Malware/Trojan/rootkit help please


Hello and thank you in advance for your help :)

My wife's computer has been very slow for some time, but about a week ago the PC started getting what seemed like random error messages.

Example: "lpgniectssd.exe encountered a problem and needs to close"; "A: xdd.exe application error"

Then "Memory could not be written" errors began showing up. Example:

Explorer.exe application error--The instruction at "0x100119aa" referenced memory at "0x02d6e868". The memory could not be "written".

TMR64026.exe app error--The exception unknown software exception (0xc000001e) occurred in the application at location 0x0040140e.

And the above xdd.exe error.

When I started researching this problem (or problems) I came across many similar issues that suggested malware/trojan/rootkit issues. Topics pointed to the Malwarebytes software to help. When I tried to search for the program or its web site I started getting redirected away to another page or just getting the "can't connect" page. I finally got it downloaded, though, and when I clicked to start it nothing happened. I went into the Programs folder and tried again from there and still nothing. (I need to say that there are other programs that also won't launch now.)

I saw the post about using RootRepeal to get rid of the offending rootkit, used the program, and it found only one .sys item, which didn't match the examples on the page.

Another issue that has occurred (which may not be related) is that if hibernate or standby is used, when the desktop comes back online none of the icons work and no programs will start, not even to shut the machine off. I have to hard-boot it all the time now.

To begin setting the PC up for tech help here, I have done the following:

- Ran Malwarebytes: won't run

- Updated virus protection (McAfee) and ran a system scan: done, though very slow (more than 3 hours); 6 viruses caught and removed, 1 (CoolWebSearch) not able to clean/delete

- Downloaded Defogger and turned off CD emulation: didn't ask to reboot

- I am not sure if I got script blockers turned off correctly. The McAfee utility didn't specifically show it, so I just turned off virus/spyware protection (real-time protection).

- Downloaded DDS: ran smoothly except for an 'MC single exe framework' pop-up. Clicked it off and DDS finished and generated the reports that I will attach/post.

- Downloaded the GMER rootkit scanner and began to have problems:

1. The scan ran for close to 3 hours before a "Data execution protection" popup occurred and another pop-up about... 4th sector something; I failed to write that one down.

2. Then the system crashed to a blue screen. Among other things mentioned about 'how to stop it from happening again' (which I didn't follow) was a 'stop' error:

stop: 0x000000F4(0x00000003, 0x8688D3DO, 0x8688D544, 0x805FB146)

After rebooting, and thinking to at least try to salvage a partial report (maybe), I reopened the GMER program and saw that it had done some kind of scan before I unchecked the necessary boxes. I tried to make a log of that and it crashed my PC again with the same blue screen and error, but with different addresses.

3. The third crash came almost immediately after opening GMER a third time. The stop error was different: Stop: d0000144 unknown hard error, unknown hard error.

I did get a HijackThis scan to complete before I started with the above and will include the log with the other requested reports, minus the ark.txt/zip, which was never generated by the GMER program.

In the end, we still get 'random' errors that sometimes force the PC to shut down. Any time we try to turn off the PC (or it is forced to shut down) we get 'End Program' issues. The latest was vprotray.exe won't close; I had to force it. Then the machine usually hangs between on and off, forcing a hard reboot.

A lot of info, I know, but I hope the more info I can give, the better (if not easier) it is to help you help me. I am comfortable moving around the PC (had hardware and some software tech training years ago), though I am a bit 'rusty', 7 years out of the game.

Again, thank you for your time and help :)

DDS.txt:

DDS (Ver_10-03-17.01) - NTFSx86

Run by SarahAnn at 20:19:18.34 on Sat 07/10/2010

Internet Explorer: 7.0.5730.11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.416 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Norton Ghost\Agent\VProTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\TEMP\Xdd.exe

C:\Program Files\Lexmark 2600 Series\lxdnmon.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

svchost.exe

C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\system32\lxdncoms.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\SarahAnn\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uDefault_Page_URL = hxxp://www.dell4me.com/myway

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearch Page =

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mDefault_Page_URL = hxxp://www.yahoo.com/

mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

mSearch Page =

uInternet Settings,ProxyOverride = *.r3.attbi.com;localhost;<local>;*.local

uInternet Settings,ProxyServer = sas.r3.attbi.com:8000

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

mSearchAssistant = hxxp://www.google.com/ie

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100517195704.dll

BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File

TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File

EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\progra~1\yahoo!\common\yhexbmesus.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet

uRun: [search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe

uRun: [anckpvvo] c:\documents and settings\sarahann\local settings\application data\xiiqxvqar\tgtxscftssd.exe

uRun: [Htiwik] rundll32.exe "c:\windows\diaprn.dll",Startup

uRun: [Yahoo! Pager] c:\program files\yahoo!\messenger\ypager.exe -quiet

uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"

uRun: [{558AE35F-F2F4-DAD3-2155-D8F79CC52DA9}] "c:\documents and settings\sarahann\application data\osogh\uqyxs.exe"

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [DVDSentry] c:\windows\system32\DSentry.exe

mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [Nxinukij] rundll32.exe "c:\windows\igojecux.dll",Startup

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"

mRun: [lxdnamon] "c:\program files\lexmark 2600 series\lxdnamon.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

mRun: [bCMSMMSG] BCMSMMSG.exe

dRun: [EWABQAF7KL] c:\windows\temp\Xdd.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: &Google Search

IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm

IE: Backward &Links

IE: Cac&hed Snapshot of Page

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000

IE: Si&milar Pages

IE: Translate into English

IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll

IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: v3cab - hxxp://searchmiracle.com/cab/v3cab.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab

DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab

DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} - hxxp://community.webshots.com/html/atx/wsaxcontrol.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} - hxxp://metamorphosis67.spaces.live.com/PhotoUpload/MsnPUpld.cab

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689}

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab

TCP: NameServer = 93.188.162.67,93.188.161.207

TCP: {450FF802-EE9C-4F7D-AA7E-59FEF2BCBBAF} = 93.188.162.67,93.188.161.207

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-2-8 385880]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-15 82952]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-9-20 206096]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-15 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-15 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-15 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-15 170144]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-15 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-15 141792]

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2002-8-29 5120]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-15 55456]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-2-8 152320]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-15 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-15 88480]

R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]

S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2010-1-6 98984]

S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\turbine\turbine download manager\TurbineMessageService.exe [2010-3-13 271856]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\turbine\turbine download manager\TurbineNetworkService.exe [2010-3-13 218608]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-2-8 51688]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-15 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-15 83496]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-2-8 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-2-8 40552]

=============== Created Last 30 ================

2010-07-11 01:17:50 0 ----a-w- c:\windows\akibuhuwonez.dll

2010-07-11 00:51:56 0 ----a-w- c:\documents and settings\sarahann\defogger_reenable

2010-07-11 00:27:02 0 ----a-w- c:\windows\uzedonotudok.dll

2010-07-11 00:25:30 1520 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-07-11 00:24:26 0 ----a-w- c:\windows\upinerav.dll

2010-07-10 23:04:18 0 ----a-w- c:\windows\ezadefak.dll

2010-07-10 21:02:17 0 ----a-w- c:\windows\uhehejozugi.dll

2010-07-10 19:00:17 0 ----a-w- c:\windows\ejoririfejel.dll

2010-07-10 16:58:26 0 ----a-w- c:\windows\anogikewejoguxa.dll

2010-07-10 16:27:19 0 ----a-w- c:\windows\elorejadanapiqif.dll

2010-07-10 15:52:36 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard

2010-07-10 15:51:27 0 d-----w- c:\program files\common files\iS3

2010-07-10 15:51:26 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!

2010-07-10 15:46:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-10 15:46:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-10 15:46:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-10 14:57:11 0 ----a-w- c:\windows\eyataniqe.dll

2010-07-10 12:55:23 0 ----a-w- c:\windows\oqufisaw.dll

2010-07-10 12:24:11 0 ----a-w- c:\windows\odoperulazex.dll

2010-07-10 04:28:05 0 ----a-w- c:\windows\atehapuhidonok.dll

2010-07-10 02:26:52 0 ----a-w- c:\windows\emarebev.dll

2010-07-10 00:45:01 171034 ----a-w- c:\windows\.exe

2010-07-08 23:55:25 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-07 10:28:15 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-07 02:11:48 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-02 02:16:24 0 ----a-w- c:\windows\Wqinuhuq.dat

2010-07-02 02:16:24 0 ----a-w- c:\windows\Wkejiquc.bin

==================== Find3M ====================

2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe

2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys

2010-04-28 03:35:13 39864 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll

2010-04-16 11:43:25 634656 ------w- c:\windows\system32\dllcache\iexplore.exe

2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll

2009-03-20 13:33:53 1951432 ----a-w- c:\program files\ppviewer.exe

2008-03-12 11:21:00 432552 ----a-w- c:\program files\wpsetup.exe

2007-06-01 13:29:23 2549 -c--a-w- c:\program files\Config.ini

2007-06-01 13:29:23 1372328 -c--a-w- c:\program files\log.txt

2007-06-01 12:46:30 108528 -c--a-w- c:\program files\4414_items11.9.2v3.zip

2007-02-14 02:45:30 517932 -c--a-w- c:\program files\items.csv

2007-02-14 02:31:04 1816576 -c--a-w- c:\program files\wowmodelview.exe

2007-02-12 22:34:18 334788 -c--a-w- c:\program files\npcs.csv

2007-01-21 04:28:06 36808256 -c--a-w- c:\program files\iTunesSetup.exe

2007-01-14 22:15:42 1636 -c--a-w- c:\program files\ridable.csv

2006-07-23 02:50:16 6958 -c--a-w- c:\program files\changelog.txt

2006-07-18 12:44:58 38544896 -c--a-w- c:\program files\booksmart_CNET_r1_1.2.1.8973.exe

2006-07-15 02:03:14 361087 -c--a-w- c:\program files\testitems.csv

2006-05-14 12:39:06 16985 -c--a-w- c:\program files\changelog-Archive.txt

2006-03-29 03:34:38 5846632 -c--a-w- c:\program files\winzip100.exe

2006-03-02 04:22:36 382504 -c--a-w- c:\program files\msgr7us.exe

2006-01-19 21:20:36 1204 -c--a-w- c:\program files\enchants.csv

2006-01-02 08:26:40 3562 -c--a-w- c:\program files\ItemTutorial.txt

2005-12-29 07:28:10 413696 -c--a-w- c:\program files\cximagecrt.dll

2005-09-13 02:44:24 1216 -c--a-w- c:\program files\readme.txt

2005-05-16 05:42:26 188416 -c--a-w- c:\program files\glew32.dll

2004-10-29 04:00:16 4565928 -c--a-w- c:\program files\winamp505_full.exe

2004-07-21 00:33:35 831488 -c--a-w- c:\program files\eqim.exe

2004-07-20 11:36:34 4185744 -c--a-w- c:\program files\Install_AIM.exe

2004-07-10 22:19:35 1740 ----a-w- c:\program files\Adobe Reader 6.0.lnk

2004-07-10 22:18:11 16706160 -c--a-w- c:\program files\AdbeRdr60_enu_full.exe

2004-07-02 13:51:01 486289306 -c--a-w- c:\program files\EVE_1549.exe

2003-11-22 12:45:16 348160 -c--a-r- c:\program files\msvcr71.dll

2003-03-19 16:14:52 499712 -c--a-w- c:\program files\msvcp71.dll

2003-01-08 23:27:18 17992 -c--a-w- c:\program files\COPYING

2008-09-20 21:41:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092020080921\index.dat

============= FINISH: 20:21:46.20 ===============

HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 11:10:53 PM, on 7/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17055)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\TEMP\Xdd.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Dell\Media Experience\PCMService.exe

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Norton Ghost\Agent\VProTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Lexmark 2600 Series\lxdnmon.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\DellSupport\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\WINDOWS\system32\lxdncoms.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

C:\Program Files\Norton Ghost\Agent\VProSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Documents and Settings\SarahAnn\Desktop\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlido11custreg?clid=1033

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r3.attbi.com:8000

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r3.attbi.com;localhost;<local>;*.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100517195704.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKLM\..\Run: [Nxinukij] rundll32.exe "C:\WINDOWS\igojecux.dll",Startup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [lxdnmon.exe] "C:\Program Files\Lexmark 2600 Series\lxdnmon.exe"

O4 - HKLM\..\Run: [lxdnamon] "C:\Program Files\Lexmark 2600 Series\lxdnamon.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

O4 - HKCU\..\Run: [anckpvvo] C:\Documents and Settings\SarahAnn\Local Settings\Application Data\xiiqxvqar\tgtxscftssd.exe

O4 - HKCU\..\Run: [Htiwik] rundll32.exe "C:\WINDOWS\diaprn.dll",Startup

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [{558AE35F-F2F4-DAD3-2155-D8F79CC52DA9}] "C:\Documents and Settings\SarahAnn\Application Data\Osogh\uqyxs.exe"

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {28B66320-9687-4B13-8757-36F901887AB5} (CanvasX Class) - http://www.seehere.com/ips-opdata/layout/f...dan-canvasx.cab

O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...90/mcinsctl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://metamorphosis67.spaces.live.com/Pho...ad/MsnPUpld.cab

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} (Image Uploader Control) - http://community.weightwatchers.com/Script...geUploader6.cab

O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} -

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab

O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} (Java Plug-in 1.4.2) -

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx2.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{450FF802-EE9C-4F7D-AA7E-59FEF2BCBBAF}: NameServer = 93.188.162.67,93.188.161.207

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.67,93.188.161.207

O17 - HKLM\System\CS1\Services\Tcpip\..\{450FF802-EE9C-4F7D-AA7E-59FEF2BCBBAF}: NameServer = 93.188.162.67,93.188.161.207

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 93.188.162.67,93.188.161.207

O17 - HKLM\System\CS3\Services\Tcpip\..\{450FF802-EE9C-4F7D-AA7E-59FEF2BCBBAF}: NameServer = 93.188.162.67,93.188.161.207

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.67,93.188.161.207

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe

O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Turbine, Inc. - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: lxdnCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdnserv.exe

O23 - Service: lxdn_device - - C:\WINDOWS\system32\lxdncoms.exe

O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc (file missing)

O23 - Service: McAfee Services (mcmscsvc) - Unknown owner - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc (file missing)

O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - Unknown owner - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc (file missing)

O23 - Service: McAfee Network Agent (McNASvc) - Unknown owner - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc (file missing)

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - Unknown owner - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc (file missing)

O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - Unknown owner - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc (file missing)

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe

O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe

Attach.zip

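As an added illustration, not part of the original thread and not code from Malwarebytes or any of the tools mentioned, the following Python script triages HijackThis-style O4 and O17 lines like the ones in the log above. It flags the characteristics a helper reading such a log looks for first: rundll32 loading a DLL straight out of the Windows root rather than system32, an autostart executable living in a user's Application Data folder, a GUID-named Run value, and NameServer entries that are not the resolvers the machine is expected to use. The sample lines are copied from the posted log; the EXPECTED_DNS set and the heuristic rules themselves are assumptions made for this example.

```python
import re
from typing import Dict, List

# Sample input: O4/O17/O23 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Nxinukij] rundll32.exe "C:\WINDOWS\igojecux.dll",Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [anckpvvo] C:\Documents and Settings\SarahAnn\Local Settings\Application Data\xiiqxvqar\tgtxscftssd.exe
O4 - HKCU\..\Run: [Htiwik] rundll32.exe "C:\WINDOWS\diaprn.dll",Startup
O4 - HKCU\..\Run: [{558AE35F-F2F4-DAD3-2155-D8F79CC52DA9}] "C:\Documents and Settings\SarahAnn\Application Data\Osogh\uqyxs.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{450FF802-EE9C-4F7D-AA7E-59FEF2BCBBAF}: NameServer = 93.188.162.67,93.188.161.207
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
"""

# Resolvers this machine is expected to use. Assumed for the example; in
# practice this is the router's or ISP's address list.
EXPECTED_DNS = {"192.168.1.1"}

O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,]+)$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')
# Target under a user profile's (Local Settings\)Application Data folder.
PROFILE_RE = re.compile(
    r'\\documents and settings\\[^\\]+\\(local settings\\)?application data\\', re.I)
# rundll32 loading a DLL that sits directly in the Windows root (no subfolder).
RUNDLL_WINROOT_RE = re.compile(
    r'rundll32\.exe\s+"?[A-Za-z]:\\windows\\[^\\"]+\.dll"?', re.I)


def triage_o4(name: str, cmd: str) -> List[str]:
    """Return the reasons an O4 Run entry deserves a closer look (empty if none)."""
    reasons = []
    if GUID_RE.match(name):
        reasons.append("GUID-named Run value")
    if PROFILE_RE.search(cmd):
        reasons.append("autostart target in user profile Application Data")
    if RUNDLL_WINROOT_RE.search(cmd):
        reasons.append("rundll32 loading a DLL from the Windows root directory")
    return reasons


def triage_o17(servers: str) -> List[str]:
    """Flag any NameServer address that is not in the expected resolver set."""
    unexpected = [s for s in servers.split(",") if s not in EXPECTED_DNS]
    if unexpected:
        return ["unexpected DNS server(s): " + ", ".join(unexpected)]
    return []


def triage(log: str) -> Dict[str, List[str]]:
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            reasons = triage_o4(m.group("name"), m.group("cmd"))
        else:
            m = O17_RE.match(line)
            reasons = triage_o17(m.group("servers")) if m else []
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```

Run against the sample, the script leaves the iTunes, ctfmon and McShield lines alone and reports the two rundll32 loaders, the two executables under the SarahAnn profile (one of them also GUID-named) and the O17 resolver pair. These are triage hints only; a flagged line still needs to be checked against what the machine should legitimately be running.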

Hello ,

And ;) My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Hello Elise :)

I turned off McAfee's virus and spyware apps and made sure Windows firewall was off. As the infection wouldn't allow me to go to BleepingComputer's site, I downloaded ComboFix from my other computer and thumb-drived it over to the infected one. But as with Malwarebytes' own program, the ComboFix program won't run. The first 2-3 times I double click, a small 'loading' box appears right over the icon--and one along the task bar--then both disappear before either reach the end of the 'loading bar' (if that's what that is). All other double clicks fail to do anything, even after restarting the PC, which sometimes works for launching other programs.

:)


ComboFix did start in safe mode but couldn't download the recovery console as there is no internet in safe mode. I shut off ComboFix at this point due to warnings about not having the console installed past this point. Restarting the machine in full mode I tried to download a copy from a web site and something made the site window shut down back to desktop. I have downloaded a 'cd' copy of the console (put it on a thumb drive) from my working PC and could probably install it manually that way and then go back to safe mode to run ComboFix.

Let me know what you think ;)


ComboFix 10-07-10.02 - SarahAnn 07/12/2010 8:46.2.1 - x86 MINIMAL

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.783 [GMT -5:00]

Running from: c:\documents and settings\SarahAnn\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

The following files were disabled during the run:

c:\windows\system32\dpvsdnih.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Favorites\_favdata.dat

c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server

c:\documents and settings\SarahAnn\Application Data\c3055c95.exe

c:\documents and settings\SarahAnn\Application Data\Osogh

c:\documents and settings\SarahAnn\Application Data\Osogh\uqyxs.exe

c:\documents and settings\SarahAnn\Local Settings\Application Data\{1E846F37-EC84-4E86-82EA-113BBC241419}

c:\documents and settings\SarahAnn\Local Settings\Application Data\{1E846F37-EC84-4E86-82EA-113BBC241419}\chrome.manifest

c:\documents and settings\SarahAnn\Local Settings\Application Data\{1E846F37-EC84-4E86-82EA-113BBC241419}\chrome\content\_cfg.js

c:\documents and settings\SarahAnn\Local Settings\Application Data\{1E846F37-EC84-4E86-82EA-113BBC241419}\chrome\content\overlay.xul

c:\documents and settings\SarahAnn\Local Settings\Application Data\{1E846F37-EC84-4E86-82EA-113BBC241419}\install.rdf

c:\documents and settings\SarahAnn\Local Settings\Application Data\Windows Server

c:\program files\Shared

c:\windows\adogewuxiqeniwa.dll

c:\windows\akibuhuwonez.dll

c:\windows\amiveham.dll

c:\windows\anogikewejoguxa.dll

c:\windows\anopewuk.dll

c:\windows\atehapuhidonok.dll

c:\windows\ayumaquden.dll

c:\windows\diaprn.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\ejoririfejel.dll

c:\windows\elorejadanapiqif.dll

c:\windows\emarebev.dll

c:\windows\etb

c:\windows\etb\etb.ini

c:\windows\etb\etl

c:\windows\etb\xml\adult.tbr

c:\windows\etb\xml\default.tbr

c:\windows\etb\xml\search.mnu

c:\windows\eyataniqe.dll

c:\windows\ezadefak.dll

c:\windows\ibimukedom.dll

c:\windows\igiboqax.dll

c:\windows\igojecux.dll

c:\windows\iqoguhim.dll

c:\windows\ixuvoxad.dll

c:\windows\obanilerihehafil.dll

c:\windows\ocebazuk.dll

c:\windows\odoperulazex.dll

c:\windows\oqepoberebe.dll

c:\windows\oqufisaw.dll

c:\windows\system32\ernel32.dll

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

c:\windows\ubebewere.dll

c:\windows\udowamik.dll

c:\windows\uhehejozugi.dll

c:\windows\umujatazaleb.dll

c:\windows\upinerav.dll

c:\windows\utixiwuv.dll

c:\windows\uzedonotudok.dll

c:\windows\xpsp1hfm.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_ZESOFT

((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))

.

2010-07-11 16:06 . 2010-07-11 16:06 47616 ----a-w- c:\windows\system32\dpvsdnih.dll

2010-07-11 04:49 . 2010-07-11 04:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\rvfnvmarn

2010-07-11 04:45 . 2010-07-11 04:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\txmonbvvq

2010-07-10 16:18 . 2010-07-10 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ulxvhhwgx

2010-07-10 15:52 . 2010-07-10 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2010-07-10 15:51 . 2010-07-10 15:51 -------- d-----w- c:\program files\Common Files\iS3

2010-07-10 15:51 . 2010-07-11 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2010-07-10 15:46 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-10 15:46 . 2010-07-10 15:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-10 15:46 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-10 00:46 . 2010-07-10 00:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ptjfdtwty

2010-07-09 00:49 . 2010-07-09 00:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\pxynfcqwr

2010-07-08 23:56 . 2010-07-08 23:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\gbqvxakps

2010-07-08 23:55 . 2010-07-08 23:55 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-07 10:28 . 2010-07-11 23:22 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-07 02:11 . 2010-07-07 02:11 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-06 21:10 . 2010-07-06 21:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\fbkqijrvs

2010-07-02 05:58 . 2010-07-09 00:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-02 02:16 . 2010-07-12 01:05 0 ----a-w- c:\windows\Wqinuhuq.dat

2010-07-02 02:16 . 2010-07-09 12:46 0 ----a-w- c:\windows\Wkejiquc.bin

2010-07-01 00:22 . 2010-07-01 00:22 -------- d-----w- c:\documents and settings\SarahAnn\Local Settings\Application Data\xiiqxvqar

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-11 00:26 . 2010-07-11 00:25 1520 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-07-10 17:06 . 2004-08-19 07:29 -------- d-----w- c:\documents and settings\SarahAnn\Application Data\Tuyqky

2010-07-10 13:11 . 2005-02-22 02:30 -------- d-----w- c:\program files\World of Warcraft

2010-07-07 02:13 . 2004-02-15 15:18 -------- d-----w- c:\program files\Common Files\Java

2010-07-07 02:12 . 2010-07-07 02:12 61440 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-102f602e-n\decora-sse.dll

2010-07-07 02:12 . 2010-07-07 02:12 503808 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48a46916-n\msvcp71.dll

2010-07-07 02:12 . 2010-07-07 02:12 499712 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48a46916-n\jmc.dll

2010-07-07 02:12 . 2010-07-07 02:12 348160 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48a46916-n\msvcr71.dll

2010-07-07 02:12 . 2010-07-07 02:12 12800 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-102f602e-n\decora-d3d.dll

2010-07-07 02:11 . 2004-02-15 15:18 -------- d-----w- c:\program files\Java

2010-06-26 15:40 . 2005-12-23 21:54 -------- d-----w- c:\program files\XoftSpy

2010-06-25 17:29 . 2009-08-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2010-06-05 12:45 . 2010-04-18 17:00 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-04 17:20 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2002-08-29 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 03:35 . 2010-01-14 03:06 39864 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-27 22:16 . 2010-04-15 05:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-04-27 22:16 . 2010-04-15 05:38 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-04-27 22:16 . 2010-04-15 05:38 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-04-27 22:16 . 2010-04-15 05:38 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-04-27 22:16 . 2010-04-15 05:38 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-04-27 22:16 . 2010-04-15 05:38 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-04-27 22:16 . 2010-04-15 05:38 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-04-27 22:16 . 2007-02-08 12:19 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-04-27 22:16 . 2007-02-08 12:19 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-04-27 22:16 . 2007-02-08 12:19 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-04-20 10:04 . 2004-02-17 19:14 46704 -c--a-w- c:\documents and settings\SarahAnn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-20 05:30 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2009-03-20 13:33 . 2009-03-20 13:33 1951432 ----a-w- c:\program files\ppviewer.exe

2008-03-12 11:21 . 2008-03-12 11:20 432552 ----a-w- c:\program files\wpsetup.exe

2007-06-01 13:29 . 2006-09-14 01:53 2549 -c--a-w- c:\program files\Config.ini

2007-06-01 13:29 . 2006-09-14 01:53 1372328 -c--a-w- c:\program files\log.txt

2007-06-01 12:46 . 2007-06-01 12:46 108528 -c--a-w- c:\program files\4414_items11.9.2v3.zip

2007-02-14 02:45 . 2007-02-14 02:45 517932 -c--a-w- c:\program files\items.csv

2007-02-14 02:31 . 2007-02-14 02:31 1816576 -c--a-w- c:\program files\wowmodelview.exe

2007-02-12 22:34 . 2007-02-12 22:34 334788 -c--a-w- c:\program files\npcs.csv

2007-01-21 04:28 . 2006-04-08 12:14 36808256 -c--a-w- c:\program files\iTunesSetup.exe

2007-01-14 22:15 . 2007-01-14 22:15 1636 -c--a-w- c:\program files\ridable.csv

2006-07-23 02:50 . 2006-07-23 02:50 6958 -c--a-w- c:\program files\changelog.txt

2006-07-18 12:44 . 2006-07-18 12:43 38544896 -c--a-w- c:\program files\booksmart_CNET_r1_1.2.1.8973.exe

2006-07-15 02:03 . 2006-07-15 02:03 361087 -c--a-w- c:\program files\testitems.csv

2006-05-14 12:39 . 2006-05-14 12:39 16985 -c--a-w- c:\program files\changelog-Archive.txt

2006-03-29 03:34 . 2006-03-29 03:34 5846632 -c--a-w- c:\program files\winzip100.exe

2006-03-02 04:22 . 2006-03-02 04:22 382504 -c--a-w- c:\program files\msgr7us.exe

2006-01-19 21:20 . 2006-01-19 21:20 1204 -c--a-w- c:\program files\enchants.csv

2006-01-02 08:26 . 2006-01-02 08:26 3562 -c--a-w- c:\program files\ItemTutorial.txt

2005-12-29 07:28 . 2005-12-29 07:28 413696 -c--a-w- c:\program files\cximagecrt.dll

2005-09-13 02:44 . 2005-09-13 02:44 1216 -c--a-w- c:\program files\readme.txt

2005-05-16 05:42 . 2005-05-16 05:42 188416 -c--a-w- c:\program files\glew32.dll

2004-10-29 04:00 . 2004-10-29 04:00 4565928 -c--a-w- c:\program files\winamp505_full.exe

2004-07-21 00:33 . 2004-07-21 00:33 831488 -c--a-w- c:\program files\eqim.exe

2004-07-20 11:36 . 2004-07-20 11:36 4185744 -c--a-w- c:\program files\Install_AIM.exe

2004-07-10 22:19 . 2004-07-10 22:19 1740 ----a-w- c:\program files\Adobe Reader 6.0.lnk

2004-07-10 22:18 . 2004-07-10 22:16 16706160 -c--a-w- c:\program files\AdbeRdr60_enu_full.exe

2004-07-02 13:51 . 2004-07-02 13:51 486289306 -c--a-w- c:\program files\EVE_1549.exe

2003-11-22 12:45 . 2003-11-22 12:45 348160 -c--a-r- c:\program files\msvcr71.dll

2003-03-19 16:14 . 2003-03-19 16:14 499712 -c--a-w- c:\program files\msvcp71.dll

2003-01-08 23:27 . 2003-01-08 23:27 17992 -c--a-w- c:\program files\COPYING

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-07-01 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-20 2245984]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-17 185896]

"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2009-08-31 660136]

"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2009-08-31 16040]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

akofyt.exe [2010-7-7 118272]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

exana.exe [2010-7-7 118272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-5-6 113664]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Remndr"="c:\program files\CasinoOnline\CsRemnd.exe"

"BCMSMMSG"=BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\UnrealTournament\\System\\UnrealTournament.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9806-to-3.1.1.9835-enUS-downloader.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\WINDOWS\\SYSTEM32\\lxdncoms.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdnpswx.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdntime.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdnjswx.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=

"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndclient.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:WoW

"6112:TCP"= 6112:TCP:wow

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"59027:TCP"= 59027:TCP:Pando Media Booster

"59027:UDP"= 59027:UDP:Pando Media Booster

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [4/15/2010 12:38 AM 82952]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2008 5:22 PM 206096]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/15/2010 12:38 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/15/2010 12:38 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/15/2010 12:38 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/15/2010 12:38 AM 141792]

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\SYSTEM32\dllhost.exe [8/29/2002 6:00 AM 5120]

R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [4/15/2010 12:38 AM 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [4/15/2010 12:38 AM 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/15/2010 12:38 AM 88480]

R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1553896]

S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdnserv.exe [1/6/2010 5:28 PM 98984]

S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [3/13/2010 10:13 PM 271856]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [3/13/2010 10:13 PM 218608]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/15/2010 12:38 AM 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [4/15/2010 12:38 AM 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-11 c:\windows\Tasks\XoftSpy.job

- c:\program files\XoftSpy\XoftSpy.exe [2007-04-26 19:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.r3.attbi.com;localhost;<local>;*.local

uInternet Settings,ProxyServer = sas.r3.attbi.com:8000

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Google Search

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Backward &Links

IE: Cac&hed Snapshot of Page

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Si&milar Pages

IE: Translate into English

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

DPF: v3cab - hxxp://searchmiracle.com/cab/v3cab.cab

DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab

DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab

DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689}

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)

HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe

HKCU-Run-anckpvvo - c:\documents and settings\SarahAnn\Local Settings\Application Data\xiiqxvqar\tgtxscftssd.exe

HKCU-Run-Htiwik - c:\windows\diaprn.dll

HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe

HKCU-Run-{558AE35F-F2F4-DAD3-2155-D8F79CC52DA9} - c:\documents and settings\SarahAnn\Application Data\Osogh\uqyxs.exe

HKLM-Run-Nxinukij - c:\windows\igojecux.dll

MSConfigStartUp-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe

AddRemove-mIRC - c:\program files\mIRC\mirc.exe

AddRemove-Viewpoint Manager - c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe

AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-12 09:01

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x871F9EC5]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7886f28

\Driver\ACPI -> ACPI.sys @ 0xf77f9cb8

\Driver\atapi -> atapi.sys @ 0xf77b1852

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615

ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0615

ParseProcedure -> ntoskrnl.exe @ 0x8056c3ac

NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf762bbb0

PacketIndicateHandler -> NDIS.sys @ 0xf7638a21

SendHandler -> NDIS.sys @ 0xf761687b

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1112)

c:\windows\system32\WININET.dll

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1172)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3560)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lxdncoms.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Norton Ghost\Agent\VProSvc.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\McAfee\SystemCore\mcshield.exe

c:\windows\BCMSMMSG.exe

c:\program files\Microsoft ActiveSync\wcescomm.exe

c:\program files\Lexmark 2600 Series\lxdnMsdMon.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

c:\windows\System32\msdtc.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-07-12 09:13:18 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-12 14:12

Pre-Run: 182,128,975,872 bytes free

Post-Run: 181,608,570,880 bytes free

- - End Of File - - 8DA84D083E21E7D062A0B4E3CC8CC29A


That took care of a lot already, but there are still some infections left. First, let's take care of the rootkit that apparently is there.

  • Please download TDSSKiller.zip and save it to your desktop.
  • Extract the zip file to your desktop (important, before continuing, make sure the file is located on your desktop, otherwise the following steps will not work!). Do NOT run the file yet!
  • Click Start > Run and copy and paste the following bolded text in the run box
    "%userprofile%\desktop\tdsskiller.exe" -l report.txt
  • When it has finished, press any key to continue.
  • If needed, reboot the computer.

A logfile (report.txt) will be created on your desktop. Please post its contents in your next reply.


09:57:02:875 3524 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49

09:57:02:875 3524 ================================================================================

09:57:02:875 3524 SystemInfo:

09:57:02:875 3524 OS Version: 5.1.2600 ServicePack: 3.0

09:57:02:875 3524 Product type: Workstation

09:57:02:875 3524 ComputerName: SARAH

09:57:02:875 3524 UserName: SarahAnn

09:57:02:875 3524 Windows directory: C:\WINDOWS

09:57:02:875 3524 System windows directory: C:\WINDOWS

09:57:02:875 3524 Processor architecture: Intel x86

09:57:02:875 3524 Number of processors: 1

09:57:02:875 3524 Page size: 0x1000

09:57:02:875 3524 Boot type: Normal boot

09:57:02:875 3524 ================================================================================

09:57:03:171 3524 Initialize success

09:57:03:171 3524

09:57:03:171 3524 Scanning Services ...

09:57:03:593 3524 Raw services enum returned 407 services

09:57:03:625 3524

09:57:03:625 3524 Scanning Drivers ...

09:57:04:125 3524 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS

09:57:04:156 3524 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

09:57:04:203 3524 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

09:57:04:218 3524 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys

09:57:04:312 3524 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys

09:57:04:359 3524 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

09:57:04:390 3524 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

09:57:04:421 3524 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys

09:57:04:453 3524 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys

09:57:04:500 3524 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys

09:57:04:546 3524 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys

09:57:04:562 3524 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys

09:57:04:593 3524 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys

09:57:04:625 3524 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys

09:57:04:656 3524 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys

09:57:04:703 3524 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys

09:57:04:718 3524 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys

09:57:04:796 3524 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys

09:57:04:796 3524 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys

09:57:04:859 3524 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

09:57:04:906 3524 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

09:57:05:000 3524 ati2mtag (aae41c74db4dd34e8e97cb3a7a92c0b6) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

09:57:05:062 3524 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

09:57:05:109 3524 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

09:57:05:187 3524 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys

09:57:05:250 3524 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

09:57:05:312 3524 bvrp_pci (73458867c8963c76260c18d7bdb15625) C:\WINDOWS\system32\drivers\bvrp_pci.sys

09:57:05:359 3524 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys

09:57:05:375 3524 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

09:57:05:406 3524 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

09:57:05:468 3524 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys

09:57:05:484 3524 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

09:57:05:515 3524 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

09:57:05:546 3524 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

09:57:05:593 3524 cfwids (44e4a7dded054dd55ae995c3aed719ae) C:\WINDOWS\system32\drivers\cfwids.sys

09:57:05:625 3524 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys

09:57:05:640 3524 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys

09:57:05:671 3524 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys

09:57:05:703 3524 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys

09:57:05:718 3524 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

09:57:05:765 3524 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

09:57:05:812 3524 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

09:57:05:843 3524 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

09:57:05:859 3524 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

09:57:05:890 3524 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys

09:57:05:937 3524 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

09:57:05:984 3524 drvmcdb (7f056a52bcba3102d2d37a4a2646c807) C:\WINDOWS\system32\drivers\drvmcdb.sys

09:57:06:000 3524 drvnddm (d3c1e501ed42e77574b3095309dd4075) C:\WINDOWS\system32\drivers\drvnddm.sys

09:57:06:078 3524 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

09:57:06:109 3524 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys

09:57:06:156 3524 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys

09:57:06:187 3524 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

09:57:06:234 3524 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

09:57:06:265 3524 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

09:57:06:281 3524 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

09:57:06:312 3524 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

09:57:06:343 3524 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

09:57:06:359 3524 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

09:57:06:390 3524 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

09:57:06:421 3524 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

09:57:06:453 3524 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

09:57:06:468 3524 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

09:57:06:500 3524 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys

09:57:06:562 3524 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

09:57:06:578 3524 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

09:57:06:609 3524 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys

09:57:06:640 3524 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

09:57:06:687 3524 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys

09:57:06:718 3524 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys

09:57:06:750 3524 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys

09:57:06:765 3524 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys

09:57:06:796 3524 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys

09:57:06:828 3524 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys

09:57:06:859 3524 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys

09:57:06:875 3524 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys

09:57:06:921 3524 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys

09:57:06:953 3524 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys

09:57:07:000 3524 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

09:57:07:062 3524 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys

09:57:07:109 3524 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys

09:57:07:156 3524 intelppm (2589f15ea4f78799527e00eed1b88083) C:\WINDOWS\system32\DRIVERS\intelppm.sys

09:57:07:171 3524 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\intelppm.sys. Real md5: 2589f15ea4f78799527e00eed1b88083, Fake md5: 8c953733d8f36eb2133f5bb58808b66b

09:57:07:171 3524 File "C:\WINDOWS\system32\DRIVERS\intelppm.sys" infected by TDSS rootkit ... 09:57:09:046 3524 Backup copy found, using it..

09:57:09:109 3524 will be cured on next reboot

09:57:09:281 3524 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

09:57:09:343 3524 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

09:57:09:406 3524 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

09:57:09:468 3524 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

09:57:09:500 3524 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

09:57:09:546 3524 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

09:57:09:578 3524 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

09:57:09:609 3524 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

09:57:09:640 3524 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys

09:57:09:703 3524 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

09:57:09:750 3524 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

09:57:09:812 3524 mfeapfk (b77e959e1c50d3e3a9d9ef423be62e09) C:\WINDOWS\system32\drivers\mfeapfk.sys

09:57:09:828 3524 mfeavfk (e84596fcb591117f5597498a5f82ad97) C:\WINDOWS\system32\drivers\mfeavfk.sys

09:57:09:906 3524 mfebopk (d40ce01e2d3fe0c079cd2d6b3e4b823b) C:\WINDOWS\system32\drivers\mfebopk.sys

09:57:09:937 3524 mfefirek (3962c6a9e35c4319dcdab0497614fd69) C:\WINDOWS\system32\drivers\mfefirek.sys

09:57:09:968 3524 mfehidk (e7ecf7872bf8f2897ae5a696d908c2f7) C:\WINDOWS\system32\drivers\mfehidk.sys

09:57:10:031 3524 mfendisk (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

09:57:10:031 3524 mfendiskmp (554dbbdc8c3b4f380b21269239bd29bb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

09:57:10:062 3524 mferkdet (e411594ac94baef7f8ea991cc8f47fd1) C:\WINDOWS\system32\drivers\mferkdet.sys

09:57:10:109 3524 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys

09:57:10:156 3524 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys

09:57:10:203 3524 mfetdi2k (1bfe4c4ccf8cd2d7deaffb424e691196) C:\WINDOWS\system32\drivers\mfetdi2k.sys

09:57:10:250 3524 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

09:57:10:312 3524 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

09:57:10:359 3524 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys

09:57:10:359 3524 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

09:57:10:390 3524 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

09:57:10:437 3524 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\System32\DRIVERS\mraid35x.sys

09:57:10:468 3524 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

09:57:10:515 3524 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

09:57:10:546 3524 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

09:57:10:578 3524 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

09:57:10:593 3524 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

09:57:10:640 3524 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

09:57:10:671 3524 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

09:57:10:703 3524 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

09:57:10:718 3524 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

09:57:10:765 3524 MxlW2k (a1520761f42dbb06db7929d6fa9753ea) C:\WINDOWS\system32\drivers\MxlW2k.sys

09:57:10:796 3524 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

09:57:10:843 3524 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

09:57:10:875 3524 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

09:57:10:906 3524 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

09:57:10:921 3524 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

09:57:10:953 3524 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

09:57:10:984 3524 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

09:57:11:000 3524 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

09:57:11:015 3524 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

09:57:11:062 3524 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

09:57:11:078 3524 NPPTNT (074e989e9ea12230a9a44df435d30a39) C:\WINDOWS\System32\npptNT.sys

09:57:11:125 3524 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

09:57:11:156 3524 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

09:57:11:234 3524 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

09:57:11:312 3524 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

09:57:11:328 3524 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

09:57:11:359 3524 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys

09:57:11:406 3524 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys

09:57:11:437 3524 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

09:57:11:453 3524 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

09:57:11:468 3524 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

09:57:11:500 3524 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

09:57:11:546 3524 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

09:57:11:562 3524 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

09:57:11:640 3524 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys

09:57:11:656 3524 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys

09:57:11:703 3524 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

09:57:11:718 3524 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

09:57:11:734 3524 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

09:57:11:750 3524 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

09:57:11:796 3524 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys

09:57:11:828 3524 QCDonner (fddd1aeb9f81ef1e6e48ae1edc2a97d6) C:\WINDOWS\system32\DRIVERS\OVCD.sys

09:57:11:843 3524 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys

09:57:11:859 3524 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys

09:57:11:875 3524 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys

09:57:11:890 3524 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys

09:57:11:906 3524 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys

09:57:11:937 3524 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

09:57:11:953 3524 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

09:57:11:968 3524 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

09:57:11:984 3524 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

09:57:12:015 3524 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

09:57:12:031 3524 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

09:57:12:078 3524 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

09:57:12:109 3524 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

09:57:12:140 3524 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

09:57:12:187 3524 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

09:57:12:234 3524 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

09:57:12:250 3524 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

09:57:12:265 3524 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

09:57:12:328 3524 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\System32\DRIVERS\sisagp.sys

09:57:12:375 3524 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

09:57:12:484 3524 smwdm (5018a9db5eb62e3edb3110f82f556285) C:\WINDOWS\system32\drivers\smwdm.sys

09:57:12:531 3524 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys

09:57:12:593 3524 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

09:57:12:625 3524 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

09:57:12:671 3524 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

09:57:12:718 3524 sscdbhk5 (328e8bb94ec58480f60458fb4b8437a7) C:\WINDOWS\system32\drivers\sscdbhk5.sys

09:57:12:734 3524 ssrtln (7ec8b427cee5c0cdac066320b93f1355) C:\WINDOWS\system32\drivers\ssrtln.sys

09:57:12:796 3524 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

09:57:12:859 3524 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

09:57:12:890 3524 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

09:57:12:921 3524 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys

09:57:12:953 3524 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys

09:57:13:015 3524 symsnap (c9273531eac75ee225e3170fb6107fa3) C:\WINDOWS\system32\DRIVERS\symsnap.sys

09:57:13:046 3524 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys

09:57:13:078 3524 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys

09:57:13:093 3524 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

09:57:13:156 3524 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

09:57:13:218 3524 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys

09:57:13:265 3524 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

09:57:13:296 3524 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

09:57:13:343 3524 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

09:57:13:421 3524 tfsnboio (c229bf90443be8d3bd2b65d7f3ac0f35) C:\WINDOWS\system32\dla\tfsnboio.sys

09:57:13:437 3524 tfsncofs (79ee9fcd7728e54ab8fbc30962f0416f) C:\WINDOWS\system32\dla\tfsncofs.sys

09:57:13:453 3524 tfsndrct (9efb37e7de17d783a059b653f7e8afad) C:\WINDOWS\system32\dla\tfsndrct.sys

09:57:13:515 3524 tfsndres (130254995ebedcb34d62e8d78ec9dbd0) C:\WINDOWS\system32\dla\tfsndres.sys

09:57:13:531 3524 tfsnifs (9b40e1e4aeed849812a2e43a388a7e77) C:\WINDOWS\system32\dla\tfsnifs.sys

09:57:13:546 3524 tfsnopio (818047ad850b312705aa17ca96b9427d) C:\WINDOWS\system32\dla\tfsnopio.sys

09:57:13:562 3524 tfsnpool (4603e813bcc6dd465cd8d2afd37fa90d) C:\WINDOWS\system32\dla\tfsnpool.sys

09:57:13:578 3524 tfsnudf (6fc2cd904a9a55acfdfc780a611a75ed) C:\WINDOWS\system32\dla\tfsnudf.sys

09:57:13:593 3524 tfsnudfa (d4afa4d00f8db3fd1c15b3fe49c3a96c) C:\WINDOWS\system32\dla\tfsnudfa.sys

09:57:13:625 3524 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys

09:57:13:656 3524 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys

09:57:13:687 3524 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

09:57:13:734 3524 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys

09:57:13:750 3524 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

09:57:13:796 3524 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

09:57:13:828 3524 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

09:57:13:875 3524 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

09:57:13:890 3524 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

09:57:13:921 3524 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

09:57:13:937 3524 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

09:57:13:968 3524 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

09:57:14:000 3524 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

09:57:14:015 3524 usb_rndisx (b6cc50279d6cd28e090a5d33244adc9a) C:\WINDOWS\system32\DRIVERS\usb8023x.sys

09:57:14:046 3524 v2imount (b4d63048d6358e7c6ab61b98b8cff263) C:\WINDOWS\system32\DRIVERS\v2imount.sys

09:57:14:062 3524 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

09:57:14:093 3524 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\System32\DRIVERS\viaagp.sys

09:57:14:187 3524 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\System32\DRIVERS\viaide.sys

09:57:14:390 3524 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

09:57:14:640 3524 VProEventMonitor (e78781b2c86c92a0a738df566460f716) C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys

09:57:14:906 3524 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

09:57:14:968 3524 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

09:57:15:031 3524 WimFltr (f9ad3a5e3fd7e0bdb18b8202b0fdd4e4) C:\WINDOWS\system32\DRIVERS\wimfltr.sys

09:57:15:093 3524 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

09:57:15:125 3524 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

09:57:15:125 3524 Reboot required for cure complete..

09:57:15:484 3524 Cure on reboot scheduled successfully

09:57:15:484 3524

09:57:15:484 3524 Completed

09:57:15:484 3524

09:57:15:484 3524 Results:

09:57:15:484 3524 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

09:57:15:515 3524 File objects infected / cured / cured on reboot: 1 / 0 / 1

09:57:15:515 3524

09:57:15:531 3524 KLMD(ARK) unloaded successfully


That did the trick. :) However, before continuing, please consider the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and cleaned, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please rerun Combofix and post me the new log.


My wife and I have been discussing what to do here, and we have mostly decided to finish cleaning the system and use it, but any important thing (banking, buying) would be done on mine (the one I've been posting from). But what you said about it possibly never being safe, and the bit of research I've done on general backdoor trojans (since I don't know which it is), brings me to this place: it may be 'easier' to clean her system and hope for the best (she has hundreds, maybe thousands of pics on there), but is it the right thing to do, given the info talking about remote usage of all her info?

I guess what I don't understand, and can't find information about, is if the trojan is cleaned off her system, how would it still be vulnerable? Is there always going to be something that the removal tools can't get at?

Do you have an opinion (are you allowed to give one? :()? It seems to me now that, for everyone's sake (all our friends and family and folks we don't know), we should wipe the drive and start over completely, taking out the risk.

Let me know what you can. This is a big decision.


I guess what I don't understand, and can't find information about, is if the trojan is cleaned off her system, how would it still be vulnerable? Is there always going to be something that the removal tools can't get at?
The rootkit that had infected this computer uses a backdoor to "phone home", so to speak.

This means, it creates a vulnerability in your windows installation that allows it to connect to its remote server. The threat is now removed from the system, but the security vulnerability remains.

It is not certain that this will be used by malware, but it is possible that it may be exploited by future malware.

For now I would recommend going through with the cleanup and taking your time to think it over.


Ok, I think I understand now. The trojan created the hole and even though the trojan is gone now, the hole remains and can only be reliably closed with a reformat and re-install. More protection could hold off other malware from using that hole but it is not a guaranteed fix/solution to that breach.

Thanks for explaining :)

Here's the report:

ComboFix 10-07-10.02 - SarahAnn 07/13/2010 7:53.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.561 [GMT -5:00]

Running from: c:\documents and settings\SarahAnn\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))

.

2010-07-11 16:06 . 2010-07-11 16:06 47616 ----a-w- c:\windows\system32\dpvsdnih.dll

2010-07-11 04:49 . 2010-07-11 04:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\rvfnvmarn

2010-07-11 04:45 . 2010-07-11 04:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\txmonbvvq

2010-07-10 16:18 . 2010-07-10 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ulxvhhwgx

2010-07-10 15:52 . 2010-07-10 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2010-07-10 15:51 . 2010-07-10 15:51 -------- d-----w- c:\program files\Common Files\iS3

2010-07-10 15:51 . 2010-07-11 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2010-07-10 15:46 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-10 15:46 . 2010-07-10 15:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-10 15:46 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-10 00:46 . 2010-07-10 00:46 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ptjfdtwty

2010-07-09 00:49 . 2010-07-09 00:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\pxynfcqwr

2010-07-08 23:56 . 2010-07-08 23:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\gbqvxakps

2010-07-08 23:55 . 2010-07-08 23:55 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-07 10:28 . 2010-07-11 23:22 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-07 02:12 . 2010-07-07 02:12 61440 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-102f602e-n\decora-sse.dll

2010-07-07 02:12 . 2010-07-07 02:12 503808 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48a46916-n\msvcp71.dll

2010-07-07 02:12 . 2010-07-07 02:12 499712 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48a46916-n\jmc.dll

2010-07-07 02:12 . 2010-07-07 02:12 348160 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48a46916-n\msvcr71.dll

2010-07-07 02:12 . 2010-07-07 02:12 12800 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-102f602e-n\decora-d3d.dll

2010-07-07 02:11 . 2010-07-07 02:11 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-06 21:10 . 2010-07-06 21:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\fbkqijrvs

2010-07-02 05:58 . 2010-07-09 00:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-02 02:16 . 2010-07-12 01:05 0 ----a-w- c:\windows\Wqinuhuq.dat

2010-07-02 02:16 . 2010-07-09 12:46 0 ----a-w- c:\windows\Wkejiquc.bin

2010-07-01 00:22 . 2010-07-01 00:22 -------- d-----w- c:\documents and settings\SarahAnn\Local Settings\Application Data\xiiqxvqar

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-12 14:59 . 2004-08-04 05:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys

2010-07-11 00:26 . 2010-07-11 00:25 1520 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-07-10 17:06 . 2004-08-19 07:29 -------- d-----w- c:\documents and settings\SarahAnn\Application Data\Tuyqky

2010-07-10 13:11 . 2005-02-22 02:30 -------- d-----w- c:\program files\World of Warcraft

2010-07-07 02:13 . 2004-02-15 15:18 -------- d-----w- c:\program files\Common Files\Java

2010-07-07 02:11 . 2004-02-15 15:18 -------- d-----w- c:\program files\Java

2010-06-26 15:40 . 2005-12-23 21:54 -------- d-----w- c:\program files\XoftSpy

2010-06-25 17:29 . 2009-08-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2010-06-05 12:45 . 2010-04-18 17:00 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-04 17:20 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2002-08-29 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 03:35 . 2010-01-14 03:06 39864 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-27 22:16 . 2010-04-15 05:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-04-27 22:16 . 2010-04-15 05:38 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-04-27 22:16 . 2010-04-15 05:38 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-04-27 22:16 . 2010-04-15 05:38 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-04-27 22:16 . 2010-04-15 05:38 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-04-27 22:16 . 2010-04-15 05:38 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-04-27 22:16 . 2010-04-15 05:38 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-04-27 22:16 . 2007-02-08 12:19 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-04-27 22:16 . 2007-02-08 12:19 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-04-27 22:16 . 2007-02-08 12:19 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-04-20 10:04 . 2004-02-17 19:14 46704 -c--a-w- c:\documents and settings\SarahAnn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-20 05:30 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2009-03-20 13:33 . 2009-03-20 13:33 1951432 ----a-w- c:\program files\ppviewer.exe

2008-03-12 11:21 . 2008-03-12 11:20 432552 ----a-w- c:\program files\wpsetup.exe

2007-06-01 13:29 . 2006-09-14 01:53 2549 -c--a-w- c:\program files\Config.ini

2007-06-01 13:29 . 2006-09-14 01:53 1372328 -c--a-w- c:\program files\log.txt

2007-06-01 12:46 . 2007-06-01 12:46 108528 -c--a-w- c:\program files\4414_items11.9.2v3.zip

2007-02-14 02:45 . 2007-02-14 02:45 517932 -c--a-w- c:\program files\items.csv

2007-02-14 02:31 . 2007-02-14 02:31 1816576 -c--a-w- c:\program files\wowmodelview.exe

2007-02-12 22:34 . 2007-02-12 22:34 334788 -c--a-w- c:\program files\npcs.csv

2007-01-21 04:28 . 2006-04-08 12:14 36808256 -c--a-w- c:\program files\iTunesSetup.exe

2007-01-14 22:15 . 2007-01-14 22:15 1636 -c--a-w- c:\program files\ridable.csv

2006-07-23 02:50 . 2006-07-23 02:50 6958 -c--a-w- c:\program files\changelog.txt

2006-07-18 12:44 . 2006-07-18 12:43 38544896 -c--a-w- c:\program files\booksmart_CNET_r1_1.2.1.8973.exe

2006-07-15 02:03 . 2006-07-15 02:03 361087 -c--a-w- c:\program files\testitems.csv

2006-05-14 12:39 . 2006-05-14 12:39 16985 -c--a-w- c:\program files\changelog-Archive.txt

2006-03-29 03:34 . 2006-03-29 03:34 5846632 -c--a-w- c:\program files\winzip100.exe

2006-03-02 04:22 . 2006-03-02 04:22 382504 -c--a-w- c:\program files\msgr7us.exe

2006-01-19 21:20 . 2006-01-19 21:20 1204 -c--a-w- c:\program files\enchants.csv

2006-01-02 08:26 . 2006-01-02 08:26 3562 -c--a-w- c:\program files\ItemTutorial.txt

2005-12-29 07:28 . 2005-12-29 07:28 413696 -c--a-w- c:\program files\cximagecrt.dll

2005-09-13 02:44 . 2005-09-13 02:44 1216 -c--a-w- c:\program files\readme.txt

2005-05-16 05:42 . 2005-05-16 05:42 188416 -c--a-w- c:\program files\glew32.dll

2004-10-29 04:00 . 2004-10-29 04:00 4565928 -c--a-w- c:\program files\winamp505_full.exe

2004-07-21 00:33 . 2004-07-21 00:33 831488 -c--a-w- c:\program files\eqim.exe

2004-07-20 11:36 . 2004-07-20 11:36 4185744 -c--a-w- c:\program files\Install_AIM.exe

2004-07-10 22:19 . 2004-07-10 22:19 1740 ----a-w- c:\program files\Adobe Reader 6.0.lnk

2004-07-10 22:18 . 2004-07-10 22:16 16706160 -c--a-w- c:\program files\AdbeRdr60_enu_full.exe

2004-07-02 13:51 . 2004-07-02 13:51 486289306 -c--a-w- c:\program files\EVE_1549.exe

2003-11-22 12:45 . 2003-11-22 12:45 348160 -c--a-r- c:\program files\msvcr71.dll

2003-03-19 16:14 . 2003-03-19 16:14 499712 -c--a-w- c:\program files\msvcp71.dll

2003-01-08 23:27 . 2003-01-08 23:27 17992 -c--a-w- c:\program files\COPYING

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-07-01 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-20 2245984]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-17 185896]

"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2009-08-31 660136]

"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2009-08-31 16040]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

akofyt.exe [2010-7-7 118272]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

exana.exe [2010-7-7 118272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-5-6 113664]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Remndr"="c:\program files\CasinoOnline\CsRemnd.exe"

"BCMSMMSG"=BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\UnrealTournament\\System\\UnrealTournament.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9806-to-3.1.1.9835-enUS-downloader.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\WINDOWS\\SYSTEM32\\lxdncoms.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdnpswx.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdntime.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdnjswx.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=

"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndclient.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:WoW

"6112:TCP"= 6112:TCP:wow

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"59027:TCP"= 59027:TCP:Pando Media Booster

"59027:UDP"= 59027:UDP:Pando Media Booster

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [4/15/2010 12:38 AM 82952]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2008 5:22 PM 206096]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/15/2010 12:38 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/15/2010 12:38 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/15/2010 12:38 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/15/2010 12:38 AM 141792]

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\SYSTEM32\dllhost.exe [8/29/2002 6:00 AM 5120]

R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [4/15/2010 12:38 AM 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [4/15/2010 12:38 AM 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/15/2010 12:38 AM 88480]

R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1553896]

S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdnserv.exe [1/6/2010 5:28 PM 98984]

S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [3/13/2010 10:13 PM 271856]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [3/13/2010 10:13 PM 218608]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/15/2010 12:38 AM 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [4/15/2010 12:38 AM 83496]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmdb

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-11 c:\windows\Tasks\XoftSpy.job

- c:\program files\XoftSpy\XoftSpy.exe [2007-04-26 19:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.r3.attbi.com;localhost;<local>;*.local

uInternet Settings,ProxyServer = sas.r3.attbi.com:8000

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Google Search

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Backward &Links

IE: Cac&hed Snapshot of Page

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Si&milar Pages

IE: Translate into English

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

DPF: v3cab - hxxp://searchmiracle.com/cab/v3cab.cab

DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab

DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab

DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689}

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-13 08:03

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1112)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2140)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2010-07-13 08:07:59

ComboFix-quarantined-files.txt 2010-07-13 13:07

ComboFix2.txt 2010-07-12 14:13

Pre-Run: 181,563,592,704 bytes free

Post-Run: 181,564,985,344 bytes free

- - End Of File - - 95DE02C471AA4A56A06BB489FC2758D0

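The helper's next reply picks a handful of indicators out of the ComboFix log above by eye: random-named directories under Local Settings\Application Data (several of them in the NetworkService profile), a random-named DLL in system32, bare executables dropped straight into Startup folders, Security Center monitoring switched off, the Windows Firewall profile disabled, and a proxy server the user needs to confirm. The script below is an added example that does the same triage mechanically over ComboFix-style log lines; it is not ComboFix's own logic and not the helper's script. The SAMPLE_LOG is a constructed excerpt modelled on the posted log, and the "random name" heuristic (eight or more lowercase letters with a low vowel ratio) is an assumption, chosen because vendor folders are usually capitalised and pronounceable.

```python
"""Triage a ComboFix log for the indicators the helper picked out by hand.

Added example, not ComboFix's logic or the forum helper's script. The
randomness heuristic and the flagged categories are assumptions; the
SAMPLE_LOG below is a constructed excerpt modelled on the posted log.
"""
import re
from dataclasses import dataclass

# Constructed excerpt: "Files Created", Startup-folder, registry and proxy
# lines in the shape ComboFix prints them (raw string keeps backslashes).
SAMPLE_LOG = r"""
2010-07-11 04:49 . 2010-07-11 04:49 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\rvfnvmarn
2010-07-02 05:58 . 2010-07-09 00:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-07-01 00:22 . 2010-07-01 00:22 -------- d-----w- c:\documents and settings\SarahAnn\Local Settings\Application Data\xiiqxvqar
2010-07-11 16:06 . 2010-07-11 16:06 47616 ----a-w- c:\windows\system32\dpvsdnih.dll
c:\documents and settings\Default User\Start Menu\Programs\Startup\
akofyt.exe [2010-7-7 118272]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-5-6 113664]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyServer = sas.r3.attbi.com:8000
"""


@dataclass
class Finding:
    category: str
    detail: str


# "created . modified size attrs path" as printed in the Files Created section
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
STARTUP_DIR_RE = re.compile(
    r"^c:\\documents and settings\\([^\\]+)\\start menu\\programs\\startup\\$", re.I
)
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
VOWELS = set("aeiouy")


def looks_random(name: str) -> bool:
    """Assumed heuristic: all-lowercase, 8+ letters, at most ~1/3 vowels."""
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False
    return sum(ch in VOWELS for ch in name) / len(name) <= 0.34


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    startup_profile = None   # set while reading entries of a Startup folder
    reg_key = ""             # most recent [registry key] header, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            parent, _, leaf = path.rpartition("\\")
            is_dir = m.group("attrs").startswith("d")
            if is_dir and parent.lower().endswith("local settings\\application data") \
                    and looks_random(leaf):
                findings.append(Finding("random-named appdata dir", path))
            elif leaf.lower().endswith(".dll") and parent.lower().endswith("system32") \
                    and looks_random(leaf[:-4]):
                findings.append(Finding("random-named system32 dll", path))
            continue
        sm = STARTUP_DIR_RE.match(line)
        if sm:
            startup_profile = sm.group(1)
            continue
        if startup_profile is not None and not line.startswith(("[", "c:\\")):
            # "name.exe [date size]" or "name.lnk - target [date size]"
            entry = line.split(" [")[0].split(" - ")[0]
            if entry.lower().endswith(".exe"):   # a real exe, not a .lnk shortcut
                findings.append(Finding("bare exe in Startup folder",
                                        f"{startup_profile}: {entry}"))
            continue
        km = REG_KEY_RE.match(line)
        if km:
            reg_key = km.group("key").lower()
            startup_profile = None
            continue
        vm = REG_VALUE_RE.match(line)
        if vm:
            name, value = vm.group("name"), vm.group("value")
            if "security center\\monitoring" in reg_key and name == "DisableMonitoring" \
                    and value.endswith("1"):
                findings.append(Finding("Security Center monitoring disabled",
                                        reg_key.rsplit("\\", 1)[-1]))
            elif "firewallpolicy" in reg_key and name == "EnableFirewall" \
                    and value.startswith("0"):
                findings.append(Finding("Windows Firewall profile disabled", reg_key))
            continue
        if line.lower().startswith("uinternet settings,proxyserver"):
            findings.append(Finding("proxy server configured (confirm with user)",
                                    line.split("=", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:45} {f.detail}")
```

Run against the full posted log, the "random-named appdata dir" hits are exactly the eight folders the helper lists under Folder:: in the CFScript, and the Startup hits are akofyt.exe and exana.exe. The proxy finding is deliberately a question rather than a verdict: an ISP proxy such as the attbi.com one is plausible, but a proxy the user did not set is how some infections redirect searches, which is why the helper asks before removing it.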

Hello there,

Yes, that is a nice summary of what the problem is here. :)

First of all, can you confirm you use the following proxy server to connect to the internet?

uInternet Settings,ProxyOverride = *.r3.attbi.com;localhost;<local>;*.local

uInternet Settings,ProxyServer = sas.r3.attbi.com:8000

CF-SCRIPT

-------------

Open notepad and copy/paste the text in the quotebox below into it:

<http://forums.malwarebytes.org/index.php?showtopic=56991&view=findpost&p=283532>

Collect::
c:\windows\system32\dpvsdnih.dll
c:\windows\Wqinuhuq.dat
c:\windows\Wkejiquc.bin
c:\documents and settings\Default User\Start Menu\Programs\Startup\akofyt.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\exana.exe

Folder::
c:\documents and settings\SarahAnn\Local Settings\Application Data\xiiqxvqar
c:\documents and settings\NetworkService\Local Settings\Application Data\fbkqijrvs
c:\documents and settings\NetworkService\Local Settings\Application Data\rvfnvmarn
c:\documents and settings\NetworkService\Local Settings\Application Data\txmonbvvq
c:\documents and settings\NetworkService\Local Settings\Application Data\ulxvhhwgx
c:\documents and settings\NetworkService\Local Settings\Application Data\ptjfdtwty
c:\documents and settings\NetworkService\Local Settings\Application Data\pxynfcqwr
c:\documents and settings\NetworkService\Local Settings\Application Data\gbqvxakps

Save this as CFScript.txt


Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.


I'm off to work for the day. My next response won't be until later tonight.

Since this was the first time running ComboFix in 'non-safe mode', it was able to download the Windows program update (Recovery Console).

After, this was the log:

ComboFix 10-07-12.06 - SarahAnn 07/13/2010 10:29:00.4.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.486 [GMT -5:00]

Running from: c:\documents and settings\SarahAnn\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\SarahAnn\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

file zipped: c:\documents and settings\Administrator\Start Menu\Programs\Startup\exana.exe

file zipped: c:\documents and settings\Default User\Start Menu\Programs\Startup\akofyt.exe

file zipped: c:\windows\system32\dpvsdnih.dll

file zipped: c:\windows\Wkejiquc.bin

file zipped: c:\windows\Wqinuhuq.dat

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\exana.exe

c:\documents and settings\Default User\Start Menu\Programs\Startup\akofyt.exe

c:\documents and settings\NetworkService\Local Settings\Application Data\fbkqijrvs

c:\documents and settings\NetworkService\Local Settings\Application Data\gbqvxakps

c:\documents and settings\NetworkService\Local Settings\Application Data\ptjfdtwty

c:\documents and settings\NetworkService\Local Settings\Application Data\pxynfcqwr

c:\documents and settings\NetworkService\Local Settings\Application Data\rvfnvmarn

c:\documents and settings\NetworkService\Local Settings\Application Data\txmonbvvq

c:\documents and settings\NetworkService\Local Settings\Application Data\ulxvhhwgx

c:\documents and settings\SarahAnn\Local Settings\Application Data\xiiqxvqar

c:\windows\system32\dpvsdnih.dll

c:\windows\Wkejiquc.bin

c:\windows\Wqinuhuq.dat

.

((((((((((((((((((((((((( Files Created from 2010-06-13 to 2010-07-13 )))))))))))))))))))))))))))))))

.

2010-07-10 15:52 . 2010-07-10 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2010-07-10 15:51 . 2010-07-10 15:51 -------- d-----w- c:\program files\Common Files\iS3

2010-07-10 15:51 . 2010-07-11 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

2010-07-10 15:46 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-10 15:46 . 2010-07-10 15:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-10 15:46 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-08 23:55 . 2010-07-08 23:55 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-07-07 10:28 . 2010-07-11 23:22 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-07 02:12 . 2010-07-07 02:12 61440 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-102f602e-n\decora-sse.dll

2010-07-07 02:12 . 2010-07-07 02:12 503808 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48a46916-n\msvcp71.dll

2010-07-07 02:12 . 2010-07-07 02:12 499712 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48a46916-n\jmc.dll

2010-07-07 02:12 . 2010-07-07 02:12 348160 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-48a46916-n\msvcr71.dll

2010-07-07 02:12 . 2010-07-07 02:12 12800 ----a-w- c:\documents and settings\SarahAnn\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-102f602e-n\decora-d3d.dll

2010-07-07 02:11 . 2010-07-07 02:11 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-07-02 05:58 . 2010-07-09 00:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-12 14:59 . 2004-08-04 05:59 36352 ----a-w- c:\windows\system32\drivers\intelppm.sys

2010-07-11 00:26 . 2010-07-11 00:25 1520 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-07-10 17:06 . 2004-08-19 07:29 -------- d-----w- c:\documents and settings\SarahAnn\Application Data\Tuyqky

2010-07-10 13:11 . 2005-02-22 02:30 -------- d-----w- c:\program files\World of Warcraft

2010-07-07 02:13 . 2004-02-15 15:18 -------- d-----w- c:\program files\Common Files\Java

2010-07-07 02:11 . 2004-02-15 15:18 -------- d-----w- c:\program files\Java

2010-06-26 15:40 . 2005-12-23 21:54 -------- d-----w- c:\program files\XoftSpy

2010-06-25 17:29 . 2009-08-20 00:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

2010-06-05 12:45 . 2010-04-18 17:00 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-04 17:20 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll

2010-05-02 05:22 . 2002-08-29 11:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-28 03:35 . 2010-01-14 03:06 39864 ---ha-w- c:\windows\system32\mlfcache.dat

2010-04-27 22:16 . 2010-04-15 05:38 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-04-27 22:16 . 2010-04-15 05:38 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-04-27 22:16 . 2010-04-15 05:38 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-04-27 22:16 . 2010-04-15 05:38 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-04-27 22:16 . 2010-04-15 05:38 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-04-27 22:16 . 2010-04-15 05:38 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-04-27 22:16 . 2010-04-15 05:38 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-04-27 22:16 . 2007-02-08 12:19 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-04-27 22:16 . 2007-02-08 12:19 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-04-27 22:16 . 2007-02-08 12:19 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-04-20 10:04 . 2004-02-17 19:14 46704 -c--a-w- c:\documents and settings\SarahAnn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-20 05:30 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2009-03-20 13:33 . 2009-03-20 13:33 1951432 ----a-w- c:\program files\ppviewer.exe

2008-03-12 11:21 . 2008-03-12 11:20 432552 ----a-w- c:\program files\wpsetup.exe

2007-06-01 13:29 . 2006-09-14 01:53 2549 -c--a-w- c:\program files\Config.ini

2007-06-01 13:29 . 2006-09-14 01:53 1372328 -c--a-w- c:\program files\log.txt

2007-06-01 12:46 . 2007-06-01 12:46 108528 -c--a-w- c:\program files\4414_items11.9.2v3.zip

2007-02-14 02:45 . 2007-02-14 02:45 517932 -c--a-w- c:\program files\items.csv

2007-02-14 02:31 . 2007-02-14 02:31 1816576 -c--a-w- c:\program files\wowmodelview.exe

2007-02-12 22:34 . 2007-02-12 22:34 334788 -c--a-w- c:\program files\npcs.csv

2007-01-21 04:28 . 2006-04-08 12:14 36808256 -c--a-w- c:\program files\iTunesSetup.exe

2007-01-14 22:15 . 2007-01-14 22:15 1636 -c--a-w- c:\program files\ridable.csv

2006-07-23 02:50 . 2006-07-23 02:50 6958 -c--a-w- c:\program files\changelog.txt

2006-07-18 12:44 . 2006-07-18 12:43 38544896 -c--a-w- c:\program files\booksmart_CNET_r1_1.2.1.8973.exe

2006-07-15 02:03 . 2006-07-15 02:03 361087 -c--a-w- c:\program files\testitems.csv

2006-05-14 12:39 . 2006-05-14 12:39 16985 -c--a-w- c:\program files\changelog-Archive.txt

2006-03-29 03:34 . 2006-03-29 03:34 5846632 -c--a-w- c:\program files\winzip100.exe

2006-03-02 04:22 . 2006-03-02 04:22 382504 -c--a-w- c:\program files\msgr7us.exe

2006-01-19 21:20 . 2006-01-19 21:20 1204 -c--a-w- c:\program files\enchants.csv

2006-01-02 08:26 . 2006-01-02 08:26 3562 -c--a-w- c:\program files\ItemTutorial.txt

2005-12-29 07:28 . 2005-12-29 07:28 413696 -c--a-w- c:\program files\cximagecrt.dll

2005-09-13 02:44 . 2005-09-13 02:44 1216 -c--a-w- c:\program files\readme.txt

2005-05-16 05:42 . 2005-05-16 05:42 188416 -c--a-w- c:\program files\glew32.dll

2004-10-29 04:00 . 2004-10-29 04:00 4565928 -c--a-w- c:\program files\winamp505_full.exe

2004-07-21 00:33 . 2004-07-21 00:33 831488 -c--a-w- c:\program files\eqim.exe

2004-07-20 11:36 . 2004-07-20 11:36 4185744 -c--a-w- c:\program files\Install_AIM.exe

2004-07-10 22:19 . 2004-07-10 22:19 1740 ----a-w- c:\program files\Adobe Reader 6.0.lnk

2004-07-10 22:18 . 2004-07-10 22:16 16706160 -c--a-w- c:\program files\AdbeRdr60_enu_full.exe

2004-07-02 13:51 . 2004-07-02 13:51 486289306 -c--a-w- c:\program files\EVE_1549.exe

2003-11-22 12:45 . 2003-11-22 12:45 348160 -c--a-r- c:\program files\msvcr71.dll

2003-03-19 16:14 . 2003-03-19 16:14 499712 -c--a-w- c:\program files\msvcp71.dll

2003-01-08 23:27 . 2003-01-08 23:27 17992 -c--a-w- c:\program files\COPYING

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 344064]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]

"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]

"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-07-01 53248]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

"Norton Ghost 14.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-20 2245984]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-25 1193848]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-17 185896]

"lxdnmon.exe"="c:\program files\Lexmark 2600 Series\lxdnmon.exe" [2009-08-31 660136]

"lxdnamon"="c:\program files\Lexmark 2600 Series\lxdnamon.exe" [2009-08-31 16040]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-5-6 113664]

HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Bonjour Service"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"ctfmon.exe"=c:\windows\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"Remndr"="c:\program files\CasinoOnline\CsRemnd.exe"

"BCMSMMSG"=BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\KODAK\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\KODAK\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\UnrealTournament\\System\\UnrealTournament.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9806-to-3.1.1.9835-enUS-downloader.exe"=

"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10192-to-3.2.0.10314-enUS-downloader.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.0.10314-to-3.2.2.10482-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.2.2.10482-to-3.2.2.10505-enUS-downloader.exe"=

"c:\\WINDOWS\\SYSTEM32\\lxdncoms.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdnpswx.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdntime.exe"=

"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\lxdnjswx.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=

"c:\\Program Files\\Lexmark 2600 Series\\lxdnlscn.exe"=

"c:\\Program Files\\Turbine\\Dungeons and Dragons Online - Eberron Unlimited\\dndclient.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineMessageService.exe"=

"c:\\Program Files\\Turbine\\Turbine Download Manager\\TurbineNetworkService.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"c:\\WINDOWS\\SYSTEM32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:WoW

"6112:TCP"= 6112:TCP:wow

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"59027:TCP"= 59027:TCP:Pando Media Booster

"59027:UDP"= 59027:UDP:Pando Media Booster

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [4/15/2010 12:38 AM 82952]

R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/20/2008 5:22 PM 206096]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/15/2010 12:38 AM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/15/2010 12:38 AM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/15/2010 12:38 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/15/2010 12:38 AM 141792]

R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\SYSTEM32\dllhost.exe [8/29/2002 6:00 AM 5120]

R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [4/15/2010 12:38 AM 55456]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [4/15/2010 12:38 AM 312616]

R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/15/2010 12:38 AM 88480]

R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [12/20/2007 5:13 PM 1553896]

S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\lxdnserv.exe [1/6/2010 5:28 PM 98984]

S3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe [3/13/2010 10:13 PM 271856]

S3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe [3/13/2010 10:13 PM 218608]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [4/15/2010 12:38 AM 88480]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [4/15/2010 12:38 AM 83496]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB

*Deregistered* - klmdb

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2010-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-11 c:\windows\Tasks\XoftSpy.job

- c:\program files\XoftSpy\XoftSpy.exe [2007-04-26 19:39]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.r3.attbi.com;localhost;<local>;*.local

uInternet Settings,ProxyServer = sas.r3.attbi.com:8000

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: &Google Search

IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm

IE: Backward &Links

IE: Cac&hed Snapshot of Page

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

IE: Si&milar Pages

IE: Translate into English

IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm

IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm

IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm

DPF: v3cab - hxxp://searchmiracle.com/cab/v3cab.cab

DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan-canvasx.cab

DPF: {895D1291-D5BD-4982-BA84-AD11D29C1D6A} - hxxp://community.weightwatchers.com/Scripts/ImageUploader6.cab

DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689}

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-13 10:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1112)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2010-07-13 10:42:21

ComboFix-quarantined-files.txt 2010-07-13 15:42

ComboFix2.txt 2010-07-13 13:08

ComboFix3.txt 2010-07-12 14:13

Pre-Run: 181,553,061,888 bytes free

Post-Run: 181,538,582,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 59CB031D36BFF7F1C9C3BF1E48820A8C

Upload was successful


Hello again,

That is looking a lot better now!

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

MALWAREBYTES ANTIMALWARE

-------------------------------------------

Please launch MBAM and update the program before performing a scan.

  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4310

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.11

7/14/2010 12:36:04 AM

mbam-log-2010-07-14 (00-36-04).txt

Scan type: Full scan (C:\|E:\|F:\|)

Objects scanned: 368508

Time elapsed: 2 hour(s), 16 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 32

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Qoobox\Quarantine\C\Documents and Settings\SarahAnn\Application Data\c3055c95.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\diaprn.dll.vir (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ernel32.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002001.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002012.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0003012.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0003001.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0003068.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0003072.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004069.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004073.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0005069.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0005079.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0005183.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0006177.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0006181.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0005177.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008303.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0007177.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0007181.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008177.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008181.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008217.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008242.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008246.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008270.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008275.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008350.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0009342.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0009439.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0009449.dll (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0009466.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Hello there,

That was quite a list, but all detections were either in System Restore or in Combofix quarantine, so nothing to worry about. :)

Do you have any problems left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan.

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png

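The sorting rule in the reply above (detections inside System Restore points or ComboFix's Qoobox quarantine are inert copies, anything else deserves a look) as an added script; it is not part of this thread and not Malwarebytes' own code. It reads lines in the "Files Infected:" format of the MBAM log posted earlier; the third sample line and the function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the "Files Infected:" format of the Malwarebytes 1.46
# log posted above. The first two lines are copied from that log; the third is
# made up here to show how a detection outside quarantine or System Restore
# is reported.
SAMPLE_LOG = r"""
Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\diaprn.dll.vir (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002001.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# One MBAM detection line: "<path> (<threat name>) -> <action taken>."
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Locations that hold inert copies rather than files Windows will load:
# System Restore snapshots (RPn folders) and ComboFix's Qoobox quarantine,
# whose files carry a .vir suffix so they cannot be executed in place.
INERT_LOCATIONS = (
    ("system_restore",
     re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.I)),
    ("combofix_quarantine", re.compile(r"\\Qoobox\\Quarantine\\", re.I)),
)


def classify_path(path: str) -> str:
    """Return the inert-location label for path, or "live" when the file sat
    somewhere the OS or a user could actually have run it from."""
    for label, pattern in INERT_LOCATIONS:
        if pattern.search(path):
            return label
    return "live"


def parse_mbam_files(log_text: str) -> list:
    """Extract the per-file detections from an MBAM log. Lines that do not
    match the detection format (headers, counts, blank lines) are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            entries.append({
                "path": m["path"],
                "threat": m["threat"],
                "action": m["action"],
                "location": classify_path(m["path"]),
            })
    return entries


def triage(log_text: str) -> dict:
    """Summarise a log the way the reply above does: count detections per
    location class and list only those that were not inert copies."""
    entries = parse_mbam_files(log_text)
    counts = dict(Counter(e["location"] for e in entries))
    live = [e for e in entries if e["location"] == "live"]
    return {"total": len(entries), "counts": counts, "live": live}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} detections: {report['counts']}")
    for e in report["live"]:
        print(f"needs a look: {e['path']} [{e['threat']}] -> {e['action']}")
```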

Hi, a bit tardy but Wednesdays are early and busy for me :)

As you will see with this post, the latest scan found a bunch. One even with Java. Maybe a left-over file /shrug.

None of the issues I first mentioned have surfaced, other than the PC showing no marked difference in speed (loading web pages). Though I have to say my wife hasn't done much at all on it since you and I started cleaning it. She did have an issue trying to get onto Hotmail. She put in the wrong password and it locked her out after just one wrong try. But when she went to my PC and put in the right one it worked fine.

Another issue is when a scan shuts down after finishing I get this popup:

Windows delayed write failed. Unable to save all the data for the file \device\harddisk\volume4. Failure of computer hardware or network.

I've never seen this before we started working on this.

Here is the escan file:

C:\Documents and Settings\SarahAnn\Application Data\Sun\Java\Deployment\cache\6.0\12\e7d3f8c-504d128d Java/TrojanDownloader.Agent.NAP trojan deleted - quarantined

C:\Documents and Settings\SarahAnn\Application Data\Sun\Java\Deployment\cache\6.0\50\4e3192b2-2adb3421 multiple threats deleted - quarantined

C:\Program Files\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined

C:\Qoobox\Quarantine\[4]-Submit_2010-07-13_10.28.52.zip a variant of Win32/Kryptik.FJE trojan deleted - quarantined

C:\Qoobox\Quarantine\C\Documents and Settings\SarahAnn\Application Data\Osogh\uqyxs.exe.vir a variant of Win32/Kryptik.FJE trojan deleted - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\igojecux.dll.vir a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0010552.exe Win32/Adware.WBug.A application deleted - quarantined

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0008240.exe a variant of Win32/Kryptik.FJT trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0009440.exe a variant of Win32/Kryptik.FJE trojan deleted - quarantined

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0009458.dll a variant of Win32/Cimag.CK trojan cleaned by deleting - quarantined

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\R6MCQ12I\s002106201317r0409Rf26af66bX6ca56efeY209f3c85Z0100f070[1].pdf JS/Exploit.Pdfka.OCR.Gen trojan cleaned by deleting - quarantined

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W8EH8XAD\s002106201317r0409Ra202a888X6ca7c579Y209f3c85Z0100f070[1].pdf JS/Exploit.Pdfka.OCR.Gen trojan cleaned by deleting - quarantined

F:\Program Files\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined

F:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0010555.exe Win32/Adware.WBug.A application deleted - quarantined


Those detections are nothing to worry about indeed. However, this problem you describe might be hardware-related (as the error says). It is possible this also causes the slowness.

Let's investigate that a bit. Since you are clean as far as malware is concerned, I will also give you some final steps and information.

Click Start > Run, type chkdsk /r and press Enter. A command window will open; type Y and press Enter in order to schedule a disk check for the next reboot.

Reboot your computer and allow the disk check to run unhindered. Note - this may take a while!

If you have multiple drives, you can repeat the process for each drive, simply by right-clicking on it in My Computer, selecting Properties, clicking the Tools tab and then the Check Now button (make sure both options are checked!).

ALL CLEAN

--------------

Your machine appears to be clean. Please take the time to read below on how to secure the machine, and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click Start > Run, type combofix /uninstall and press Enter. This will remove Combofix from your computer.
    • Delete DDS and GMER (this is a randomly named file).

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on thehosts file, and what it can do for you,please consult the Tutorial on the Hosts file

  2. Keep Windows (and your other Microsoft software) up to date!

I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

Therefore, please visit the Microsoft Update website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Hello :angry:

The check disk function turned off on its own when it was finished with no report, so I guess that was a negative. I haven't seen that Windows delayed write error notification again, though. And I've done a lot of web hopping and downloading of programs you suggested. So maybe it was a glitch or something.

I went ahead and installed SpywareBlaster, SUPERAntiSpyware, and the 'Host' program. All installed and ran well.

The SUPERAntiSpyware program came up with a lot of things (though I did forget to uncheck the F: drive, which was the old/original drive for this PC that I used to mirror to the new drive with 'Ghost').

Adware.tracking cookie

Adware.crtv2_32

Browser hijacker.favorites

Adware.flashtracking cookie

Malware.trace

application.powerReg schedualer

unclassified.unknown origin

Some of those entries had numerous files, such as the cookie ones. I had the program delete all. If the cookies were good we will just reset them as we go. I did make a copy of the log file; if it's something you would like to see, let me know.

So with the 3 programs listed above plus Malwarebytes, HijackThis, McAfee Security and Windows Firewall, it seems we are protected as much as we can be, minus the router firewall, which our current one doesn't have (though I'll be getting one of those soon).


Hello again,

Checkdisk does not come up with a report; however, you can find some information by clicking Start > Run, typing eventvwr.msc in the run box, pressing Enter, and looking in the System section for an entry in the Winlogon category.

I think it is very likely Checkdisk fixed this error.

SUPERAntiSpyware indeed detects a lot of cookies. Those are harmless, but it's good to clean them every once in a while anyway. I would recommend turning off SUPERAntiSpyware's real-time protection though, because it uses quite a lot of resources.

Do you have any other questions?
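An added example, not part of the thread: the check-disk (autochk) result that the helper points to is written to the System log with event ID 1001 by source Winlogon on Windows XP; on Windows Vista and later the same entry comes from source Wininit, which is why a search for a "Winlogon" entry on a newer machine comes up empty. This Windows PowerShell function pulls those entries and reduces each to a verdict and a bad-sector figure, the two things worth reading when a delayed-write error has pointed at the disk. The function name, the 5000-event window and the verdict strings (taken from the standard chkdsk messages) are assumptions.

```powershell
# Added example (not from the thread): read the check-disk (autochk) result that the
# helper points to in eventvwr.msc. Assumptions: event ID 1001; source "Winlogon" on
# Windows XP, "Wininit" on Vista and later; the verdict strings are standard chkdsk text.
function Get-ChkdskResult {
    param([int]$Newest = 5)

    # Newest 5000 System events is an assumed window; widen it on a busy, long-lived log.
    $hits = Get-EventLog -LogName System -Newest 5000 |
        Where-Object {
            $_.EventID -eq 1001 -and
            ($_.Source -eq 'Winlogon' -or $_.Source -eq 'Wininit') -and
            $_.Message -match 'Checking file system on'
        } |
        Select-Object -First $Newest

    foreach ($e in $hits) {
        $msg = $e.Message

        # Standard chkdsk closing lines: one of these states the overall verdict
        if ($msg -match 'found no problems') { $verdict = 'clean' }
        elseif ($msg -match 'made corrections to the file system') { $verdict = 'corrected (errors were present)' }
        else { $verdict = 'read the message' }

        # "nnn KB in bad sectors." is the line that points at failing hardware
        $badKb = if ($msg -match '(\d+) KB in bad sectors') { [int]$Matches[1] } else { $null }

        [pscustomobject]@{
            Time        = $e.TimeGenerated
            Source      = $e.Source
            Verdict     = $verdict
            BadSectorKB = $badKb
            Message     = $msg
        }
    }
}

Get-ChkdskResult | Format-List Time, Source, Verdict, BadSectorKB
```

Get-EventLog exists only in Windows PowerShell (it is absent from PowerShell 7, where Get-WinEvent is the replacement), and on an XP machine Windows PowerShell 2.0 is a separate install; where neither is available, the equivalent filter in eventvwr.msc is Source = Winlogon (or Wininit) with Event ID 1001. A non-zero bad-sector figure, or a verdict of "corrected" that recurs on the next run, is the point at which to stop treating the slowness as a malware problem.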


Hello :)

There was nothing in the event viewer that had a "winlogon" category. There have been no pop-ups, error messages or running issues with that PC since last you and I spoke, so I think we are good where that is concerned.

A last general question for that machine from my wife: What point is there to taking the pains to reformat/reinstall if malware could just make another hole just as easily?

I have not re-run defogger to turn on cd-emulation yet.

On my PC (running 64-bit Win7 Home) I must have got the 'doubleclick' malware before I put more security on the PC. It's driving me crazy. Malwarebytes doesn't see it, SUPERAntiSpyware is crashing for some reason (haven't tried to reinstall that yet). The file it stops on is: C:\users\mark\appdata\roaming\microsoft\internet explorer\quicklaunch\virus trigger 2.1 ink

Now I did a little checking and my version of Win7 doesn't have quicklaunch. Also couldn't find the appdata folder.

Should I put this in a new topic so you can close this one?
