Prifti
Members-
Posts
5 -
Joined
-
Last visited
Reputation
0 Neutral-
TDL4 infection MBAM not finding it or deleting it
Prifti replied to Prifti's topic in Resolved Malware Removal Logs
Thank you. I thought everything was fixed but I have another virus and my Yahoo account was hacked so I am wondering if I have a keylogger or something now. 1. MBAM Malwarebytes' Anti-Malware 1.51.0.1200 www.malwarebytes.org Database version: 6814 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 6/8/2011 5:53:50 PM mbam-log-2011-06-08 (17-53-30).txt Scan type: Quick scan Objects scanned: 191916 Time elapsed: 5 minute(s), 11 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\LOCAL ACCOUNT AUTHORITY SERVICE (Trojan.Agent) -> No action taken. Registry Values Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Local Account Authority Service\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) 2. ESET log ESETSmartInstaller@High as CAB hook log: OnlineScanner.ocx - delete file error:Access is denied. OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process. OnlineScanner.ocx - registred OK # version=7 # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339) # OnlineScanner.ocx=1.0.0.6522 # api_version=3.0.2 # EOSSerial=77ff271d863ce64585d7b84c1cf133e4 # end=finished # remove_checked=true # archives_checked=true # unwanted_checked=true # unsafe_checked=false # antistealth_checked=true # utc_time=2011-06-09 03:31:53 # local_time=2011-06-08 11:31:53 (-0500, Eastern Daylight Time) # country="United States" # lang=9 # osver=5.1.2600 NT Service Pack 3 # compatibility_mode=512 16777215 100 0 0 0 0 0 # compatibility_mode=3584 16777215 100 0 0 0 0 0 # compatibility_mode=8192 67108863 100 0 0 0 0 0 # scanned=93223 # found=0 # cleaned=0 # scan_time=5740 3. checkup log Results of screen317's Security Check version 0.99.13 Windows XP Service Pack 3 Internet Explorer 8 `````````````````````````````` Antivirus/Firewall Check: Windows Security Center service is not running! This report may not be accurate! Windows Firewall Disabled! ESET Online Scanner v3 WMI entry may not exist for antivirus; attempting automatic update. ``````````````````````````````` Anti-malware/Other Utilities Check: Malwarebytes' Anti-Malware Java 6 Update 24 Java SE Runtime Environment 6 Update 1 Java 6 Update 3 Java 6 Update 5 Java 6 Update 7 Out of date Java installed! Adobe Flash Player 10.3.181.22 Adobe Reader 9.3.3 Out of date Adobe Reader installed! Mozilla Firefox (3.6.17) Firefox Out of Date! ```````````````````````````````` Process Check: objlist.exe by Laurent ``````````End of Log```````````` Thank you! -
TDL4 infection MBAM not finding it or deleting it
Prifti replied to Prifti's topic in Resolved Malware Removal Logs
3. dds log . DDS (Ver_11-05-19.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24 Run by Erin at 23:02:33 on 2011-06-01 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.201 [GMT -4:00] . . ============== Running Processes =============== . C:\WINDOWS\system32\svchost.exe -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\rundll32.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Secunia\PSI\PSIA.exe svchost.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\Program Files\Secunia\PSI\sua.exe C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Lexmark X125\LEX125SU.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Secunia\PSI\psi_tray.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\plugin-container.exe F:\dds.scr C:\WINDOWS\system32\WSCRIPT.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.yahoo.com/ uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop uInternet Settings,ProxyOverride = *.local BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" mRun: [MsmqIntCert] regsvr32 /s mqrt.dll mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lexmar~1.lnk - c:\program files\lexmark x125\LEX125SU.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\erin\application data\mozilla\firefox\profiles\wire1zvk.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q= FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff . ============= SERVICES / DRIVERS =============== . R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656] R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328] R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848] R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416] R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664] S2 Local Account Authority Service;Local Account Authority Service;c:\windows\temp\localaccountauthority.bat --> c:\windows\temp\LocalAccountAuthority.bat [?] S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664] . =============== Created Last 30 ================ . 2011-06-02 02:07:14 -------- d-sha-r- C:\cmdcons 2011-06-02 01:43:54 98816 ----a-w- c:\windows\sed.exe 2011-06-02 01:43:54 518144 ----a-w- c:\windows\SWREG.exe 2011-06-02 01:43:54 256512 ----a-w- c:\windows\PEV.exe 2011-06-02 01:43:54 208896 ----a-w- c:\windows\MBR.exe 2011-05-25 20:11:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-05-25 20:08:21 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-05-25 20:08:21 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll 2011-05-25 20:01:54 -------- d-----w- c:\documents and settings\erin\local settings\application data\Secunia PSI 2011-05-25 20:01:39 -------- d-----w- c:\program files\Secunia 2011-05-25 09:56:16 -------- d-----w- c:\documents and settings\all users\application data\iG28601IlPfN28601 2011-05-25 02:18:04 0 ----a-w- c:\windows\Wnafuhuhiqo.bin 2011-05-25 02:16:55 102912 --sha-r- c:\windows\system32\tsbyuvl.dll 2011-05-25 02:16:55 102912 --sha-r- c:\windows\system32\tapisrvk.dll . ==================== Find3M ==================== . 2011-05-25 20:07:30 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-04-21 01:12:57 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys 2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll . ============= FINISH: 23:03:48.44 =============== -
