan that day and also the malware bytes & removed a few things, but my computer was still not running right. all my start programs were gone, i ran unhide & that helped a bit but didn't fix the problem. i still don't have many items on my start menu, accessories etc. i have redownloaded a few programs so i could use them. ever since then it's been attacked daily, i had the windows restore pop up again & then also something called security shield.

i got rid of avg and downloaded avira and also superantispyware. i update all 3 and run them everynite in safemode, although i can't seem to run the superspyware in safe mode, my computer crashes and gives me a blue screen hard disc error. i can run it it regular mode and it usually finds and removes a lot of things nightly.

right now my internet is running very slow & i get popup windows that open new ie browsers. my ie will also freeze & i can't do anything and need to poweroff with the power button. i also cannot turn on my windows updates, it says it's on, but i have a warning that it's not on. i was also infected with the whitehorse toolbar or something like that, that i uninstalled & then superantispyware found a few bits of that this am and removed it.

i've probably done a bunch of things i shouldn't have, but i didn't find this forum until today. so, now i've done all the things in the checklist & will post my logs here. thank you in advance for any help.



here is the dds log:

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Liz at 8:06:03 on 2011-06-21
.
============== Running Processes ===============
.
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Liz.BULLDOG\Desktop\Defogger.exe
C:\Documents and Settings\Liz.BULLDOG\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080104
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080104
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVZOVgtTlNWVkwtTzRCWlEtUUlNQ0wtUVREQ0gtNElKTUg"&"inst=NzctNTYxNzMxMzM2LVhMKzEtVDMtRlA5KzYtQkFSOUcrMS1UQjkrMi1GTCs5LVhPMzYrMS1GOU03Qys1LUY5TTEwQisxLUxJQysyLUZMMTArMS1TUDErMS1TVVArNC1UVUcrMy1TUDFTMisx"&"prod=90"&"ver=10.0.1382
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www5.snapfish.com/SnapfishActivia3.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://upload.smugmug.com/photos/activex/ImageUploader4-082807.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E2F65414-70F7-4B19-9D31-76D44632750A} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R? MBAMSwissArmy;MBAMSwissArmy
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? avgio;avgio
S? avgntflt;avgntflt
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
.
=============== Created Last 30 ================
.
2011-06-20 23:36:27 -------- d-----w- c:\documents and settings\liz.bulldog\application data\vmntemplate
2011-06-18 21:16:17 -------- d-----w- c:\program files\Ustream
2011-06-17 01:44:59 -------- d-----w- c:\documents and settings\liz.bulldog\application data\Avira
2011-06-17 01:43:11 -------- d-----w- c:\program files\Search Toolbar
2011-06-17 01:38:12 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-16 23:26:39 -------- d-----w- c:\windows\system32\NtmsData
2011-06-16 12:39:56 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-16 12:39:55 -------- d-----w- c:\program files\Avira
2011-06-16 12:39:55 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-06-16 01:16:52 -------- d-----w- C:\Adobe
2011-06-15 23:52:06 0 ----a-w- c:\windows\Qteqikanujuqodih.bin
2011-06-15 23:52:04 -------- d-----w- c:\documents and settings\liz.bulldog\local settings\application data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}
2011-06-15 23:50:24 -------- d-----w- c:\documents and settings\all users\application data\bC28258BjBmL28258
2011-06-14 23:49:41 -------- d-----w- c:\windows\pss
2011-06-09 01:19:46 -------- d-----w- c:\documents and settings\liz.bulldog\application data\SUPERAntiSpyware.com
2011-06-09 01:19:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-09 00:02:51 -------- d-----w- c:\documents and settings\liz.bulldog\application data\Wubu
2011-06-09 00:02:51 -------- d-----w- c:\documents and settings\liz.bulldog\application data\Rohy
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-26 15:52:16 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160821AS rev.3.CDE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A4934D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4997f0]; MOV EAX, [0x8a49986c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A57AAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A502DF8]
\Driver\atapi[0x8A5A03D8] -> IRP_MJ_CREATE -> 0x8A4934D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A49331B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:08:24.21 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:46 AM

Posted 29 June 2011 - 07:40 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic an do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks.

DR

#3 sunny456

sunny456
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 30 June 2011 - 08:34 AM

hello.

thank you for the reply, yes i am still having multiple problems.

main problems are with internet explorer, i am getting pop ups. i've turned ON popup blocker and that will stop popups in the main ie scren i'm using (no new tabs will pop up), but i do get entire new ie program popups. hopefully that makes sense. also, my computer will just freeze, ie will stop working & i can't seem to even do anything, it just stalls. the only way to solve it is to powerdown w/ the power button. also, my cpu usage for svchost frequently goes to 99/100% - could that be the cause of ie freezing and getting stuck?

since i posted the first time, i've also had the windows security shield virus that disabled me from doing anything, but i think i managed to get that off. i couldn't open malwarebytes, avira, etc.

also, in internet explorer, if i search with yahoo i do get redirected if i click on any of the links, it does not take me to the original link.

my windows update shield is marked at an x that it's off, warns me it's off, but i can't turn it on. when i go to the main windows security window it's marked as turned off, but in the windows update part when i go to try to turn it on, it says on. i can't connect to the windows update website either, to update manually.

my firewall also seems to go from on to off at times as well. also, i'm not sure why, or if it means anything, but it is different, in some programs (like notepad & photoshop) the top bar where file/edit/etc is, is normally light gray with black writing. it's now the same, but at times there is a white box around where file/edit/etc is, with black writing. it comes and goes & that is different then before and not with all programs.

i don't know what is going on and i'm hoping i can fix this without a reformat. i really appreciate the help.

i'm attaching new logs as requested. i've labeled them 2, as this is the 2nd time i'm running the programs.

thank you.


here is the new dds log:


