TMD
Members-
Posts
19 -
Joined
-
Last visited
Reputation
0 Neutral-
Greetings, Please help. The items on my desktop have vanished!?! I also have no item on the right side of the menu when I press the start button. I have attached dds logs and will await your next move. dds.txt attach.txt
-
I picked up some Malware about 2 weeks ago, ran MBAM in safe mode and it seemed to clear it up. Windows XP F-Secure - Charter Security Suite
-
I can not download windows updates from the Microsoft website. The automatic updates are turned on in my system but I keep getting a popup on my taskbar that says WU is off. Any help would be appreciated.
-
LD, New CF log: ComboFix 11-02-08.02 - tmd 02/08/2011 21:09:14.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.848 [GMT -5:00] Running from: c:\documents and settings\tmd\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\tmd\Desktop\CFScript.txt AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} AV: Charter Security Suite 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15} FW: Charter Security Suite 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4} FILE :: "c:\program files\Yontoo Layers Client\YontooIEClient.dll" file zipped: c:\documents and settings\tmd\Application Data\Microsoft\gb_51203.bat . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\tmd\Application Data\Microsoft\gb_51203.bat c:\program files\Yontoo Layers Client c:\program files\Yontoo Layers Client\YontooIEClient.dll . ((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 ))))))))))))))))))))))))))))))) . 2011-02-08 00:39 . 2011-02-08 00:39 -------- d-----w- c:\program files\ESET 2011-02-06 13:49 . 2011-02-06 13:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-02-04 21:41 . 2011-02-04 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer 2011-02-04 21:41 . 2011-02-06 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\pEkNnFp15400 2011-02-04 13:33 . 2011-02-04 13:33 -------- d-----w- c:\documents and settings\tmd\Application Data\Malwarebytes 2011-02-04 13:32 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-02-04 13:32 . 2011-02-04 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-02-04 13:32 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-04 13:32 . 2011-02-06 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-02-04 13:26 . 2011-02-04 13:26 -------- d-----w- c:\windows\system32\wbem\Repository 2011-02-04 13:04 . 2011-02-04 13:41 -------- d-s---w- c:\documents and settings\NetworkService\UserData . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-02 02:27 . 2011-01-02 02:27 1409 ----a-w- c:\windows\QTFont.for 2010-12-16 20:28 . 2010-08-09 02:01 82120 ----a-w- c:\windows\system32\drivers\fsdfw.sys 2010-12-15 13:06 . 2010-08-09 02:02 42664 ----a-w- c:\windows\system32\drivers\fsbts.sys 2010-11-18 18:12 . 2010-08-08 23:53 81920 ----a-w- c:\windows\system32\isign32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] c:\documents and settings\tmd\Start Menu\Programs\Startup\ eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2010-7-2 656896] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472] HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [8/8/2010 9:02 PM 42664] R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [8/8/2010 9:01 PM 82120] R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Charter Security Suite\HIPS\drivers\fshs.sys [8/8/2010 9:01 PM 68064] R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [9/5/2010 4:13 PM 401920] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys [8/8/2010 9:01 PM 130728] R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe [8/8/2010 9:01 PM 63992] S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [8/8/2010 7:09 PM 69692] S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsfilter.sys [8/8/2010 9:01 PM 39776] S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsrec.sys [8/8/2010 9:01 PM 25184] --- Other Services/Drivers In Memory --- *NewlyCreated* - CFCATCHME *Deregistered* - CFcatchme . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 LSP: c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL Trusted Zone: intuit.com\ttlc FF - ProfilePath - c:\documents and settings\tmd\Application Data\Mozilla\Firefox\Profiles\2q1d9hkn.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.search.selectedengine - Bing FF - prefs.js: browser.startup.homepage - hxxp://home.iwon.com/iwon-homepage/home.jhtml FF - prefs.js: keyword.URL - hxxp://www.zstart.com/s/?site=Bing&src=FF-Address&q= FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Browsing Protection: litmus-ff@f-secure.com - c:\program files\Charter Security Suite\NRS\litmus-ff@f-secure.com FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Myibay Firefox extension: firefox1@myibay.com - %profile%\extensions\firefox1@myibay.com FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com . - - - - ORPHANS REMOVED - - - - HKLM-Run-EfficientStickyNotes - (no file) ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-02-08 21:18 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(516) c:\windows\system32\Ati2evxx.dll c:\program files\charter security suite\hips\fshook32.dll - - - - - - - > 'lsass.exe'(572) c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL c:\program files\charter security suite\hips\fshook32.dll . Completion time: 2011-02-08 21:22:34 ComboFix-quarantined-files.txt 2011-02-09 02:22 ComboFix2.txt 2011-02-09 00:38 Pre-Run: 140,306,980,864 bytes free Post-Run: 140,294,176,768 bytes free - - End Of File - - 8F5C30E2C9D399DDB13891EB9A277CF5 TMD
-
LD, The Charter Suite no longer shows in the taskbar. The computer is quick with no excessive CPU noted. The intrusion captured some CC#'s and other personal data. Is there protection strong enough to avoid this scenario again? Let me know what to do next. TMD
-
LD, The dll problem seems to be solved. The computer is running fast. I am going to reboot to see if the Charter Security shows in the task bar. Be bask soon!
