
Ranulf
Members
Posts: 19
Reputation: 0 Neutral
  1. Thanks. Seems all good here on subsequent scans.
  2. I just got one of these this morning. In a temp file for a program setup/installer (EasyTune6) that has been on the machine for months. "ISScript11.Msi" MbamScanNov7.txt
  3. Thanks for the replies, it's AVG9. I've avoided the new versions given the bad press they've gotten. Mobo is EP45-UD3P, 5/20/09 BIOS. After some testing I'm leaning towards my Asus 560Ti video card being the culprit. The system has been stable again for almost a day now with the old 520W PSU and old GeForce 7950GT vid card. CPU is running fairly cool compared to the past, even with a fanless vid card (7950GT) compared to the dual-fan 560. The problem started in late spring when I put in the new vid card and the 750W PSU (don't think it's either Corsair PSU now). I have a PSU tester so I could test them though. Thanks for the link to the NirSoft program and I guess I'll slowly test one thing at a time. Just don't have the time right now to get in depth. Bad enough it wasted 2 hours yesterday.
  4. Over the past few months (3-4) I've been getting random shutdowns of my system. Win7 64-bit, Q8400 chip, Gigabyte mobo (EP45 model), 4GB RAM and a GeForce 560Ti (old was 7950GT). At first I thought it was the new video card (560Ti) and a new power supply (Corsair 750W), but putting the old PSU back in, the system ran great until today (6 weeks or so), when it just shut down. Normally it would shut down and then try to reboot, sometimes taking several attempts to get past POST and into Win7. Today I put on a new fan/heatsink with fresh paste (used a fan from a new Celeron box of the same type as the Q8400) as I thought that might be part of the problem. The CPU would run rather hot in games (pushing 70-75C under load). The system lasted 10 minutes before crashing again, same problem. So I put the old video card back in and the system has been stable for 20 mins or so. Long story short, every error in the Windows logs has shown a kernel power error (power loss) and a "Wininit" event ID 11 error that says: "Custom dynamic link libraries are being loaded for every application. The system administrator should review the list of libraries to ensure they are related to trusted applications." The event data string lists "avgrssta.dll" as well. Any advice? I suppose I should get rid of AVG anyway, since it's the old version and I've been wary of the new versions, and try MSE. TIA
  5. I'm getting this on my XP laptop (5249) too. I've not updated the desktop from 5221 or scanned it today. Also, I've been having problems connecting to my wireless router ever since I ran the scan on the laptop earlier today, and it has version 5249. The java.exe is still in quarantine and I can't get an IP address on my laptop. Guess I'll restore the quarantine and see if that helps.
  6. Everything seems clear and gone! Eset or the ComboFix uninstall got rid of that last trojan MSE couldn't delete. Mucho thanks again for the help RPMcMurphy.
  7. Bah, reread your instructions. Full log file from Eset (2nd scan):

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner.ocx - registred OK
     # version=7
     # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=026647e799a99743be5de5a8f2903e7e
     # end=finished
     # remove_checked=false
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2010-11-30 07:49:45
     # local_time=2010-11-29 11:49:45 (-0800, Pacific Standard Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=1024 16777215 100 0 32348850 32348850 0 0
     # compatibility_mode=5891 16776869 100 100 0 20601784 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=59548
     # found=3
     # cleaned=0
     # scan_time=2179
     C:\i386\GTDownDE_87.ocx    probably a variant of Win32/Adware.Agent.LCKGTSG application    00000000000000000000000000000000    I
     C:\Qoobox\Quarantine\MBR_HardDisk0.mbr    Win32/Olmarik.ADA trojan    00000000000000000000000000000000    I
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP196\A0017769.exe    a variant of Win32/Kryptik.INN trojan    00000000000000000000000000000000    I
     esets_scanner_update returned -1 esets_gle=53251
     # version=7
     # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
     # OnlineScanner.ocx=1.0.0.6211
     # api_version=3.0.2
     # EOSSerial=026647e799a99743be5de5a8f2903e7e
     # end=finished
     # remove_checked=true
     # archives_checked=false
     # unwanted_checked=true
     # unsafe_checked=false
     # antistealth_checked=true
     # utc_time=2010-11-30 08:53:51
     # local_time=2010-11-30 12:53:51 (-0800, Pacific Standard Time)
     # country="United States"
     # lang=1033
     # osver=5.1.2600 NT Service Pack 3
     # compatibility_mode=1024 16777215 100 0 32351623 32351623 0 0
     # compatibility_mode=5891 16776533 100 100 0 20604557 0 0
     # compatibility_mode=8192 67108863 100 0 0 0 0 0
     # scanned=58441
     # found=2
     # cleaned=2
     # scan_time=3252
     C:\i386\GTDownDE_87.ocx    probably a variant of Win32/Adware.Agent.LCKGTSG application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP201\A0021410.ocx    probably a variant of Win32/Adware.Agent.LCKGTSG application (cleaned by deleting - quarantined)    00000000000000000000000000000000    C
  8. System is running better for sure and I appreciate the help greatly. I knew about the Java; I suspect my old Java and 6.0 Acrobat Reader are what got me in trouble. That is updated now to 6.22. Malwarebytes updated fine to 1.50 and found a WhiteSmoke remnant and dumped it to quarantine (saved mbam log before cleaning it for some reason). ESET found 2 trojans and some adware but I forgot to have it auto clean. MSE found 2 trojans later and I think got rid of them (I forgot to turn MSE off while running ESET). One appears to be in the MBR backup from ComboFix. ESET only found 2 items on the second scan, adware stuff. Edit: OK, MSE finds but gets an error when trying to clean "C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.ADA trojan" (it calls it DOS/Alureon.A). Logs below, ESET then MBAM:

     ESET First Pass:
     C:\i386\GTDownDE_87.ocx    probably a variant of Win32/Adware.Agent.LCKGTSG application
     C:\Qoobox\Quarantine\MBR_HardDisk0.mbr    Win32/Olmarik.ADA trojan
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP196\A0017769.exe    a variant of Win32/Kryptik.INN trojan

     ESET Second Pass:
     C:\i386\GTDownDE_87.ocx    probably a variant of Win32/Adware.Agent.LCKGTSG application    cleaned by deleting - quarantined
     C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP201\A0021410.ocx    probably a variant of Win32/Adware.Agent.LCKGTSG application    cleaned by deleting - quarantined

     MBAM:
     Malwarebytes' Anti-Malware 1.50
     www.malwarebytes.org

     Database version: 5214

     Windows 5.1.2600 Service Pack 3
     Internet Explorer 8.0.6001.18702

     11/29/2010 10:46:57 PM
     mbam-log-2010-11-29 (22-46-54).txt

     Scan type: Quick scan
     Objects scanned: 136499
     Time elapsed: 4 minute(s), 5 second(s)

     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 1
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0

     Memory Processes Infected:
     (No malicious items detected)

     Memory Modules Infected:
     (No malicious items detected)

     Registry Keys Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{52794457-af6c-4c50-9def-f2e24f4c8889} (PUP.WhiteSmoke) -> No action taken.

     Registry Values Infected:
     (No malicious items detected)

     Registry Data Items Infected:
     (No malicious items detected)

     Folders Infected:
     (No malicious items detected)

     Files Infected:
     (No malicious items detected)
  9. ComboFix log and then Add/remove log:

     ----------------------------------------------------
     ComboFix 10-11-28.03 - jss 11/29/2010 17:51:00.3.1 - x86
     Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262.800 [GMT -8:00]
     Running from: c:\documents and settings\jss\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\jss\Desktop\CFScript.txt
     AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\All Users\Application Data\nOjOh02094
     c:\documents and settings\All Users\Application Data\nOjOh02094\nOjOh02094
     c:\documents and settings\jss\Application Data\whitesmoketoolbar
     c:\documents and settings\jss\Application Data\whitesmoketoolbar\dtx.ini
     c:\documents and settings\jss\Application Data\whitesmoketoolbar\preferences.dat
     c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
     c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\dtx.ini
     c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\exeArgs.xml
     c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\guid.dat
     c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\setupCfg.xml
     c:\documents and settings\NetworkService\Application Data\WhiteSmokeTranslator
     c:\documents and settings\NetworkService\Application Data\WhiteSmokeTranslator\stat.log
     c:\program files\whitesmoketoolbar
     c:\program files\whitesmoketoolbar\chrome\content\lib\about.xml
     c:\program files\whitesmoketoolbar\chrome\content\lib\dtxpanel.xul
     c:\program files\whitesmoketoolbar\chrome\content\lib\dtxpanelwin.xul
     c:\program files\whitesmoketoolbar\chrome\content\lib\dtxprefwin.xul
     c:\program files\whitesmoketoolbar\chrome\content\lib\dtxwin.xul
     c:\program files\whitesmoketoolbar\chrome\content\lib\emailnotifierproviders.xml
c:\program files\whitesmoketoolbar\chrome\content\lib\external.js c:\program files\whitesmoketoolbar\chrome\content\lib\neterror.xhtml c:\program files\whitesmoketoolbar\chrome\content\lib\rsspreview.html c:\program files\whitesmoketoolbar\chrome\content\lib\rsswin.xml c:\program files\whitesmoketoolbar\chrome\content\lib\rsswin.xsl c:\program files\whitesmoketoolbar\chrome\content\lib\vmncode.js c:\program files\whitesmoketoolbar\chrome\content\lib\wmpstreamer.html c:\program files\whitesmoketoolbar\chrome\content\modules\datastore.jsm c:\program files\whitesmoketoolbar\chrome\content\neterror.xhtml c:\program files\whitesmoketoolbar\chrome\content\newtab\images\btn_search.gif c:\program files\whitesmoketoolbar\chrome\content\newtab\images\bullet.gif c:\program files\whitesmoketoolbar\chrome\content\newtab\images\field_bg.gif c:\program files\whitesmoketoolbar\chrome\content\newtab\images\powered_by_yahoo.gif c:\program files\whitesmoketoolbar\chrome\content\newtab\newtab.html c:\program files\whitesmoketoolbar\chrome\content\preferences.xml c:\program files\whitesmoketoolbar\chrome\content\toolbar.htm c:\program files\whitesmoketoolbar\chrome\content\toolbar.xul c:\program files\whitesmoketoolbar\chrome\content\vmncode.js c:\program files\whitesmoketoolbar\chrome\content\vmnrsswin.xml c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\css\dialog.css c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\bg.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\btn-wide-close-over.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\btn-wide-close.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\default.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\transparent.gif c:\program 
files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-left.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-mdl.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-right-resize.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\images\win-btm-right.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\main.html c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\skin\scripts\defscript.js c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\tb_icon.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\widget.jsw c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\widget.xml c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Facebook\widget_version.txt c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\css\twitter.css c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\btn-login-over.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\btn-login.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\btn-submit.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\loginbg.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\refresh-over.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\refresh.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom-disable.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom-down.png c:\program 
files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom-over.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrollbottom.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop-disable.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop-down.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop-over.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\scrolltop.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-off-l.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-off-r.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-on-l.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\tab-on-r.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\throbber.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\Thumbs.db c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\twitter-logo48.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\images\twitter_top.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\js\jquery.js c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\js\scripts.js c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\css\dialog.css c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\bg.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\btn-wide-close-over.png c:\program 
files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\btn-wide-close.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\default.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\transparent.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-left.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-mdl.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-right-resize.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\images\win-btm-right.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\main.html c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\skin\scripts\defscript.js c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\tb_icon.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\Thumbs.db c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\widget.jsw c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\widget.xml c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.Twitter\widget_version.txt c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\css\dialog.css c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\bg.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\btn-search.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\btn-wide-close-over.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\btn-wide-close.png c:\program 
files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\default.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\Thumbs.db c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\transparent.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-left.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-mdl.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-right-resize.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\images\win-btm-right.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\main.html c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\skin\scripts\defscript.js c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\tb_icon.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\widget.jsw c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\widget.xml c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.WebTV\widget_version.txt c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\css\dialog.css c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\arrow-grey.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\arrows_grey-left.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\arrows_grey-right.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\btn-search-over.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\btn-search.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\powered-by-youtube.gif c:\program 
files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollb-disable.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollb-down.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollb.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollt-disable.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollt-down.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\scrollt.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-off-l.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-off-r.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-on-l.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-on-r.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-over-l.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-over-r.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-red-left.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-red-mdl.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-red-right.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-white-left.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-white-mdl.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\tab-white-right.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\throbber.gif c:\program 
files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\Thumbs.db c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\vid-bg.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\images\youtube.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\index.html c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\js\jquery-1.3.2.min.js c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\js\jquery.autocomplete.min.js c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\css\dialog.css c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\bg.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\btn-search.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\btn-wide-close-over.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\btn-wide-close.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\default.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\Thumbs.db c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\transparent.gif c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-left.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-mdl.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-right-resize.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\images\win-btm-right.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\main.html c:\program 
files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\skin\scripts\defscript.js c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\tb_icon.png c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\widget.jsw c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\widget.xml c:\program files\whitesmoketoolbar\chrome\content\widgets\net.vmn.www.YouTube\widget_version.txt c:\program files\whitesmoketoolbar\chrome\data\dynamicElements\vmntoolbar.xsl c:\program files\whitesmoketoolbar\chrome\data\rss\rss.xml c:\program files\whitesmoketoolbar\chrome\data\search\engines.xml c:\program files\whitesmoketoolbar\chrome\data\search\search.xsl c:\program files\whitesmoketoolbar\chrome\data\weather\icons.xml c:\program files\whitesmoketoolbar\chrome\skin\634017460871087500_png c:\program files\whitesmoketoolbar\chrome\skin\about.gif c:\program files\whitesmoketoolbar\chrome\skin\babylon_logo.png c:\program files\whitesmoketoolbar\chrome\skin\bing_16x16.png c:\program files\whitesmoketoolbar\chrome\skin\bing_searchicon_20x22_spaced_hover_png c:\program files\whitesmoketoolbar\chrome\skin\bing_searchicon_20x22_spaced_png c:\program files\whitesmoketoolbar\chrome\skin\blank_png c:\program files\whitesmoketoolbar\chrome\skin\bluelite.gif c:\program files\whitesmoketoolbar\chrome\skin\bluesky.gif c:\program files\whitesmoketoolbar\chrome\skin\btn-search-over.png c:\program files\whitesmoketoolbar\chrome\skin\btn-search.png c:\program files\whitesmoketoolbar\chrome\skin\btn-settings-over.png c:\program files\whitesmoketoolbar\chrome\skin\btn-settings.png c:\program files\whitesmoketoolbar\chrome\skin\btn-widgets-over.png c:\program files\whitesmoketoolbar\chrome\skin\btn-widgets.png c:\program files\whitesmoketoolbar\chrome\skin\btn_settings.png c:\program files\whitesmoketoolbar\chrome\skin\ca.png c:\program files\whitesmoketoolbar\chrome\skin\checkMyText_png c:\program 
files\whitesmoketoolbar\chrome\skin\checkMyText_png_png c:\program files\whitesmoketoolbar\chrome\skin\dictionary.png c:\program files\whitesmoketoolbar\chrome\skin\Dictionary_png c:\program files\whitesmoketoolbar\chrome\skin\Dictionary_png_png c:\program files\whitesmoketoolbar\chrome\skin\divider.png c:\program files\whitesmoketoolbar\chrome\skin\downloadcom.png c:\program files\whitesmoketoolbar\chrome\skin\dtxlogo.png c:\program files\whitesmoketoolbar\chrome\skin\DTXWizard\skin\icon_library\Basics\folder.png c:\program files\whitesmoketoolbar\chrome\skin\email.png c:\program files\whitesmoketoolbar\chrome\skin\email_on.png c:\program files\whitesmoketoolbar\chrome\skin\eteacher_png c:\program files\whitesmoketoolbar\chrome\skin\facebook.png c:\program files\whitesmoketoolbar\chrome\skin\feed_icon_png c:\program files\whitesmoketoolbar\chrome\skin\feed_icon2_png c:\program files\whitesmoketoolbar\chrome\skin\france_png c:\program files\whitesmoketoolbar\chrome\skin\games.png c:\program files\whitesmoketoolbar\chrome\skin\games_png c:\program files\whitesmoketoolbar\chrome\skin\gamesIcon_png c:\program files\whitesmoketoolbar\chrome\skin\graphred0.png c:\program files\whitesmoketoolbar\chrome\skin\graphred0_5.png c:\program files\whitesmoketoolbar\chrome\skin\graphred1.png c:\program files\whitesmoketoolbar\chrome\skin\graphred1_5.png c:\program files\whitesmoketoolbar\chrome\skin\graphred2.png c:\program files\whitesmoketoolbar\chrome\skin\graphred2_5.png c:\program files\whitesmoketoolbar\chrome\skin\graphred3.png c:\program files\whitesmoketoolbar\chrome\skin\graphred3_5.png c:\program files\whitesmoketoolbar\chrome\skin\graphred4.png c:\program files\whitesmoketoolbar\chrome\skin\graphred4_5.png c:\program files\whitesmoketoolbar\chrome\skin\graphred5.png c:\program files\whitesmoketoolbar\chrome\skin\graphredna.png c:\program files\whitesmoketoolbar\chrome\skin\grey.gif c:\program files\whitesmoketoolbar\chrome\skin\ico-shield.png c:\program 
files\whitesmoketoolbar\chrome\skin\images.png c:\program files\whitesmoketoolbar\chrome\skin\italy_png c:\program files\whitesmoketoolbar\chrome\skin\lib\add.png c:\program files\whitesmoketoolbar\chrome\skin\lib\aol.png c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-dn.gif c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-right-disabled.gif c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-right.gif c:\program files\whitesmoketoolbar\chrome\skin\lib\arrow-up.gif c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-divider.png c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-end.png c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-mdl.png c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-mdl_ff.png c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btn-start.png c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-divider.png c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-end.png c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-mdl.png c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-mdl_ff.png c:\program files\whitesmoketoolbar\chrome\skin\lib\bg-btnover-start.png c:\program files\whitesmoketoolbar\chrome\skin\lib\blank.gif c:\program files\whitesmoketoolbar\chrome\skin\lib\btn-widgets-over.png c:\program files\whitesmoketoolbar\chrome\skin\lib\btn-widgets.png c:\program files\whitesmoketoolbar\chrome\skin\lib\btn_slider.png c:\program files\whitesmoketoolbar\chrome\skin\lib\btnback-down-vista.png c:\program files\whitesmoketoolbar\chrome\skin\lib\btnback-vista.png c:\program files\whitesmoketoolbar\chrome\skin\lib\btnleft-down-vista.png c:\program files\whitesmoketoolbar\chrome\skin\lib\btnleft-vista.png c:\program files\whitesmoketoolbar\chrome\skin\lib\btnright-down-vista.png c:\program files\whitesmoketoolbar\chrome\skin\lib\btnright-vista.png c:\program files\whitesmoketoolbar\chrome\skin\lib\button-splitter-down-vista.png c:\program 
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-30 )))))))))))))))))))))))))))))))
.
2010-11-29 20:32 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{89C59A06-5ED5-49EB-906D-CD64E859CFE8}\mpengine.dll
2010-11-28 17:14 . 2010-11-28 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
2010-11-28 17:13 . 2010-11-28 17:13 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-27 17:04 . 2010-11-27 17:04 0 ----a-w- c:\windows\system32\lsp1D.tmp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 21:20 . 2005-03-16 06:36 89680 ----a-w- c:\documents and settings\jss\MSSSerif120.fon
2010-11-10 04:33 . 2010-07-29 03:29 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-19 20:51 . 2010-07-27 04:42 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-10-05 04:19 . 2005-03-08 13:24 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-09-18 19:23 . 2004-08-11 23:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-11 23:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-11 23:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-11 23:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-11 23:00 285824 ----a-w- c:\windows\system32\atmfd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-23 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-23 507904]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-08 26112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-08 98304]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-8 24576]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:blizzard downloader

R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 12:13 PM 38144]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 2:12 PM 341504]
.
Contents of the 'Scheduled Tasks' folder

2010-11-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
TCP: {A2BD6FD4-0992-4CD3-8E08-0E5624296127} = 4.2.2.1
FF - ProfilePath - c:\documents and settings\jss\Application Data\Mozilla\Firefox\Profiles\igo20grf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-29 17:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1008)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
c:\windows\system32\igfxdev.dll
.
Completion time: 2010-11-29 17:59:05
ComboFix-quarantined-files.txt 2010-11-30 01:59
ComboFix2.txt 2010-11-29 20:30
ComboFix3.txt 2010-11-29 07:03

Pre-Run: 19,192,684,544 bytes free
Post-Run: 19,177,304,064 bytes free

- - End Of File - - B5253923AF38063BC4059034D2B146C5
Security Update for Windows XP (KB981852) Security Update for Windows XP (KB981957) Security Update for Windows XP (KB981997) Security Update for Windows XP (KB982132) Security Update for Windows XP (KB982214) Security Update for Windows XP (KB982665) Security Update for Windows XP (KB982802) Sonic DLA Sonic RecordNow! Sonic Update Manager Spybot - Search & Destroy Starcraft Synaptics Pointing Device Driver Texas Instruments PCIxx20 drivers. Torchlight Trillian Update for Windows Internet Explorer 8 (KB975364) Update for Windows Internet Explorer 8 (KB976662) Update for Windows XP (KB2141007) Update for Windows XP (KB2345886) Update for Windows XP (KB951072-v2) Update for Windows XP (KB951978) Update for Windows XP (KB955759) Update for Windows XP (KB967715) Update for Windows XP (KB968389) Update for Windows XP (KB971737) Update for Windows XP (KB973687) Update for Windows XP (KB973815) Viewpoint Media Player WebFldrs XP Windows Genuine Advantage Notifications (KB905474) Windows Genuine Advantage v1.3.0254.0 Windows Genuine Advantage Validation Tool (KB892130) Windows Internet Explorer 7 Windows Internet Explorer 8 Windows XP Service Pack 3 WinRAR archiver WordPerfect Office 12 XviD MPEG-4 Video Codec ----------------------------------------
  10. How many machines does the Pro license cover? Just one? Oh, and is Fry's the only retail store carrying Malwarebytes? Thanks.
  11. WhiteSmoke seems to have uninstalled fine; it tried to go online to a page via IE, but I had wireless turned off at the hardware level and closed IE out. I did get an AP/dll error in Windows after the uninstall (the Add/Remove screen froze till I closed it out). Then I ran ComboFix with the custom commands file. Also, MSE found another trojan last night and cleaned it on boot-up today, a Dynamer!dtc. That was before uninstalling WhiteSmoke and running CF. -----------------------
ComboFix 10-11-28.03 - jss 11/29/2010 12:24:04.2.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262.823 [GMT -8:00] Running from: c:\documents and settings\jss\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\jss\Desktop\CFScript.txt AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 ))))))))))))))))))))))))))))))) . 2010-11-29 07:17 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{2CDA4681-E533-4CFA-AA74-2A7EFFDA6FD0}\mpengine.dll 2010-11-28 21:45 . 2010-11-29 20:18 -------- d-----w- c:\documents and settings\jss\Application Data\whitesmoketoolbar 2010-11-28 17:14 . 2010-11-28 17:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WhiteSmokeTranslator 2010-11-28 17:14 . 2010-11-28 17:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar 2010-11-28 17:14 . 2010-11-28 17:14 -------- d-----w- c:\program files\whitesmoketoolbar 2010-11-28 17:14 . 2010-11-28 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla 2010-11-28 17:13 . 2010-11-28 17:13 -------- d-----w- c:\windows\system32\%APPDATA% 2010-11-27 17:04 . 
2010-11-27 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\nOjOh02094 2010-11-27 17:04 . 2010-11-27 17:04 0 ----a-w- c:\windows\system32\lsp1D.tmp . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-10 04:33 . 2010-07-29 03:29 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2010-10-19 20:51 . 2010-07-27 04:42 222080 ------w- c:\windows\system32\MpSigStub.exe 2010-10-05 04:19 . 2005-03-08 13:24 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys 2010-09-18 19:23 . 2004-08-11 23:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2004-08-11 23:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2004-08-11 23:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2004-08-11 23:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 2004-08-11 23:00 285824 ----a-w- c:\windows\system32\atmfd.dll . (((((((((((((((((((((((((((((((((((((((((((( Look ))))))))))))))))))))))))))))))))))))))))))))))))))))))))) . ---- Directory of c:\documents and settings\All Users\Application Data\nOjOh02094 ---- 2010-11-27 17:04 . 2010-11-27 17:13 112 ----a-w- c:\documents and settings\All Users\Application Data\nOjOh02094\nOjOh02094 ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52794457-af6c-4c50-9def-f2e24f4c8889}] 2010-11-28 17:13 81920 ----a-w- c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{52794457-af6c-4c50-9def-f2e24f4c8889}"= "c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll" [2010-11-28 81920] [HKEY_CLASSES_ROOT\clsid\{52794457-af6c-4c50-9def-f2e24f4c8889}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-23 98304] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-23 507904] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-08 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-08 98304] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688] "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] c:\documents and settings\All Users\Start 
Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-8 24576] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] 2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Starcraft\\StarCraft.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader "6112:TCP"= 6112:TCP:blizzard downloader R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 12:13 PM 38144] S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 2:12 PM 341504] . Contents of the 'Scheduled Tasks' folder 2010-11-29 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz TCP: {A2BD6FD4-0992-4CD3-8E08-0E5624296127} = 4.2.2.1 FF - ProfilePath - c:\documents and settings\jss\Application Data\Mozilla\Firefox\Profiles\igo20grf.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} . 
************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-29 12:28 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1008) c:\program files\Intel\Wireless\Bin\LgNotify.dll c:\windows\system32\igfxdev.dll - - - - - - - > 'explorer.exe'(3760) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . 
Completion time: 2010-11-29 12:30:09 ComboFix-quarantined-files.txt 2010-11-29 20:30 ComboFix2.txt 2010-11-29 07:03 Pre-Run: 19,197,755,392 bytes free Post-Run: 19,183,939,584 bytes free - - End Of File - - F66496CB5CA53DBD7B637C8C1A4C8C1A
  12. Thanks for the reply! ComboFix seemed to work fine but hit a snag. It downloaded an updated version and the console fine. There was a Generic Host Process error while it was first creating a restore point. It did lead to a blue screen on a reboot but seemed to pick up just fine after a power off/on via the switch. The damn WhiteSmoke Translator splash screen popped up after the final reboot; I waited until the log file had been created and CF closed to kill it via Task Manager. Log file:
ComboFix 10-11-28.03 - jss 11/28/2010 22:47:49.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1262.811 [GMT -8:00] Running from: c:\documents and settings\jss\Desktop\ComboFix.exe AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\jss\Local Settings\Temporary Internet Files\cookies.sqlite c:\windows\system32\bszip.dll . \\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_FAD ((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 ))))))))))))))))))))))))))))))) . 2010-11-28 21:45 . 2010-11-28 21:45 -------- d-----w- c:\documents and settings\jss\Application Data\whitesmoketoolbar 2010-11-28 17:14 . 2010-11-28 17:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\WhiteSmokeTranslator 2010-11-28 17:14 . 2010-11-28 17:14 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar 2010-11-28 17:14 . 2010-11-28 17:14 -------- d-----w- c:\program files\whitesmoketoolbar 2010-11-28 17:14 . 2010-11-28 17:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla 2010-11-28 17:13 . 
2010-11-28 17:13 -------- d-----w- c:\program files\WhiteSmoke Translator 2010-11-28 17:13 . 2010-11-28 17:13 -------- d-----w- c:\windows\system32\%APPDATA% 2010-11-27 18:29 . 2010-11-10 04:33 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B6A7545E-A4FE-42B7-8C01-6534099AE6F5}\mpengine.dll 2010-11-27 17:04 . 2010-11-27 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\nOjOh02094 2010-11-27 17:04 . 2010-11-27 17:04 0 ----a-w- c:\windows\system32\lsp1D.tmp . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-11-10 04:33 . 2010-07-29 03:29 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll 2010-10-19 20:51 . 2010-07-27 04:42 222080 ------w- c:\windows\system32\MpSigStub.exe 2010-10-05 04:19 . 2005-03-08 13:24 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys 2010-09-18 19:23 . 2004-08-11 23:00 974848 ----a-w- c:\windows\system32\mfc42u.dll 2010-09-18 06:53 . 2004-08-11 23:00 974848 ----a-w- c:\windows\system32\mfc42.dll 2010-09-18 06:53 . 2004-08-11 23:00 954368 ----a-w- c:\windows\system32\mfc40.dll 2010-09-18 06:53 . 2004-08-11 23:00 953856 ----a-w- c:\windows\system32\mfc40u.dll 2010-09-10 05:58 . 2004-08-11 23:00 916480 ----a-w- c:\windows\system32\wininet.dll 2010-09-10 05:58 . 2004-08-11 23:00 43520 ----a-w- c:\windows\system32\licmgr10.dll 2010-09-10 05:58 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl 2010-09-01 11:51 . 2004-08-11 23:00 285824 ----a-w- c:\windows\system32\atmfd.dll 2010-08-31 13:42 . 2004-08-11 23:00 1852800 ----a-w- c:\windows\system32\win32k.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{52794457-af6c-4c50-9def-f2e24f4c8889}] 2010-11-28 17:13 81920 ----a-w- c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{52794457-af6c-4c50-9def-f2e24f4c8889}"= "c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll" [2010-11-28 81920] [HKEY_CLASSES_ROOT\clsid\{52794457-af6c-4c50-9def-f2e24f4c8889}] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-04-23 98304] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-04-23 507904] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024] "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016] "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592] "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-03-08 26112] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-03-08 98304] "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688] "MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-15 1094224] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160] c:\documents and settings\All Users\Start 
Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-3-8 24576] Launch Whitesmoke Translator.lnk - c:\program files\WhiteSmoke Translator\WSTrayDictMode.exe [2010-11-28 671744] QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] 2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Starcraft\\StarCraft.exe"= "c:\\Program Files\\Trillian\\trillian.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader "6112:TCP"= 6112:TCP:blizzard downloader R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 12:13 PM 38144] S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 2:12 PM 341504] . Contents of the 'Scheduled Tasks' folder 2010-11-29 c:\windows\Tasks\MP Scheduled Scan.job - c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2010-03-26 04:40] . . ------- Supplementary Scan ------- . 
uStart Page = hxxp://www.google.com/ uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> TCP: {A2BD6FD4-0992-4CD3-8E08-0E5624296127} = 4.2.2.1 FF - ProfilePath - c:\documents and settings\jss\Application Data\Mozilla\Firefox\Profiles\igo20grf.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava11.dll FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava12.dll FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava13.dll FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava14.dll FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJava32.dll FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPJPI142_03.dll FF - plugin: c:\program files\Java\j2re1.4.2_03\bin\NPOJI610.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} . - - - - ORPHANS REMOVED - - - - AddRemove-Total Annihilation - c:\cavedog\TOTALA\setup.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-11-28 22:58 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(1008) c:\program files\Intel\Wireless\Bin\LgNotify.dll - - - - - - - > 'explorer.exe'(2628) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Microsoft Security Essentials\MsMpEng.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\program files\Intel\Wireless\Bin\WLKeeper.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Canon\CAL\CALMAIN.exe c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe c:\windows\system32\wscntfy.exe c:\progra~1\Intel\Wireless\Bin\1XConfig.exe c:\windows\system32\igfxsrvc.exe c:\program files\WhiteSmoke Translator\WhiteSmokeDictRegistration.exe . ************************************************************************** . Completion time: 2010-11-28 23:03:39 - machine was rebooted ComboFix-quarantined-files.txt 2010-11-29 07:03 Pre-Run: 18,696,278,016 bytes free Post-Run: 19,089,178,624 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - BB9BC98CE33B56AD85D43CFA9192C332
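The helpers in this thread keyed on a handful of indicators buried in the pasted logs: the IE proxy pointed at 127.0.0.1:5555, the WhiteSmoke BHO/toolbar DLL living in a directory that had just appeared in the "Created Last 30" list, a literal `%APPDATA%` directory under system32 (an installer that never expanded its variable), and Gmer's "user != kernel MBR" mismatch that precedes the TDL4 verdict. The script below pulls those out of DDS / mbr.exe-style output automatically. It is an added example written for this page; it is not code from the thread, from Malwarebytes or from any tool named above. The sample log is constructed from excerpts of the logs posted here, the DDS line formats it parses are those visible in post 13, and the "random-looking directory" heuristic and the severity labels are my own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: excerpts in the DDS "Pseudo HJT Report" / "Created Last 30"
# layout and one line of Gmer mbr.exe output, as pasted in the thread above.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
=============== Created Last 30 ================
2010-11-28 17:14:10 -------- d-----w- c:\program files\whitesmoketoolbar
2010-11-28 17:13:50 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-27 17:04:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\nOjOh02094
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
"""


@dataclass
class Finding:
    severity: str   # "high" = act on it, "review" = needs a human look (my labels)
    category: str
    detail: str


# DDS line shapes: "BHO: <name>: {clsid} - <path>", "TB: ..." for toolbars.
BHO_RE = re.compile(r"^(BHO|TB): (.+?): (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# "Created Last 30" entry whose attribute column starts with 'd' (a directory).
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\S+\s+d\S+\s+(.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
ENVVAR_RE = re.compile(r"%[A-Za-z_]+%")
# Heuristic (assumption): a leaf name mixing letters and digits with no separators.
RANDOMISH_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]+$")


def parse_created_dirs(lines):
    """Lower-cased directory paths from the 'Created Last 30' section."""
    return [m.group(1).strip().lower() for line in lines if (m := CREATED_RE.match(line))]


def triage(log_text):
    lines = [l.rstrip() for l in log_text.splitlines() if l.strip()]
    new_dirs = parse_created_dirs(lines)
    findings = []
    for line in lines:
        if m := PROXY_RE.match(line):
            # A proxy on loopback means something local is sitting in the browser's path.
            if "127.0.0.1" in m.group(1) or "localhost" in m.group(1).lower():
                findings.append(Finding("high", "local-proxy", line))
        elif m := BHO_RE.match(line):
            kind, name, clsid, path = m.groups()
            # Correlate: browser extension whose DLL lives in a directory created recently.
            if any(path.strip().lower().startswith(d + "\\") for d in new_dirs):
                findings.append(Finding("review", "bho-in-new-dir",
                                        f"{kind} {name} {clsid} -> {path.strip()}"))
        elif m := CREATED_RE.match(line):
            path = m.group(1).strip()
            leaf = path.rsplit("\\", 1)[-1]
            if ENVVAR_RE.search(path):
                # An unexpanded variable used as a directory name is never a legitimate install.
                findings.append(Finding("high", "unexpanded-envvar-dir", path))
            elif RANDOMISH_RE.match(leaf):
                findings.append(Finding("review", "random-looking-dir", path))
        if "user != kernel MBR" in line:
            # Gmer's MBR detector: what user mode reads differs from what the kernel reads.
            findings.append(Finding("high", "mbr-mismatch", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.category:22} {f.detail}")
```

Run it against a saved DDS log (`triage(open("dds.txt").read())`) before posting; it replaces none of the tools above, it only makes the first read of a 200-line log faster. The mbr.exe fix (`mbr.exe -f`) and ComboFix's TDL4 disinfection are still what actually remove the bootkit.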
  13. Long story short: WhiteSmoke Translator software auto-installed, nothing shows up on basic scans, but I'm getting browser search redirects as well. ------- This is not my weekend. I get two family/friends laptops laden with spyware/hardware issues to fix and now my own laptop has had trojan/malware issues since yesterday. I always update Java/Adobe stuff, so either that or I got something from the laptops while working on them. Gonna be watching this desktop now. I thought I'd cleared everything off yesterday but apparently something is hidden still. Earlier this morning I had WhiteSmoke Translator auto-install on my machine while web surfing, and I'm getting Google/link redirects while surfing in Firefox. As of this posting, MSE finds nothing, MBM finds nothing, Spybot found nothing. TDSS says it found a rootkit but I skipped repairing it for now. I also have an OTL log and am running GMER now. Advice appreciated on the best procedure to get rid of this and WhiteSmoke (it offers an uninstall in the Start menu and the Add/Remove Programs list). 
TIA ---------- MBM, DDS, TDSS logs below: Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 5202 Windows 5.1.2600 Service Pack 3 (Safe Mode) Internet Explorer 8.0.6001.18702 11/28/2010 9:38:31 AM mbam-log-2010-11-28 (09-38-31).txt Scan type: Quick scan Objects scanned: 171594 Time elapsed: 19 minute(s), 49 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) ----------------------------------------- DDS (Ver_10-11-27.01) - NTFSx86 MINIMAL Run by jss at 12:35:45.74 on Sun 11/28/2010 Internet Explorer: 8.0.6001.18702 ============== Running Processes =============== c:\Program Files\Microsoft Security Essentials\MsMpEng.exe C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\rundll32.exe C:\Program Files\Microsoft Security Essentials\msseces.exe C:\WINDOWS\system32\igfxsrvc.exe C:\misctemp\MalUtil\dds.scr C:\WINDOWS\system32\svchost.exe -k netsvcs ============== Pseudo HJT Report =============== uStart Page = hxxp://www.google.com/ uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz uInternet Settings,ProxyServer = http=127.0.0.1:5555 uInternet Settings,ProxyOverride = <local> BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: WhiteSmoke Toolbar: 
{52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
TB: WhiteSmoke Toolbar: {52794457-af6c-4c50-9def-f2e24f4c8889} - c:\program files\whitesmoketoolbar\whitesmoketoolbarX.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]
mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120083630481
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {A2BD6FD4-0992-4CD3-8E08-0E5624296127} = 4.2.2.1
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jss\applic~1\mozilla\firefox\profiles\igo20grf.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

============= SERVICES / DRIVERS ===============

R? EAPPkt;Realtek EAPPkt Protocol
R? MpFilter;Microsoft Malware Protection Driver
R? RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver

=============== Created Last 30 ================

2010-11-28 17:14:10 -------- d-----w- c:\program files\whitesmoketoolbar
2010-11-28 17:13:57 -------- d-----w- c:\program files\WhiteSmoke Translator
2010-11-28 17:13:50 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-27 18:29:29 6273872 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{b6a7545e-a4fe-42b7-8c01-6534099ae6f5}\mpengine.dll
2010-11-27 17:04:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\nOjOh02094
2010-11-27 17:04:34 0 ----a-w- c:\windows\system32\lsp1D.tmp

==================== Find3M ====================

2010-10-19 20:51:33 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-18 19:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400VE-75HDT0 rev.09.07D09 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A015446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a01b504]; MOV EAX, [0x8a01b580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A05AAB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000078[0x8A044968]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E37D5] -> [0x8A043940]
\Driver\atapi[0x89FDF030] -> IRP_MJ_CREATE -> 0x8A015446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400VE-75HDT0______________________09.07D09#5&2bb2d393&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A015292
user != kernel MBR !!!
sectors 78140158 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 12:39:18.04 ===============

2010/11/28 12:32:06.0403 TDSS rootkit removing tool 2.4.9.0 Nov 26 2010 15:38:31
2010/11/28 12:32:06.0403 ================================================================================
2010/11/28 12:32:06.0403 SystemInfo:
2010/11/28 12:32:06.0403
2010/11/28 12:32:06.0403 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/28 12:32:06.0403 Product type: Workstation
2010/11/28 12:32:06.0403 ComputerName: BEBOPM
2010/11/28 12:32:06.0403 UserName: jss
2010/11/28 12:32:06.0403 Windows directory: C:\WINDOWS
2010/11/28 12:32:06.0403 System windows directory: C:\WINDOWS
2010/11/28 12:32:06.0403 Processor architecture: Intel x86
2010/11/28 12:32:06.0403 Number of processors: 1
2010/11/28 12:32:06.0403 Page size: 0x1000
2010/11/28 12:32:06.0403 Boot type: Safe boot
2010/11/28 12:32:06.0403 ================================================================================
2010/11/28 12:32:06.0793 Initialize success
2010/11/28 12:32:09.0948 ================================================================================
2010/11/28 12:32:09.0948 Scan started
2010/11/28 12:32:09.0948 Mode: Manual;
2010/11/28 12:32:09.0948 ================================================================================
2010/11/28 12:32:14.0124 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/11/28 12:32:14.0454 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/28 12:32:14.0745 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/11/28 12:32:15.0005 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/11/28 12:32:15.0335 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/28 12:32:15.0646 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/11/28 12:32:15.0966 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/28 12:32:16.0297 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/11/28 12:32:16.0597 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/11/28 12:32:16.0878 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/11/28 12:32:17.0118 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/11/28 12:32:17.0378 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/11/28 12:32:17.0729 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/11/28 12:32:18.0019 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/11/28 12:32:18.0460 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/11/28 12:32:18.0700 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/11/28 12:32:19.0001 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/28 12:32:19.0281 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/11/28 12:32:19.0572 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/11/28 12:32:19.0842 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/11/28 12:32:20.0142 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2010/11/28 12:32:20.0453 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/28 12:32:20.0743 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/28 12:32:21.0224 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/28 12:32:21.0524 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/28 12:32:21.0815 bcm4sbxp (78123f44be9e4768852a3a017e02d637) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2010/11/28 12:32:22.0055 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/28 12:32:22.0556 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/11/28 12:32:22.0816 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/28 12:32:23.0157 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/11/28 12:32:23.0387 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/28 12:32:23.0667 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/28 12:32:23.0958 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/28 12:32:24.0439 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/11/28 12:32:24.0699 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/11/28 12:32:25.0039 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/28 12:32:25.0360 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/11/28 12:32:25.0670 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/11/28 12:32:25.0931 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/11/28 12:32:25.0951 Scan interrupted by user!
2010/11/28 12:32:25.0951 Scan interrupted by user!
2010/11/28 12:32:25.0951 ================================================================================
2010/11/28 12:32:25.0951 Scan finished
2010/11/28 12:32:25.0951 ================================================================================
2010/11/28 12:32:32.0200 ================================================================================
2010/11/28 12:32:32.0200 Scan started
2010/11/28 12:32:32.0200 Mode: Manual;
2010/11/28 12:32:32.0200 ================================================================================
2010/11/28 12:32:33.0191 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/11/28 12:32:33.0482 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/28 12:32:33.0712 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2010/11/28 12:32:33.0962 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/11/28 12:32:34.0263 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/28 12:32:34.0553 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/11/28 12:32:34.0924 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/28 12:32:35.0204 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/11/28 12:32:35.0444 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/11/28 12:32:35.0665 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/11/28 12:32:35.0895 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/11/28 12:32:36.0125 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/11/28 12:32:36.0376 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/11/28 12:32:36.0626 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/11/28 12:32:36.0876 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/11/28 12:32:37.0097 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/11/28 12:32:37.0357 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/11/28 12:32:37.0628 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/11/28 12:32:37.0928 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/11/28 12:32:38.0168 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/11/28 12:32:38.0409 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys
2010/11/28 12:32:38.0709 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/28 12:32:38.0979 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/28 12:32:39.0470 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/28 12:32:39.0761 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/28 12:32:40.0061 bcm4sbxp (78123f44be9e4768852a3a017e02d637) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2010/11/28 12:32:40.0301 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/28 12:32:40.0782 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/11/28 12:32:41.0012 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/28 12:32:41.0273 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/11/28 12:32:41.0493 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/28 12:32:41.0733 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/28 12:32:41.0984 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/28 12:32:42.0454 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2010/11/28 12:32:42.0685 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/11/28 12:32:42.0895 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2010/11/28 12:32:43.0145 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/11/28 12:32:43.0426 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/11/28 12:32:43.0636 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/11/28 12:32:43.0927 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/28 12:32:44.0407 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/28 12:32:44.0898 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/11/28 12:32:45.0238 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/28 12:32:45.0519 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/28 12:32:45.0829 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/11/28 12:32:46.0100 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/28 12:32:46.0380 drvmcdb (e814854e6b246ccf498874839ab64d77) C:\WINDOWS\system32\drivers\drvmcdb.sys
2010/11/28 12:32:46.0691 drvnddm (ee83a4ebae70bc93cf14879d062f548b) C:\WINDOWS\system32\drivers\drvnddm.sys
2010/11/28 12:32:46.0961 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/11/28 12:32:47.0291 EAPPkt (c47e7c5e7410c7de98f7219e3008c23d) C:\WINDOWS\system32\DRIVERS\EAPPkt.sys
2010/11/28 12:32:47.0642 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/28 12:32:47.0942 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/28 12:32:48.0173 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/28 12:32:48.0443 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/11/28 12:32:48.0723 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/28 12:32:49.0004 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/28 12:32:49.0244 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/28 12:32:49.0545 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/28 12:32:49.0805 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/28 12:32:50.0105 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/11/28 12:32:50.0416 HPZid412 (863cc3a82c63c9f60acf2e85d5310620) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/11/28 12:32:50.0696 HPZipr12 (08cb72e95dd75b61f2966b311d0e4366) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/11/28 12:32:51.0017 HPZius12 (ca990306ed4ef732af9695bff24fc96f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/11/28 12:32:51.0307 HSFHWICH (c2a7d9109b7f10a455d13b2432837b16) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
2010/11/28 12:32:51.0868 HSF_DP (9a0d0c461ef2b3d80cb7875b4b995e47) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2010/11/28 12:32:52.0559 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/28 12:32:52.0879 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/11/28 12:32:53.0120 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/11/28 12:32:53.0380 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/28 12:32:53.0991 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/11/28 12:32:54.0572 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/28 12:32:54.0842 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/11/28 12:32:55.0163 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/11/28 12:32:55.0403 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/11/28 12:32:55.0653 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/28 12:32:55.0924 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/28 12:32:56.0184 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/28 12:32:56.0475 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/28 12:32:56.0765 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/28 12:32:57.0025 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/28 12:32:57.0316 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/28 12:32:57.0676 IWCA (872d090ca5c306f62d1982bce6302376) C:\WINDOWS\system32\DRIVERS\iwca.sys
2010/11/28 12:32:57.0997 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/28 12:32:58.0287 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/28 12:32:58.0598 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/28 12:32:59.0148 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2010/11/28 12:32:59.0399 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/28 12:32:59.0669 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/28 12:32:59.0920 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/28 12:33:00.0160 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/28 12:33:00.0430 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/28 12:33:00.0721 MpFilter (c98301ad8173a2235a9ab828955c32bb) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2010/11/28 12:33:01.0061 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/11/28 12:33:01.0362 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/28 12:33:01.0782 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/28 12:33:02.0173 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/28 12:33:02.0463 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/28 12:33:02.0744 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/28 12:33:03.0054 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/28 12:33:03.0355 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/28 12:33:03.0655 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/28 12:33:03.0975 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/28 12:33:04.0246 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/28 12:33:04.0516 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/28 12:33:04.0767 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/28 12:33:05.0057 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/28 12:33:05.0297 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/28 12:33:05.0608 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/28 12:33:05.0978 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/11/28 12:33:06.0229 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/28 12:33:06.0629 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/28 12:33:07.0040 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/28 12:33:07.0801 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/28 12:33:08.0602 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/28 12:33:08.0872 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/28 12:33:09.0153 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/11/28 12:33:09.0443 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys
2010/11/28 12:33:09.0734 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/28 12:33:09.0984 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/28 12:33:10.0214 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/28 12:33:10.0435 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/28 12:33:10.0885 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/28 12:33:11.0136 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2010/11/28 12:33:12.0247 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/11/28 12:33:12.0518 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/11/28 12:33:12.0848 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/28 12:33:13.0109 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/28 12:33:13.0349 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/28 12:33:13.0579 PxHelp20 (30cbae0a34359f1cd19d1576245149ed) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/28 12:33:13.0880 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/11/28 12:33:14.0130 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/11/28 12:33:14.0380 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/11/28 12:33:14.0631 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/11/28 12:33:14.0881 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/11/28 12:33:15.0121 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/28 12:33:15.0402 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/28 12:33:15.0662 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/28 12:33:15.0893 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/28 12:33:16.0183 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/28 12:33:16.0453 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/28 12:33:16.0774 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/28 12:33:17.0224 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/28 12:33:17.0575 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/28 12:33:18.0016 RTL8187B (de4635e8b7975d2b5d961299469a7462) C:\WINDOWS\system32\DRIVERS\wg111v3.sys
2010/11/28 12:33:18.0376 s24trans (81aa6f0d6a2be1c550f814b036215888) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2010/11/28 12:33:18.0697 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/28 12:33:19.0047 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/28 12:33:19.0307 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/28 12:33:19.0578 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/28 12:33:20.0109 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/11/28 12:33:20.0389 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/11/28 12:33:20.0659 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/28 12:33:20.0920 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/28 12:33:21.0290 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/28 12:33:21.0671 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2010/11/28 12:33:21.0971 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2010/11/28 12:33:22.0282 STAC97 (5813d453ef8ce49d607c255cf128aceb) C:\WINDOWS\system32\drivers\stac97.sys
2010/11/28 12:33:22.0632 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/28 12:33:22.0923 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/28 12:33:23.0243 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/11/28 12:33:23.0483 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/11/28 12:33:23.0724 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/11/28 12:33:23.0954 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/11/28 12:33:24.0295 SynTP (36460e94bbb8c1a1a1c22e45a28fb955) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2010/11/28 12:33:24.0595 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/28 12:33:25.0026 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/28 12:33:25.0376 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/28 12:33:25.0607 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/28 12:33:25.0857 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/28 12:33:26.0157 tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys
2010/11/28 12:33:26.0388 tfsncofs (fb9d825bb4a2abdf24600f7505050e2b) C:\WINDOWS\system32\dla\tfsncofs.sys
2010/11/28 12:33:26.0598 tfsndrct (cafd8cca11aa1e8b6d2ea1ba8f70ec33) C:\WINDOWS\system32\dla\tfsndrct.sys
2010/11/28 12:33:26.0898 tfsndres (8db1e78fbf7c426d8ec3d8f1a33d6485) C:\WINDOWS\system32\dla\tfsndres.sys
2010/11/28 12:33:27.0159 tfsnifs (b92f67a71cc8176f331b8aa8d9f555ad) C:\WINDOWS\system32\dla\tfsnifs.sys
2010/11/28 12:33:27.0399 tfsnopio (85985faa9a71e2358fcc2edefc2a3c5c) C:\WINDOWS\system32\dla\tfsnopio.sys
2010/11/28 12:33:27.0609 tfsnpool (bba22094f0f7c210567efdaf11f64495) C:\WINDOWS\system32\dla\tfsnpool.sys
2010/11/28 12:33:27.0900 tfsnudf (81340bef80b9811e98ce64611e67e3ff) C:\WINDOWS\system32\dla\tfsnudf.sys
2010/11/28 12:33:28.0210 tfsnudfa (c035fd116224ccc8325f384776b6a8bb) C:\WINDOWS\system32\dla\tfsnudfa.sys
2010/11/28 12:33:28.0591 tifm (2ed3f87d603df22e776b0097c8c7fe3e) C:\WINDOWS\system32\drivers\tifm.sys
2010/11/28 12:33:28.0881 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/11/28 12:33:29.0182 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/28 12:33:29.0462 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/11/28 12:33:29.0833 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/28 12:33:30.0193 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/11/28 12:33:30.0453 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/28 12:33:30.0704 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/28 12:33:30.0944 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/28 12:33:31.0215 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/28 12:33:31.0485 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/28 12:33:31.0755 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/28 12:33:31.0976 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/11/28 12:33:32.0236 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/28 12:33:32.0516 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/11/28 12:33:32.0817 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/11/28 12:33:33.0117 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/28 12:33:34.0279 w29n51 (f0f902220910c4fbe42a51964bd33599) C:\WINDOWS\system32\DRIVERS\w29n51.sys
2010/11/28 12:33:35.0471 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/28 12:33:36.0182 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/28 12:33:36.0672 winachsf (ce545a84bf3411e7516fa8da51ad9d93) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2010/11/28 12:33:37.0444 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/11/28 12:33:37.0614 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/11/28 12:33:37.0654 ================================================================================
2010/11/28 12:33:37.0654 Scan finished
2010/11/28 12:33:37.0654 ================================================================================
2010/11/28 12:33:37.0694 Detected object count: 1
2010/11/28 12:34:22.0809 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Skip
2010/11/28 12:34:40.0224 Deinitialize success
-------------------