.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Liz at 8:45:49 on 2011-06-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.745 [GMT -4:00]
.
AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jucheck.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080104
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080104
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Search Toolbar: {9d425283-d487-4337-bab6-ab8354a81457} - c:\program files\search toolbar\SearchToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
StartupFolder: c:\documents and settings\liz.bulldog\start menu\programs\startup\igfxtray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www5.snapfish.com/SnapfishActivia3.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} - hxxp://upload.smugmug.com/photos/activex/ImageUploader4-082807.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{E2F65414-70F7-4B19-9D31-76D44632750A} : DhcpNameServer = 192.168.1.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 184.95.59.211 www.google.com
Hosts: 184.95.59.212 search.yahoo.com
Hosts: 184.95.59.212 www.bing.com
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2011-6-16 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2011-6-16 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2011-6-16 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-6-16 61960]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-7-14 39984]
.
=============== Created Last 30 ================
.
2011-06-23 16:25:26 -------- d-----w- c:\documents and settings\all users\application data\jM28601MfPjN28601
2011-06-22 02:35:32 -------- d--h--w- c:\windows\PIF
2011-06-20 23:36:27 -------- d-----w- c:\documents and settings\liz.bulldog\application data\vmntemplate
2011-06-18 21:16:17 -------- d-----w- c:\program files\Ustream
2011-06-17 01:44:59 -------- d-----w- c:\documents and settings\liz.bulldog\application data\Avira
2011-06-17 01:43:11 -------- d-----w- c:\program files\Search Toolbar
2011-06-17 01:38:12 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2011-06-16 23:26:39 -------- d-----w- c:\windows\system32\NtmsData
2011-06-16 12:39:56 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-16 12:39:55 -------- d-----w- c:\program files\Avira
2011-06-16 12:39:55 -------- d-----w- c:\documents and settings\all users\application data\Avira
2011-06-16 01:16:52 -------- d-----w- C:\Adobe
2011-06-15 23:52:06 0 ----a-w- c:\windows\Qteqikanujuqodih.bin
2011-06-15 23:52:04 -------- d-----w- c:\documents and settings\liz.bulldog\local settings\application data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}
2011-06-15 23:50:24 -------- d-----w- c:\documents and settings\all users\application data\bC28258BjBmL28258
2011-06-14 23:49:41 -------- d-----w- c:\windows\pss
2011-06-09 01:19:46 -------- d-----w- c:\documents and settings\liz.bulldog\application data\SUPERAntiSpyware.com
2011-06-09 01:19:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-09 00:02:51 -------- d-----w- c:\documents and settings\liz.bulldog\application data\Wubu
2011-06-09 00:02:51 -------- d-----w- c:\documents and settings\liz.bulldog\application data\Rohy
.
==================== Find3M ====================
.
2011-05-29 13:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160821AS rev.3.CDE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A49D4D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4a37f0]; MOV EAX, [0x8a4a386c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A4C0AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A46F528]
\Driver\atapi[0x8A5A6030] -> IRP_MJ_CREATE -> 0x8A49D4D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A49D31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 8:50:18.67 ===============

Attached Files



#4 sunny456

sunny456
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 30 June 2011 - 08:36 AM

i forgot to inclue that to get off the security shield virus, the only thing that seemed to work was to run a program called rogue killer, then ran malware bytes, superantispyware & then avira.

i try to run all 3 of those daily. malware bytes frequently finds things & the superspyware always finds hundreds of things.

thank you. any further questions, please ask. i appreciate the help.

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:46 AM

Posted 01 July 2011 - 08:30 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • please Do not Attach logs or put in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool untill instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#6 sunny456

sunny456
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 01 July 2011 - 04:33 PM

hello & thank you for helping me.

i ran the combofix, log is posted below this.

i did need to install the windows recovery, did so & combofix ran.

i opened a browser to come back here to reply & i did get a new internet explorer open with a popup. so that isn't fixed.

also, my avira is no longer showing on the right side, by the clock. however it is on the computer and i can open the program. how do i get it back on the menu there to make sure it's on?

the windows update shield is no longer a red x, but a yellow shield w/ an exclamation point. if i hover over it, it says updates are ready, click to install.

please let me know how to proceed from here. thank you :)


combofix log:

ComboFix 11-07-01.01 - Liz 07/01/2011 17:02:49.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1630 [GMT -4:00]
Running from: c:\documents and settings\Liz.BULLDOG\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Liz.BULLDOG\Application Data\Adobe\plugs
c:\documents and settings\Liz.BULLDOG\Application Data\Adobe\shed
c:\documents and settings\Liz.BULLDOG\Application Data\Rohy
c:\documents and settings\Liz.BULLDOG\Application Data\Rohy\ecifp.guh
c:\documents and settings\Liz.BULLDOG\Application Data\Wubu
c:\documents and settings\Liz.BULLDOG\Application Data\Wubu\liapi.exe
c:\documents and settings\Liz.BULLDOG\Local Settings\Application Data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}
c:\documents and settings\Liz.BULLDOG\Local Settings\Application Data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}\chrome.manifest
c:\documents and settings\Liz.BULLDOG\Local Settings\Application Data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}\chrome\content\_cfg.js
c:\documents and settings\Liz.BULLDOG\Local Settings\Application Data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}\chrome\content\overlay.xul
c:\documents and settings\Liz.BULLDOG\Local Settings\Application Data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}\install.rdf
c:\documents and settings\Liz.BULLDOG\Start Menu\Programs\Startup\igfxtray.exe
c:\documents and settings\Liz.BULLDOG\Templates\o44x875yv1u87h02h583l0013u6k8pk73
c:\program files\Search Toolbar
c:\program files\Search Toolbar\SearchToolbar.dll
c:\program files\Search Toolbar\SearchToolbarUpdater.exe
c:\windows\system32\BSTIEPrintCtl1.dll
.
----- BITS: Possible infected sites -----
.
hxxp://apnmedia.ask.com
.
((((((((((((((((((((((((( Files Created from 2011-06-01 to 2011-07-01 )))))))))))))))))))))))))))))))
.
.
2011-06-23 16:25 . 2011-06-23 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\jM28601MfPjN28601
2011-06-22 02:35 . 2011-06-22 02:35 -------- d--h--w- c:\windows\PIF
2011-06-21 02:22 . 2011-06-21 02:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-20 23:36 . 2011-06-20 23:36 -------- d-----w- c:\documents and settings\Liz.BULLDOG\Application Data\vmntemplate
2011-06-20 23:35 . 2011-06-20 23:35 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-06-20 23:35 . 2011-06-20 23:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\vmntemplate
2011-06-20 23:35 . 2011-06-20 23:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
2011-06-18 21:16 . 2011-06-18 21:16 -------- d-----w- c:\program files\Ustream
2011-06-18 21:13 . 2011-06-18 21:13 -------- d-----w- c:\program files\Common Files\Apple
2011-06-18 21:13 . 2011-06-18 21:13 -------- d-----w- c:\program files\Apple Software Update
2011-06-17 13:47 . 2011-06-17 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-06-17 01:44 . 2011-06-17 01:44 -------- d-----w- c:\documents and settings\Liz.BULLDOG\Application Data\Avira
2011-06-17 01:38 . 2011-06-17 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-16 23:26 . 2011-06-26 21:08 -------- d-----w- c:\windows\system32\NtmsData
2011-06-16 12:39 . 2011-07-01 10:43 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-16 12:39 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-06-16 12:39 . 2011-07-01 10:43 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-16 12:39 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-06-16 12:39 . 2011-06-16 12:39 -------- d-----w- c:\program files\Avira
2011-06-16 12:39 . 2011-06-16 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-06-16 01:16 . 2011-06-16 01:16 -------- d-----w- C:\Adobe
2011-06-15 23:52 . 2011-06-15 23:52 0 ----a-w- c:\windows\Qteqikanujuqodih.bin
2011-06-15 23:50 . 2011-06-15 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\bC28258BjBmL28258
2011-06-09 23:33 . 2011-06-17 01:38 -------- d-----w- c:\documents and settings\Administrator
2011-06-09 01:19 . 2011-06-09 01:19 -------- d-----w- c:\documents and settings\Liz.BULLDOG\Application Data\SUPERAntiSpyware.com
2011-06-09 01:19 . 2011-06-17 01:39 -------- d-----w- c:\program files\SUPERAntiSpyware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2010-07-15 03:01 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-07-15 03:01 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-11 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-20 149280]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5700:TCP"= 5700:TCP:*:Disabled:streams
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/16/2011 8:39 AM 136360]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080104
TCP: DhcpNameServer = 192.168.1.1
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www5.snapfish.com/SnapfishActivia3.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-cleanddm - c:\documents and settings\Liz.BULLDOG\Application Data\cleanddm.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-01 17:19
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9160821AS rev.3.CDE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A49B31B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(936)
c:\windows\system32\WININET.dll
.
Completion time: 2011-07-01 17:26:16
ComboFix-quarantined-files.txt 2011-07-01 21:26
.
Pre-Run: 98,100,781,056 bytes free
Post-Run: 98,772,918,272 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 06C1C19065A8F225306581F7DD9413E2