-
LD, New CF log: ComboFix 11-02-08.02 - tmd 02/08/2011 21:09:14.2.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.848 [GMT -5:00] Running from: c:\documents and settings\tmd\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\tmd\Desktop\CFScript.txt AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} AV: Charter Security Suite 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15} FW: Charter Security Suite 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4} FILE :: "c:\program files\Yontoo Layers Client\YontooIEClient.dll" file zipped: c:\documents and settings\tmd\Application Data\Microsoft\gb_51203.bat . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\tmd\Application Data\Microsoft\gb_51203.bat c:\program files\Yontoo Layers Client c:\program files\Yontoo Layers Client\YontooIEClient.dll . ((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 ))))))))))))))))))))))))))))))) . 2011-02-08 00:39 . 2011-02-08 00:39 -------- d-----w- c:\program files\ESET 2011-02-06 13:49 . 2011-02-06 13:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-02-04 21:41 . 2011-02-04 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer 2011-02-04 21:41 . 2011-02-06 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\pEkNnFp15400 2011-02-04 13:33 . 2011-02-04 13:33 -------- d-----w- c:\documents and settings\tmd\Application Data\Malwarebytes 2011-02-04 13:32 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-02-04 13:32 . 2011-02-04 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-02-04 13:32 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-04 13:32 . 2011-02-06 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-02-04 13:26 . 2011-02-04 13:26 -------- d-----w- c:\windows\system32\wbem\Repository 2011-02-04 13:04 . 2011-02-04 13:41 -------- d-s---w- c:\documents and settings\NetworkService\UserData . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-02 02:27 . 2011-01-02 02:27 1409 ----a-w- c:\windows\QTFont.for 2010-12-16 20:28 . 2010-08-09 02:01 82120 ----a-w- c:\windows\system32\drivers\fsdfw.sys 2010-12-15 13:06 . 2010-08-09 02:02 42664 ----a-w- c:\windows\system32\drivers\fsbts.sys 2010-11-18 18:12 . 2010-08-08 23:53 81920 ----a-w- c:\windows\system32\isign32.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] c:\documents and settings\tmd\Start Menu\Programs\Startup\ eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2010-7-2 656896] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472] HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [8/8/2010 9:02 PM 42664] R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [8/8/2010 9:01 PM 82120] R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Charter Security Suite\HIPS\drivers\fshs.sys [8/8/2010 9:01 PM 68064] R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [9/5/2010 4:13 PM 401920] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys [8/8/2010 9:01 PM 130728] R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe [8/8/2010 9:01 PM 63992] S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [8/8/2010 7:09 PM 69692] S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsfilter.sys [8/8/2010 9:01 PM 39776] S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsrec.sys [8/8/2010 9:01 PM 25184] --- Other Services/Drivers In Memory --- *NewlyCreated* - CFCATCHME *Deregistered* - CFcatchme . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 LSP: c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL Trusted Zone: intuit.com\ttlc FF - ProfilePath - c:\documents and settings\tmd\Application Data\Mozilla\Firefox\Profiles\2q1d9hkn.