Jump to content

hjt log - google redirects, possibly desktoplayer.exe the cause?


jnutsy

Recommended Posts

Hi,

I've been having problems with my laptop recently, google results keep redirecting me to suspicious websites or other search engines, and some strange .exe processes seem to be running on startup. Sometimes new tabs open in firefox taking me to suspicious websites. Also system.exe and explorer.exe appear to be using a huge amount of CPU compared to before these problems. Other programs such as firefox and internet explorer also seem to be running in the background, according to task manager, even if I haven't started them up myself.

Below is the most recent Malwarebytes Anti - Malware log, along with dds.txt log. Attached is the attach.txt file as requested. I did try to run GMER Rootkit Scanner, but it kept shutting my laptop down after about 5 minutes of scanning and giving me a blue screen telling me there was something like a 'hard problem'. Rebooting the laptop using the power button allowed me to restart windows though.

Thank you very much in advance, I would really appreciate any help!

p.s please let me know if you want me to post a hijackthis log, I wasn't sure if I was supposed to do this.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4564

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

14/09/2010 14:11:13

mbam-log-2010-09-14 (14-11-13).txt

Scan type: Quick scan

Objects scanned: 160428

Time elapsed: 37 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 3

Registry Data Items Infected: 6

Folders Infected: 0

Files Infected: 7

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{758a8262-b6b2-65fd-92f8-28f444205964} (Spyware.Passwords.XGen) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{d00515b6-c4de-5dd7-a492-e1c9a711015f} (Trojan.ZbotR.Gen) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{db174a6f-bf20-d79f-eae3-29bc55731634} (Trojan.ZbotR.Gen) -> Delete on reboot.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer.Gen) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer.Gen) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Passwords.XGen) -> Data: c:\windows\explorersrv.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: c:\program files\java\jre6\bin\jqsnotifysrv.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\intel\wireless\bin\s24evmonsrv.exe,c:\program files\microsoft\desktoplayer.exe,c:\program files\java\jre6\bin\jqsnotifysrv.exe,c:\windows\explorersrv.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Nuts\Application Data\Noulmi\pivia.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

C:\WINDOWS\ExplorerSrv.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.

C:\Program Files\Java\jre6\bin\jqsnotifySrv.exe (Trojan.PWS) -> Quarantined and deleted successfully.

C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Nuts\Local Settings\Temp\0.011684359799158717.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nuts\Application Data\Vaucb\yvav.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

C:\Documents and Settings\Nuts\Application Data\Igli\upac.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

DDS (Ver_10-03-17.01) - NTFSx86

Run by Nuts at 14:38:48.93 on 14/09/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.332 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe

c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe

C:\Program Files\McAfee\MPF\MPFSrv.exe

C:\PROGRA~1\McAfee\MPS\mps.exe

C:\Program Files\McAfee\MSK\MskSrver.exe

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\McAfee\MPS\mpsevh.exe

"C:\WINDOWS\system32\svchost.exe"

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

c:\PROGRA~1\mcafee.com\agent\mcagent.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Creative\Mixer\CTSVolFE.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\McAfee\MSK\MskAgent.exe

C:\Program Files\SiteAdvisor\6172\SiteAdv.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Dell Support\DSAgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Dell Network Assistant\ezi_hnm2.exe

C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

c:\PROGRA~1\mcafee\msc\mcuimgr.exe

C:\Documents and Settings\Nuts\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.bbc.co.uk/football

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\intel\wireless\bin\s24evmonsrv.exe,c:\program files\microsoft\desktoplayer.exe

TB: {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - No File

TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6253\SiteAdv.dll

uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [bhilaho] rundll32.exe "c:\windows\clprvro.dll",Startup

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [igfxtray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [<NO NAME>]

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe

mRun: [siteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [nonep] c:\program files\riv87\oops.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\nuts\startm~1\programs\startup\dellne~1.lnk - c:\program files\dell network assistant\ezi_hnm2.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6253\SiteAdv.dll

Notify: igfxcui - igfxdev.dll

SSODL: considerateness - {4d993022-0899-4599-b4b6-0f887d0802e6} - No File

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

STS: {4d993022-0899-4599-b4b6-0f887d0802e6} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nuts\applic~1\mozilla\firefox\profiles\j57dut8t.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?source=haiu

FF - component: c:\program files\siteadvisor\6253\ff\components\FFHook.dll

FF - plugin: c:\documents and settings\nuts\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: XULRunner: {11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40} - c:\documents and settings\nuts\local settings\application data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-2-10 540776]

R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-10 353368]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

R2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-2-10 256096]

R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-10 144960]

R2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-10 643664]

R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-2-10 71496]

R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-2-10 34184]

R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-2-10 170408]

R3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-2-10 32008]

R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-2-10 37480]

S0 lahkdae;lahkdae;c:\windows\system32\drivers\owikrfa.sys --> c:\windows\system32\drivers\owikrfa.sys [?]