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:46 AM

Posted 01 July 2011 - 06:34 PM

Hello

It looks like the rootkit is still active. I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#8 sunny456

sunny456
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 02 July 2011 - 08:25 AM

hello.

i ran the tdss killer as requested, i'm attaching the log file.

it found one thing & i clicked cure, then continue. it did require a reboot.

when the computer rebooted, windows did install the updates (i didn't have any options to not install them)

when i rebooted, a bubble popped up on the bottom right that said click here to continue removal, so i clicked. what opened was a windows malicious software removal tool - june 2011. that was the heading on the top, it said to help complete the removal to click the scan results and click finish, so i clicked finish and nothing else happened. wasn't sure if that was supposed to pop up?

i haven't been on the internet much since then, but will browse around now to see if anything has changed.

i also forgot to mention, but did in my first post, that my start/programs/etc. are not working properly and are still not working. some folders like accessories are there, but i am missing a bunch of programs in the menu's (calculator is one) and then in the programs section there is a folder for say, open office, but when i click there it's empty. most things are listed as empty with nothing in them.

thank you for the help. here is the tdss log:

2011/07/02 09:08:24.0421 3888 TDSS rootkit removing tool 2.5.8.0 Jun 28 2011 19:12:16
2011/07/02 09:08:25.0000 3888 ================================================================================
2011/07/02 09:08:25.0000 3888 SystemInfo:
2011/07/02 09:08:25.0000 3888
2011/07/02 09:08:25.0000 3888 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/02 09:08:25.0000 3888 Product type: Workstation
2011/07/02 09:08:25.0000 3888 ComputerName: BULLDOG2
2011/07/02 09:08:25.0000 3888 UserName: Liz
2011/07/02 09:08:25.0000 3888 Windows directory: C:\WINDOWS
2011/07/02 09:08:25.0000 3888 System windows directory: C:\WINDOWS
2011/07/02 09:08:25.0000 3888 Processor architecture: Intel x86
2011/07/02 09:08:25.0000 3888 Number of processors: 2
2011/07/02 09:08:25.0000 3888 Page size: 0x1000
2011/07/02 09:08:25.0000 3888 Boot type: Normal boot
2011/07/02 09:08:25.0000 3888 ================================================================================
2011/07/02 09:08:28.0078 3888 Initialize success
2011/07/02 09:09:30.0046 3652 ================================================================================
2011/07/02 09:09:30.0046 3652 Scan started
2011/07/02 09:09:30.0046 3652 Mode: Manual;
2011/07/02 09:09:30.0046 3652 ================================================================================
2011/07/02 09:09:31.0921 3652 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/07/02 09:09:32.0312 3652 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/02 09:09:32.0734 3652 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/07/02 09:09:33.0046 3652 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/07/02 09:09:33.0734 3652 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/02 09:09:34.0250 3652 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/07/02 09:09:34.0828 3652 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/07/02 09:09:35.0156 3652 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/07/02 09:09:35.0703 3652 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/07/02 09:09:36.0000 3652 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/07/02 09:09:36.0421 3652 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/07/02 09:09:37.0093 3652 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/07/02 09:09:37.0390 3652 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/07/02 09:09:37.0968 3652 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/07/02 09:09:38.0265 3652 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/07/02 09:09:38.0843 3652 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2011/07/02 09:09:39.0218 3652 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/07/02 09:09:39.0750 3652 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/07/02 09:09:40.0296 3652 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/07/02 09:09:40.0796 3652 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/07/02 09:09:41.0078 3652 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/02 09:09:41.0546 3652 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/02 09:09:42.0312 3652 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/02 09:09:42.0875 3652 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/02 09:09:43.0062 3652 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/07/02 09:09:43.0703 3652 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2011/07/02 09:09:44.0000 3652 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2011/07/02 09:09:44.0984 3652 BCM43XX (e9ea635b8432d68f0005b3f6cebab837) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/07/02 09:09:45.0406 3652 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2011/07/02 09:09:45.0453 3652 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/02 09:09:45.0671 3652 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/07/02 09:09:45.0687 3652 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/02 09:09:45.0984 3652 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/07/02 09:09:46.0015 3652 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/07/02 09:09:46.0062 3652 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/02 09:09:46.0125 3652 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/02 09:09:46.0250 3652 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/02 09:09:46.0343 3652 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/07/02 09:09:46.0390 3652 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/07/02 09:09:46.0468 3652 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/07/02 09:09:46.0578 3652 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/07/02 09:09:46.0656 3652 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/07/02 09:09:46.0921 3652 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/07/02 09:09:47.0312 3652 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/02 09:09:47.0437 3652 DLABMFSM (0659e6e0a95564f958d9df7313f7701e) C:\WINDOWS\system32\DLA\DLABMFSM.SYS
2011/07/02 09:09:47.0484 3652 DLABOIOM (8691c78908f0bd66170669db268369f2) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2011/07/02 09:09:47.0734 3652 DLACDBHM (76167b5eb2dffc729edc36386876b40b) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/07/02 09:09:48.0046 3652 DLADResM (5615744a1056933b90e6ac54feb86f35) C:\WINDOWS\system32\DLA\DLADResM.SYS
2011/07/02 09:09:48.0156 3652 DLAIFS_M (1aeca2afa5005ce4a550cf8eb55a8c88) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2011/07/02 09:09:48.0312 3652 DLAOPIOM (840e7f6abb885c72b9ffddb022ef5b6d) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2011/07/02 09:09:48.0421 3652 DLAPoolM (0294d18731ac05da80132ce88f8a876b) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2011/07/02 09:09:48.0593 3652 DLARTL_M (91886fed52a3f9966207bce46cfd794f) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
2011/07/02 09:09:48.0640 3652 DLAUDFAM (cca4e121d599d7d1706a30f603731e59) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2011/07/02 09:09:48.0687 3652 DLAUDF_M (7dab85c33135df24419951da4e7d38e5) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2011/07/02 09:09:48.0859 3652 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/02 09:09:49.0718 3652 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/02 09:09:49.0890 3652 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/02 09:09:50.0078 3652 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/02 09:09:50.0234 3652 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/07/02 09:09:50.0343 3652 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/02 09:09:50.0500 3652 DRVMCDB (c00440385cf9f3d142917c63f989e244) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/07/02 09:09:50.0875 3652 DRVNDDM (6e6ab29d3c06e64ce81feacda85394b5) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/07/02 09:09:51.0140 3652 DXEC02 (0c8762b91b967a91373e0e022b62acfc) C:\WINDOWS\system32\drivers\dxec02.sys
2011/07/02 09:09:51.0265 3652 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/07/02 09:09:51.0609 3652 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/02 09:09:51.0765 3652 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/02 09:09:51.0953 3652 FilterService (b73ec688c29f81f9da0fcf63682b3ecb) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
2011/07/02 09:09:52.0203 3652 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/02 09:09:52.0390 3652 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/02 09:09:52.0578 3652 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/02 09:09:52.0859 3652 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/02 09:09:53.0015 3652 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/02 09:09:53.0171 3652 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/02 09:09:53.0250 3652 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/02 09:09:53.0390 3652 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/02 09:09:53.0687 3652 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/07/02 09:09:54.0453 3652 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/07/02 09:09:55.0218 3652 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/07/02 09:09:56.0406 3652 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/02 09:09:56.0750 3652 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/07/02 09:09:56.0812 3652 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/07/02 09:09:56.0890 3652 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/02 09:09:57.0125 3652 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys
2011/07/02 09:09:57.0484 3652 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/02 09:09:58.0000 3652 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/07/02 09:09:58.0250 3652 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/02 09:09:58.0609 3652 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/02 09:09:58.0906 3652 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/02 09:09:59.0046 3652 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/02 09:09:59.0125 3652 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/02 09:09:59.0234 3652 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/02 09:09:59.0328 3652 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/02 09:09:59.0390 3652 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/02 09:09:59.0437 3652 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/02 09:09:59.0500 3652 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/02 09:09:59.0546 3652 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/02 09:09:59.0625 3652 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/02 09:09:59.0734 3652 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
2011/07/02 09:10:00.0062 3652 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
2011/07/02 09:10:01.0718 3652 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/07/02 09:10:01.0781 3652 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/02 09:10:01.0828 3652 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/02 09:10:01.0875 3652 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/02 09:10:02.0250 3652 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/02 09:10:02.0296 3652 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/02 09:10:02.0343 3652 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/07/02 09:10:02.0421 3652 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/02 09:10:02.0546 3652 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/02 09:10:02.0609 3652 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/02 09:10:02.0687 3652 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/02 09:10:02.0718 3652 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/02 09:10:02.0734 3652 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/02 09:10:02.0812 3652 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/02 09:10:02.0937 3652 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/07/02 09:10:03.0031 3652 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/02 09:10:03.0109 3652 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/07/02 09:10:03.0406 3652 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/02 09:10:04.0000 3652 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/07/02 09:10:04.0078 3652 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/02 09:10:04.0140 3652 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/02 09:10:04.0234 3652 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/02 09:10:04.0406 3652 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/02 09:10:04.0484 3652 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/02 09:10:04.0625 3652 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/02 09:10:04.0718 3652 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/07/02 09:10:04.0765 3652 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/02 09:10:05.0109 3652 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/02 09:10:05.0375 3652 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2011/07/02 09:10:05.0687 3652 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/02 09:10:06.0640 3652 nv (e531eaa795a273fc70c9de3f195069c8) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/02 09:10:07.0984 3652 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/02 09:10:08.0031 3652 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/02 09:10:08.0109 3652 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/07/02 09:10:08.0171 3652 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/02 09:10:08.0343 3652 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/02 09:10:08.0468 3652 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/02 09:10:08.0609 3652 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/02 09:10:09.0046 3652 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/02 09:10:09.0328 3652 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/02 09:10:09.0578 3652 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/07/02 09:10:09.0640 3652 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/07/02 09:10:09.0750 3652 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/02 09:10:10.0531 3652 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/02 09:10:11.0046 3652 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/02 09:10:11.0234 3652 PxHelp20 (feffcfdc528764a04c8ed63d5fa6e711) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/02 09:10:11.0406 3652 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/07/02 09:10:11.0546 3652 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/07/02 09:10:11.0640 3652 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/07/02 09:10:11.0703 3652 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/07/02 09:10:11.0750 3652 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/07/02 09:10:11.0843 3652 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/02 09:10:12.0015 3652 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/02 09:10:12.0078 3652 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/02 09:10:12.0140 3652 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/02 09:10:12.0250 3652 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/02 09:10:12.0312 3652 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/02 09:10:12.0390 3652 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/02 09:10:12.0468 3652 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/02 09:10:12.0562 3652 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/02 09:10:12.0703 3652 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/07/02 09:10:12.0968 3652 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2011/07/02 09:10:13.0234 3652 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2011/07/02 09:10:13.0671 3652 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/07/02 09:10:14.0046 3652 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/07/02 09:10:14.0437 3652 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/07/02 09:10:14.0531 3652 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/02 09:10:14.0984 3652 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/02 09:10:15.0265 3652 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/02 09:10:15.0500 3652 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/02 09:10:15.0796 3652 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/07/02 09:10:15.0890 3652 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/07/02 09:10:15.0953 3652 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/07/02 09:10:16.0062 3652 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/02 09:10:16.0281 3652 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/02 09:10:16.0484 3652 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/02 09:10:17.0140 3652 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2011/07/02 09:10:17.0703 3652 STHDA (58f855684e163466a5c565adf0865536) C:\WINDOWS\system32\drivers\sthda.sys
2011/07/02 09:10:18.0296 3652 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/07/02 09:10:18.0906 3652 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/02 09:10:19.0750 3652 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/02 09:10:20.0812 3652 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/07/02 09:10:21.0093 3652 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/07/02 09:10:22.0031 3652 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/07/02 09:10:22.0687 3652 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/07/02 09:10:24.0609 3652 SynTP (936cd58395d36659bb798b961ef7357f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/07/02 09:10:25.0562 3652 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/02 09:10:26.0812 3652 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/02 09:10:27.0437 3652 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/02 09:10:27.0875 3652 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/02 09:10:28.0468 3652 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/02 09:10:28.0609 3652 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/07/02 09:10:28.0843 3652 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/02 09:10:28.0937 3652 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/07/02 09:10:29.0406 3652 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/02 09:10:29.0562 3652 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/02 09:10:29.0640 3652 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/02 09:10:29.0703 3652 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/02 09:10:29.0750 3652 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/02 09:10:29.0843 3652 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/02 09:10:29.0921 3652 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/02 09:10:29.0984 3652 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/02 09:10:30.0343 3652 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/07/02 09:10:30.0562 3652 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/02 09:10:30.0843 3652 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/07/02 09:10:31.0265 3652 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/07/02 09:10:31.0531 3652 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/02 09:10:31.0906 3652 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/02 09:10:32.0265 3652 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/07/02 09:10:32.0484 3652 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/02 09:10:32.0578 3652 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/07/02 09:10:32.0734 3652 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/07/02 09:10:32.0875 3652 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/02 09:10:32.0937 3652 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/07/02 09:10:32.0953 3652 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/02 09:10:32.0953 3652 Boot (0x1200) (df420f2a71396caf62b70db800fe4b89) \Device\Harddisk0\DR0\Partition0
2011/07/02 09:10:32.0953 3652 ================================================================================
2011/07/02 09:10:32.0953 3652 Scan finished
2011/07/02 09:10:32.0953 3652 ================================================================================
2011/07/02 09:10:32.0968 3792 Detected object count: 1
2011/07/02 09:10:32.0968 3792 Actual detected object count: 1
2011/07/02 09:12:47.0328 3792 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/02 09:12:47.0328 3792 \Device\Harddisk0\DR0 - ok
2011/07/02 09:12:47.0328 3792 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/02 09:12:51.0750 3436 Deinitialize success