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.search.selectedengine - Bing FF - prefs.js: browser.startup.homepage - hxxp://home.iwon.com/iwon-homepage/home.jhtml FF - prefs.js: keyword.URL - hxxp://www.zstart.com/s/?site=Bing&src=FF-Address&q= FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Browsing Protection: litmus-ff@f-secure.com - c:\program files\Charter Security Suite\NRS\litmus-ff@f-secure.com FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Myibay Firefox extension: firefox1@myibay.com - %profile%\extensions\firefox1@myibay.com FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com . - - - - ORPHANS REMOVED - - - - HKLM-Run-EfficientStickyNotes - (no file) ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-02-08 21:18 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(516) c:\windows\system32\Ati2evxx.dll c:\program files\charter security suite\hips\fshook32.dll - - - - - - - > 'lsass.exe'(572) c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL c:\program files\charter security suite\hips\fshook32.dll . Completion time: 2011-02-08 21:22:34 ComboFix-quarantined-files.txt 2011-02-09 02:22 ComboFix2.txt 2011-02-09 00:38 Pre-Run: 140,306,980,864 bytes free Post-Run: 140,294,176,768 bytes free - - End Of File - - 8F5C30E2C9D399DDB13891EB9A277CF5
-
LD, The code your have has an http. Do you want this copied/pasted? http://forums.malwarebytes.org/index.php?showtopic=74711
-
LD, CF log: ComboFix 11-02-08.02 - tmd 02/08/2011 19:20:26.1.1 - x86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.916 [GMT -5:00] Running from: c:\documents and settings\tmd\Desktop\ComboFix.exe AV: *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} AV: Charter Security Suite 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15} FW: Charter Security Suite 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\tmd\delme.bat c:\program files\Search Toolbar c:\program files\Search Toolbar\icon.ico c:\program files\Search Toolbar\SearchToolbar.dll c:\program files\Search Toolbar\SearchToolbarUninstall.exe c:\program files\Search Toolbar\SearchToolbarUpdater.exe D:\Autorun.inf . ((((((((((((((((((((((((( Files Created from 2011-01-09 to 2011-02-09 ))))))))))))))))))))))))))))))) . 2011-02-08 00:39 . 2011-02-08 00:39 -------- d-----w- c:\program files\ESET 2011-02-06 13:49 . 2011-02-06 13:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-02-05 02:49 . 2011-02-05 02:49 159 ----a-w- c:\documents and settings\tmd\Application Data\Microsoft\gb_51203.bat 2011-02-04 21:41 . 2011-02-04 21:41 -------- d-----w- c:\program files\Yontoo Layers Client 2011-02-04 21:41 . 2011-02-04 21:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Tarma Installer 2011-02-04 21:41 . 2011-02-06 14:27 -------- d-----w- c:\documents and settings\All Users\Application Data\pEkNnFp15400 2011-02-04 13:33 . 2011-02-04 13:33 -------- d-----w- c:\documents and settings\tmd\Application Data\Malwarebytes 2011-02-04 13:32 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2011-02-04 13:32 . 2011-02-04 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2011-02-04 13:32 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2011-02-04 13:32 . 2011-02-06 16:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2011-02-04 13:26 . 2011-02-04 13:26 -------- d-----w- c:\windows\system32\wbem\Repository 2011-02-04 13:04 . 2011-02-04 13:41 -------- d-s---w- c:\documents and settings\NetworkService\UserData . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-01-02 02:27 . 2011-01-02 02:27 1409 ----a-w- c:\windows\QTFont.for 2010-12-16 20:28 . 2010-08-09 02:01 82120 ----a-w- c:\windows\system32\drivers\fsdfw.sys 2010-12-15 13:06 . 2010-08-09 02:02 42664 ----a-w- c:\windows\system32\drivers\fsbts.sys 2010-11-18 18:12 . 2010-08-08 23:53 81920 ----a-w- c:\windows\system32\isign32.dll . <pre> c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray .exe c:\program files\Charter Security Suite\Common\FSM32 .exe c:\program files\Charter Security Suite\FSGUI\TNBUtil .exe c:\program files\Common Files\Java\Java Update\jusched .exe c:\program files\CyberLink\PowerDVD\PDVDServ .exe c:\program files\eFax Messenger 4.4\J2GDllCmd .exe c:\program files\HP\HP Software Update\HPWuSchd2 .exe c:\program files\Microsoft Office\Office12\GrooveMonitor .exe c:\program files\QuickTime\qttask .exe c:\windows\SMINST\RECGUARD .exe c:\windows\system32\rundll32 .exe </pre> ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}] 2010-12-20 18:09 191488 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Power2GoExpress"="NA" [X] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RTHDCPL"="RTHDCPL.EXE" [2006-04-17 16143872] "EfficientStickyNotes"="" [N/A] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "RunNarrator"="Narrator.exe" [2008-04-14 53760] c:\documents and settings\tmd\Start Menu\Programs\Startup\ eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2010-7-2 656896] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472] HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728] [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= R0 fsbts;fsbts;c:\windows\system32\drivers\fsbts.sys [8/8/2010 9:02 PM 42664] R0 FSFW;F-Secure Firewall Driver;c:\windows\system32\drivers\fsdfw.sys [8/8/2010 9:01 PM 82120] R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\Charter Security Suite\HIPS\drivers\fshs.sys [8/8/2010 9:01 PM 68064] R2 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [9/5/2010 4:13 PM 401920] R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys [8/8/2010 9:01 PM 130728] R3 FSORSPClient;F-Secure ORSP Client;c:\program files\Charter Security Suite\ORSP Client\fsorsp.exe [8/8/2010 9:01 PM 63992] S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [8/8/2010 7:09 PM 69692] S4 F-Secure Filter;F-Secure File System Filter;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsfilter.sys [8/8/2010 9:01 PM 39776] S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\Charter Security Suite\Anti-Virus\win2k\fsrec.sys [8/8/2010 9:01 PM 25184] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000 LSP: c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL Trusted Zone: intuit.com\ttlc FF - ProfilePath - c:\documents and settings\tmd\Application Data\Mozilla\Firefox\Profiles\2q1d9hkn.default\ FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: browser.search.selectedengine - Bing FF - prefs.js: browser.startup.homepage - hxxp://home.iwon.com/iwon-homepage/home.jhtml FF - prefs.js: keyword.URL - hxxp://www.zstart.com/s/?site=Bing&src=FF-Address&q= FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} FF - Ext: Browsing Protection: litmus-ff@f-secure.com - c:\program files\Charter Security Suite\NRS\litmus-ff@f-secure.com FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b} FF - Ext: Myibay Firefox extension: firefox1@myibay.com - %profile%\extensions\firefox1@myibay.com FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com FF - Ext: Search Toolbar: searchtoolbar@zugo.com - %profile%\extensions\searchtoolbar@zugo.com . - - - - ORPHANS REMOVED - - - - AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-02-08 19:32 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(516) c:\windows\system32\Ati2evxx.dll c:\program files\charter security suite\hips\fshook32.dll - - - - - - - > 'lsass.exe'(572) c:\program files\Charter Security Suite\FSPS\program\FSLSP.DLL c:\program files\charter security suite\hips\fshook32.dll - - - - - - - > 'explorer.exe'(564) c:\program files\charter security suite\hips\fshook32.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\Ati2evxx.exe c:\windows\system32\Ati2evxx.exe c:\windows\RTHDCPL.EXE c:\program files\HP\Digital Imaging\bin\hpqimzone.exe c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe c:\program files\Charter Security Suite\Anti-Virus\fsgk32st.exe c:\program files\Charter Security Suite\Common\FSMA32.EXE c:\program files\Charter Security Suite\Anti-Virus\FSGK32.EXE c:\program files\Charter Security Suite\Common\FSHDLL32.EXE c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe c:\program files\Java\jre6\bin\jqs.exe c:\windows\system32\HPZipm12.exe c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS c:\windows\system32\msiexec.exe c:\program files\Charter Security Suite\FWES\Program\fsdfwd.exe c:\program files\Charter Security Suite\Anti-Virus\fssm32.exe c:\program files\Charter Security Suite\Anti-Virus\fsav32.exe c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe c:\windows\system32\HPZinw12.exe . ************************************************************************** . Completion time: 2011-02-08 19:38:34 - machine was rebooted ComboFix-quarantined-files.txt 2011-02-09 00:38 Pre-Run: 140,186,632,192 bytes free Post-Run: 140,320,841,728 bytes free WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe [boot loader] default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons UnsupportedDebug="do not select this" /debug multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect - - End Of File - - 7FADE09D1997AA58701DC50C04EDAF58
-
At once....I will be back!!!