S0 yusvtjej;yusvtjej;c:\windows\system32\drivers\rxtdrj.sys --> c:\windows\system32\drivers\rxtdrj.sys [?]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]

=============== Created Last 30 ================

2010-09-14 13:25:53 53760 ----a-w- c:\windows\ExplorerSrv.exe

2010-09-14 13:23:57 0 ----a-w- c:\documents and settings\nuts\defogger_reenable

2010-09-13 23:52:25 0 d-----w- c:\docume~1\nuts\applic~1\wsInspector

2010-09-13 23:43:25 0 d-----w- c:\program files\Startup Inspector for Windows

2010-09-13 16:58:16 0 d-----w- c:\program files\sys32

2010-09-10 10:14:29 0 d-----w- c:\program files\riv87

2010-09-09 17:00:51 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-09-09 10:40:08 0 d-----w- c:\program files\Trend Micro

2010-09-08 09:09:57 1598 ----a-w- c:\documents and settings\nuts\.recently-used.xbel

2010-09-07 23:51:59 0 d-sh--w- c:\documents and settings\nuts\IECompatCache

2010-09-07 21:13:46 0 d-sh--w- c:\documents and settings\nuts\IETldCache

2010-09-07 20:15:03 0 d-----w- c:\docume~1\nuts\applic~1\Malwarebytes

2010-09-07 20:14:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-07 20:14:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-09-07 20:14:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-07 20:14:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-07 17:01:26 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-07 14:28:55 0 dc-h--w- c:\windows\ie8

2010-09-07 12:26:06 24576 ----a-w- c:\windows\system32\stu2.exe

2010-09-07 00:04:04 120 ----a-w- c:\windows\Tcakuvazi.dat

2010-09-07 00:04:04 0 ----a-w- c:\windows\Hwequyufomo.bin

2010-08-30 23:51:53 0 d-----w- c:\program files\iPod

2010-08-27 10:15:54 44 ----a-w- c:\windows\kdcoms.dll

2010-08-23 09:08:51 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-09-13 23:22:35 53760 ----a-w- c:\windows\inf\unregmp2Srv.exe

2010-09-07 12:26:04 31744 ----a-w- c:\windows\system32\userinit.exe

2007-05-26 23:57:46 251 -c--a-w- c:\program files\wt3d.ini

2009-09-16 11:17:18 88 --sh--r- c:\windows\system32\0C831E6059.sys

2009-02-06 13:44:08 56 --sh--r- c:\windows\system32\59601E830C.sys

2009-09-16 11:17:19 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 14:40:53.70 ===============

Attach.zip

Link to post
Share on other sites

Hi,

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    TDSSKillermain.png
  • If an infected file is detected, the default action will be Cure, click on Continue.
    TDSSKillerMal-1.png
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
    TDSSKillerSuspicious.png
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    TDSSKillerCompleted.png
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them:
    Click me
    If you can't disable them then just continue on.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Link to post
Share on other sites

Hi Gammo,

Thank you very much for your help. I followed your instructions, but halfway through scanning with combofix (after about 6 sections had been completed) the computer crashed and took me to a blue screen. The error message on this page said something along the lines of 'page file error' - although I can't remember exactly what the message was.

Below is the log file from TDDSkiller:

Thanks again, I really appreciate your time.

2010/09/16 19:23:21.0093 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2010/09/16 19:23:21.0093 ================================================================================

2010/09/16 19:23:21.0093 SystemInfo:

2010/09/16 19:23:21.0093

2010/09/16 19:23:21.0093 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/16 19:23:21.0093 Product type: Workstation

2010/09/16 19:23:21.0093 ComputerName: JAMES

2010/09/16 19:23:21.0093 UserName: Nuts

2010/09/16 19:23:21.0093 Windows directory: C:\WINDOWS

2010/09/16 19:23:21.0093 System windows directory: C:\WINDOWS

2010/09/16 19:23:21.0093 Processor architecture: Intel x86

2010/09/16 19:23:21.0093 Number of processors: 2

2010/09/16 19:23:21.0093 Page size: 0x1000

2010/09/16 19:23:21.0093 Boot type: Normal boot

2010/09/16 19:23:21.0093 ================================================================================

2010/09/16 19:23:22.0000 Initialize success

2010/09/16 19:23:29.0390 ================================================================================

2010/09/16 19:23:29.0390 Scan started

2010/09/16 19:23:29.0390 Mode: Manual;

2010/09/16 19:23:29.0390 ================================================================================

2010/09/16 19:23:32.0796 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2010/09/16 19:23:33.0265 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/09/16 19:23:33.0890 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/09/16 19:23:34.0468 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2010/09/16 19:23:35.0046 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/09/16 19:23:35.0531 AegisP (91f3df93f40a74d222cd166fe95db633) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/09/16 19:23:36.0234 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/09/16 19:23:36.0859 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/09/16 19:23:37.0593 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2010/09/16 19:23:38.0218 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2010/09/16 19:23:38.0718 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2010/09/16 19:23:39.0187 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2010/09/16 19:23:40.0500 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/09/16 19:23:41.0531 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2010/09/16 19:23:42.0234 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2010/09/16 19:23:42.0859 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2010/09/16 19:23:43.0609 APPDRV (983e5142be54f86ba81557f5d80ebcf0) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS

2010/09/16 19:23:43.0609 Suspicious file (Forged): C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS. Real md5: 983e5142be54f86ba81557f5d80ebcf0, Fake md5: ec94e05b76d033b74394e7b2175103cf

2010/09/16 19:23:43.0609 APPDRV - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/09/16 19:23:44.0234 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/09/16 19:23:44.0750 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/09/16 19:23:45.0328 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2010/09/16 19:23:45.0796 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2010/09/16 19:23:46.0203 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/09/16 19:23:46.0296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/09/16 19:23:47.0312 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/09/16 19:23:47.0796 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/09/16 19:23:48.0484 bcm4sbxp (c768c8a463d32c219ce291645a0621a4) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

