alfars Posted July 7, 2010 ID:280723

Folks,

First of all I apologize if this is a duplicate post but my system keeps crashing when I hit "Post New Topic". I'm posting this from my work computer now.

I could really use some help with this one. I've been fighting it for a few weeks and it's winning.

Symptoms:
- Random computer lock-ups
- Rogue svchost processes (sometimes exceeding 100mb)
- MCshield (McAfee) process exceeds 100mb
- Memory card reader no longer works (shows card but not contents)
- Browser redirects and pop-ups
- Google redirects
- Windows updates seem disabled
- Redirects when I try to go to Microsoft site
- Random failures of Win32services
- Start menu turns grey

Every scan I run shows a change to the registry to %fystemRoot% from %systemRoot%. Malware tries to change it back but it just changes again. Regedit won't allow me to change it.

My logs and files are attached but when I try to run GMER the system reboots on its own before the scan finishes. I have also tried to run it from safe mode but when I hit scan it just shuts down, so I don't have a log from this scan.

Thanks for any and all help,
Dave

Mbam Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4282

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/6/2010 6:40:07 PM
mbam-log-2010-07-06 (18-40-07).txt

Scan type: Full scan (C:\|D:\|J:\|)
Objects scanned: 330972
Time elapsed: 1 hour(s), 27 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 7:06:47.70 on Wed 07/07/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.432 [GMT -4:00]

AV: Defense Center *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Apple Computer\DVD@ccess\DVDAccess.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=67qMTGRA6lgqH0ZR7AwIDymzh58
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100518025104.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"
mRun: [CHotkey] zHotkey.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvd@cc~1.lnk - c:\program files\apple computer\dvd@ccess\DVDAccess.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - hxxp://www.eaglegps.com/Downloads/Emulators/FishElite_320/isetup.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-11 385880]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-5-2 28544]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-27 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-4-28 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 67656]
R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2007-2-3 29156]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-27 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-27 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-27 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-27 271480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-27 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-27 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-27 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-27 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-11 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-11 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-27 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-27 88480]
S1 638c3e07;638c3e07;c:\windows\system32\drivers\638c3e07.sys --> c:\windows\system32\drivers\638c3e07.sys [?]
S1 a419ce07;a419ce07;c:\windows\system32\drivers\a419ce07.sys --> c:\windows\system32\drivers\a419ce07.sys [?]
S1 cfa672ae;cfa672ae;c:\windows\system32\drivers\cfa672ae.sys --> c:\windows\system32\drivers\cfa672ae.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-27 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-27 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-11 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-11 40552]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 12872]
S4 iruyaeo;iruyaeo;c:\windows\system32\drivers\pbwiey.sys [2010-6-29 54016]

=============== Created Last 30 ================

2010-07-07 10:55:37 0 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-06-30 02:16:20 0 d-----w- c:\temp\qt-common
2010-06-30 02:14:35 54016 ----a-w- c:\windows\system32\drivers\pbwiey.sys
2010-06-27 14:30:24 0 d-----w- c:\docume~1\owner\applic~1\MoveFab
2010-06-27 12:44:29 0 d-----w- c:\program files\DVDFab 7
2010-06-18 16:48:22 5632 ----a-w- c:\windows\system32\ptpusb.dll
2010-06-18 16:48:21 159232 ----a-w- c:\windows\system32\ptpusd.dll
2010-06-18 16:48:21 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2010-06-18 16:48:21 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys

==================== Find3M ====================

Attach.zip
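The Hijack.WindowsUpdates entries in the Malwarebytes log above show the mechanism behind "Windows updates seem disabled": the ImagePath of the BITS and wuauserv services points at %fystemRoot%, a variable that does not exist, so the service control manager can never resolve the svchost path and the services silently fail to start. The check below is an added example (not part of the original post and not Malwarebytes or DDS code) that audits ImagePath strings offline, as one would when reviewing an exported hive or a log: it flags any %VAR% that is not a known system variable and verifies that netsvcs-hosted services resolve to the real svchost. KNOWN_ENV, NETSVCS and the sample entries are constructed from the values in this thread.

```python
import re
from typing import Dict, List, Optional

# Environment variables that legitimately appear in service ImagePath values
# on Windows XP (constructed for this example; extend as needed). Anything
# else, such as %fystemRoot%, cannot be expanded and is suspicious.
KNOWN_ENV = {
    "systemroot": r"C:\WINDOWS",
    "windir": r"C:\WINDOWS",
    "programfiles": r"C:\Program Files",
}

ENV_REF = re.compile(r"%([^%]+)%")

# Services that XP hosts inside svchost.exe in the netsvcs group.
NETSVCS = {"BITS", "wuauserv"}
SVCHOST = r"c:\windows\system32\svchost.exe"


def unknown_env_refs(image_path: str) -> List[str]:
    """Return every %VAR% reference whose name is not a known variable.
    Names are compared case-insensitively, as Windows does."""
    return [m for m in ENV_REF.findall(image_path) if m.lower() not in KNOWN_ENV]


def expand(image_path: str, env: Dict[str, str] = KNOWN_ENV) -> Optional[str]:
    """Expand %VAR% references. Return None when any reference cannot be
    resolved, which is what happens to the service itself at start-up."""
    if unknown_env_refs(image_path):
        return None
    return ENV_REF.sub(lambda m: env[m.group(1).lower()], image_path)


def check_service(name: str, image_path: str) -> List[str]:
    """Return human-readable findings for one service; empty means clean."""
    findings: List[str] = []
    bad = unknown_env_refs(image_path)
    if bad:
        findings.append(f"{name}: unresolvable variable(s) {bad} in ImagePath")
    expanded = expand(image_path)
    if name in NETSVCS and expanded is not None:
        # Everything before " -k " is the host executable; strip quoting.
        exe = expanded.split(" -k ")[0].strip('"').lower()
        if exe != SVCHOST:
            findings.append(f"{name}: svchost expected, got {exe}")
        if not expanded.lower().endswith(" -k netsvcs"):
            findings.append(f"{name}: not in the netsvcs group")
    return findings


def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_service over a {service name: ImagePath} map and keep only
    the services that produced findings."""
    result: Dict[str, List[str]] = {}
    for name, path in services.items():
        findings = check_service(name, path)
        if findings:
            result[name] = findings
    return result


# Constructed sample: the two hijacked values reported by Malwarebytes in
# the post above, plus a clean service for comparison.
SAMPLE = {
    "BITS": r"%fystemRoot%\system32\svchost.exe -k netsvcs",
    "wuauserv": r"%fystemroot%\system32\svchost.exe -k netsvcs",
    "Spooler": r"%SystemRoot%\system32\spoolsv.exe",
}

if __name__ == "__main__":
    for svc, findings in audit(SAMPLE).items():
        for line in findings:
            print(line)
```

On a live system the same function can be fed the ImagePath values read from HKLM\System\CurrentControlSet\Services; it only needs the string, not registry access.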
Kenny94 Posted July 7, 2010 ID:280731

Hi alfars And Welcome to Malwarebytes!

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Your system is severely infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards...... Please read the following through carefully so that you understand what to do.

Download TDSSKiller and save it to your Desktop.

Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.

It may ask you to reboot the computer to complete the process. Allow it to do so.

When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
alfars Posted July 7, 2010 Author ID:280890

Kenny,

Thanks for the support,
Dave

This is the log from TDSS:

17:49:59:851 2596 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
17:49:59:851 2596 ================================================================================
17:49:59:851 2596 SystemInfo:
17:49:59:851 2596 OS Version: 5.1.2600 ServicePack: 3.0
17:49:59:851 2596 Product type: Workstation
17:49:59:851 2596 ComputerName: OFFICE-EMACHINE
17:49:59:851 2596 UserName: Owner
17:49:59:851 2596 Windows directory: C:\WINDOWS
17:49:59:851 2596 System windows directory: C:\WINDOWS
17:49:59:851 2596 Processor architecture: Intel x86
17:49:59:851 2596 Number of processors: 1
17:49:59:851 2596 Page size: 0x1000
17:49:59:851 2596 Boot type: Normal boot
17:49:59:851 2596 ================================================================================
17:50:00:226 2596 Initialize success
17:50:00:226 2596 
17:50:00:226 2596 Scanning Services ...
17:50:00:648 2596 Raw services enum returned 368 services
17:50:00:664 2596 
17:50:00:664 2596 Scanning Drivers ...
17:50:01:164 2596 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
17:50:01:242 2596 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:50:01:273 2596 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
17:50:01:304 2596 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
17:50:01:398 2596 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:50:01:429 2596 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
17:50:01:476 2596 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
17:50:01:492 2596 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
17:50:01:539 2596 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
17:50:01:617 2596 aic78u2
C:\WINDOWS\system32\drivers\Sfloppy.sys17:50:10:445 2596 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys17:50:10:476 2596 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys17:50:10:507 2596 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys17:50:10:554 2596 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys17:50:10:570 2596 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys17:50:10:601 2596 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys17:50:10:632 2596 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys17:50:10:679 2596 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys17:50:10:695 2596 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys17:50:10:726 2596 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys17:50:10:789 2596 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys17:50:10:851 2596 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys17:50:10:867 2596 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys17:50:10:945 2596 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys17:50:10:992 2596 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys17:50:11:039 2596 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys17:50:11:086 2596 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys17:50:11:117 2596 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys17:50:11:164 2596 TosIde (d4253fa9f870e6d7c0d3f4c155684b8e) C:\WINDOWS\system32\DRIVERS\toside.sys17:50:11:164 2596 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\toside.sys. 
Real md5: d4253fa9f870e6d7c0d3f4c155684b8e, Fake md5: f2790f6af01321b172aa62f8e1e187d917:50:11:164 2596 File "C:\WINDOWS\system32\DRIVERS\toside.sys" infected by TDSS rootkit ... 17:50:18:664 2596 Backup copy found, using it..17:50:18:664 2596 will be cured on next reboot17:50:18:789 2596 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys17:50:18:836 2596 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys17:50:18:945 2596 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys17:50:18:976 2596 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys17:50:19:008 2596 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys17:50:19:023 2596 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys17:50:19:039 2596 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys17:50:19:054 2596 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys17:50:19:101 2596 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys17:50:19:133 2596 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS17:50:19:179 2596 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys17:50:19:195 2596 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys17:50:19:226 2596 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys17:50:19:258 2596 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys17:50:19:258 2596 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys17:50:19:289 2596 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys17:50:19:336 2596 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys17:50:19:383 2596 wdmaud 
(6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:50:19:461 2596 winachsf (59d043485a6eda2ed2685c81489ae5bd) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
17:50:19:601 2596 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
17:50:19:601 2596 Reboot required for cure complete..
17:50:19:851 2596 Cure on reboot scheduled successfully
17:50:19:851 2596 
17:50:19:851 2596 Completed
17:50:19:851 2596 
17:50:19:851 2596 Results:
17:50:19:851 2596 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
17:50:19:851 2596 File objects infected / cured / cured on reboot: 1 / 0 / 1
17:50:19:851 2596 
17:50:19:867 2596 KLMD(ARK) unloaded successfully
Kenny94 Posted July 7, 2010 ID:280901

As you've seen, a rootkit played havoc on a driver, and that caused the redirects. We still have some work to do.

Download ComboFix from below:
Combofix download

* IMPORTANT !!! Place combofix.exe on your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. You can get help on disabling your protection programs here.

Double click on combofix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

The Windows Recovery Console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled.
---------------------------------------------------------------------------------------------
alfars Posted July 7, 2010 Author ID:280924

Kenny,

It took a little while but seemed to work ok.

Thanks
Dave

Log:

ComboFix 10-07-06.05 - Owner 07/07/2010 18:55:21.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.553 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\811197608.dat
c:\windows\system32\drivers\pbwiey.sys
c:\windows\xpsp1hfm.log
D:\Autorun.inf
J:\Autorun.inf
c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_iruyaeo
-------\Service_iruyaeo

((((((((((((((((((((((((( Files Created from 2010-06-07 to 2010-07-07 )))))))))))))))))))))))))))))))
.
2010-07-07 23:00 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-07-07 23:00 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-06-30 02:16 . 2010-06-30 02:16 -------- d-----w- c:\temp\qt-common
2010-06-28 21:03 . 2010-06-28 21:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-06-28 21:03 . 2010-06-28 21:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2010-06-28 05:00 . 2010-06-28 05:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\nosgytuoi
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-07 21:52 . 2005-01-12 17:37 4992 ----a-w- c:\windows\system32\drivers\toside.sys
2010-07-02 02:17 . 
2010-06-19 12:19 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll2010-07-02 02:17 . 2009-05-02 23:29 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL2010-07-02 02:16 . 2009-05-02 23:28 -------- d-----w- c:\program files\SUPERAntiSpyware2010-06-27 14:30 . 2010-06-27 14:30 -------- d-----w- c:\documents and settings\Owner\Application Data\MoveFab2010-06-27 13:19 . 2010-06-27 12:44 -------- d-----w- c:\program files\DVDFab 72010-06-27 13:04 . 2006-05-12 03:26 -------- d-----w- c:\program files\Google2010-06-27 12:44 . 2007-01-20 20:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso2010-06-03 14:06 . 2006-05-12 03:40 -------- d-----w- c:\program files\McAfee2010-05-17 09:07 . 2009-05-02 20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-05-11 21:11 . 2010-05-11 21:11 -------- d-----w- c:\program files\The Learning Company2010-04-29 19:39 . 2009-05-02 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-04-29 19:39 . 2009-05-02 20:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-04-27 21:16 . 2010-04-27 22:19 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys2010-04-27 21:16 . 2010-04-27 22:19 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys2010-04-27 21:16 . 2010-04-27 22:19 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys2010-04-27 21:16 . 2010-04-27 22:19 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys2010-04-27 21:16 . 2010-04-27 22:19 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys2010-04-27 21:16 . 2010-04-27 22:19 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys2010-04-27 21:16 . 2010-04-27 22:19 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys2010-04-27 21:16 . 2007-02-11 20:32 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys2010-04-27 21:16 . 
2007-02-11 20:32 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys2010-04-27 21:16 . 2007-02-11 20:32 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-02 2403568]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]"nwiz"="nwiz.exe" [2005-09-17 1519616]"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-02-05 356352]"CHotkey"="zHotkey.exe" [2004-12-09 550912]"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-17 7204864]"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-17 86016]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-21 1193336][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"Power2GoExpress"="NA" [X]c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-8-5 209016]BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-5-11 2168360]DVD@ccess.lnk - 
c:\program files\Apple Computer\DVD@ccess\DVDAccess.exe [2007-2-3 888832]Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 122880]Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 61440][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-11-16 12:07 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]@=""[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"c:\\Program Files\\iTunes\\iTunes.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\WINDOWS\\system32\\sessmgr.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"=R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/2/2009 1:13 PM 28544]R1 mfetdi2k;McAfee Inc. 
mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/27/2010 6:19 PM 82952]R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [4/28/2009 11:33 AM 12872]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 67656]R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2/3/2007 6:46 PM 29156]R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:19 PM 271480]R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:19 PM 271480]R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:19 PM 271480]R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/27/2010 6:20 PM 188136]R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [4/27/2010 6:19 PM 141792]R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/27/2010 6:19 PM 55456]R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/27/2010 6:19 PM 312616]R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:19 PM 88480]S1 638c3e07;638c3e07;c:\windows\system32\drivers\638c3e07.sys --> c:\windows\system32\drivers\638c3e07.sys [?]S1 a419ce07;a419ce07;c:\windows\system32\drivers\a419ce07.sys --> c:\windows\system32\drivers\a419ce07.sys [?]S1 cfa672ae;cfa672ae;c:\windows\system32\drivers\cfa672ae.sys --> c:\windows\system32\drivers\cfa672ae.sys [?]S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:19 PM 88480]S3 mferkdet;McAfee Inc. 
mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/27/2010 6:19 PM 83496]S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 12872]--- Other Services/Drivers In Memory ---*Deregistered* - mfeavfk01.Contents of the 'Scheduled Tasks' folder2010-06-28 c:\windows\Tasks\My Documents backup.job- c:\windows\system32\ntbackup.exe [2005-01-09 00:12]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=67qMTGRA6lgqH0ZR7AwIDymzh58uSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html.- - - - ORPHANS REMOVED - - - -SafeBoot-klmdb.sysMSConfigStartUp-ttool - c:\windows\9129837.exeAddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-07-07 19:07Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\zHotkey.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-07 19:15:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-07 23:15
Pre-Run: 156,810,604,544 bytes free
Post-Run: 157,312,946,176 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - C72C610B346BFD89F9085C48FFE5DB38
Kenny94 Posted July 7, 2010 ID:280952

Do you know what this folder is Dave:
c:\documents and settings\NetworkService\Local Settings\Application Data\nosgytuoi?
Kenny94 Posted July 8, 2010 ID:280958

You have or had what has been identified as a flash drive infection.

Please download Flash_Disinfector from HERE. First, download it to your desktop. Now double click it to run it, and it will tell you what to do when you open it. It will temporarily kill explorer.exe and your desktop will go blank. Let Flash_Disinfector do its job and it will restart explorer.exe for you. It will make a dummy autorun.inf in the root of every drive. You can now delete Flash_Disinfector.exe.

Next

Run CFScript

Close any open browsers.
Open Notepad by clicking Start.
Click Run.
Type notepad into the box and press Enter.
Notepad will open.
Copy and paste everything from the Code box into Notepad:

KILLALL::
Driver::
638c3e07
a419ce07
cfa672ae

Save the file to your desktop and name it CFScript.txt. Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
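The three names in the Driver:: section above come straight from the ComboFix log posted earlier: they are the S1 services whose driver file no longer exists on disk (the "--> ... [?]" entries) and whose names are meaningless 8-digit hex strings, and the TDSSKiller log flagged toside.sys because the tool got two different MD5s for one file. As an added illustration, here is a small triage script that pulls those two indicators out of log lines. It is my example, not code from this thread, from ComboFix or from TDSSKiller; the sample lines are constructed to match the formats shown in the posts above (the hashes and service names are the ones the thread reports), and the "random hex name" rule is my own heuristic.

```python
import re

# Constructed sample lines in the formats shown in the thread's logs.
# TDSSKiller prints one detection per line; two hashes for one driver means
# the file's contents differ depending on how they are read, i.e. something
# is intercepting access to that driver.
SAMPLE_TDSS = [
    r"17:50:11:164 2596 TosIde (d4253fa9f870e6d7c0d3f4c155684b8e) C:\WINDOWS\system32\DRIVERS\toside.sys",
    r"17:50:11:164 2596 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\toside.sys. "
    r"Real md5: d4253fa9f870e6d7c0d3f4c155684b8e, Fake md5: f2790f6af01321b172aa62f8e1e187d9",
    r'17:50:11:164 2596 File "C:\WINDOWS\system32\DRIVERS\toside.sys" infected by TDSS rootkit ... ',
]

# ComboFix service section: "<start> <name>;<display>;<image> [<date> <size>]".
# When the image file is not on disk ComboFix prints "<image> --> <image> [?]".
SAMPLE_COMBOFIX = [
    r"R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/2/2009 1:13 PM 28544]",
    r'R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:19 PM 271480]',
    r"S1 638c3e07;638c3e07;c:\windows\system32\drivers\638c3e07.sys --> c:\windows\system32\drivers\638c3e07.sys [?]",
    r"S1 a419ce07;a419ce07;c:\windows\system32\drivers\a419ce07.sys --> c:\windows\system32\drivers\a419ce07.sys [?]",
    r"S1 cfa672ae;cfa672ae;c:\windows\system32\drivers\cfa672ae.sys --> c:\windows\system32\drivers\cfa672ae.sys [?]",
    r"S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/27/2010 6:19 PM 83496]",
]

FORGED_RE = re.compile(
    r"^\d\d:\d\d:\d\d:\d{3} \d+ Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})\s*$"
)

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.*?)"
    r"(?: --> (?P<missing>.+?) \[\?\]| \[(?P<stamp>[^\]]+)\])$"
)

HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")


def forged_drivers(lines):
    """Return (path, real_md5, fake_md5) for every TDSSKiller 'Forged' verdict."""
    hits = []
    for line in lines:
        m = FORGED_RE.match(line.strip())
        if m:
            hits.append((m["path"], m["real"], m["fake"]))
    return hits


def parse_services(lines):
    """Parse ComboFix service/driver lines; other lines are ignored."""
    entries = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            entries.append({
                "start": m["start"],
                "name": m["name"],
                "display": m["display"],
                "image": m["image"],
                "file_missing": m["missing"] is not None,
            })
    return entries


def suspicious_services(entries):
    """Flag entries worth a closer look. Both rules are my heuristics, not
    ComboFix logic: the image file is absent from disk, or the service name
    is a random-looking 8-digit hex string."""
    flagged = []
    for e in entries:
        reasons = []
        if e["file_missing"]:
            reasons.append("image file not found on disk")
        if HEX_NAME_RE.match(e["name"]):
            reasons.append("random-looking hex service name")
        if reasons:
            flagged.append((e["name"], e["start"], reasons))
    return flagged


if __name__ == "__main__":
    for path, real, fake in forged_drivers(SAMPLE_TDSS):
        print(f"forged driver: {path}\n  real md5 {real}\n  fake md5 {fake}")
    for name, start, reasons in suspicious_services(parse_services(SAMPLE_COMBOFIX)):
        print(f"service {name} ({start}): {'; '.join(reasons)}")
```

On a real log you would feed the file's lines in place of the constructed samples; the point is that a service with a boot-time start type, no image on disk and a nonsense name is exactly the combination a helper looks for before writing a removal script, and a "Forged" verdict is the hash mismatch that shows a driver's contents are being hidden from normal reads.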
alfars Posted July 8, 2010 Author ID:281100

> Do you know what this folder is Dave:
> c:\documents and settings\NetworkService\Local Settings\Application Data\nosgytuoi?

I actually don't see the folder NetworkServices under documents and settings even though I have show hidden files and folders checked. A search doesn't find "nosgytuoi". No idea what it is.

My system is much more stable now. Definitely making some progress.

Thanks for all the help,
Dave

New Log:

ComboFix 10-07-07.01 - Owner 07/08/2010 5:06.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.895.416 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_638c3e07
-------\Service_a419ce07
-------\Service_cfa672ae

((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.
2010-07-08 08:55 . 2010-07-08 08:55 -------- d-sh--w- c:\documents and settings\Owner\UserData
2010-07-07 23:00 . 2008-04-14 00:12 39424 -c--a-w- c:\windows\system32\dllcache\grpconv.exe
2010-07-07 23:00 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2010-06-30 02:16 . 2010-06-30 02:16 -------- d-----w- c:\temp\qt-common
2010-06-28 21:03 . 2010-06-28 21:03 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple Computer
2010-06-28 21:03 . 2010-06-28 21:03 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2010-06-28 05:00 . 
2010-06-28 05:00 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\nosgytuoi.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2010-07-07 21:52 . 2005-01-12 17:37 4992 ----a-w- c:\windows\system32\drivers\toside.sys2010-07-02 02:17 . 2010-06-19 12:19 63488 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll2010-07-02 02:17 . 2009-05-02 23:29 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL2010-07-02 02:16 . 2009-05-02 23:28 -------- d-----w- c:\program files\SUPERAntiSpyware2010-06-27 14:30 . 2010-06-27 14:30 -------- d-----w- c:\documents and settings\Owner\Application Data\MoveFab2010-06-27 13:19 . 2010-06-27 12:44 -------- d-----w- c:\program files\DVDFab 72010-06-27 13:04 . 2006-05-12 03:26 -------- d-----w- c:\program files\Google2010-06-27 12:44 . 2007-01-20 20:24 -------- d-----w- c:\documents and settings\Owner\Application Data\Vso2010-06-03 14:06 . 2006-05-12 03:40 -------- d-----w- c:\program files\McAfee2010-05-17 09:07 . 2009-05-02 20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2010-05-11 21:11 . 2010-05-11 21:11 -------- d-----w- c:\program files\The Learning Company2010-04-29 19:39 . 2009-05-02 20:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-04-29 19:39 . 2009-05-02 20:55 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-04-27 21:16 . 2010-04-27 22:19 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys2010-04-27 21:16 . 2010-04-27 22:19 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys2010-04-27 21:16 . 2010-04-27 22:19 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys2010-04-27 21:16 . 2010-04-27 22:19 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys2010-04-27 21:16 . 
2010-04-27 22:19 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys2010-04-27 21:16 . 2010-04-27 22:19 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys2010-04-27 21:16 . 2010-04-27 22:19 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys2010-04-27 21:16 . 2007-02-11 20:32 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys2010-04-27 21:16 . 2007-02-11 20:32 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys2010-04-27 21:16 . 2007-02-11 20:32 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-02 2403568]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]"nwiz"="nwiz.exe" [2005-09-17 1519616]"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-02-05 356352]"CHotkey"="zHotkey.exe" [2004-12-09 550912]"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-17 7204864]"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-17 86016]"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" 
[2010-04-21 1193336][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]"Power2GoExpress"="NA" [X]c:\documents and settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-8-5 209016]BigFix.lnk - c:\program files\BigFix\bigfix.exe [2006-5-11 2168360]DVD@ccess.lnk - c:\program files\Apple Computer\DVD@ccess\DVDAccess.exe [2007-2-3 888832]Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-7-11 122880]Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-7-11 61440][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-11-16 12:07 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]@=""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]@=""[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]"DisableMonitoring"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"c:\\Program Files\\iTunes\\iTunes.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\WINDOWS\\system32\\sessmgr.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"=R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [5/2/2009 1:13 PM 28544]R1 mfetdi2k;McAfee Inc. 
mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/27/2010 6:19 PM 82952]R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [4/28/2009 11:33 AM 12872]R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 67656]R2 DVDAccss;DVDAccss;c:\windows\system32\drivers\DVDAccss.sys [2/3/2007 6:46 PM 29156]R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:19 PM 271480]R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:19 PM 271480]R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/27/2010 6:19 PM 271480]R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/27/2010 6:20 PM 188136]R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [4/27/2010 6:19 PM 141792]R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/27/2010 6:19 PM 55456]R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/27/2010 6:19 PM 312616]R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:19 PM 88480]S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/27/2010 6:19 PM 88480]S3 mferkdet;McAfee Inc. 
mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/27/2010 6:19 PM 83496]S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 12872]--- Other Services/Drivers In Memory ---*Deregistered* - mfeavfk01.Contents of the 'Scheduled Tasks' folder2010-06-28 c:\windows\Tasks\My Documents backup.job- c:\windows\system32\ntbackup.exe [2005-01-09 00:12]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8uInternet Connection Wizard,ShellNext = hxxp://127.0.0.1:4664/first_usage&s=67qMTGRA6lgqH0ZR7AwIDymzh58uSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%sIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2010-07-08 05:16Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1020)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\zHotkey.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-08 05:23:19 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 09:23
ComboFix2.txt 2010-07-07 23:15
Pre-Run: 157,570,662,400 bytes free
Post-Run: 157,541,756,928 bytes free

- - End Of File - - ABB0F73EC0E41EED266E64DE3C9482B8
Kenny94 Posted July 8, 2010 ID:281116

Please download ATF Cleaner by Atribune.
- Double-click ATF-Cleaner.exe to run the program.
- Under Main choose: Select All
- Click the Empty Selected button.
- Click Exit on the Main menu to close the program.

Next

Update and Run Malwarebytes
- Launch Malwarebytes' Anti-Malware.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
alfars Posted July 8, 2010 Author ID:281216

Kenny,

Do you ever sleep?

Latest scans look good. Should I run the flash drive scan on every flash drive/memory card that I have?

Thanks,
Dave

Log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4291
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

7/8/2010 8:00:21 AM
mbam-log-2010-07-08 (08-00-21).txt

Scan type: Quick scan
Objects scanned: 137022
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Kenny94 Posted July 8, 2010 ID:281218

Do you ever sleep?
I try, but can't.......

Should I run the flash drive scan on every flash drive/memory card that I have?
Just the flash drives......

There are some older versions of Java on your computer. These can be a source of infection. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

- Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
- Scroll down to where it says Java SE Runtime Environment (JRE) - JRE 6 Update 20 - Click the Download button to the right.
- Select the Windows platform from the dropdown menu.
- Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6u16 with JavaFX 1 License Agreement. Click on Continue. The page will refresh.
- Click on the link to download Windows Offline Installation and save the file to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
- After the install is complete, go into the Control Panel (using Classic View) and double-click the Java icon (looks like a coffee cup).
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button.
- There are two options in the window to clear the cache - leave BOTH checked:
  Applications and Applets
  Trace and Log Files
- Click OK on the Delete Temporary Files window. Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files window.
- Click OK to leave the Java Control Panel.

To test your Java Run-time, you may go to this page: http://www.java.com/en/download/help/testvm.xml
When all is well, you should see Java Version: 1.6.0_20 from Sun Microsystems Inc.

-------------------------------------------------------------------

Your Computer is Clean

Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware:
- Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
- Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the x and /)
- Please follow the prompts to uninstall Combofix.
- You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.

Here are some additional links for you to check out to help you with your computer security.

Browsers
Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA. Both are free to use and are more secure than IE. If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust). NoScript stops JavaScript from starting on a web page unless you give permission for it, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites, allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab.
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator - Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Secunia software inspector & update checker

Visit My Blog for Malware and Spyware Tips

It was a pleasure working with you. And Thank You for your visit here.
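The six Internet-zone settings Kenny94 walks through in the Custom Level dialog are stored as DWORD values under the per-user Internet Settings key, so they can be audited and re-applied without clicking through the UI. The script below is an added example, not part of the post above or of any tool it names. It assumes Microsoft's documented zone registry layout: zone 3 is the Internet zone, each setting is identified by an action ID (1001 signed ActiveX download, 1004 unsigned ActiveX download, 1201 initialize/script unsafe ActiveX, 1800 desktop item installation, 1804 IFRAME program launch, 1607 cross-domain sub-frame navigation), and the value encoding is 0 = Enable, 1 = Prompt, 3 = Disable. It also assumes that a value under the Policies key (set by Group Policy) overrides the user's own setting, which is why it reports such entries as locked rather than silently editing something IE would ignore.

```powershell
# Added example (not from the forum post): audit, and optionally enforce, the
# Internet-zone hardening recommended above via the registry values IE reads.
#
# Assumptions (see lead-in): zone 3 = Internet; action IDs and the encoding
# 0 = Enable, 1 = Prompt, 3 = Disable follow Microsoft's documented layout;
# a value under the Policies key overrides the per-user value.

$ZonePath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

$ValueNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# The six settings the post changes, keyed by IE action ID, with the wanted value.
$Recommended = @(
    @{ Id = '1001'; Name = 'Download signed ActiveX controls';                          Want = 1 },
    @{ Id = '1004'; Name = 'Download unsigned ActiveX controls';                        Want = 3 },
    @{ Id = '1201'; Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 },
    @{ Id = '1800'; Name = 'Installation of desktop items';                             Want = 1 },
    @{ Id = '1804'; Name = 'Launching programs and files in an IFRAME';                 Want = 1 },
    @{ Id = '1607'; Name = 'Navigate sub-frames across different domains';              Want = 1 }
)

function Get-ZoneValue {
    param([string]$Path, [string]$Id)
    # $null means the value is absent; IE then uses the zone template's default.
    $item = Get-ItemProperty -Path $Path -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Get-ZoneValueName {
    param($Value)
    if ($null -eq $Value) { return 'not set (template default)' }
    if ($ValueNames.ContainsKey($Value)) { return $ValueNames[$Value] }
    return "raw $Value"   # e.g. 65536 = Administrator approved
}

function Test-InternetZoneHardening {
    param([switch]$Apply)
    foreach ($s in $Recommended) {
        $policy    = Get-ZoneValue -Path $PolicyPath -Id $s.Id
        $current   = Get-ZoneValue -Path $ZonePath   -Id $s.Id
        $effective = if ($null -ne $policy) { $policy } else { $current }

        $status = if ($effective -eq $s.Want) { 'OK' } else { 'WEAK' }
        if ($status -eq 'WEAK' -and $Apply) {
            if ($null -ne $policy) {
                $status = 'LOCKED BY POLICY'   # an HKCU edit would be ignored
            } else {
                New-ItemProperty -Path $ZonePath -Name $s.Id -Value $s.Want `
                    -PropertyType DWord -Force | Out-Null
                $status = 'FIXED'
            }
        }

        New-Object PSObject -Property @{
            ActionId = $s.Id
            Setting  = $s.Name
            Current  = Get-ZoneValueName $effective
            Wanted   = $ValueNames[$s.Want]
            Status   = $status
        } | Select-Object ActionId, Setting, Current, Wanted, Status
    }
}

# Audit only (no changes):
Test-InternetZoneHardening | Format-Table -AutoSize

# Enforce the recommended values for the current user:
# Test-InternetZoneHardening -Apply | Format-Table -AutoSize
```

Run it once before and once after the Custom Level changes: every row should move from WEAK to OK, and any row that stays WEAK with a LOCKED BY POLICY status under -Apply is controlled by Group Policy rather than by the dialog. Because the values live under HKCU, the audit covers only the logged-on user; repeat it for each account on the machine.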