#9 sunny456

sunny456
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 02 July 2011 - 09:52 AM

wanted to reply since i've been browsing the internet for a bit now.

i no longer am redirected when i search using yahoo and i no longer seem to be getting any popup ads.

also, i haven't seemed to have stalled so far yet today.

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:46 AM

Posted 02 July 2011 - 05:38 PM

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\windows\Qteqikanujuqodih.bin

Folder::
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
c:\documents and settings\All Users\Application Data\bC28258BjBmL28258


Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 sunny456

sunny456
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 03 July 2011 - 09:12 AM

hello

i did as you requested & am attaching the log to the bottom of the post. combofix did have to update to a newer version, so i clicked yes for that.

since yesterday, the computer has been running ok. i still do not have all my programs in my start menu though, most program folders are listed as empty. i was on the computer a good deal yesterday and didn't seem to get any popup ads, my yahoo search doesn't redirect me any longer. it all seems like it's running much better then before & i didn't stall and have to turn the computer off to be able to do anything.

i do seem to have to type my login and password everytime i go to my email/this forum/etc, before the computer used to remember me, but maybe that's a setting in internet explorer i have to fix, i'm not sure if i changed something when i was trying to fix it myself, prior to posting for help here.

let me know if i should do anything else & thank you again for the help :)

here is the combofix log:

ComboFix 11-07-02.03 - Liz 07/03/2011 9:48.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1474 [GMT -4:00]
Running from: c:\documents and settings\Liz.BULLDOG\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Liz.BULLDOG\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\windows\Qteqikanujuqodih.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\bC28258BjBmL28258
c:\documents and settings\All Users\Application Data\bC28258BjBmL28258\bC28258BjBmL28258
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\dtx.ini
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\guid.dat
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\setupCfg.xml
c:\windows\Qteqikanujuqodih.bin
c:\windows\TEMP\logishrd\LVPrcInj01.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-06-03 to 2011-07-03 )))))))))))))))))))))))))))))))
.
.
2011-07-01 20:27 . 2011-04-21 13:37 105472 ------w- c:\windows\system32\dllcache\mup.sys
2011-06-23 16:25 . 2011-06-23 17:14 -------- d-----w- c:\documents and settings\All Users\Application Data\jM28601MfPjN28601
2011-06-22 02:35 . 2011-06-22 02:35 -------- d--h--w- c:\windows\PIF
2011-06-21 02:22 . 2011-06-21 02:22 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-06-20 23:36 . 2011-06-20 23:36 -------- d-----w- c:\documents and settings\Liz.BULLDOG\Application Data\vmntemplate
2011-06-20 23:35 . 2011-06-20 23:35 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-06-20 23:35 . 2011-06-20 23:35 -------- d-----w- c:\documents and settings\NetworkService\Application Data\vmntemplate
2011-06-18 21:16 . 2011-06-18 21:16 -------- d-----w- c:\program files\Ustream
2011-06-18 21:13 . 2011-06-18 21:13 -------- d-----w- c:\program files\Common Files\Apple
2011-06-18 21:13 . 2011-06-18 21:13 -------- d-----w- c:\program files\Apple Software Update
2011-06-17 13:47 . 2011-06-17 13:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-06-17 01:44 . 2011-06-17 01:44 -------- d-----w- c:\documents and settings\Liz.BULLDOG\Application Data\Avira
2011-06-17 01:38 . 2011-06-17 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-06-16 23:26 . 2011-06-26 21:08 -------- d-----w- c:\windows\system32\NtmsData
2011-06-16 12:39 . 2011-07-01 10:43 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-16 12:39 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-06-16 12:39 . 2011-07-01 10:43 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-06-16 12:39 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-06-16 12:39 . 2011-06-16 12:39 -------- d-----w- c:\program files\Avira
2011-06-16 12:39 . 2011-06-16 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-06-16 01:16 . 2011-06-16 01:16 -------- d-----w- C:\Adobe
2011-06-09 23:33 . 2011-06-17 01:38 -------- d-----w- c:\documents and settings\Administrator
2011-06-09 01:19 . 2011-06-09 01:19 -------- d-----w- c:\documents and settings\Liz.BULLDOG\Application Data\SUPERAntiSpyware.com
2011-06-09 01:19 . 2011-06-17 01:39 -------- d-----w- c:\program files\SUPERAntiSpyware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-29 13:11 . 2010-07-15 03:01 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 13:11 . 2010-07-15 03:01 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-02 15:31 . 2004-08-10 19:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 18:51 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-10 18:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-10 18:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 18:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 18:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 18:51 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-10 18:51 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-01_21.20.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-03 13:59 . 2011-07-03 13:59 16384 c:\windows\Temp\Perflib_Perfdata_754.dat
+ 2004-08-10 18:51 . 2011-04-25 16:11 66560 c:\windows\system32\mshtmled.dll
- 2004-08-10 18:51 . 2011-02-22 23:06 66560 c:\windows\system32\mshtmled.dll
+ 2007-08-13 23:54 . 2011-04-25 16:11 55296 c:\windows\system32\msfeedsbs.dll
- 2007-08-13 23:54 . 2011-02-22 23:06 55296 c:\windows\system32\msfeedsbs.dll
+ 2004-08-10 18:51 . 2011-04-25 16:11 25600 c:\windows\system32\jsproxy.dll
- 2004-08-10 18:51 . 2011-02-22 23:06 25600 c:\windows\system32\jsproxy.dll
+ 2009-09-12 22:47 . 2011-04-25 16:11 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-09-12 22:47 . 2011-02-22 23:06 12800 c:\windows\system32\dllcache\xpshims.dll
- 2008-01-04 06:17 . 2011-02-22 23:06 66560 c:\windows\system32\dllcache\mshtmled.dll
+ 2008-01-04 06:17 . 2011-04-25 16:11 66560 c:\windows\system32\dllcache\mshtmled.dll
- 2008-01-11 19:34 . 2011-02-22 23:06 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-01-11 19:34 . 2011-04-25 16:11 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2007-08-13 23:44 . 2011-02-22 23:06 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2007-08-13 23:44 . 2011-04-25 16:11 43520 c:\windows\system32\dllcache\licmgr10.dll
+ 2008-01-04 06:17 . 2011-04-25 16:11 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2008-01-04 06:17 . 2011-02-22 23:06 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 12800 c:\windows\ie8updates\KB2530548-IE8\xpshims.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 66560 c:\windows\ie8updates\KB2530548-IE8\mshtmled.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 55296 c:\windows\ie8updates\KB2530548-IE8\msfeedsbs.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 43520 c:\windows\ie8updates\KB2530548-IE8\licmgr10.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 25600 c:\windows\ie8updates\KB2530548-IE8\jsproxy.dll
+ 2004-08-10 18:51 . 2010-12-20 17:32 551936 c:\windows\system32\oleaut32.dll
- 2004-08-10 18:51 . 2008-04-14 00:12 551936 c:\windows\system32\oleaut32.dll
+ 2004-08-10 18:51 . 2011-04-25 16:11 206848 c:\windows\system32\occache.dll
- 2004-08-10 18:51 . 2011-02-22 23:06 206848 c:\windows\system32\occache.dll
+ 2004-08-10 18:51 . 2011-04-25 16:11 611840 c:\windows\system32\mstime.dll
- 2004-08-10 18:51 . 2011-02-22 23:06 611840 c:\windows\system32\mstime.dll
+ 2007-08-13 23:54 . 2011-04-25 16:11 602112 c:\windows\system32\msfeeds.dll
- 2007-08-13 23:54 . 2011-02-22 23:06 602112 c:\windows\system32\msfeeds.dll
- 2004-08-10 18:51 . 2011-02-22 23:06 184320 c:\windows\system32\iepeers.dll
+ 2004-08-10 18:51 . 2011-04-25 16:11 184320 c:\windows\system32\iepeers.dll
- 2004-08-10 18:51 . 2011-02-22 23:06 387584 c:\windows\system32\iedkcs32.dll
+ 2004-08-10 18:51 . 2011-04-25 16:11 387584 c:\windows\system32\iedkcs32.dll
- 2004-08-10 18:51 . 2011-02-18 11:49 173568 c:\windows\system32\ie4uinit.exe
+ 2004-08-10 18:51 . 2011-04-25 12:01 173568 c:\windows\system32\ie4uinit.exe
- 2004-08-10 18:50 . 2008-10-16 14:43 138496 c:\windows\system32\drivers\afd.sys
+ 2004-08-10 18:50 . 2011-02-16 13:22 138496 c:\windows\system32\drivers\afd.sys