TDL4 infection MBAM not finding it or deleting it
Prifti replied to Prifti's topic in Resolved Malware Removal Logs
Thank you so much for your help.. 1. MBAM quick scan log Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6727 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 6/1/2011 9:29:26 PM mbam-log-2011-06-01 (21-28-54).txt Scan type: Quick scan Objects scanned: 127835 Time elapsed: 4 minute(s), 50 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 1 Registry Data Items Infected: 1 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSTEM UPDATER (Trojan.Agent) -> No action taken. Registry Values Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Updater\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken. Registry Data Items Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken. Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\cftnom.bat (Trojan.Agent) -> No action taken. 2. Combofix log ComboFix 11-06-01.04 - Erin 06/01/2011 22:12:29.1.1 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.225 [GMT -4:00] Running from: c:\documents and settings\Erin\Desktop\ComboFix.exe . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . c:\documents and settings\Erin\Application Data\Adobe\plugs c:\documents and settings\Erin\Application Data\Adobe\shed c:\documents and settings\Erin\Local Settings\Application Data\{FA70364B-017D-475D-AC27-0FF15B5C958E} c:\documents and settings\Erin\Local Settings\Application Data\{FA70364B-017D-475D-AC27-0FF15B5C958E}\chrome.manifest c:\documents and settings\Erin\Local Settings\Application Data\{FA70364B-017D-475D-AC27-0FF15B5C958E}\chrome\content\_cfg.js c:\documents and settings\Erin\Local Settings\Application Data\{FA70364B-017D-475D-AC27-0FF15B5C958E}\chrome\content\overlay.xul c:\documents and settings\Erin\Local Settings\Application Data\{FA70364B-017D-475D-AC27-0FF15B5C958E}\install.rdf c:\documents and settings\Erin\My Documents\explorer.exe c:\windows\cftnom.bat c:\windows\system32\User.ini D:\Autorun.inf . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Legacy_6TO4 -------\Legacy_IAS -------\Legacy_INPUT_MANAGER -------\Legacy_ITLPERF -------\Legacy_MOUSEDRIVER -------\Legacy_PLUG_MANAGER -------\Legacy_SYSTEM_UPDATER -------\Service_6to4 -------\Service_Ias -------\Service_Input Manager -------\Service_itlperf -------\Service_MouseDriver -------\Service_Plug Manager -------\Service_System Updater . . ((((((((((((((((((((((((( Files Created from 2011-05-02 to 2011-06-02 ))))))))))))))))))))))))))))))) . . 2011-05-31 01:46 . 2011-05-31 01:48 -------- d-----w- c:\documents and settings\Internet 2011-05-28 16:19 . 2011-05-28 16:21 -------- d-----w- c:\documents and settings\Xtract 2011-05-25 20:11 . 2011-05-25 20:16 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-05-25 20:08 . 2011-05-25 20:07 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll 2011-05-25 20:08 . 2011-05-25 20:07 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-05-25 20:01 . 2011-05-25 20:01 -------- d-----w- c:\documents and settings\Erin\Local Settings\Application Data\Secunia PSI 2011-05-25 20:01 . 2011-05-25 20:01 -------- d-----w- c:\program files\Secunia 2011-05-25 18:05 . 2011-05-25 18:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2011-05-25 16:30 . 2011-05-25 16:31 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2011-05-25 09:56 . 2011-05-25 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\iG28601IlPfN28601 2011-05-25 02:18 . 2011-05-25 05:23 0 ----a-w- c:\windows\Wnafuhuhiqo.bin 2011-05-25 02:16 . 2011-05-25 02:16 102912 --sha-r- c:\windows\system32\tsbyuvl.dll 2011-05-25 02:16 . 2011-05-25 02:16 102912 --sha-r- c:\windows\system32\tapisrvk.dll . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2011-05-25 20:07 . 2007-07-12 13:32 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-04-21 01:12 . 2006-03-16 04:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys 2011-03-07 05:33 . 2006-03-16 04:00 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37 . 2006-03-16 04:00 420864 ----a-w- c:\windows\system32\vbscript.dll . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-11 39408] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MsmqIntCert"="mqrt.dll" [2009-06-25 177152] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888] . c:\documents and settings\Administrator\Start Menu\Programs\Startup\ Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A] . c:\documents and settings\Xtract\Start Menu\Programs\Startup\ Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A] . c:\documents and settings\Internet\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680] Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Lexmark X125 Settings Utility.lnk - c:\program files\Lexmark X125\LEX125SU.exe [2007-11-27 1810432] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360] Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2011-4-19 291896] . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk] backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup . [HKLM\~\startupfolder\C:^Documents and Settings^Erin^Start Menu^Programs^StartUp^Vongo Tray.lnk] backup=c:\windows\pss\Vongo Tray.lnkStartup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM] 2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] 2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3] 2011-03-22 17:53 2403024 ----a-w- c:\program files\IObit\Advanced SystemCare 3\AWC.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset] 2006-05-30 23:02 40960 ----a-w- c:\program files\Hewlett-Packard\Default Settings\Cpqset.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray] 2005-08-06 04:56 64512 ----a-w- c:\windows\ehome\ehtray.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] 2008-12-08 20:50 54576 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant] 2006-05-04 05:58 458752 ----a-w- c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup] 2005-08-11 23:30 249856 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler] 2005-08-11 23:30 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-04-28 19:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] 2006-08-18 08:00 7585792 ----a-w- c:\windows\system32\nvcpl.dll . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] 2006-08-18 08:00 86016 ----a-w- c:\windows\system32\nvmctray.dll . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] 2006-08-18 08:00 1617920 ----a-w- c:\windows\system32\nwiz.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard] 2005-10-11 17:23 1187840 -c----w- c:\windows\SMINST\Recguard.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware] 2011-03-16 22:24 2423752 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] 2009-02-11 04:13 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh] 2006-04-01 05:01 761946 -c--a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe . [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "gupdate"=3 (0x3) . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" . [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\WINDOWS\\system32\\mqsvc.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= . R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656] R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [4/19/2011 2:44 AM 993848] R2 Secunia Update Agent;Secunia Update Agent;c:\program files\Secunia\PSI\sua.exe [4/19/2011 2:44 AM 399416] R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 4:30 AM 15544] S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 6:12 PM 135664] S2 Local Account Authority Service;Local Account Authority Service;c:\windows\temp\LocalAccountAuthority.bat --> c:\windows\temp\LocalAccountAuthority.bat [?] S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 4:39 PM 61952] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2010 6:12 PM 135664] . --- Other Services/Drivers In Memory --- . *NewlyCreated* - WUAUSERV . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] getPlusHelper REG_MULTI_SZ getPlusHelper itlsvc REG_MULTI_SZ itlperf . Contents of the 'Scheduled Tasks' folder . 2011-06-02 c:\windows\Tasks\GlaryInitialize.job - c:\program files\Glary Utilities\initialize.exe [2011-04-19 21:24] . 2011-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 22:12] . 2011-06-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 22:12] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html TCP: DhcpNameServer = 192.168.0.1 FF - ProfilePath - c:\documents and settings\Erin\Application Data\Mozilla\Firefox\Profiles\wire1zvk.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q= FF - prefs.js: network.proxy.type - 0 FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff . - - - - ORPHANS REMOVED - - - - . Notify-itlntfy - itlnfw32.dll SafeBoot-klmdb.sys MSConfigStartUp-osCheck - c:\program files\Norton 360\osCheck.exe MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe . . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2011-06-01 22:32 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Local Account Authority Service] "ImagePath"="%SystemRoot%\temp\LocalAccountAuthority.bat" . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(908) c:\program files\SUPERAntiSpyware\SASWINLO.DLL c:\windows\system32\WININET.dll . - - - - - - - > 'explorer.exe'(3124) c:\windows\system32\WININET.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\rundll32.exe c:\windows\system32\msdtc.exe c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\windows\system32\nvsvc32.exe c:\windows\ehome\mcrdsvc.exe c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe . ************************************************************************** . Completion time: 2011-06-01 22:37:13 - machine was rebooted ComboFix-quarantined-files.txt 2011-06-02 02:37 . Pre-Run: 36,738,961,408 bytes free Post-Run: 37,027,577,856 bytes free . - - End Of File - - 87595E738E700FCFA763BB7E6B072B7C -
TDL4 infection MBAM not finding it or deleting it
Prifti replied to Prifti's topic in Resolved Malware Removal Logs
