
Security Suite and Antimalware Doctor Viruses.



I first posted several days ago... can't find my post, so I'm going to post again, sorry! Searches for my recent post show nothing.

I'm posting my logs from MWB's, DDS/GMER log files. I will also add McAfee and HJT to the list, as it shows more activity that's going on with my "Control Panel" and me not being able to connect to the web at all. My "Network Connections" folder is empty, when in fact it is being hidden by this virus. One more thing: when I run GMER, it takes over 12 hours to complete, even in "Safe Mode". I ain't doing this. Also, in Safe Mode when I go to save the file, the program "locks my PC up" and I need to reboot after, say, a half hour. Too much time wasted here. I may as well reformat!! Also... I don't see an "Attach" for any "ZIP" files, so I'll post as I'm able to, when I can and how I can. Please work with me. This is all I ask at this point. Thank you! No Zip files here... been disabled as well.

DDS FIRST...........................................................................

.....................

DDS (Ver_10-03-17.01) - NTFSx86 MINIMAL

Run by DAVE at 23:16:23.59 on Fri 08/27/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1591 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\system32\svchost.exe -k netsvcs

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\system32\WDBtnMgr.exe

C:\Program Files\Iomega\DriveIcons\ImgIcon.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

C:\Program Files\Iomega\AutoDisk\ADUserMon.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe

C:\Program Files\Common Files\Intellisync\PushSyncService\PushSyncService.exe

C:\Documents and Settings\DAVE\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

uURLSearchHooks: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll

mURLSearchHooks: H - No File

mURLSearchHooks: H - No File

BHO: agihelper.AGUtils: {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Nexus Radio Toolbar: {2462d2d8-b36e-44ab-84bf-c5a9383d2429} - c:\program files\nexus_radio\tbNexu.dll

BHO: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIObi.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll

TB: Nexus Radio Toolbar: {2462d2d8-b36e-44ab-84bf-c5a9383d2429} - c:\program files\nexus_radio\tbNexu.dll

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

TB: IObitCom Toolbar: {31c7d459-9cc3-44f2-9dca-fc11795309b4} - c:\program files\iobitcom\tbIObi.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {C17590D2-ECB4-4B15-8820-F58798DCC118} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [WD Button Manager] WDBtnMgr.exe

mRun: [updReg] c:\windows\UpdReg.EXE

mRun: [iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe

mRun: [hplampc] c:\windows\system32\hplampc.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART

mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe

mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\yahoo! autosync\AutosyncForYahoo.exe

IE: &Add animation to IncrediMail Style Box - c:\program files\incredimail\bin\resources\WebMenuImg.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll

IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237662207234

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SSODL: hisihiyep - {374d6b46-a170-4216-9956-a2e72151ef47} -

SSODL: rapezawob - {4c2331c7-7e0e-41dc-b777-6477ac040593} -

STS: {374d6b46-a170-4216-9956-a2e72151ef47}: gahurihor

STS: {4c2331c7-7e0e-41dc-b777-6477ac040593}: tokatiluy

STS: {99aacd4c-c413-490c-894e-b95e8f3ceb62} - No File

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

LSA: Notification Packages = vagazodi.dll scecli

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dave\applic~1\mozilla\firefox\profiles\tpgzersa.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/

FF - prefs.js: keyword.URL - hxxp://mystart.incredimail.com/?loc=ff_address_bar_im2_test_v2&search=

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: browser.cache.memory.capacity - 65536

FF - user.js: browser.chrome.favicons - false

FF - user.js: browser.display.show_image_placeholders - true

FF - user.js: browser.turbo.enabled - true

FF - user.js: browser.urlbar.autocomplete.enabled - true

FF - user.js: browser.urlbar.autofill - true

FF - user.js: content.interrupt.parsing - true

FF - user.js: content.max.tokenizing.time - 2250000

FF - user.js: content.notify.backoffcount - 5

FF - user.js: content.notify.interval - 750000

FF - user.js: content.notify.ontimer - true

FF - user.js: content.switch.threshold - 750000

FF - user.js: network.http.max-connections - 48

FF - user.js: network.http.max-connections-per-server - 16

FF - user.js: network.http.max-persistent-connections-per-proxy - 16

FF - user.js: network.http.max-persistent-connections-per-server - 8

FF - user.js: network.http.pipelining - true

FF - user.js: network.http.pipelining.firstrequest - true

FF - user.js: network.http.pipelining.maxrequests - 8

FF - user.js: network.http.proxy.pipelining - true

FF - user.js: network.http.request.max-start-delay - 0

FF - user.js: nglayout.initialpaint.delay - 0

FF - user.js: plugin.expose_full_path - true

FF - user.js: ui.submenuDelay - 0

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-1-20 64288]

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-13 214664]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S2 Auto File Backup Service;AutoBAUP Service;c:\program files\autobaup\autobaup.exe --> c:\program files\autobaup\AutoBAUP.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-12 135664]

S2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-6-6 312152]

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-6-6 203280]

S2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-6-6 359952]

S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-6-6 144704]

S2 MotoConnect Service;MotoConnect Service;c:\program files\motorola\motoconnectservice\MotoConnectService.exe [2010-4-23 91456]

S2 MSWU-c28badf4;MSWU-c28badf4;c:\windows\system32\c28badf4.exe --> c:\windows\system32\c28badf4.exe [?]

S3 cpuz132;cpuz132;\??\c:\docume~1\dave\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\dave\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 hp4200c;%usbscan.SvcDesc%;c:\windows\system32\drivers\hp4200c.sys [2008-9-22 9312]

S3 mamotou;mamotou;c:\windows\system32\drivers\mamotou.sys --> c:\windows\system32\drivers\mamotou.sys [?]

S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-6-6 606736]

S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-7-21 79816]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-7-21 35272]

S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-7-21 34248]

S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-7-21 40552]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2010-4-9 42752]

S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-12-2 1181328]

=============== Created Last 30 ================

2010-08-28 03:12:17 0 ----a-w- c:\documents and settings\dave\defogger_reenable

2010-08-25 18:04:32 8212 ----a-w- c:\windows\mfebcdata

2010-08-24 19:57:26 0 d-----w- c:\windows\system32\wbem\Repository

2010-08-24 19:57:00 0 d-----w- C:\New Folder

2010-08-22 22:21:27 120 ----a-w- c:\windows\Ljotagupi.dat

2010-08-22 22:21:27 0 ----a-w- c:\windows\Thepinukifasocu.bin

2010-08-22 22:19:43 784384 ----a-w- c:\windows\system32\drivers\oreikfcz.sys

2010-08-22 22:19:01 0 d-----w- c:\docume~1\dave\applic~1\D87C975A242FF740DED7B5293949138D

2010-08-13 04:52:56 0 d-----w- c:\docume~1\dave\applic~1\BitTorrent

2010-08-13 04:52:49 0 d-----w- c:\program files\BitTorrent

2010-08-13 04:34:14 459112 ----a-w- c:\program files\Miro_Installer.exe

2010-07-31 02:14:29 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS

2010-07-31 01:59:48 0 d-----w- C:\Netgear

==================== Find3M ====================

2010-07-15 19:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll

2010-06-06 20:47:42 103784 ----a-w- c:\documents and settings\dave\GoToAssistDownloadHelper.exe

2003-04-22 01:49:48 669184 ----a-w- c:\program files\msxml4sxs32.msm

2003-04-22 01:49:44 679424 ----a-w- c:\program files\msxml4sys32.msm

2008-09-23 20:03:44 90 --sh--w- c:\windows\cnerolf.dat

2010-02-10 21:28:16 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\application data\microsoft\feeds cache\index.dat

2009-07-02 20:30:18 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009070220090703\index.dat

2010-04-10 21:16:26 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012010041020100411\index.dat

2010-02-10 20:44:18 16384 --sha-w- c:\windows\system32\config\systemprofile\privacie\index.dat

============= FINISH: 23:18:31.60 ===============

ARK IS NEXT.......................................................

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-28 23:17:34

Windows 5.1.2600 Service Pack 3

Running: d90zppkg.exe; Driver: C:\DOCUME~1\DAVE\LOCALS~1\Temp\kfndrpow.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766787E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7667BFE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB88C2000, 0x187662, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[732] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[732] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A

.text C:\WINDOWS\Explorer.EXE[732] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

.text C:\WINDOWS\Explorer.EXE[732] SHELL32.dll!SHFileOperationW 7CA708E4 5 Bytes JMP 3000141E C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

.text C:\WINDOWS\Explorer.EXE[732] SHELL32.dll!SHFileOperation 7CA70BCC 5 Bytes JMP 30001430 C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1224] SHELL32.dll!SHFileOperationW 7CA708E4 5 Bytes JMP 3000141E C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

.text c:\PROGRA~1\mcafee.com\agent\mcagent.exe[1224] SHELL32.dll!SHFileOperation 7CA70BCC 5 Bytes JMP 30001430 C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A

.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A

.text C:\WINDOWS\system32\svchost.exe[1316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

.text C:\WINDOWS\system32\svchost.exe[1316] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 00E4000A

.text C:\WINDOWS\system32\svchost.exe[1316] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 009F000A

.text C:\WINDOWS\system32\WDBtnMgr.exe[1496] SHELL32.dll!SHFileOperationW 7CA708E4 5 Bytes JMP 3000141E C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

.text C:\WINDOWS\system32\WDBtnMgr.exe[1496] SHELL32.dll!SHFileOperation 7CA70BCC 5 Bytes JMP 30001430 C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

.text C:\Program Files\Iomega\DriveIcons\ImgIcon.exe[1616] SHELL32.dll!SHFileOperationW 7CA708E4 5 Bytes JMP 3000141E C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

.text C:\Program Files\Iomega\DriveIcons\ImgIcon.exe[1616] SHELL32.dll!SHFileOperation 7CA70BCC 5 Bytes JMP 30001430 C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

.text C:\Documents and Settings\DAVE\Desktop\d90zppkg.exe[1756] SHELL32.dll!SHFileOperationW 7CA708E4 5 Bytes JMP 3000141E C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

.text C:\Documents and Settings\DAVE\Desktop\d90zppkg.exe[1756] SHELL32.dll!SHFileOperation 7CA70BCC 5 Bytes JMP 30001430 C:\Program Files\Iomega\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15

ATTACH IS NEXT..................................................

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 9/20/2008 4:54:48 AM

System Uptime: 8/27/2010 11:15:07 PM (0 hours ago)

Motherboard: Dell Inc. | | 0U7084

Processor: Intel® Pentium® 4 CPU 3.40GHz | Microprocessor | 3391/800mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 233 GiB total, 77.98 GiB free.

D: is CDROM ()

E: is CDROM ()

H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description: Mass Storage Controller

Device ID: PCI\VEN_1283&DEV_8212&SUBSYS_00000000&REV_13\4&10416D21&0&18F0

Manufacturer:

Name: Mass Storage Controller

PNP Device ID: PCI\VEN_1283&DEV_8212&SUBSYS_00000000&REV_13\4&10416D21&0&18F0

Service:

==== System Restore Points ===================

RP485: 5/26/2010 11:28:07 PM - Software Distribution Service 3.0

RP486: 5/28/2010 4:55:53 PM - System Checkpoint

RP487: 5/28/2010 5:21:59 PM - Spybot-S&D Spyware removal

RP488: 5/28/2010 5:22:36 PM - Spybot-S&D Spyware removal

RP489: 6/4/2010 1:44:58 PM - Software Distribution Service 3.0

RP490: 6/5/2010 5:27:09 PM - Avg Update

RP491: 6/6/2010 12:06:43 AM - Software Distribution Service 3.0

RP492: 6/6/2010 3:37:51 PM - Removed AVG Free 9.0

RP493: 6/7/2010 2:50:14 PM - Software Distribution Service 3.0

RP494: 6/9/2010 3:28:15 PM - Software Distribution Service 3.0

RP495: 6/9/2010 3:46:39 PM - Installed Motorola RAZR V3xx USB - Handset Manager V9.5

RP496: 6/9/2010 3:50:29 PM - Removed Motorola RAZR V3xx USB - Handset Manager V9.5

RP497: 6/9/2010 3:59:06 PM - Installed Motorola RAZR V3xx USB - Handset Manager V9.5

RP498: 6/9/2010 4:06:09 PM - Removed Motorola RAZR V3xx USB - Handset Manager V9.5

RP499: 6/9/2010 4:13:38 PM - Installed Motorola RAZR V3xx USB - Handset Manager V9.5

RP500: 6/10/2010 11:17:18 PM - Software Distribution Service 3.0

RP501: 6/14/2010 1:53:57 PM - Software Distribution Service 3.0

RP502: 6/16/2010 3:30:34 PM - System Checkpoint

RP503: 6/17/2010 1:32:00 PM - Software Distribution Service 3.0

RP504: 6/21/2010 1:31:46 PM - Software Distribution Service 3.0

RP505: 6/23/2010 3:51:21 PM - Removed HP Image Zone Express

RP506: 6/23/2010 4:18:39 PM - Software Distribution Service 3.0

RP507: 6/24/2010 12:40:17 PM - Software Distribution Service 3.0

RP508: 6/28/2010 2:26:07 PM - Software Distribution Service 3.0

RP509: 7/1/2010 1:16:33 PM - Software Distribution Service 3.0

RP510: 7/4/2010 3:50:07 PM - System Checkpoint

RP511: 7/5/2010 12:44:29 PM - Software Distribution Service 3.0

RP512: 7/8/2010 2:04:21 PM - Software Distribution Service 3.0

RP513: 7/12/2010 1:11:51 PM - Software Distribution Service 3.0

RP514: 7/13/2010 11:12:11 PM - Software Distribution Service 3.0

RP515: 7/15/2010 11:14:44 AM - Software Distribution Service 3.0

RP516: 7/19/2010 11:41:33 AM - Software Distribution Service 3.0

RP517: 7/22/2010 12:44:56 PM - Software Distribution Service 3.0

RP518: 7/26/2010 1:26:26 PM - Software Distribution Service 3.0

RP519: 7/29/2010 12:48:55 PM - Software Distribution Service 3.0

RP520: 8/1/2010 3:27:18 PM - System Checkpoint

RP521: 8/2/2010 2:37:35 PM - Software Distribution Service 3.0

RP522: 8/5/2010 3:26:39 PM - Software Distribution Service 3.0

RP523: 8/9/2010 2:38:17 PM - Software Distribution Service 3.0

RP524: 8/11/2010 1:10:59 AM - Software Distribution Service 3.0

RP525: 8/12/2010 1:20:01 PM - Software Distribution Service 3.0

RP526: 8/13/2010 1:58:29 PM - Software Distribution Service 3.0

RP527: 8/16/2010 2:57:17 PM - Software Distribution Service 3.0

RP528: 8/19/2010 12:00:22 PM - Software Distribution Service 3.0

RP529: 8/20/2010 8:25:27 PM - System Checkpoint

RP530: 8/21/2010 8:35:42 PM - System Checkpoint

RP531: 8/22/2010 9:48:59 PM - Advanced SystemCare RestorePoint

RP532: 8/24/2010 3:55:55 PM - Restore Operation

RP533: 8/24/2010 4:30:49 PM - Software Distribution Service 3.0

==== Installed Programs ======================

2004_Boeing_PxN Screen Saver

747Boeing_BCA Screen Saver

777Boeing_BCA2 Screen Saver

A300B4-203 1.5

AAC Decoder

Abacus EZ-Libraries

Acrobat.com

Acronis True Image

Active Disk

Active@ UNDELETE

ActiveSky Version 6.5 and ActiveSky Graphics

Ad-Aware

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Photoshop Elements 2.0

Adobe Reader 9.3.3

Advanced SystemCare 3

Afghanistan - Noshaq (Highest Mountains Package 004) for MSFS 2004

Air Canada TravelDesk

Airport's Chart Viewer v5.0 (For FS2004)

Alaska Airlines TravelDesk

Alaska Airlines Update Conduit (English)

American Airlines TravelDesk

AOPA Cherokee Six v1.0

AOPA Commander 112A v1.1

Apple Software Update

ATC Voicepack SDK

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Control Panel

ATI Display Driver

AutoUpdate

Bear Creek Winery to Big Lake VFR Flight Plan

BitTorrent

Boeing 767 LOT Star Alliance

Bonjour

Broadcom Gigabit Integrated Controller

Bush Flight - BCWL to BGQ

Call of Duty Game of the Year Edition

Catalyst Control Center Core Implementation

Catalyst Control Center Graphics Full Existing

Catalyst Control Center Graphics Full New

Catalyst Control Center Graphics Light

Catalyst Control Center Graphics Previews Common

ccc-core-preinstall

ccc-core-static

ccc-utility

CCC Help English

CCleaner (remove only)

Cirrus SR20 V2 Six by GK

CNET TechTracker

Continental Airlines Timetable

Cooliris for Internet Explorer

Creative Audio Console

Creative MediaSource

Critical Update for Windows Media Player 11 (KB959772)

Dell Media Experience

Dell ResourceCD

Destroyer Command

DivX Codec

DivX Converter

DivX Player

DivX Plus DirectShow Filters

DivX Plus Web Player

DivX Version Checker

DVD Decrypter (Remove Only)

DVD Shrink 3.2

Earthsim

European Air War

F-16 Fighting Falcon Flying Eddie Mod for MSFS 2004

F15

Falcon 4.0: Allied Force

FileSpecs plug-in for Ad-Aware SE

Flight Environment

Flight One ATR 72-500

Flight1 Downloader

Fly the Legend Screen Saver

FSFlyingSchool 2009

FSMMovingMap

Game Booster

GameSpy Arcade

Ghost Recon

Google Chrome

Google Earth

Google Update Helper

Google Updater

Grabber2k v0.99e

Grolsch Screensaver Int.

Ground Environment Professional

GTA San Andreas

H.264 Decoder

HexDump plug-in for Ad-Aware SE

HijackThis 2.0.2

Holding Pattern Coach Screen Saver

Home Improvement 1-2-3

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB915800-v4)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP PrecisionScan LT Software

IncrediMail

IncrediMail 2.0

IObit Security 360

Iomega Sync

IomegaWare 4.0.2

Jane's Combat Simulations F/A-18

Jane


Hi,

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    TDSSKillerMain.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


THANK YOU, HERE IS MY LOG; ....................................................................

2010/09/05 17:58:01.0812 TDSS rootkit removing tool 2.4.2.0 Sep 3 2010 10:26:06

2010/09/05 17:58:01.0812 ================================================================================

2010/09/05 17:58:01.0812 SystemInfo:

2010/09/05 17:58:01.0812

2010/09/05 17:58:01.0812 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/05 17:58:01.0812 Product type: Workstation

2010/09/05 17:58:01.0812 ComputerName: HOME-0395F5FC51

2010/09/05 17:58:01.0812 UserName: DAVE

2010/09/05 17:58:01.0812 Windows directory: C:\WINDOWS

2010/09/05 17:58:01.0812 System windows directory: C:\WINDOWS

2010/09/05 17:58:01.0812 Processor architecture: Intel x86

2010/09/05 17:58:01.0812 Number of processors: 2

2010/09/05 17:58:01.0812 Page size: 0x1000

2010/09/05 17:58:01.0812 Boot type: Normal boot

2010/09/05 17:58:01.0812 ================================================================================

2010/09/05 17:58:02.0281 Initialize success

2010/09/05 17:58:15.0796 ================================================================================

2010/09/05 17:58:15.0796 Scan started

2010/09/05 17:58:15.0796 Mode: Manual;

2010/09/05 17:58:15.0796 ================================================================================

2010/09/05 17:58:19.0875 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/09/05 17:58:19.0953 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/09/05 17:58:20.0140 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/09/05 17:58:20.0265 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/09/05 17:58:20.0484 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/09/05 17:58:20.0812 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/09/05 17:58:20.0859 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/09/05 17:58:21.0312 ati2mtag (4f1d98c5faa232d89f479aa2f6ef4196) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/09/05 17:58:21.0437 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/09/05 17:58:21.0562 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/09/05 17:58:21.0734 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys

2010/09/05 17:58:21.0781 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/09/05 17:58:22.0015 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS

2010/09/05 17:58:22.0296 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/09/05 17:58:22.0359 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/09/05 17:58:22.0437 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/09/05 17:58:22.0468 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/09/05 17:58:22.0531 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys

2010/09/05 17:58:23.0093 ctac32k (fb06bb39860340c6fa84867f0288d1dd) C:\WINDOWS\system32\drivers\ctac32k.sys

2010/09/05 17:58:23.0140 ctaud2k (b810fa12cf726b200e057834eaebb1ac) C:\WINDOWS\system32\drivers\ctaud2k.sys

2010/09/05 17:58:23.0203 ctdvda2k (c4333325d325efa668888d0d3177c6ff) C:\WINDOWS\system32\drivers\ctdvda2k.sys

2010/09/05 17:58:23.0265 ctprxy2k (1fa95c8cf34b9911e352a07ea7a200fc) C:\WINDOWS\system32\drivers\ctprxy2k.sys

2010/09/05 17:58:23.0312 ctsfm2k (400cb754b91f73bee2655686a57269d2) C:\WINDOWS\system32\drivers\ctsfm2k.sys

2010/09/05 17:58:23.0468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/09/05 17:58:23.0531 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/09/05 17:58:23.0656 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/09/05 17:58:23.0734 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/09/05 17:58:23.0812 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/09/05 17:58:23.0921 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/09/05 17:58:23.0984 drvmcdb (24646242310499d75c6db4b32768a3b3) C:\WINDOWS\system32\drivers\drvmcdb.sys

2010/09/05 17:58:24.0062 drvnddm (2ff629c1c443e25d0149b9dfb77e43a8) C:\WINDOWS\system32\drivers\drvnddm.sys

2010/09/05 17:58:24.0093 emupia (7bb488ec082d40645936d9e583f560dc) C:\WINDOWS\system32\drivers\emupia2k.sys

2010/09/05 17:58:24.0218 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/09/05 17:58:24.0281 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/09/05 17:58:24.0312 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/09/05 17:58:24.0437 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/09/05 17:58:24.0484 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/09/05 17:58:24.0640 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/09/05 17:58:24.0671 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/09/05 17:58:24.0703 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/09/05 17:58:24.0937 ha10kx2k (9bb84b1dff8bce7fdddea746f6819fcf) C:\WINDOWS\system32\drivers\ha10kx2k.sys

2010/09/05 17:58:24.0968 hap16v2k (1418833169b29780fbdab127623b8767) C:\WINDOWS\system32\drivers\hap16v2k.sys

2010/09/05 17:58:25.0062 hap17v2k (8b3148391dc121d96d513785d588e75b) C:\WINDOWS\system32\drivers\hap17v2k.sys

2010/09/05 17:58:25.0125 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/09/05 17:58:25.0218 hp4200c (9add235b564d7b3d27d97cb13ede8c0a) C:\WINDOWS\system32\DRIVERS\hp4200c.sys

2010/09/05 17:58:25.0343 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/09/05 17:58:25.0421 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/09/05 17:58:25.0546 iastor (607aa190e423fb937bd9b08cd17cda15) C:\WINDOWS\system32\DRIVERS\iaStor.sys

2010/09/05 17:58:25.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\iaStor.sys. Real md5: 607aa190e423fb937bd9b08cd17cda15, Fake md5: d593517879e65167df35f6015814ac59

2010/09/05 17:58:25.0562 iastor - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/09/05 17:58:25.0750 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/09/05 17:58:25.0968 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/09/05 17:58:26.0015 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/09/05 17:58:26.0078 iomdisk (9d7069d72c0c72952f05e1688a5ae89d) C:\WINDOWS\system32\DRIVERS\iomdisk.sys

2010/09/05 17:58:26.0171 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/09/05 17:58:26.0281 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/09/05 17:58:26.0328 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/09/05 17:58:26.0437 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/09/05 17:58:26.0468 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/09/05 17:58:26.0531 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/09/05 17:58:26.0640 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/09/05 17:58:26.0781 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/09/05 17:58:26.0796 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/09/05 17:58:26.0890 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/09/05 17:58:26.0953 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/09/05 17:58:27.0078 Lbd (713cd5267abfb86fe90a72e384e82a38) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2010/09/05 17:58:27.0390 MaRdPnp (b51e7eab4baf13b492aa3299bcf52a35) C:\WINDOWS\system32\DRIVERS\MaRdP2K.sys

2010/09/05 17:58:27.0562 mfeavfk (bafdd5e28baea99d7f4772af2f5ec7ee) C:\WINDOWS\system32\drivers\mfeavfk.sys

2010/09/05 17:58:27.0656 mfebopk (1d003e3056a43d881597d6763e83b943) C:\WINDOWS\system32\drivers\mfebopk.sys

2010/09/05 17:58:27.0734 mfehidk (3f138a1c8a0659f329f242d1e389b2cf) C:\WINDOWS\system32\drivers\mfehidk.sys

2010/09/05 17:58:27.0859 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys

2010/09/05 17:58:27.0953 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys

2010/09/05 17:58:28.0046 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/09/05 17:58:28.0140 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/09/05 17:58:28.0250 MotDev (e190ed75bcc7928143f8f2af4c34d91d) C:\WINDOWS\system32\DRIVERS\motodrv.sys

2010/09/05 17:58:28.0531 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/09/05 17:58:28.0640 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/09/05 17:58:28.0718 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/09/05 17:58:28.0765 MPFP (bc2a92cff784555ed622f861cb34f2e6) C:\WINDOWS\system32\Drivers\Mpfp.sys

2010/09/05 17:58:28.0921 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/09/05 17:58:29.0015 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/09/05 17:58:29.0078 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/09/05 17:58:29.0187 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/09/05 17:58:29.0265 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/09/05 17:58:29.0343 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/09/05 17:58:29.0390 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/09/05 17:58:29.0421 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/09/05 17:58:29.0500 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/09/05 17:58:29.0546 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/09/05 17:58:29.0640 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/09/05 17:58:29.0671 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/09/05 17:58:29.0687 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/09/05 17:58:29.0718 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/09/05 17:58:29.0812 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/09/05 17:58:29.0953 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/09/05 17:58:30.0015 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/09/05 17:58:30.0093 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/09/05 17:58:30.0156 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/09/05 17:58:30.0234 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/09/05 17:58:30.0312 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/09/05 17:58:30.0343 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/09/05 17:58:30.0406 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS

2010/09/05 17:58:30.0531 ossrv (01e1ab8249f9dde5978c6b4af18eda7c) C:\WINDOWS\system32\drivers\ctoss2k.sys

2010/09/05 17:58:30.0656 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/09/05 17:58:30.0687 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/09/05 17:58:30.0718 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/09/05 17:58:30.0750 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/09/05 17:58:30.0828 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/09/05 17:58:30.0937 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/09/05 17:58:31.0234 PfModNT (fda352035c58a5c0ca6de13e66c0bf80) C:\WINDOWS\system32\drivers\PfModNT.sys

2010/09/05 17:58:31.0281 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/09/05 17:58:31.0312 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/09/05 17:58:31.0328 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/09/05 17:58:31.0390 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/09/05 17:58:31.0750 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/09/05 17:58:31.0843 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/09/05 17:58:31.0921 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/09/05 17:58:31.0937 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/09/05 17:58:31.0984 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/09/05 17:58:32.0015 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/09/05 17:58:32.0078 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/09/05 17:58:32.0156 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/09/05 17:58:32.0375 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys

2010/09/05 17:58:32.0500 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

2010/09/05 17:58:32.0687 SaiClass (dd3bba364c3b89ccb1fd8fd427c7b37f) C:\WINDOWS\system32\drivers\SaiNtBus.sys

2010/09/05 17:58:32.0796 SaiNtHid (a007103ef0e50fb0e0ed08b511d721d7) C:\WINDOWS\system32\DRIVERS\SaiNtHid.sys

2010/09/05 17:58:32.0968 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys

2010/09/05 17:58:33.0093 Secdrv (ba0d892d2f786bcebdf03b0a252b47f3) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/09/05 17:58:33.0234 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/09/05 17:58:33.0296 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/09/05 17:58:33.0421 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/09/05 17:58:33.0625 snapman (79555b34913cb5d1ea429d295c5a17ac) C:\WINDOWS\system32\DRIVERS\snapman.sys

2010/09/05 17:58:33.0734 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/09/05 17:58:33.0750 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/09/05 17:58:33.0859 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/09/05 17:58:33.0968 sscdbhk5 (1cbd1b58a32de97899f5290b05f856db) C:\WINDOWS\system32\drivers\sscdbhk5.sys

2010/09/05 17:58:34.0046 ssrtln (7fb07ac152d7a87e66204860002bd9a4) C:\WINDOWS\system32\drivers\ssrtln.sys

2010/09/05 17:58:34.0093 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/09/05 17:58:34.0140 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/09/05 17:58:34.0421 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/09/05 17:58:34.0500 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/09/05 17:58:34.0734 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/09/05 17:58:34.0828 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/09/05 17:58:34.0906 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/09/05 17:58:34.0984 tfsnboio (c89daabdff5bd984181f45adf6ddb24a) C:\WINDOWS\system32\dla\tfsnboio.sys

2010/09/05 17:58:35.0015 tfsncofs (f093906c27fc9c59bd03d84807266107) C:\WINDOWS\system32\dla\tfsncofs.sys

2010/09/05 17:58:35.0031 tfsndrct (9294575cdad17d1dadfcd98a2ca26e7a) C:\WINDOWS\system32\dla\tfsndrct.sys

2010/09/05 17:58:35.0062 tfsndres (cdcc394cbaac183f9bdebf6d2f97c5c6) C:\WINDOWS\system32\dla\tfsndres.sys

2010/09/05 17:58:35.0093 tfsnifs (0a6c7c989dd76bb8989fd958ac5601d0) C:\WINDOWS\system32\dla\tfsnifs.sys

2010/09/05 17:58:35.0125 tfsnopio (92a17c0d73500f9b9c3028da9e4cdba6) C:\WINDOWS\system32\dla\tfsnopio.sys

2010/09/05 17:58:35.0140 tfsnpool (15ab1a2bb2b35eb1dcda39405114afc6) C:\WINDOWS\system32\dla\tfsnpool.sys

2010/09/05 17:58:35.0171 tfsnudf (370d2779668bf3b8d14f34356c41ab9c) C:\WINDOWS\system32\dla\tfsnudf.sys

2010/09/05 17:58:35.0203 tfsnudfa (4564799868c4bcdf28c8efc6d4c48c4b) C:\WINDOWS\system32\dla\tfsnudfa.sys

2010/09/05 17:58:35.0265 tifsfilter (f38ada64542ceb7d019925f83324ea85) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

2010/09/05 17:58:35.0312 timounter (74f3c4c59e23749f9fdcd423b97c6a91) C:\WINDOWS\system32\DRIVERS\timntr.sys

2010/09/05 17:58:35.0406 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/09/05 17:58:35.0500 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/09/05 17:58:35.0656 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/09/05 17:58:35.0687 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/09/05 17:58:35.0718 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/09/05 17:58:35.0750 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/09/05 17:58:35.0812 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/09/05 17:58:35.0906 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/09/05 17:58:35.0953 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/09/05 17:58:35.0968 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/09/05 17:58:36.0062 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/09/05 17:58:36.0125 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/09/05 17:58:36.0250 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2010/09/05 17:58:36.0312 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/09/05 17:58:36.0390 WD_FireWire_HID (0aac22d28116e45b85e16021fd988a3a) C:\WINDOWS\system32\DRIVERS\wdfwhid.sys

2010/09/05 17:58:36.0531 WmBEnum (7ef08e65a586ea95c5b80190a9cfebe6) C:\WINDOWS\system32\drivers\WmBEnum.sys

2010/09/05 17:58:36.0656 WmVirHid (0be14bb79e41feafcce33714e4176ae8) C:\WINDOWS\system32\drivers\WmVirHid.sys

2010/09/05 17:58:36.0671 WmXlCore (0638cd7c72f5b026638221dc2e84d448) C:\WINDOWS\system32\drivers\WmXlCore.sys

2010/09/05 17:58:37.0062 Wpsnuio (b5dd05445274a4385d9fe485e50d49d5) C:\WINDOWS\system32\DRIVERS\wpsnuio.sys

2010/09/05 17:58:37.0187 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/09/05 17:58:37.0265 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/09/05 17:58:37.0343 ================================================================================

2010/09/05 17:58:37.0343 Scan finished

2010/09/05 17:58:37.0343 ================================================================================

2010/09/05 17:58:37.0359 Detected object count: 1

2010/09/05 18:01:18.0875 iastor (607aa190e423fb937bd9b08cd17cda15) C:\WINDOWS\system32\DRIVERS\iaStor.sys

2010/09/05 18:01:18.0875 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\iaStor.sys. Real md5: 607aa190e423fb937bd9b08cd17cda15, Fake md5: d593517879e65167df35f6015814ac59

2010/09/05 18:01:19.0671 Backup copy found, using it..

2010/09/05 18:01:19.0687 C:\WINDOWS\system32\DRIVERS\iaStor.sys - will be cured after reboot

2010/09/05 18:01:19.0687 Rootkit.Win32.TDSS.tdl3(iastor) - User select action: Cure

2010/09/05 18:01:53.0921 Deinitialize success

................................................................................

.

Now, I ran the ComboFix as directed; AV is turned off as well. After it scanned and rebooted my pc, I saw this;

Blue screen at desktop said;

''Please wait.

grep: writing output: Bad file descriptor''

with a flashing cursor.

Nothing is happening here for around 25 minutes. I'm in a jam here and I just closed it out; what else could I do?

Now no log file was produced at all. Exactly how many times can you run ComboFix? I won't do a thing until I hear from you.

Also, I must say this; I've noticed that I have all my things back in working order, for now. I can connect to the internet, I have my sound back, my Antivirus now works and I have control over the things I lost....spyware programs and all. I'm checking everything out at the moment-updates only. I won't run anything until you say go! My folders appear to be normal and I have control over other things as well. I tried CF on another drive and it produced a log file. Why wouldn't it on the infected drive?

Regards,

Dave
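The key line in the TDSSKiller log above is the "Suspicious file (Forged)" entry for iaStor.sys: the tool reports two different MD5 values for the same driver file, and that mismatch is what it uses to flag the driver as patched by the TDL3 rootkit. The parser below is an added example (not part of this thread and not Kaspersky's own code) that reads lines in the format TDSSKiller printed here, pairs each forged-file finding with the driver entry, detection verdict and chosen action for the same driver, and checks that the "Detected object count" agrees with the number of detection lines. The sample lines are copied from the posted log; the regular expressions are an assumption about the log layout based only on those lines.

```python
"""Parse a TDSSKiller log and pull out the driver(s) it flagged as forged."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample lines copied from the TDSSKiller log posted in this thread, trimmed to
# a few driver entries around the finding. Nothing in this sample is invented.
SAMPLE_LOG = r"""
2010/09/05 17:58:25.0421 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/05 17:58:25.0546 iastor (607aa190e423fb937bd9b08cd17cda15) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/09/05 17:58:25.0546 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\iaStor.sys. Real md5: 607aa190e423fb937bd9b08cd17cda15, Fake md5: d593517879e65167df35f6015814ac59
2010/09/05 17:58:25.0562 iastor - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/05 17:58:25.0750 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/05 17:58:37.0359 Detected object count: 1
2010/09/05 18:01:19.0687 Rootkit.Win32.TDSS.tdl3(iastor) - User select action: Cure
"""

# Line layouts are an assumption derived from the posted log, not a published spec.
_TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)"
RE_DRIVER = re.compile(_TS + r" (?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
RE_FORGED = re.compile(_TS + r" Suspicious file \(Forged\): (?P<path>.+?)\. "
                      r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
RE_DETECT = re.compile(_TS + r" (?P<name>\S+) - detected (?P<family>\S+) \((?P<n>\d+)\)$")
RE_ACTION = re.compile(_TS + r" (?P<family>[^(\s]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\S+)$")
RE_COUNT = re.compile(_TS + r" Detected object count: (?P<n>\d+)$")


@dataclass
class Report:
    drivers: Dict[str, dict] = field(default_factory=dict)     # name -> {md5, path}
    forged: List[dict] = field(default_factory=list)           # forged-file findings
    detections: Dict[str, str] = field(default_factory=dict)   # name -> malware family
    actions: Dict[str, str] = field(default_factory=dict)      # name -> user action
    declared_count: Optional[int] = None                       # "Detected object count"


def parse_tdsskiller_log(text: str) -> Report:
    """Classify each log line; unknown lines (banners, SystemInfo) are ignored."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := RE_FORGED.match(line)):
            rep.forged.append({"path": m["path"], "real_md5": m["real"], "fake_md5": m["fake"]})
        elif (m := RE_DETECT.match(line)):
            rep.detections[m["name"].lower()] = m["family"]
        elif (m := RE_ACTION.match(line)):
            rep.actions[m["name"].lower()] = m["action"]
        elif (m := RE_COUNT.match(line)):
            rep.declared_count = int(m["n"])
        elif (m := RE_DRIVER.match(line)):
            rep.drivers[m["name"].lower()] = {"md5": m["md5"], "path": m["path"]}
    return rep


def flagged_drivers(rep: Report) -> List[dict]:
    """Join each forged-file finding with its driver entry, verdict and action."""
    by_path = {d["path"].lower(): name for name, d in rep.drivers.items()}
    out = []
    for f in rep.forged:
        name = by_path.get(f["path"].lower())
        listed = rep.drivers[name]["md5"] if name else None
        out.append({
            "name": name,
            "path": f["path"],
            "real_md5": f["real_md5"],
            "fake_md5": f["fake_md5"],
            # A differing pair is the indicator behind the "Forged" verdict.
            "hashes_differ": f["real_md5"] != f["fake_md5"],
            # In the posted log the hash in the driver listing equals "Real md5".
            "listed_md5_is_real": listed == f["real_md5"],
            "family": rep.detections.get(name) if name else None,
            "action": rep.actions.get(name) if name else None,
        })
    return out


def count_consistent(rep: Report) -> bool:
    """True when the declared object count matches the detection lines seen."""
    return rep.declared_count is not None and rep.declared_count == len(rep.detections)


if __name__ == "__main__":
    report = parse_tdsskiller_log(SAMPLE_LOG)
    for hit in flagged_drivers(report):
        print(f"{hit['name']}: {hit['family']} -> {hit['action']} "
              f"(real {hit['real_md5'][:8]}.., fake {hit['fake_md5'][:8]}..)")
    print("object count consistent:", count_consistent(report))
```

Run against a full log, the same code gives a helper a one-line summary per flagged driver instead of scrolling past two hundred clean entries, and the count check catches a truncated paste (a declared count with fewer detection lines than expected).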


Hi,

Try running CF again.

-------------------------------------------------------------------------------------------------------------------------------------------

Here it is;

ComboFix 10-09-04.06 - DAVE 09/06/2010 14:48:50.5.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1446 [GMT -4:00]

Running from: c:\documents and settings\DAVE\Desktop\COMBOFIX.EXE

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

c:\documents and settings\Administrator\Local Settings\Application Data\{EDEEF249-B0F7-4F1E-9F24-7A312D50E64C}

c:\documents and settings\Administrator\Local Settings\Application Data\{EDEEF249-B0F7-4F1E-9F24-7A312D50E64C}\chrome\content\_cfg.js

c:\documents and settings\Administrator\Local Settings\Application Data\{EDEEF249-B0F7-4F1E-9F24-7A312D50E64C}\chrome\content\overlay.xul

c:\documents and settings\Administrator\Local Settings\Application Data\{EDEEF249-B0F7-4F1E-9F24-7A312D50E64C}\install.rdf

c:\documents and settings\DAVE\GoToAssistDownloadHelper.exe

c:\documents and settings\DAVE\Local Settings\Application Data\{F783DFA0-0E5D-435D-9C41-E2C6074479B4}

c:\documents and settings\DAVE\Local Settings\Application Data\{F783DFA0-0E5D-435D-9C41-E2C6074479B4}\chrome\content\_cfg.js

c:\documents and settings\DAVE\Local Settings\Application Data\{F783DFA0-0E5D-435D-9C41-E2C6074479B4}\chrome\content\overlay.xul

c:\documents and settings\DAVE\Local Settings\Application Data\{F783DFA0-0E5D-435D-9C41-E2C6074479B4}\install.rdf

c:\documents and settings\DJ Backup Account\Local Settings\Application Data\{72D46C4E-391F-42DB-965A-8B6BECA568AD}

c:\documents and settings\DJ Backup Account\Local Settings\Application Data\{72D46C4E-391F-42DB-965A-8B6BECA568AD}\chrome\content\_cfg.js

c:\documents and settings\DJ Backup Account\Local Settings\Application Data\{72D46C4E-391F-42DB-965A-8B6BECA568AD}\chrome\content\overlay.xul

c:\documents and settings\DJ Backup Account\Local Settings\Application Data\{72D46C4E-391F-42DB-965A-8B6BECA568AD}\install.rdf

c:\documents and settings\HONDA\Local Settings\Application Data\{4A4A922E-8248-482D-93A8-32D9A697D8E7}

c:\documents and settings\HONDA\Local Settings\Application Data\{4A4A922E-8248-482D-93A8-32D9A697D8E7}\chrome\content\_cfg.js

c:\documents and settings\HONDA\Local Settings\Application Data\{4A4A922E-8248-482D-93A8-32D9A697D8E7}\chrome\content\overlay.xul

c:\documents and settings\HONDA\Local Settings\Application Data\{4A4A922E-8248-482D-93A8-32D9A697D8E7}\install.rdf

c:\program files\Search Toolbar

c:\program files\Search Toolbar\icon.ico

c:\program files\Search Toolbar\SearchToolbar.dll

c:\program files\Search Toolbar\SearchToolbarUninstall.exe

c:\program files\Search Toolbar\SearchToolbarUpdater.exe

c:\windows\system\msvbvm60.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))

.

2010-09-05 21:05 . 2010-09-05 21:07 -------- d-----w- C:\msdownld.tmp

2010-08-25 20:01 . 2010-08-25 20:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Active Disk

2010-08-24 19:57 . 2010-08-24 19:57 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-24 04:07 . 2010-08-24 04:08 -------- d-----w- c:\documents and settings\HONDA\Application Data\Ahead

2010-08-24 04:07 . 2010-08-24 04:07 55256 ----a-w- c:\documents and settings\HONDA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-24 04:07 . 2010-08-24 04:07 -------- d-----w- c:\documents and settings\HONDA\Local Settings\Application Data\Ahead

2010-08-24 03:56 . 2010-08-24 03:56 -------- d-----w- c:\documents and settings\HONDA\Application Data\Leadertech

2010-08-24 03:53 . 2010-08-24 03:53 -------- d-sh--w- c:\documents and settings\HONDA\IETldCache

2010-08-24 03:35 . 2010-08-24 03:35 -------- d-----w- c:\documents and settings\DJ Backup Account\Application Data\Ahead

2010-08-24 03:35 . 2010-08-24 04:27 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Ahead

2010-08-23 19:12 . 2010-08-23 19:12 52512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-23 19:10 . 2010-08-24 19:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\AutoSync for Yahoo

2010-08-23 04:33 . 2010-08-23 04:33 -------- d-----w- c:\documents and settings\DJ Backup Account\Application Data\PushSyncData

2010-08-23 04:32 . 2010-08-25 19:56 -------- d-----w- c:\documents and settings\DJ Backup Account\Application Data\AutoSync for Yahoo

2010-08-23 03:31 . 2010-08-23 03:31 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Identities

2010-08-23 03:28 . 2010-08-23 03:28 -------- d-----w- c:\documents and settings\DJ Backup Account\IECompatCache

2010-08-23 03:12 . 2010-08-24 20:11 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\IM

2010-08-23 02:06 . 2010-08-23 02:06 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Mozilla

2010-08-23 01:40 . 2010-08-23 01:40 -------- d-----w- c:\documents and settings\DJ Backup Account\Application Data\Malwarebytes

2010-08-23 01:35 . 2010-08-23 01:35 -------- d-sh--w- c:\documents and settings\DJ Backup Account\PrivacIE

2010-08-23 01:35 . 2010-08-23 01:35 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Conduit

2010-08-23 01:20 . 2010-08-23 01:20 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Cooliris

2010-08-23 01:19 . 2010-08-24 20:11 52512 ----a-w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-23 01:19 . 2010-08-24 20:17 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\IObitCom

2010-08-23 01:17 . 2010-08-23 01:17 -------- d-sh--w- c:\documents and settings\DJ Backup Account\IETldCache

2010-08-22 22:21 . 2010-08-24 04:25 0 ----a-w- c:\windows\Thepinukifasocu.bin

2010-08-22 22:21 . 2010-08-23 04:49 120 ----a-w- c:\windows\Ljotagupi.dat

2010-08-22 22:19 . 2010-08-24 19:58 784384 ----a-w- c:\windows\system32\drivers\oreikfcz.sys

2010-08-13 04:52 . 2010-08-24 19:57 -------- d-----w- c:\documents and settings\DAVE\Application Data\BitTorrent

2010-08-13 04:52 . 2010-08-19 04:10 -------- d-----w- c:\program files\BitTorrent

2010-08-13 04:34 . 2010-08-13 04:34 459112 ----a-w- c:\program files\Miro_Installer.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-06 01:35 . 2010-04-13 01:02 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-09-06 01:19 . 2008-09-20 20:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-06 01:19 . 2008-09-20 20:22 -------- d-----w- c:\program files\SpywareBlaster

2010-09-05 23:02 . 2010-06-06 21:04 -------- d-----w- c:\program files\McAfee

2010-09-05 22:56 . 2008-10-14 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-09-05 22:02 . 2005-04-25 15:28 871040 ----a-w- c:\windows\system32\drivers\iaStor.sys

2010-08-30 19:33 . 2004-08-04 12:00 12400 ----a-w- c:\windows\system32\drivers\secdrv.sys

2010-08-30 17:30 . 2008-09-22 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect

2010-08-25 17:53 . 2008-09-20 06:41 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-24 20:18 . 2009-10-30 04:26 -------- d-----w- c:\program files\IObitCom

2010-08-22 19:59 . 2008-09-22 18:46 -------- d-----w- c:\program files\Windows Media Connect 2

2010-08-18 20:09 . 2010-06-16 18:44 -------- d-----w- c:\documents and settings\DAVE\Application Data\PCF-VLC

2010-08-13 04:48 . 2010-06-16 18:50 -------- d-----w- c:\program files\Miro

2010-08-13 04:37 . 2008-09-22 23:01 -------- d-----w- c:\program files\Participatory Culture Foundation

2010-07-20 19:00 . 2009-10-02 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-19 15:43 . 2008-09-20 08:11 -------- d-----w- c:\program files\IncrediMail

2010-07-15 19:18 . 2010-06-06 21:05 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-06-30 19:53 . 2010-06-23 20:05 1480 ----a-w- c:\windows\AUTOLNCH.REG

2010-06-30 12:31 . 2009-07-02 19:31 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2009-07-02 19:31 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2009-07-02 19:31 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2008-09-20 08:51 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2003-04-22 01:49 . 2003-04-22 01:49 669184 ----a-w- c:\program files\msxml4sxs32.msm

2003-04-22 01:49 . 2003-04-22 01:49 679424 ----a-w- c:\program files\msxml4sys32.msm

2008-09-23 20:03 . 2008-09-23 20:03 90 --sh--w- c:\windows\cnerolf.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-07 297808]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]

[HKEY_CLASSES_ROOT\agihelper.AGUtils]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2462d2d8-b36e-44ab-84bf-c5a9383d2429}]

2007-08-28 18:19 1440792 ----a-w- c:\program files\Nexus_Radio\tbNexu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

2009-10-01 21:29 2166296 ----a-w- c:\program files\IObitCom\tbIObi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{2462d2d8-b36e-44ab-84bf-c5a9383d2429}"= "c:\program files\Nexus_Radio\tbNexu.dll" [2007-08-28 1440792]

"{31c7d459-9cc3-44f2-9dca-fc11795309b4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-10-01 2166296]

[HKEY_CLASSES_ROOT\clsid\{2462d2d8-b36e-44ab-84bf-c5a9383d2429}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{2462D2D8-B36E-44AB-84BF-C5A9383D2429}"= "c:\program files\Nexus_Radio\tbNexu.dll" [2007-08-28 1440792]

"{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-10-01 2166296]

[HKEY_CLASSES_ROOT\clsid\{2462d2d8-b36e-44ab-84bf-c5a9383d2429}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WD Button Manager"="WDBtnMgr.exe" [2009-06-06 360448]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]

"hplampc"="c:\windows\System32\hplampc.exe" [2002-01-17 40448]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]

"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]

"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-16 127037]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-6-23 113664]

Yahoo! Autosync.lnk - c:\program files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-8-21 391680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^Alaska Airlines Update Conduit.lnk]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\Alaska Airlines Update Conduit.lnk

backup=c:\windows\pss\Alaska Airlines Update Conduit.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^Screen Saver Control.lnk]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\Screen Saver Control.lnk

backup=c:\windows\pss\Screen Saver Control.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^United Airlines Timetable Update Application.lnk]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\United Airlines Timetable Update Application.lnk

backup=c:\windows\pss\United Airlines Timetable Update Application.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^Webshots.lnk]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\Webshots.lnk

backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoBAUP_FilesBackup_2]

AUTOBAUP2 [X]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ratasatuh

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]

2008-09-22 23:42 90112 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis


Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

http://forums.malwarebytes.org/index.php?showtopic=61753

File::
c:\windows\Thepinukifasocu.bin
c:\windows\Ljotagupi.dat

Collect::
c:\windows\system32\drivers\oreikfcz.sys
c:\windows\system32\c28badf4.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ratasatuh]

Driver::
oreikfcz
MSWU-c28badf4

KillAll::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


-----------------------------------------------------------------------------------------------------------------------------------------

Ok, here it is with AV and the rest disabled:

ComboFix 10-09-04.06 - DAVE 09/06/2010 17:11:26.6.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1400 [GMT -4:00]

Running from: g:\documents and settings\DJ\My Documents\Downloads\Firewalls, Spyware,AV and Malware\ComboFix.exe

Command switches used :: c:\documents and settings\DAVE\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\windows\Ljotagupi.dat"

"c:\windows\Thepinukifasocu.bin"

file zipped: c:\windows\system32\drivers\oreikfcz.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Ljotagupi.dat

c:\windows\system32\drivers\oreikfcz.sys

c:\windows\Thepinukifasocu.bin

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_MSWU-C28BADF4

-------\Service_MSWU-c28badf4

((((((((((((((((((((((((( Files Created from 2010-08-06 to 2010-09-06 )))))))))))))))))))))))))))))))

.

2010-09-05 21:05 . 2010-09-05 21:07 -------- d-----w- C:\msdownld.tmp

2010-08-25 20:01 . 2010-08-25 20:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\Active Disk

2010-08-24 19:57 . 2010-08-24 19:57 -------- d-----w- c:\windows\system32\wbem\Repository

2010-08-24 04:07 . 2010-08-24 04:08 -------- d-----w- c:\documents and settings\HONDA\Application Data\Ahead

2010-08-24 04:07 . 2010-08-24 04:07 55256 ----a-w- c:\documents and settings\HONDA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-24 04:07 . 2010-08-24 04:07 -------- d-----w- c:\documents and settings\HONDA\Local Settings\Application Data\Ahead

2010-08-24 03:56 . 2010-08-24 03:56 -------- d-----w- c:\documents and settings\HONDA\Application Data\Leadertech

2010-08-24 03:53 . 2010-08-24 03:53 -------- d-sh--w- c:\documents and settings\HONDA\IETldCache

2010-08-24 03:35 . 2010-08-24 03:35 -------- d-----w- c:\documents and settings\DJ Backup Account\Application Data\Ahead

2010-08-24 03:35 . 2010-08-24 04:27 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Ahead

2010-08-23 19:12 . 2010-08-23 19:12 52512 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-23 19:10 . 2010-08-24 19:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\AutoSync for Yahoo

2010-08-23 04:33 . 2010-08-23 04:33 -------- d-----w- c:\documents and settings\DJ Backup Account\Application Data\PushSyncData

2010-08-23 04:32 . 2010-08-25 19:56 -------- d-----w- c:\documents and settings\DJ Backup Account\Application Data\AutoSync for Yahoo

2010-08-23 03:31 . 2010-08-23 03:31 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Identities

2010-08-23 03:28 . 2010-08-23 03:28 -------- d-----w- c:\documents and settings\DJ Backup Account\IECompatCache

2010-08-23 03:12 . 2010-08-24 20:11 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\IM

2010-08-23 02:06 . 2010-08-23 02:06 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Mozilla

2010-08-23 01:40 . 2010-08-23 01:40 -------- d-----w- c:\documents and settings\DJ Backup Account\Application Data\Malwarebytes

2010-08-23 01:35 . 2010-08-23 01:35 -------- d-sh--w- c:\documents and settings\DJ Backup Account\PrivacIE

2010-08-23 01:35 . 2010-08-23 01:35 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Conduit

2010-08-23 01:20 . 2010-08-23 01:20 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\Cooliris

2010-08-23 01:19 . 2010-08-24 20:11 52512 ----a-w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-23 01:19 . 2010-08-24 20:17 -------- d-----w- c:\documents and settings\DJ Backup Account\Local Settings\Application Data\IObitCom

2010-08-23 01:17 . 2010-08-23 01:17 -------- d-sh--w- c:\documents and settings\DJ Backup Account\IETldCache

2010-08-13 04:52 . 2010-08-24 19:57 -------- d-----w- c:\documents and settings\DAVE\Application Data\BitTorrent

2010-08-13 04:52 . 2010-08-19 04:10 -------- d-----w- c:\program files\BitTorrent

2010-08-13 04:34 . 2010-08-13 04:34 459112 ----a-w- c:\program files\Miro_Installer.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-06 19:20 . 2010-04-13 01:02 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-09-06 01:19 . 2008-09-20 20:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-06 01:19 . 2008-09-20 20:22 -------- d-----w- c:\program files\SpywareBlaster

2010-09-05 23:02 . 2010-06-06 21:04 -------- d-----w- c:\program files\McAfee

2010-09-05 22:56 . 2008-10-14 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater

2010-09-05 22:02 . 2005-04-25 15:28 871040 ----a-w- c:\windows\system32\drivers\iaStor.sys

2010-08-30 19:33 . 2004-08-04 12:00 12400 ----a-w- c:\windows\system32\drivers\secdrv.sys

2010-08-30 17:30 . 2008-09-22 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect

2010-08-25 17:53 . 2008-09-20 06:41 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2010-08-24 20:18 . 2009-10-30 04:26 -------- d-----w- c:\program files\IObitCom

2010-08-22 19:59 . 2008-09-22 18:46 -------- d-----w- c:\program files\Windows Media Connect 2

2010-08-18 20:09 . 2010-06-16 18:44 -------- d-----w- c:\documents and settings\DAVE\Application Data\PCF-VLC

2010-08-13 04:48 . 2010-06-16 18:50 -------- d-----w- c:\program files\Miro

2010-08-13 04:37 . 2008-09-22 23:01 -------- d-----w- c:\program files\Participatory Culture Foundation

2010-07-20 19:00 . 2009-10-02 20:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-07-19 15:43 . 2008-09-20 08:11 -------- d-----w- c:\program files\IncrediMail

2010-07-15 19:18 . 2010-06-06 21:05 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys

2010-06-30 19:53 . 2010-06-23 20:05 1480 ----a-w- c:\windows\AUTOLNCH.REG

2010-06-30 12:31 . 2009-07-02 19:31 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2009-07-02 19:31 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2009-07-02 19:31 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2004-08-04 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2008-09-20 08:51 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2004-08-04 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll

2003-04-22 01:49 . 2003-04-22 01:49 669184 ----a-w- c:\program files\msxml4sxs32.msm

2003-04-22 01:49 . 2003-04-22 01:49 679424 ----a-w- c:\program files\msxml4sys32.msm

2008-09-23 20:03 . 2008-09-23 20:03 90 --sh--w- c:\windows\cnerolf.dat

.

((((((((((((((((((((((((((((( SnapShot@2010-09-06_19.03.38 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-09-06 21:32 . 2010-09-06 21:32 16384 c:\windows\temp\Perflib_Perfdata_6f8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{0BC6E3FA-78EF-4886-842C-5A1258C4455A}"= "mscoree.dll" [2009-11-07 297808]

[HKEY_CLASSES_ROOT\clsid\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]

[HKEY_CLASSES_ROOT\agihelper.AGUtils]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0bc6e3fa-78ef-4886-842c-5a1258c4455a}]

2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2462d2d8-b36e-44ab-84bf-c5a9383d2429}]

2007-08-28 18:19 1440792 ----a-w- c:\program files\Nexus_Radio\tbNexu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

2009-10-01 21:29 2166296 ----a-w- c:\program files\IObitCom\tbIObi.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{2462d2d8-b36e-44ab-84bf-c5a9383d2429}"= "c:\program files\Nexus_Radio\tbNexu.dll" [2007-08-28 1440792]

"{31c7d459-9cc3-44f2-9dca-fc11795309b4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-10-01 2166296]

[HKEY_CLASSES_ROOT\clsid\{2462d2d8-b36e-44ab-84bf-c5a9383d2429}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{2462D2D8-B36E-44AB-84BF-C5A9383D2429}"= "c:\program files\Nexus_Radio\tbNexu.dll" [2007-08-28 1440792]

"{31C7D459-9CC3-44F2-9DCA-FC11795309B4}"= "c:\program files\IObitCom\tbIObi.dll" [2009-10-01 2166296]

[HKEY_CLASSES_ROOT\clsid\{2462d2d8-b36e-44ab-84bf-c5a9383d2429}]

[HKEY_CLASSES_ROOT\clsid\{31c7d459-9cc3-44f2-9dca-fc11795309b4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WD Button Manager"="WDBtnMgr.exe" [2009-06-06 360448]

"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]

"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]

"hplampc"="c:\windows\System32\hplampc.exe" [2002-01-17 40448]

"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]

"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]

"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]

"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]

"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-03-16 127037]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]

"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2010-6-23 113664]

Yahoo! Autosync.lnk - c:\program files\Yahoo!\Yahoo! Autosync\AutosyncForYahoo.exe [2007-8-21 391680]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^Alaska Airlines Update Conduit.lnk]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\Alaska Airlines Update Conduit.lnk

backup=c:\windows\pss\Alaska Airlines Update Conduit.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe

backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^Screen Saver Control.lnk]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\Screen Saver Control.lnk

backup=c:\windows\pss\Screen Saver Control.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^United Airlines Timetable Update Application.lnk]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\United Airlines Timetable Update Application.lnk

backup=c:\windows\pss\United Airlines Timetable Update Application.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^DAVE^Start Menu^Programs^Startup^Webshots.lnk]

path=c:\documents and settings\DAVE\Start Menu\Programs\Startup\Webshots.lnk

backup=c:\windows\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoBAUP_FilesBackup_2]

AUTOBAUP2 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]

2008-09-22 23:42 90112 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis


Hi,

Download TFC to your desktop

  • Open the file and close any other windows.
  • It will close all programs itself when run, so make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Start Malwarebytes' Anti-Malware

  • Once the program has loaded, click the "Update" tab and click the "Check For updates" button.
  • Once the updates have been downloaded, click the "Scanner" tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


Ok, here it is.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4578
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
9/9/2010 12:08:17 AM
mbam-log-2010-09-09 (00-08-17).txt
Scan type: Quick scan
Objects scanned: 162484
Time elapsed: 6 minute(s), 35 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

BTW, can I enable my CD emulation drivers through DeFogger?

Regards,
DJ

Hi,

Have you run the ESET online scan? If so, did it find anything?

Yes, you can.

ESETSCAN is here;

C:\Documents and Settings\DAVE\My Documents\Downloads\PAYWARE\Nero Burner\Nero 7 Ultra\Nero-7.11.10.0_Online.exe Win32/Toolbar.AskSBar application

C:\Qoobox\Quarantine\[4]-Submit_2010-09-06_17.11.18.zip a variant of Win32/Bubnix.AZ trojan

Why the 5-6 hour long scan?

DJ


Hi,

Your logs appear to be clean now. There is only a bit of cleanup that we will deal with in this post, as well as prevention of future infections. ;)

Remove Combofix now that we're done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    CF_Uninstall-1.jpg
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download JavaRa to your desktop and unzip it to its own folder

  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep a backup of your important files

Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make proper use of your anti-virus and firewall

You should keep your anti-virus and firewall guard enabled at all times, don't shut them off unless there's a specific reason to do so.

Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean', that doesn't necessarily mean it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep all your software updated

It is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.

It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple of good free alternatives: Firefox and Opera. Both are excellent: faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here, which will help you to make IE much safer.

If you decide to use the Firefox browser, the McAfee SiteAdvisor add-on will nicely help to enhance your security. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some other security programs

It is wise these days to have a few security programs installed and running on your machine apart from just an anti-virus and a firewall. I will list some of them.

  • A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be careful

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.

Using peer-to-peer programs (eg: LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common ways to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up-to-date anti-virus and firewall, some of these things will still infect you. It is highly recommended that you uninstall all peer-to-peer programs. It just isn't worth it.

Other common ways of getting infected are disreputable sites forcing you to download and install a codec, or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming to be "photos" from a friend, only for it to turn out to be a virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slow computer?

If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,

Gammo ;)
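
The MVPS HOSTS file mentioned in the post above works by mapping known ad and malware hostnames to a sinkhole address (0.0.0.0 or 127.0.0.1) so the machine never connects to them. The same file is also a favourite tampering target for the kind of infection this thread deals with: malware adds lines that point security vendors' or Windows Update hostnames somewhere else, or blackholes them, which is one reason a victim "can't connect to the web". The following Python script is an added example, not code from the post or from the MVPS project: it parses a HOSTS file, separates legitimate blocklist entries from entries that remap names a clean machine should never override, and reports the suspicious ones. The sample file contents and the list of protected domain suffixes are constructed for the example; extend the suffix list to whatever vendors you rely on.

```python
"""Audit a Windows HOSTS file: blocklist entries vs. suspicious overrides."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample (not a real file): a HOSTS file after a blocklist such
# as MVPS has been installed, plus lines of the kind malware adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Blocklist section (constructed names)
0.0.0.0 ads.example-adnetwork.invalid
0.0.0.0 tracker.example-counter.invalid
127.0.0.1 malvertising.example.invalid   # sinkholed
# A local override an admin might add on purpose; flagged for review only
10.0.0.5 fileserver.lan
# Tampering: vendor names pointed at an attacker-controlled address
192.0.2.44 www.malwarebytes.org
192.0.2.44 windowsupdate.microsoft.com
"""

# Addresses a blocklist legitimately uses to sink traffic.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

# Hypothetical protected list: names that must never be remapped, in either
# direction. Blackholing an update or AV site is as much a hijack as
# redirecting it, so the check is applied before the sinkhole test.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com",
                      "malwarebytes.org", "mcafee.com", "eset.com")


@dataclass
class HostsEntry:
    ip: str
    hostname: str
    line_no: int
    verdict: str  # "system", "blocklist", "redirect", "hijack" or "invalid"


def _is_protected(hostname: str) -> bool:
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(ip: str, hostname: str) -> str:
    """Decide what a single ip/hostname pair means from a defender's view."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"          # not an IP at all: malformed or tampered
    if hostname.lower() == "localhost" and addr.is_loopback:
        return "system"           # the two stock Windows lines
    if _is_protected(hostname):
        return "hijack"           # update/AV name remapped or blackholed
    if ip in SINKHOLE_ADDRS:
        return "blocklist"        # ordinary ad/malware-domain blocking
    return "redirect"             # real address override: review manually


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse HOSTS syntax: '<ip> <name> [<name>...]', '#' starts a comment."""
    entries: List[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            entries.append(HostsEntry(fields[0], "", line_no, "invalid"))
            continue
        ip, names = fields[0], fields[1:]
        for name in names:            # one record per hostname on the line
            entries.append(HostsEntry(ip, name, line_no, classify(ip, name)))
    return entries


def summarize(entries: List[HostsEntry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.verdict] = counts.get(e.verdict, 0) + 1
    return counts


def suspicious(entries: List[HostsEntry]) -> List[HostsEntry]:
    """Entries a cleanup should look at: hijacks, overrides, malformed lines."""
    return [e for e in entries if e.verdict in ("hijack", "redirect", "invalid")]


if __name__ == "__main__":
    parsed = parse_hosts(SAMPLE_HOSTS)
    print("summary:", summarize(parsed))
    for e in suspicious(parsed):
        print(f"line {e.line_no}: {e.verdict:8} {e.ip} -> {e.hostname}")
```

On a real machine, read the file from %SystemRoot%\System32\drivers\etc\hosts instead of the embedded sample. Any "hijack" result means the file has been edited by something other than the blocklist installer; a "redirect" is not necessarily malicious (administrators do add local overrides) but deserves a look, because a resolver that trusts the HOSTS file will follow it before asking DNS.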



Thank you so much. I really appreciate your help. My PC seems to be fine now. I ran the utilities clean up program well.

Thanks again. Cheers!