-
I have not run the ComboFix due to the inability to disable the Charter Security Suite. The HP issue is only at startup TMD
-
LD, I have encountered my first problems. - When I get to the desktop, my HP Product Assistant attempts to load from a TEMP file. The load is unsuccessful and I have to cancel it at least 10x - I cannot find how to disable my Charter Security Suite. The taskbar icon has disappeared. - I also get an error message when I attempt to open the Add/Remove Programs task. The error message is as follows: Windows cannot find rundll32.exe. I await your advice.
-
LD, Here is the Eset log: ESETSmartInstaller@High as downloader log: all ok # version=7 # OnlineScannerApp.exe=1.0.0.1 # OnlineScanner.ocx=1.0.0.6419 # api_version=3.0.2 # EOSSerial=00015232905e1d4998a67d860bb7761a # end=finished # remove_checked=true # archives_checked=false # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-02-08 01:35:59 # local_time=2011-02-07 08:35:59 (-0500, Eastern Standard Time) # country="United States" # lang=1033 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=2304 16777175 100 0 0 0 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=84941 # found=9 # cleaned=9 # scan_time=3214 C:\Documents and Settings\tmd\My Documents\Downloads\media.player.codec.pack.v3.9.6.setup.exe Win32/Adware.Toolbar.Dealio application (deleted - quarantined) 00000000000000000000000000000000 C C:\Program Files\Charter Security Suite\Common\FSM32.EXE Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Program Files\Charter Security Suite\FSGUI\TNBUtil.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Program Files\Common Files\Java\Java Update\jusched.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Program Files\HP\HP Software Update\HPWuSchd2.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\Program Files\QuickTime\qttask.exe Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C C:\WINDOWS\SMINST\RECGUARD.EXE Win32/TrojanDownloader.Unruy.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
-
Ran the TDSS Killer again. No infection found.
-
LD, The computer is running much quicker. The CPU usage is now between 0 - 13% and the all search engines work as they should. Here are the logs of the scans: GooredFix by jpshortstuff (03.07.10.1) Log created at 17:59 on 07/02/2011 (tmd) Firefox version 3.6.13 (en-US) ========== GooredScan ========== ========== GooredLog ========== C:\Program Files\Mozilla Firefox\extensions\ {972ce4c6-7e08-4474-a285-3208198ce6fd} [23:55 08/08/2010] {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [00:50 23/10/2010] C:\Documents and Settings\tmd\Application Data\Mozilla\Firefox\Profiles\2q1d9hkn.default\extensions\ firefox1@myibay.com [00:26 27/08/2010] plugin@yontoo.com [21:41 04/02/2011] searchtoolbar@zugo.com [21:41 04/02/2011] {20a82645-c095-46ed-80e3-08825760534b} [19:41 15/08/2010] [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions] "litmus-ff@f-secure.com"="C:\Program Files\Charter Security Suite\NRS\litmus-ff@f-secure.com" [02:01 09/08/2010] "{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [02:33 10/08/2010] "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:50 23/10/2010] -=E.O.F=- 2011/02/07 18:02:23.0859 2888 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03 2011/02/07 18:02:24.0218 2888 ================================================================================ 2011/02/07 18:02:24.0218 2888 SystemInfo: 2011/02/07 18:02:24.0218 2888 2011/02/07 18:02:24.0218 2888 OS Version: 5.1.2600 ServicePack: 3.0 2011/02/07 18:02:24.0218 2888 Product type: Workstation 2011/02/07 18:02:24.0218 2888 ComputerName: TDPC 2011/02/07 18:02:24.0218 2888 UserName: tmd 2011/02/07 18:02:24.0218 2888 Windows directory: C:\WINDOWS 2011/02/07 18:02:24.0218 2888 System windows directory: C:\WINDOWS 2011/02/07 18:02:24.0218 2888 Processor architecture: Intel x86 2011/02/07 18:02:24.0218 2888 Number of processors: 1 2011/02/07 18:02:24.0218 2888 Page size: 0x1000 2011/02/07 18:02:24.0218 2888 Boot type: Normal boot 2011/02/07 18:02:24.0218 2888 ================================================================================ 2011/02/07 18:02:24.0500 2888 Initialize success 2011/02/07 18:02:38.0062 3380 ================================================================================ 2011/02/07 18:02:38.0062 3380 Scan started 2011/02/07 18:02:38.0062 3380 Mode: Manual; 2011/02/07 18:02:38.0062 3380 ================================================================================ 2011/02/07 18:02:40.0015 3380 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS 2011/02/07 18:02:40.0093 3380 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2011/02/07 18:02:40.0125 3380 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys 2011/02/07 18:02:40.0171 3380 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys 2011/02/07 18:02:40.0234 3380 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2011/02/07 18:02:40.0328 3380 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 2011/02/07 18:02:40.0546 3380 AgereSoftModem (b7d2103eb2ecb765b2b7106bad089ab1) C:\WINDOWS\system32\DRIVERS\AGRSM.sys 2011/02/07 18:02:40.0843 3380 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys 2011/02/07 18:02:40.0859 3380 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys 2011/02/07 18:02:40.0921 3380 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys 2011/02/07 18:02:40.0968 3380 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys 2011/02/07 18:02:41.0000 3380 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys 2011/02/07 18:02:41.0046 3380 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys 2011/02/07 18:02:41.0078 3380 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys 2011/02/07 18:02:41.0125 3380 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys 2011/02/07 18:02:41.0156 3380 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys 2011/02/07 18:02:41.0203 3380 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2011/02/07 18:02:41.0328 3380 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys 2011/02/07 18:02:41.0343 3380 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys 2011/02/07 18:02:41.0375 3380 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys 2011/02/07 18:02:41.0468 3380 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys 2011/02/07 18:02:41.0578 3380 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2011/02/07 18:02:41.0625 3380 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2011/02/07 18:02:41.0843 3380 ati2mtag (1caba9ea8adc5e9a5eba3882f6a90f9b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2011/02/07 18:02:41.0953 3380 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2011/02/07 18:02:42.0046 3380 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2011/02/07 18:02:42.0171 3380 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2011/02/07 18:02:42.0218 3380 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys 2011/02/07 18:02:42.0265 3380 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2011/02/07 18:02:42.0296 3380 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys 2011/02/07 18:02:42.0328 3380 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2011/02/07 18:02:42.0375 3380 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2011/02/07 18:02:42.0437 3380 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys 2011/02/07 18:02:42.0500 3380 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys 2011/02/07 18:02:42.0656 3380 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2011/02/07 18:02:42.0796 3380 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys 2011/02/07 18:02:42.0875 3380 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys 2011/02/07 18:02:43.0031 3380 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys 2011/02/07 18:02:43.0078 3380 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys 2011/02/07 18:02:43.0125 3380 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys 2011/02/07 18:02:43.0156 3380 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys 2011/02/07 18:02:43.0218 3380 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2011/02/07 18:02:43.0343 3380 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2011/02/07 18:02:43.0468 3380 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2011/02/07 18:02:43.0546 3380 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2011/02/07 18:02:43.0625 3380 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2011/02/07 18:02:43.0671 3380 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys 2011/02/07 18:02:43.0734 3380 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2011/02/07 18:02:43.0843 3380 el575nd5 (23f6b9cf432f492ebbd8105d78cb008c) C:\WINDOWS\system32\DRIVERS\el575nd5.sys 2011/02/07 18:02:44.0015 3380 F-Secure Filter (d4980588ed87f8bb16be43ddd0fbd5fe) C:\Program Files\Charter Security Suite\Anti-Virus\Win2K\FSfilter.sys 2011/02/07 18:02:44.0171 3380 F-Secure Gatekeeper (ba3a72b0d43954f8a92c6d896183017d) C:\Program Files\Charter Security Suite\Anti-Virus\minifilter\fsgk.sys 2011/02/07 18:02:44.0328 3380 F-Secure HIPS (f5aca65237c7511d5803cdc5e7003d75) C:\Program Files\Charter Security Suite\HIPS\drivers\fshs.sys 2011/02/07 18:02:44.0406 3380 F-Secure Recognizer (6ce1195511533c9359f91a9e63792f5e) C:\Program Files\Charter Security Suite\Anti-Virus\Win2K\FSrec.sys 2011/02/07 18:02:44.0562 3380 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2011/02/07 18:02:44.0656 3380 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys 2011/02/07 18:02:44.0687 3380 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2011/02/07 18:02:44.0875 3380 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys 2011/02/07 18:02:44.0921 3380 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2011/02/07 18:02:44.0968 3380 fsbts (0e3e5d0486c4e2128b9f0e1c2fd410c4) C:\WINDOWS\system32\Drivers\fsbts.sys 2011/02/07 18:02:45.0046 3380 FSFW (aca3910a53a057b8c3a6ebf4ef788c7c) C:\WINDOWS\system32\drivers\fsdfw.sys 2011/02/07 18:02:45.0234 3380 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2011/02/07 18:02:45.0281 3380 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2011/02/07 18:02:45.0359 3380 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2011/02/07 18:02:45.0406 3380 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 2011/02/07 18:02:45.0500 3380 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2011/02/07 18:02:45.0640 3380 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys 2011/02/07 18:02:45.0796 3380 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2011/02/07 