Thank you! I was away from my computer for the weekend and so am just doing these scans now. I am attaching the two logs you requested. 1. MBAM log Malwarebytes' Anti-Malware 1.50.1.1100 www.malwarebytes.org Database version: 6727 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 5/30/2011 11:37:49 PM mbam-log-2011-05-30 (23-37-41).txt Scan type: Full scan (C:\|D:\|E:\|F:\|) Objects scanned: 286298 Time elapsed: 50 minute(s), 42 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\1U0WFOHZPQ (Trojan.FakeAlert.SA) -> No action taken. HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSTEM UPDATER (Trojan.Agent) -> No action taken. Registry Values Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\System Updater\ImagePath (Trojan.Agent) -> Value: ImagePath -> No action taken. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\cftnom.bat (Trojan.Agent) -> No action taken. 2. dds log . DDS (Ver_11-05-19.01) - NTFSx86 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24 Run by Erin at 23:41:18 on 2011-05-30 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.479.244 [GMT -4:00] . . ============== Running Processes =============== . C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\rundll32.exe svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Secunia\PSI\PSIA.exe svchost.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter C:\Program Files\Secunia\PSI\sua.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Java\Java Update\jusched.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Lexmark X125\LEX125SU.exe C:\Program Files\Secunia\PSI\psi_tray.exe F:\dds.scr C:\WINDOWS\system32\WSCRIPT.exe . ============== Pseudo HJT Report =============== . uStart Page = hxxp://www.yahoo.com/ uSearch Page = uSearch Bar = uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop uInternet Settings,ProxyOverride = *.local mSearchAssistant = BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" mRun: [MsmqIntCert] regsvr32 /s mqrt.dll mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe" mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lexmar~1.lnk - c:\program files\lexmark x125\LEX125SU.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000 IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL Notify: itlnfw32 - itlnfw32.dll Notify: itlntfy - itlnfw32.dll SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL LSA: Notification Packages = . ================= FIREFOX =================== . FF - ProfilePath - c:\documents and settings\erin\application data\mozilla\firefox\profiles\wire1zvk.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q= FF - prefs.js: network.proxy.type - 0 FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff FF - Ext: XULRunner: {FA70364B-017D-475D-AC27-0FF15B5C958E} - c:\documents and settings\erin\local settings\application data\{FA70364B-017D-475D-AC27-0FF15B5C958E} . ============= SERVICES / DRIVERS =============== . R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872] R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656] R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328] R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2011-4-19 993848] R2 Secunia Update Agent;Secunia Update Agent;c:\program files\secunia\psi\sua.exe [2011-4-19 399416] R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544] S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664] S2 Ias;MicroSoft Logging Utility;c:\windows\system32\svchost.exe -k netsvcs [2006-3-16 14336] S2 Input Manager;Input Manager;c:\windows\temp\Input.bat [2011-5-24 45] S2 itlperf;Intel CPU;c:\windows\system32\svchost.exe -k itlsvc [2006-3-16 14336] S2 Local Account Authority Service;Local Account Authority Service;c:\windows\temp\LocalAccountAuthority.bat [2011-5-24 44] S2 System Updater;System Updater;c:\windows\cftnom.bat [2011-5-24 39] S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952] S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-8 135664] S3 rootrepeal3;rootrepeal3;c:\windows\system32\drivers\rootrepeal3.sys [2011-4-19 34816] . =============== Created Last 30 ================ . 2011-05-25 20:11:29 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2011-05-25 20:08:21 472808 ----a-w- c:\windows\system32\deployJava1.dll 2011-05-25 20:08:21 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll 2011-05-25 20:01:54 -------- d-----w- c:\documents and settings\erin\local settings\application data\Secunia PSI 2011-05-25 20:01:39 -------- d-----w- c:\program files\Secunia 2011-05-25 09:56:16 -------- d-----w- c:\documents and settings\all users\application data\iG28601IlPfN28601 2011-05-25 02:20:07 39 ---h--w- c:\windows\cftnom.bat 2011-05-25 02:18:04 0 ----a-w- c:\windows\Wnafuhuhiqo.bin 2011-05-25 02:18:01 -------- d-----w- c:\documents and settings\erin\local settings\application data\{FA70364B-017D-475D-AC27-0FF15B5C958E} 2011-05-25 02:16:55 102912 --sha-r- c:\windows\system32\tsbyuvl.dll 2011-05-25 02:16:55 102912 --sha-r- c:\windows\system32\tapisrvk.dll . ==================== Find3M ==================== . 2011-05-25 20:07:30 73728 ----a-w- c:\windows\system32\javacpl.cpl 2011-04-21 01:12:57 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys 2011-04-19 14:49:54 34816 ----a-w- c:\windows\system32\drivers\rootrepeal3.sys 2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll 2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll 2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys . ============= FINISH: 23:42:08.82 =============== I hope this is helpful. Thank you so much.