- 2008-01-04 06:17 . 2011-02-22 23:06 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-01-04 06:17 . 2011-04-25 16:11 916480 c:\windows\system32\dllcache\wininet.dll
+ 2008-01-04 06:19 . 2011-04-30 03:01 758784 c:\windows\system32\dllcache\vgx.dll
+ 2008-12-05 06:54 . 2011-04-29 17:25 151552 c:\windows\system32\dllcache\schannel.dll
+ 2010-12-20 17:32 . 2010-12-20 17:32 551936 c:\windows\system32\dllcache\oleaut32.dll
+ 2007-08-13 23:44 . 2011-04-25 16:11 206848 c:\windows\system32\dllcache\occache.dll
- 2007-08-13 23:44 . 2011-02-22 23:06 206848 c:\windows\system32\dllcache\occache.dll
- 2008-01-04 06:17 . 2011-02-22 23:06 611840 c:\windows\system32\dllcache\mstime.dll
+ 2008-01-04 06:17 . 2011-04-25 16:11 611840 c:\windows\system32\dllcache\mstime.dll
+ 2008-01-11 19:34 . 2011-04-25 16:11 602112 c:\windows\system32\dllcache\msfeeds.dll
- 2008-01-11 19:34 . 2011-02-22 23:06 602112 c:\windows\system32\dllcache\msfeeds.dll
+ 2008-11-26 13:43 . 2011-04-29 16:19 456320 c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-11-26 13:43 . 2011-05-02 15:31 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2008-11-26 13:43 . 2011-03-07 05:33 692736 c:\windows\system32\dllcache\inetcomm.dll
- 2009-09-12 22:47 . 2011-02-22 23:06 247808 c:\windows\system32\dllcache\ieproxy.dll
+ 2009-09-12 22:47 . 2011-04-25 16:11 247808 c:\windows\system32\dllcache\ieproxy.dll
- 2008-01-04 06:17 . 2011-02-22 23:06 184320 c:\windows\system32\dllcache\iepeers.dll
+ 2008-01-04 06:17 . 2011-04-25 16:11 184320 c:\windows\system32\dllcache\iepeers.dll
- 2010-06-10 23:35 . 2011-02-22 23:06 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2010-06-10 23:35 . 2011-04-25 16:11 743424 c:\windows\system32\dllcache\iedvtool.dll
+ 2007-08-13 23:39 . 2011-04-25 16:11 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-13 23:39 . 2011-02-22 23:06 387584 c:\windows\system32\dllcache\iedkcs32.dll
- 2007-08-13 23:39 . 2011-02-18 11:49 173568 c:\windows\system32\dllcache\ie4uinit.exe
+ 2007-08-13 23:39 . 2011-04-25 12:01 173568 c:\windows\system32\dllcache\ie4uinit.exe
- 2008-11-26 13:44 . 2008-10-16 14:43 138496 c:\windows\system32\dllcache\afd.sys
+ 2008-11-26 13:44 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys
+ 2011-07-02 13:09 . 2009-03-08 08:33 759296 c:\windows\ie8updates\KB2544521-IE8\vgx.dll
+ 2011-07-02 13:09 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2544521-IE8\spuninst\updspapi.dll
+ 2011-07-02 13:09 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2544521-IE8\spuninst\spuninst.exe
+ 2011-07-02 13:10 . 2011-02-22 23:06 916480 c:\windows\ie8updates\KB2530548-IE8\wininet.dll
+ 2011-07-02 13:10 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2530548-IE8\spuninst\updspapi.dll
+ 2011-07-02 13:10 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2530548-IE8\spuninst\spuninst.exe
+ 2011-07-02 13:10 . 2011-02-22 23:06 206848 c:\windows\ie8updates\KB2530548-IE8\occache.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 611840 c:\windows\ie8updates\KB2530548-IE8\mstime.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 602112 c:\windows\ie8updates\KB2530548-IE8\msfeeds.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 247808 c:\windows\ie8updates\KB2530548-IE8\ieproxy.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 184320 c:\windows\ie8updates\KB2530548-IE8\iepeers.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 743424 c:\windows\ie8updates\KB2530548-IE8\iedvtool.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 387584 c:\windows\ie8updates\KB2530548-IE8\iedkcs32.dll
+ 2011-07-02 13:10 . 2011-02-18 11:49 173568 c:\windows\ie8updates\KB2530548-IE8\ie4uinit.exe
+ 2008-11-26 13:43 . 2011-04-29 16:19 456320 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2004-08-10 18:51 . 2011-04-25 16:11 1211904 c:\windows\system32\urlmon.dll
+ 2004-08-10 18:51 . 2011-05-30 22:19 5964800 c:\windows\system32\mshtml.dll
- 2007-08-13 23:34 . 2011-02-22 23:06 1991680 c:\windows\system32\iertutil.dll
+ 2007-08-13 23:34 . 2011-04-25 16:11 1991680 c:\windows\system32\iertutil.dll
+ 2008-01-04 06:17 . 2011-04-25 16:11 1211904 c:\windows\system32\dllcache\urlmon.dll
+ 2008-01-04 06:17 . 2011-05-30 22:19 5964800 c:\windows\system32\dllcache\mshtml.dll
- 2008-01-11 19:34 . 2011-02-22 23:06 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2008-01-11 19:34 . 2011-04-25 16:11 1991680 c:\windows\system32\dllcache\iertutil.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 1210880 c:\windows\ie8updates\KB2530548-IE8\urlmon.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 5962240 c:\windows\ie8updates\KB2530548-IE8\mshtml.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 1991680 c:\windows\ie8updates\KB2530548-IE8\iertutil.dll
+ 2008-01-11 19:31 . 2011-07-02 13:12 47716296 c:\windows\system32\MRT.exe
+ 2007-08-13 23:54 . 2011-04-26 14:11 11081728 c:\windows\system32\ieframe.dll
+ 2008-01-11 19:34 . 2011-04-26 14:11 11081728 c:\windows\system32\dllcache\ieframe.dll
+ 2011-07-02 13:10 . 2011-02-22 23:06 11080704 c:\windows\ie8updates\KB2530548-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-06-11 2424192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-03 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"nwiz"="nwiz.exe" [2007-06-06 1626112]
"NVHotkey"="nvHotkey.dll" [2007-06-06 67584]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-05-14 1191936]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-11 2183168]
"SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 405504]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-10 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-20 149280]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-10-14 2793304]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-28 281768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5700:TCP"= 5700:TCP:*:Disabled:streams
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/16/2011 8:39 AM 136360]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080104
TCP: DhcpNameServer = 192.168.1.1
DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www5.snapfish.com/SnapfishActivia3.cab
DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} - hxxp://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-03 10:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Swearware\backup\winsock2\Parameters]
@DACL=(02 0000)
@SACL=
"WinSock_Registry_Version"="2.0"
"Current_NameSpace_Catalog"="NameSpace_Catalog5"
"Current_Protocol_Catalog"="Protocol_Catalog9"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(4140)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\stsystra.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-07-03 10:05:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-03 14:05
ComboFix2.txt 2011-07-01 21:26
.
Pre-Run: 97,807,540,224 bytes free
Post-Run: 97,898,475,520 bytes free
.
- - End Of File - - 51EF9E7A079ECE8B0A1FC05AE72189D7