2010/09/16 19:23:49.0140 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/09/16 19:23:49.0468 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2010/09/16 19:23:49.0640 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/09/16 19:23:50.0093 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2010/09/16 19:23:50.0250 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/09/16 19:23:50.0359 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/09/16 19:23:50.0625 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/09/16 19:23:51.0125 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2010/09/16 19:23:51.0390 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2010/09/16 19:23:51.0843 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/09/16 19:23:52.0390 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2010/09/16 19:23:52.0687 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys

2010/09/16 19:23:53.0015 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2010/09/16 19:23:53.0281 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2010/09/16 19:23:53.0468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/09/16 19:23:54.0250 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/09/16 19:23:54.0781 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/09/16 19:23:56.0281 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/09/16 19:23:57.0406 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/09/16 19:23:58.0046 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys

2010/09/16 19:23:58.0906 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2010/09/16 19:23:59.0609 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/09/16 19:24:00.0109 drvmcdb (96bc8f872f0270c10edc3931f1c03776) C:\WINDOWS\system32\drivers\drvmcdb.sys

2010/09/16 19:24:00.0718 drvnddm (5afbec7a6ac61b211633dfdb1d9e0c89) C:\WINDOWS\system32\drivers\drvnddm.sys

2010/09/16 19:24:00.0906 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys

2010/09/16 19:24:01.0656 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2010/09/16 19:24:02.0296 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/09/16 19:24:02.0859 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/09/16 19:24:03.0359 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/09/16 19:24:03.0937 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/09/16 19:24:04.0531 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/09/16 19:24:05.0062 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/09/16 19:24:06.0281 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/09/16 19:24:08.0218 GearAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/09/16 19:24:09.0328 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/09/16 19:24:10.0765 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/09/16 19:24:13.0250 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/09/16 19:24:14.0656 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/09/16 19:24:15.0656 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/09/16 19:24:16.0203 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/09/16 19:24:17.0453 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/09/16 19:24:19.0109 HSFHWAZL (1c8caa80e91fb71864e9426f9eed048d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys

2010/09/16 19:24:19.0937 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

2010/09/16 19:24:20.0656 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/09/16 19:24:21.0671 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2010/09/16 19:24:23.0109 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2010/09/16 19:24:23.0562 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/09/16 19:24:24.0718 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

2010/09/16 19:24:25.0484 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/09/16 19:24:26.0750 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2010/09/16 19:24:28.0859 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/09/16 19:24:30.0234 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/09/16 19:24:31.0531 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/09/16 19:24:32.0500 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/09/16 19:24:33.0171 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/09/16 19:24:34.0109 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/09/16 19:24:35.0140 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/09/16 19:24:35.0765 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/09/16 19:24:36.0265 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/09/16 19:24:37.0046 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/09/16 19:24:37.0203 Suspicious service (Hidden): khqlmxop

2010/09/16 19:24:38.0140 khqlmxop (413844bbab192fda33297827a82c02c4) C:\WINDOWS\system32\drivers\oopuhnpkpjv.sys

2010/09/16 19:24:38.0140 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\oopuhnpkpjv.sys. md5: 413844bbab192fda33297827a82c02c4

2010/09/16 19:24:38.0140 khqlmxop - detected Hidden service (1)

2010/09/16 19:24:39.0203 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/09/16 19:24:39.0656 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/09/16 19:24:40.0781 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/09/16 19:24:41.0218 mfeavfk (f5250976c1334c1e4feceddcdf02353e) C:\WINDOWS\system32\drivers\mfeavfk.sys

2010/09/16 19:24:41.0359 mfebopk (787702627cc0770f45206f4034390580) C:\WINDOWS\system32\drivers\mfebopk.sys

2010/09/16 19:24:41.0750 mfehidk (241c09c7d8c589ea1d72a36e6578e42c) C:\WINDOWS\system32\drivers\mfehidk.sys

2010/09/16 19:24:41.0890 mferkdk (a321c17fadad2665c455c6d39e465fe0) C:\WINDOWS\system32\drivers\mferkdk.sys

2010/09/16 19:24:42.0765 mfesmfk (1fbdd2eb37ce910d6cee60140c400b6a) C:\WINDOWS\system32\drivers\mfesmfk.sys

2010/09/16 19:24:42.0921 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys

2010/09/16 19:24:43.0781 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/09/16 19:24:44.0437 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/09/16 19:24:45.0031 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/09/16 19:24:45.0984 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/09/16 19:24:47.0203 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/09/16 19:24:48.0250 MPFP (b53a1134237a49a10352d5dd54bb2a54) C:\WINDOWS\system32\Drivers\Mpfp.sys

2010/09/16 19:24:48.0875 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2010/09/16 19:24:49.0531 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/09/16 19:24:50.0406 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/09/16 19:24:51.0046 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/09/16 19:24:51.0828 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/09/16 19:24:52.0578 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/09/16 19:24:53.0343 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/09/16 19:24:54.0296 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/09/16 19:24:54.0828 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/09/16 19:24:55.0578 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/09/16 19:24:56.0156 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/09/16 19:24:56.0828 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/09/16 19:24:57.0484 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/09/16 19:24:58.0531 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/09/16 19:24:59.0281 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/09/16 19:25:00.0093 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/09/16 19:25:00.0843 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/09/16 19:25:01.0484 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/09/16 19:25:02.0890 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/09/16 19:25:03.0734 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/09/16 19:25:04.0437 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/09/16 19:25:05.0218 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/09/16 19:25:05.0734 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/09/16 19:25:06.0281 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/09/16 19:25:06.0843 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys

2010/09/16 19:25:07.0562 Packet (8f856dae19383bd69db444004d5d4f50) C:\WINDOWS\system32\DRIVERS\packet.sys

2010/09/16 19:25:07.0968 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/09/16 19:25:08.0140 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/09/16 19:25:08.0546 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/09/16 19:25:09.0062 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/09/16 19:25:10.0671 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/09/16 19:25:11.0109 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/09/16 19:25:12.0500 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/09/16 19:25:12.0968 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/09/16 19:25:13.0906 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/09/16 19:25:14.0437 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/09/16 19:25:14.0875 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/09/16 19:25:15.0656 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/09/16 19:25:15.0937 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/09/16 19:25:16.0062 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/09/16 19:25:16.0718 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/09/16 19:25:17.0812 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/09/16 19:25:18.0031 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/09/16 19:25:18.0265 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/09/16 19:25:18.0796 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/09/16 19:25:19.0015 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/09/16 19:25:19.0078 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/09/16 19:25:19.0218 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/09/16 19:25:19.0890 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/09/16 19:25:20.0343 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/09/16 19:25:20.0890 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/09/16 19:25:21.0109 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/09/16 19:25:21.0718 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys

2010/09/16 19:25:22.0109 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys

2010/09/16 19:25:22.0250 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys

2010/09/16 19:25:22.0812 s24trans (2c0e9e777ab1849b43494626c1f308b5) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2010/09/16 19:25:23.0156 SCDEmu (c23dbd9bfba8b1170706e0896b3cf7da) C:\WINDOWS\system32\drivers\SCDEmu.sys

2010/09/16 19:25:23.0281 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2010/09/16 19:25:23.0625 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/09/16 19:25:23.0781 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/09/16 19:25:24.0125 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/09/16 19:25:24.0250 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys

2010/09/16 19:25:24.0562 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys

2010/09/16 19:25:24.0687 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/09/16 19:25:25.0609 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/09/16 19:25:25.0734 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/09/16 19:25:26.0125 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/09/16 19:25:26.0546 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/09/16 19:25:26.0921 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/09/16 19:25:27.0312 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys

2010/09/16 19:25:27.0531 ssm_bus (df5c19f053eff7f8ba25d73aea899656) C:\WINDOWS\system32\DRIVERS\ssm_bus.sys

2010/09/16 19:25:27.0968 ssm_mdfl (5347169fa449eabc4d0728ae39fab926) C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys

2010/09/16 19:25:28.0093 ssm_mdm (7aae23dd105eed15c4f45fc269fa42a9) C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys

2010/09/16 19:25:28.0437 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys

2010/09/16 19:25:28.0609 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys

2010/09/16 19:25:29.0031 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/09/16 19:25:29.0187 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/09/16 19:25:29.0609 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/09/16 19:25:29.0890 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/09/16 19:25:30.0031 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/09/16 19:25:30.0468 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/09/16 19:25:30.0843 SynTP (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2010/09/16 19:25:31.0531 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/09/16 19:25:32.0156 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/09/16 19:25:32.0531 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/09/16 19:25:32.0625 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/09/16 19:25:32.0984 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/09/16 19:25:33.0515 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys

2010/09/16 19:25:33.0843 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys

2010/09/16 19:25:33.0984 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys

2010/09/16 19:25:34.0078 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys

2010/09/16 19:25:34.0656 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys

2010/09/16 19:25:35.0125 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys

2010/09/16 19:25:35.0359 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys

2010/09/16 19:25:35.0796 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys

2010/09/16 19:25:35.0921 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys

2010/09/16 19:25:36.0140 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/09/16 19:25:36.0312 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/09/16 19:25:36.0750 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/09/16 19:25:37.0093 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/09/16 19:25:37.0593 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/09/16 19:25:38.0296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/09/16 19:25:39.0171 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/09/16 19:25:39.0796 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/09/16 19:25:40.0296 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/09/16 19:25:40.0937 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/09/16 19:25:41.0046 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/09/16 19:25:41.0390 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/09/16 19:25:41.0515 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/09/16 19:25:41.0875 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/09/16 19:25:42.0531 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/09/16 19:25:43.0093 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/09/16 19:25:44.0109 w39n51 (95c7421f8bafc85ba09d33364058937d) C:\WINDOWS\system32\DRIVERS\w39n51.sys

2010/09/16 19:25:44.0687 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/09/16 19:25:45.0187 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys

2010/09/16 19:25:47.0453 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/09/16 19:25:47.0984 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2010/09/16 19:25:48.0609 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2010/09/16 19:25:49.0125 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/09/16 19:25:49.0703 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/09/16 19:25:50.0421 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/09/16 19:25:50.0984 ================================================================================

2010/09/16 19:25:50.0984 Scan finished

2010/09/16 19:25:50.0984 ================================================================================

2010/09/16 19:25:51.0000 Detected object count: 2

2010/09/16 19:26:24.0687 APPDRV (983e5142be54f86ba81557f5d80ebcf0) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS

2010/09/16 19:26:24.0687 Suspicious file (Forged): C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS. Real md5: 983e5142be54f86ba81557f5d80ebcf0, Fake md5: ec94e05b76d033b74394e7b2175103cf

2010/09/16 19:26:52.0375 Backup copy not found, trying to cure infected file..