18:02:45.0984 3380 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys 2011/02/07 18:02:46.0031 3380 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys 2011/02/07 18:02:46.0078 3380 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2011/02/07 18:02:46.0156 3380 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\IASTOR.SYS 2011/02/07 18:02:46.0234 3380 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2011/02/07 18:02:46.0328 3380 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys 2011/02/07 18:02:46.0625 3380 IntcAzAudAddService (71ae838a88b07268d732f596fc17ced5) C:\WINDOWS\system32\drivers\RtkHDAud.sys 2011/02/07 18:02:46.0968 3380 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2011/02/07 18:02:47.0015 3380 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2011/02/07 18:02:47.0109 3380 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2011/02/07 18:02:47.0187 3380 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2011/02/07 18:02:47.0375 3380 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2011/02/07 18:02:47.0421 3380 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2011/02/07 18:02:47.0468 3380 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2011/02/07 18:02:47.0531 3380 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2011/02/07 18:02:47.0609 3380 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2011/02/07 18:02:47.0671 3380 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2011/02/07 18:02:47.0968 3380 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2011/02/07 18:02:48.0046 3380 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2011/02/07 18:02:48.0187 3380 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2011/02/07 18:02:48.0281 3380 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2011/02/07 18:02:48.0328 3380 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2011/02/07 18:02:48.0406 3380 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2011/02/07 18:02:48.0468 3380 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2011/02/07 18:02:48.0562 3380 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys 2011/02/07 18:02:48.0640 3380 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2011/02/07 18:02:48.0750 3380 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2011/02/07 18:02:48.0828 3380 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2011/02/07 18:02:48.0890 3380 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2011/02/07 18:02:48.0953 3380 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2011/02/07 18:02:49.0000 3380 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2011/02/07 18:02:49.0125 3380 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2011/02/07 18:02:49.0171 3380 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2011/02/07 18:02:49.0250 3380 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2011/02/07 18:02:49.0296 3380 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2011/02/07 18:02:49.0421 3380 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2011/02/07 18:02:49.0468 3380 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2011/02/07 18:02:49.0531 3380 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys 2011/02/07 18:02:49.0671 3380 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2011/02/07 18:02:49.0812 3380 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2011/02/07 18:02:49.0921 3380 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2011/02/07 18:02:49.0984 3380 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2011/02/07 18:02:50.0031 3380 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2011/02/07 18:02:50.0156 3380 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2011/02/07 18:02:50.0250 3380 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2011/02/07 18:02:50.0296 3380 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2011/02/07 18:02:50.0421 3380 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2011/02/07 18:02:50.0484 3380 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2011/02/07 18:02:50.0546 3380 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2011/02/07 18:02:50.0625 3380 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2011/02/07 18:02:50.0703 3380 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2011/02/07 18:02:50.0765 3380 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2011/02/07 18:02:50.0828 3380 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys 2011/02/07 18:02:51.0046 3380 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys 2011/02/07 18:02:51.0093 3380 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys 2011/02/07 18:02:51.0265 3380 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2011/02/07 18:02:51.0312 3380 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2011/02/07 18:02:51.0359 3380 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2011/02/07 18:02:51.0437 3380 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2011/02/07 18:02:51.0468 3380 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys 2011/02/07 18:02:51.0500 3380 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys 2011/02/07 18:02:51.0531 3380 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys 2011/02/07 18:02:51.0578 3380 