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:46 AM

Posted 03 July 2011 - 02:16 PM

Hello

I would ike to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
C:\Qoobox\ComboFix-quarantined-files.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 sunny456

sunny456
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 03 July 2011 - 03:19 PM

2011-07-03 14:01:46 . 2011-07-03 14:01:46 54,019 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Temp\logishrd\_LVPrcInj01_.dll.zip
2011-07-03 13:48:31 . 2011-07-03 13:48:31 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2011-07-03 13:38:25 . 2009-10-07 05:47:22 109,080 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Temp\logishrd\LVPrcInj01.dll.vir
2011-07-01 21:23:41 . 2011-07-01 21:23:41 80 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-cleanddm.reg.dat
2011-07-01 21:23:23 . 2011-07-01 21:23:23 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-07-01 21:23:19 . 2011-07-01 21:23:20 132 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829}.reg.dat
2011-07-01 21:23:15 . 2011-07-01 21:23:15 118 ----a-w- C:\Qoobox\Quarantine\Registry_backups\URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C}.reg.dat
2011-07-01 21:14:00 . 2011-07-03 13:56:40 8,362 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-07-01 20:37:10 . 2011-07-01 20:37:10 512 ----a-w- C:\Qoobox\Quarantine\MBR_HardDisk0.mbr
2011-07-01 20:17:23 . 2011-07-03 14:01:51 441 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-06-20 23:35:14 . 2011-06-20 23:35:14 269 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\whitesmoketoolbar\setupCfg.xml.vir
2011-06-20 23:35:14 . 2011-06-20 23:35:23 15 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\whitesmoketoolbar\dtx.ini.vir
2011-06-20 23:35:11 . 2011-06-20 23:35:11 38 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService\Application Data\whitesmoketoolbar\guid.dat.vir
2011-06-20 02:42:15 . 2011-06-20 02:42:22 1,492 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Liz.BULLDOG\Templates\o44x875yv1u87h02h583l0013u6k8pk73.vir
2011-06-16 12:26:05 . 2010-04-08 14:52:20 45,744 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbarUpdater.exe.vir
2011-06-16 12:26:05 . 2010-04-08 14:52:20 271,024 ----a-w- C:\Qoobox\Quarantine\C\Program Files\Search Toolbar\SearchToolbar.dll.vir
2011-06-15 23:52:06 . 2011-06-15 23:52:06 0 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Qteqikanujuqodih.bin.vir
2011-06-15 23:52:05 . 2011-06-15 23:52:05 5,954 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Liz.BULLDOG\Local Settings\Application Data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}\chrome\content\overlay.xul.vir
2011-06-15 23:52:05 . 2011-06-15 23:52:05 2,126 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Liz.BULLDOG\Local Settings\Application Data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}\chrome\content\_cfg.js.vir
2011-06-15 23:52:05 . 2011-06-15 23:52:05 764 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Liz.BULLDOG\Local Settings\Application Data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}\install.rdf.vir
2011-06-15 23:52:04 . 2011-06-15 23:52:04 122 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Liz.BULLDOG\Local Settings\Application Data\{392F0C2C-AC4B-49C2-9A00-9B71836FD079}\chrome.manifest.vir
2011-06-15 23:50:31 . 2011-06-15 23:50:35 192 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\bC28258BjBmL28258\bC28258BjBmL28258.vir
2011-06-09 00:02:52 . 2011-06-09 00:02:52 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Liz.BULLDOG\Application Data\Rohy\ecifp.guh.vir
2011-06-09 00:02:51 . 2011-06-09 00:02:51 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Liz.BULLDOG\Application Data\Wubu\liapi.exe.vir
2009-07-16 21:37:46 . 2009-07-16 21:37:46 466,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\BSTIEPrintCtl1.dll.vir
2008-01-09 02:56:24 . 2011-07-01 20:28:52 6,862 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2008-01-09 02:56:24 . 2011-07-01 20:28:52 6,448 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2004-08-10 18:51:23 . 2008-04-14 00:12:36 0 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Liz.BULLDOG\Start Menu\Programs\Startup\igfxtray.exe.vir

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:46 AM

Posted 03 July 2011 - 04:21 PM

Hello

this virus moves the things from the start menu and moves it to a folder in the temp folder - if you have run any temp cleaner then they have been removed

we can try these two things to see if anything is left to replace

run this first - http://download.bleepingcomputer.com/grinler/unhide.exe

You can restore the defaults for the Start Menu, Accessories and Administrative Tools as follows:
Posted Image
  • Then click on the Restore button.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 8.1.3
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 3
Java™ 6 Update 5


and click on remove

Update Adobe Reader

Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.
[/list]
Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache

  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 sunny456

sunny456
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 03 July 2011 - 05:43 PM

hello.

i've done everything as requested. i started first with the unhide program (i have run that before) & nothing changed. it said turning off the antivirus may allow it to work better or something, so i did turn it off & run it again, but nothing changed. am i to assume i'm simply out of luck and will have to remove then reinstall the programs to get them to show up again in the start menu?

when i turned back on avira guard, a pop up said something was found "tr/trash.gen" in file c:/windows/temp/logishrd/LVPrcInj01.dll
i clicked remove, avira did some quick scan and that was it.

i ran the accessories tool thing & that restored my accessories to the start panel.

next i uninstalled the programs as requested & rebooted. i had no trouble with that.

next i redownloaded adobe reader (there was no prompt for downloading the photoshop starter edition).
i updated java and then deleted the cache.

i ran the tfc cleaner & then rebooted.

next i updated & ran malwarebytes (nothing was found), then downloaded hijack this and ran that. the logs for both are below.

thank you for the help & please let me know what to do from here.




here is the malwarebytes logfile:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7013

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/3/2011 6:31:51 PM
mbam-log-2011-07-03 (18-31-51).txt

Scan type: Quick scan
Objects scanned: 176070
Time elapsed: 4 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



and here is the hijackthis logfile:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:35:23 PM, on 7/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=3080104
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.1.1
O16 - DPF: {28B66320-9687-4B13-8757-36F901887AB5} (CanvasX Class) - http://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} (Snapfish Activia3) - http://www5.snapfish.com/SnapfishActivia3.cab
O16 - DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.5.1.0-082608.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://upload.smugmug.com/photos/activex/ImageUploader4-082807.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://cdn.smugmug.com/photos/activex/ImageUploader5-5.0.30.0-080212.cab
O16 - DPF: {BEA7310D-06C4-4339-A784-DC3804819809} (Photo Upload Plugin Class) - http://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8861 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users