2010/09/16 19:26:52.0375 Cure success, using it..

2010/09/16 19:26:52.0468 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS - will be cured after reboot

2010/09/16 19:26:52.0468 Rootkit.Win32.TDSS.tdl3(APPDRV) - User select action: Cure

2010/09/16 19:26:52.0468 Hidden service(khqlmxop) - User select action: Skip

2010/09/16 19:30:07.0812 Deinitialize success

Link to post
Share on other sites

Hi,

Sorry I realised my firewall was still active. I disabled it and combofix worked. Below is the log.

Thanks again for the support with this.

ComboFix 10-09-16.03 - Nuts 17/09/2010 23:16:50.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.595 [GMT 1:00]

Running from: c:\documents and settings\Nuts\Desktop\ComboFix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate

c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd

c:\documents and settings\Nuts\Application Data\Fyruka

c:\documents and settings\Nuts\Application Data\Fyruka\izys.osu

c:\documents and settings\Nuts\Application Data\Fyruka\izys.tmp

c:\documents and settings\Nuts\Application Data\Lixee

c:\documents and settings\Nuts\Application Data\Lixee\xaxao.exe

c:\documents and settings\Nuts\Local Settings\Application Data\Windows Server

c:\documents and settings\Nuts\Local Settings\Application Data\Windows Server\flags.ini

c:\documents and settings\Nuts\Local Settings\Application Data\Windows Server\server.dat

c:\documents and settings\Nuts\Local Settings\Application Data\Windows Server\uses32.dat

c:\program files\Internet Explorer\complete.dat

c:\program files\Internet Explorer\dmlconf.dat

c:\program files\Microsoft\DesktopLayer.exe

c:\windows\acikilomi.dll

c:\windows\clprvro.dll

c:\windows\ExplorerSrv.exe

c:\windows\kdcoms.dll

c:\windows\system32\drivers\str.sys

c:\windows\system32\qtplugin.exe

c:\windows\system32\Thumbs.db

D:\Autorun.inf

c:\windows\system32\drivers\oopuhnpkpjv.sys . . . is infected!! . . . Failed to find a valid replacement.

.

((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 )))))))))))))))))))))))))))))))

.

2010-09-17 10:38 . 2010-09-17 10:38 -------- d-----w- c:\windows\ie8updates

2010-09-17 07:42 . 2010-06-24 12:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-09-17 07:42 . 2010-06-24 12:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-09-17 07:42 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-09-16 14:03 . 2010-09-16 19:55 73856 ----a-w- c:\windows\system32\drivers\oopuhnpkpjv.sys

2010-09-16 13:23 . 2010-09-16 13:23 -------- d-----w- c:\documents and settings\Nuts\Application Data\Tecuo

2010-09-16 12:21 . 2010-09-16 12:21 -------- d-----w- c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}

2010-09-16 11:06 . 2010-09-16 11:06 53760 ----a-w- c:\windows\system32\shmgrateSrv.exe

2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\scripting

2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\l2schemas

2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\en

2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\bits

2010-09-15 22:17 . 2010-09-15 22:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-09-15 11:34 . 2010-09-15 11:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-09-13 23:43 . 2010-09-13 23:50 -------- d-----w- c:\program files\Startup Inspector for Windows

2010-09-10 10:18 . 2010-09-15 10:17 -------- d-----w- c:\documents and settings\Nuts\Local Settings\Application Data\Temp

2010-09-09 17:00 . 2010-09-09 17:00 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-09-09 10:40 . 2010-09-09 10:40 -------- d-----w- c:\program files\Trend Micro

2010-09-07 21:19 . 2010-09-07 21:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-09-07 21:13 . 2010-09-07 21:13 -------- d-sh--w- c:\documents and settings\Nuts\IETldCache

2010-09-07 21:13 . 2010-09-07 21:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-09-07 20:15 . 2010-09-07 20:15 -------- d-----w- c:\documents and settings\Nuts\Application Data\Malwarebytes

2010-09-07 20:14 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-07 20:14 . 2010-09-07 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-07 20:14 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-07 20:14 . 2010-09-07 20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-07 17:01 . 2010-09-15 23:02 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-07 14:28 . 2010-09-07 14:37 -------- dc-h--w- c:\windows\ie8

2010-09-07 14:13 . 2010-09-07 14:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird

2010-09-07 14:13 . 2010-09-07 14:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird

2010-09-07 12:27 . 2010-09-07 12:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-09-07 12:26 . 2004-08-10 04:00 24576 ----a-w- c:\windows\system32\stu2.exe

2010-09-07 12:25 . 2010-09-07 12:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-09-07 00:04 . 2010-09-17 10:04 120 ----a-w- c:\windows\Tcakuvazi.dat

2010-09-07 00:04 . 2010-09-17 07:26 0 ----a-w- c:\windows\Hwequyufomo.bin

2010-08-30 23:51 . 2010-08-30 23:51 -------- d-----w- c:\program files\iPod

2010-08-23 09:08 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-17 22:33 . 2007-02-06 11:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-17 22:32 . 2009-10-29 20:25 -------- d-----w- c:\program files\Microsoft