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys 2011/02/07 18:02:51.0609 3380 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys 2011/02/07 18:02:51.0640 3380 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2011/02/07 18:02:51.0671 3380 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2011/02/07 18:02:51.0718 3380 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2011/02/07 18:02:51.0750 3380 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2011/02/07 18:02:51.0796 3380 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2011/02/07 18:02:51.0890 3380 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2011/02/07 18:02:51.0937 3380 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 2011/02/07 18:02:52.0031 3380 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2011/02/07 18:02:52.0078 3380 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2011/02/07 18:02:52.0171 3380 RTL8023xp (7988bfe882bcd94199225b5c3482f1bd) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys 2011/02/07 18:02:52.0265 3380 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS 2011/02/07 18:02:52.0468 3380 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys 2011/02/07 18:02:52.0562 3380 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2011/02/07 18:02:52.0609 3380 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2011/02/07 18:02:52.0750 3380 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2011/02/07 18:02:52.0921 3380 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2011/02/07 18:02:53.0046 3380 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys 2011/02/07 18:02:53.0234 3380 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys 2011/02/07 18:02:53.0328 3380 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2011/02/07 18:02:53.0515 3380 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2011/02/07 18:02:53.0687 3380 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys 2011/02/07 18:02:53.0906 3380 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys 2011/02/07 18:02:53.0968 3380 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2011/02/07 18:02:54.0062 3380 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2011/02/07 18:02:54.0203 3380 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys 2011/02/07 18:02:54.0281 3380 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys 2011/02/07 18:02:54.0328 3380 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys 2011/02/07 18:02:54.0359 3380 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys 2011/02/07 18:02:54.0421 3380 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2011/02/07 18:02:54.0578 3380 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2011/02/07 18:02:54.0750 3380 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2011/02/07 18:02:54.0812 3380 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2011/02/07 18:02:54.0859 3380 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2011/02/07 18:02:54.0953 3380 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys 2011/02/07 18:02:55.0015 3380 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2011/02/07 18:02:55.0078 3380 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys 2011/02/07 18:02:55.0171 3380 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2011/02/07 18:02:55.0390 3380 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2011/02/07 18:02:55.0515 3380 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2011/02/07 18:02:55.0562 3380 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2011/02/07 18:02:55.0593 3380 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys 2011/02/07 18:02:55.0656 3380 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2011/02/07 18:02:55.0750 3380 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2011/02/07 18:02:55.0812 3380 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2011/02/07 18:02:55.0906 3380 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2011/02/07 18:02:56.0015 3380 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys 2011/02/07 18:02:56.0078 3380 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 2011/02/07 18:02:56.0125 3380 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2011/02/07 18:02:56.0187 3380 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2011/02/07 18:02:56.0250 3380 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys 2011/02/07 18:02:56.0375 3380 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2011/02/07 18:02:56.0562 3380 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2011/02/07 18:02:56.0593 3380 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2011/02/07 18:02:56.0671 3380 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0) 2011/02/07 18:02:56.0687 3380 ================================================================================ 2011/02/07 18:02:56.0687 3380 Scan finished 2011/02/07 18:02:56.0687 3380 ================================================================================ 2011/02/07 18:02:56.0703 1188 Detected object count: 1 2011/02/07 18:03:22.0125 1188 \HardDisk0 - will be cured after reboot 2011/02/07 18:03:22.0125 1188 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure 2011/02/07 18:03:26.0312 2900 Deinitialize success Let me know what to do next