2010-09-17 16:30 . 2009-04-01 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-09-17 16:29 . 2006-09-08 13:53 -------- d-----w- c:\program files\Microsoft Works

2010-09-17 09:25 . 2009-03-28 13:57 -------- d-----w- c:\documents and settings\Nuts\Application Data\Spotify

2010-09-17 09:10 . 2010-05-10 12:17 712704 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll

2010-09-17 09:10 . 2010-05-10 12:17 339968 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll

2010-09-17 09:10 . 2010-05-10 12:17 266240 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_dsp.dll

2010-09-17 07:24 . 2009-10-29 20:28 -------- d-----w- c:\program files\Microsoft Silverlight

2010-09-16 18:35 . 2006-09-08 13:38 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS

2010-09-16 11:21 . 2007-12-18 14:09 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-09-16 11:11 . 2005-08-16 03:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-09-13 23:22 . 2010-09-13 23:16 53760 ----a-w- c:\windows\inf\unregmp2Srv.exe

2010-09-13 23:14 . 2007-01-10 13:45 -------- d-----w- c:\program files\Windows Media Connect 2

2010-09-08 13:06 . 2006-09-08 13:54 -------- d-----w- c:\program files\Dell Support

2010-09-08 13:05 . 2006-09-08 13:47 -------- d-----w- c:\program files\QuickTime

2010-09-07 22:22 . 2009-03-09 11:35 167936 ----a-w- c:\documents and settings\Nuts\Application Data\U3\temp\cleanup.exe

2010-09-07 22:22 . 2009-10-27 22:23 207872 ----a-w- c:\documents and settings\Nuts\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

2010-09-07 22:20 . 2006-09-08 13:54 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\HTML\fix\DellSupportLauncher.exe

2010-09-07 22:20 . 2006-09-08 13:54 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\DellSupportLauncher.exe

2010-09-07 22:20 . 2006-09-08 13:54 119808 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\RunGdp.exe

2010-09-07 22:20 . 2006-10-10 21:13 119808 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\item_templ\coach\RunGdp.exe

2010-09-07 22:20 . 2007-03-30 10:42 94208 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\DellSommelierFix.exe

2010-09-07 22:20 . 2006-10-10 21:13 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\fix\DellSupportLauncher.exe

2010-09-07 22:20 . 2009-12-28 20:07 199168 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE

2010-09-07 22:20 . 2009-12-28 20:07 168960 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

2010-09-07 22:20 . 2006-09-12 15:41 128000 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\CIP\DellSupportODBK.exe

2010-08-30 23:54 . 2010-07-11 16:36 -------- d-----w- c:\program files\iTunes

2010-08-30 23:51 . 2007-07-01 23:09 -------- d-----w- c:\program files\Common Files\Apple

2010-08-30 23:33 . 2010-08-30 23:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-08-17 13:17 . 2005-08-16 03:18 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-07-22 15:49 . 2005-08-16 03:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-04-16 20:39 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-06-30 12:31 . 2005-08-16 03:18 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2005-08-16 03:18 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2005-08-16 03:18 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2005-08-16 03:18 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2007-05-26 23:57 . 2007-05-26 23:57 251 -c--a-w- c:\program files\wt3d.ini

2008-04-25 13:32 . 2008-04-25 13:32 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2009-09-16 11:17 . 2006-09-12 12:51 88 --sh--r- c:\windows\system32\0C831E6059.sys

2009-02-06 13:44 . 2006-09-12 20:57 56 --sh--r- c:\windows\system32\59601E830C.sys

2009-09-16 11:17 . 2006-09-12 12:51 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2010-09-09 444416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]

"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2010-09-09 114688]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2010-09-08 307200]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2010-09-08 139264]

"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]

"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-01-17 36904]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Default User\Start Menu\Programs\Startup\

hyto.exe [2010-9-15 116224]

uxniar.exe [2010-9-17 108032]

yzzop.exe [2010-9-8 105984]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

uvyze.exe [2010-9-17 108032]

uwyqse.exe [2010-9-15 116224]

zywa.exe [2010-9-8 105984]

c:\documents and settings\Richard\Start Menu\Programs\Startup\

esazu.exe [2010-9-15 116224]

woage.exe [2010-9-8 105984]

ymyp.exe [2010-9-17 108032]

c:\documents and settings\Nuts\Start Menu\Programs\Startup\

Dell Network Assistant.lnk - c:\program files\Dell Network Assistant\ezi_hnm2.exe [2007-8-27 1082664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-9-8 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\intel\wireless\bin\wlkeepersrv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nuts^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Nuts\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-07-13 14:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2005-05-31 04:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2005-12-09 19:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX110 Series]

2008-09-26 23:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFBE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-06-04 00:07 136176 ----atw- c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]

2007-08-03 22:33 582992 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2010-09-08 09:33 225280 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-07 23:41 479232 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [16/09/2010 15:03 73856]

S0 lahkdae;lahkdae;c:\windows\system32\drivers\owikrfa.sys --> c:\windows\system32\drivers\owikrfa.sys [?]

S0 yusvtjej;yusvtjej;c:\windows\system32\drivers\rxtdrj.sys --> c:\windows\system32\drivers\rxtdrj.sys [?]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 16:06 11520]

.

Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4287233673-3878696775-4131652522-1005Core.job

- c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 00:07]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4287233673-3878696775-4131652522-1005UA.job

- c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 00:07]

2010-09-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 12:32]

2010-09-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 12:32]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.bbc.co.uk/football

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

FF - ProfilePath - c:\documents and settings\Nuts\Application Data\Mozilla\Firefox\Profiles\j57dut8t.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?source=haiu

FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll

FF - plugin: c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

FF - HiddenExtension: XULRunner: {11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40} - c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Bhilaho - c:\windows\clprvro.dll

HKCU-Run-{758A8262-B6B2-65FD-92F8-28F444205964} - c:\documents and settings\Nuts\Application Data\Lixee\xaxao.exe

HKLM-Run-Qfabowetureto - c:\windows\acikilomi.dll

SafeBoot-klmdb.sys

MSConfigStartUp-Bhilaho - c:\windows\clprvro.dll

MSConfigStartUp-Qfabowetureto - c:\windows\acikilomi.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-17 23:33

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\

Link to post
Share on other sites

Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

File::
c:\windows\system32\drivers\owikrfa.sys
c:\windows\system32\drivers\rxtdrj.sys
c:\windows\system32\drivers\oopuhnpkpjv.sys
c:\windows\system32\shmgrateSrv.exe
c:\windows\system32\stu2.exe
c:\windows\Tcakuvazi.dat
c:\windows\Hwequyufomo.bin
c:\windows\inf\unregmp2Srv.exe
c:\windows\system32\0C831E6059.sys
c:\windows\system32\59601E830C.sys
c:\documents and settings\Default User\Start Menu\Programs\Startup\hyto.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\uxniar.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\yzzop.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\uvyze.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\uwyqse.exe
c:\documents and settings\Administrator\Start Menu\Programs\Startup\zywa.exe
c:\documents and settings\Richard\Start Menu\Programs\Startup\esazu.exe
c:\documents and settings\Richard\Start Menu\Programs\Startup\woage.exe
c:\documents and settings\Richard\Start Menu\Programs\Startup\ymyp.exe
c:\program files\intel\wireless\bin\wlkeepersrv.exe

Folder::
c:\documents and settings\Nuts\Application Data\Tecuo
c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,"

Driver::
khqlmxop
lahkdae
yusvtjej

Firefox::
FF - ProfilePath - c:\documents and settings\Nuts\Application Data\Mozilla\Firefox\Profiles\j57dut8t.default\
FF - HiddenExtension: XULRunner: {11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40} - c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}

KillAll::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Link to post
Share on other sites

Hi Gammo,

I followed your instructions and the log file produced is below.

In terms of performance, the google search result redirects seem to have ceased, and neither explorer.exe nor system seem to be using unusual levels of CPU. However upon startup some programs such as iexplore.exe and firefox.exe still seem to be running in the background without me actually starting them

Thank you.

ComboFix 10-09-16.03 - Nuts 18/09/2010 15:43:40.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.608 [GMT 1:00]

Running from: c:\documents and settings\Nuts\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Nuts\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\documents and settings\Administrator\Start Menu\Programs\Startup\uvyze.exe"

"c:\documents and settings\Administrator\Start Menu\Programs\Startup\uwyqse.exe"

"c:\documents and settings\Administrator\Start Menu\Programs\Startup\zywa.exe"

"c:\documents and settings\Default User\Start Menu\Programs\Startup\hyto.exe"

"c:\documents and settings\Default User\Start Menu\Programs\Startup\uxniar.exe"

"c:\documents and settings\Default User\Start Menu\Programs\Startup\yzzop.exe"

"c:\documents and settings\Richard\Start Menu\Programs\Startup\esazu.exe"

"c:\documents and settings\Richard\Start Menu\Programs\Startup\woage.exe"

"c:\documents and settings\Richard\Start Menu\Programs\Startup\ymyp.exe"

"c:\program files\intel\wireless\bin\wlkeepersrv.exe"

"c:\windows\Hwequyufomo.bin"

"c:\windows\inf\unregmp2Srv.exe"

"c:\windows\system32\0C831E6059.sys"

"c:\windows\system32\59601E830C.sys"

"c:\windows\system32\drivers\oopuhnpkpjv.sys"

"c:\windows\system32\drivers\owikrfa.sys"

"c:\windows\system32\drivers\rxtdrj.sys"

"c:\windows\system32\shmgrateSrv.exe"

"c:\windows\system32\stu2.exe"

"c:\windows\Tcakuvazi.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Start Menu\Programs\Startup\uvyze.exe

c:\documents and settings\Administrator\Start Menu\Programs\Startup\uwyqse.exe

c:\documents and settings\Administrator\Start Menu\Programs\Startup\zywa.exe

c:\documents and settings\Default User\Start Menu\Programs\Startup\hyto.exe

c:\documents and settings\Default User\Start Menu\Programs\Startup\uxniar.exe

c:\documents and settings\Default User\Start Menu\Programs\Startup\yzzop.exe

c:\documents and settings\Nuts\Application Data\Esekas\voley.exe

c:\documents and settings\Nuts\Application Data\Tecuo

c:\documents and settings\Nuts\Application Data\Tecuo\epoc.sue

c:\documents and settings\Nuts\Application Data\Tecuo\epoc.tmp

c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}

c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}\chrome.manifest

c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}\chrome\content\_cfg.js

c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}\chrome\content\overlay.xul

c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}\install.rdf

c:\documents and settings\Richard\Start Menu\Programs\Startup\esazu.exe

c:\documents and settings\Richard\Start Menu\Programs\Startup\woage.exe

c:\documents and settings\Richard\Start Menu\Programs\Startup\ymyp.exe

c:\program files\intel\wireless\bin\wlkeepersrv.exe

c:\program files\Internet Explorer\complete.dat

c:\program files\Internet Explorer\dmlconf.dat

c:\program files\Microsoft\DesktopLayer.exe

c:\windows\clprvro.dll

c:\windows\ExplorerSrv.exe

c:\windows\Hwequyufomo.bin

c:\windows\inf\unregmp2Srv.exe

c:\windows\system32\0C831E6059.sys

c:\windows\system32\59601E830C.sys

c:\windows\system32\drivers\oopuhnpkpjv.sys

c:\windows\system32\shmgrateSrv.exe

c:\windows\system32\stu2.exe

c:\windows\Tcakuvazi.dat

c:\program files\Microsoft\DesktopLayer.exe . . . .

c:\windows\system32\drivers\oopuhnpkpjv.sys . . . is infected!! . . . Failed to find a valid replacement.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_khqlmxop

-------\Service_lahkdae

-------\Service_yusvtjej

((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 )))))))))))))))))))))))))))))))

.

2010-09-17 22:54 . 2010-09-18 14:25 -------- d-----w- c:\program files\sys32

2010-09-17 22:54 . 2010-09-18 14:25 -------- d-----w- c:\program files\riv87

2010-09-17 10:38 . 2010-09-17 10:38 -------- d-----w- c:\windows\ie8updates

2010-09-17 07:42 . 2010-06-24 12:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll

2010-09-17 07:42 . 2010-06-24 12:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll

2010-09-17 07:42 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\scripting

2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\l2schemas

2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\en

2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\bits

2010-09-15 22:17 . 2010-09-15 22:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-09-15 11:34 . 2010-09-15 11:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2010-09-13 23:43 . 2010-09-13 23:50 -------- d-----w- c:\program files\Startup Inspector for Windows

2010-09-10 10:18 . 2010-09-15 10:17 -------- d-----w- c:\documents and settings\Nuts\Local Settings\Application Data\Temp

2010-09-09 17:00 . 2010-09-09 17:00 552 ----a-w- c:\windows\system32\d3d8caps.dat

2010-09-09 10:40 . 2010-09-09 10:40 -------- d-----w- c:\program files\Trend Micro

2010-09-07 21:19 . 2010-09-07 21:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2010-09-07 21:13 . 2010-09-07 21:13 -------- d-sh--w- c:\documents and settings\Nuts\IETldCache

2010-09-07 21:13 . 2010-09-07 21:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-09-07 20:15 . 2010-09-07 20:15 -------- d-----w- c:\documents and settings\Nuts\Application Data\Malwarebytes

2010-09-07 20:14 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-07 20:14 . 2010-09-07 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-07 20:14 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-07 20:14 . 2010-09-07 20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-07 17:01 . 2010-09-15 23:02 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-09-07 14:28 . 2010-09-07 14:37 -------- dc-h--w- c:\windows\ie8

2010-09-07 14:13 . 2010-09-07 14:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird

2010-09-07 14:13 . 2010-09-07 14:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird

2010-09-07 12:27 . 2010-09-07 12:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2010-09-07 12:25 . 2010-09-07 12:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-08-30 23:51 . 2010-08-30 23:51 -------- d-----w- c:\program files\iPod

2010-08-23 09:08 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 15:05 . 2007-02-06 11:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-09-18 15:03 . 2009-10-29 20:25 -------- d-----w- c:\program files\Microsoft

2010-09-18 14:57 . 2009-03-10 04:43 -------- d-----w- c:\documents and settings\Nuts\Application Data\Esekas

2010-09-18 14:26 . 2006-10-11 06:48 -------- d-----w- c:\documents and settings\Nuts\Application Data\Ufaf

2010-09-17 16:30 . 2009-04-01 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-09-17 16:29 . 2006-09-08 13:53 -------- d-----w- c:\program files\Microsoft Works

2010-09-17 09:25 . 2009-03-28 13:57 -------- d-----w- c:\documents and settings\Nuts\Application Data\Spotify

2010-09-17 09:10 . 2010-05-10 12:17 712704 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll

2010-09-17 09:10 . 2010-05-10 12:17 339968 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll

2010-09-17 09:10 . 2010-05-10 12:17 266240 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_dsp.dll

2010-09-17 07:24 . 2009-10-29 20:28 -------- d-----w- c:\program files\Microsoft Silverlight

2010-09-16 18:35 . 2006-09-08 13:38 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS

2010-09-16 11:21 . 2007-12-18 14:09 -------- d-----w- c:\program files\Mozilla Thunderbird

2010-09-16 11:11 . 2005-08-16 03:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat

2010-09-13 23:14 . 2007-01-10 13:45 -------- d-----w- c:\program files\Windows Media Connect 2

2010-09-08 13:06 . 2006-09-08 13:54 -------- d-----w- c:\program files\Dell Support

2010-09-08 13:05 . 2006-09-08 13:47 -------- d-----w- c:\program files\QuickTime

2010-09-07 22:22 . 2009-03-09 11:35 167936 ----a-w- c:\documents and settings\Nuts\Application Data\U3\temp\cleanup.exe

2010-09-07 22:22 . 2009-10-27 22:23 207872 ----a-w- c:\documents and settings\Nuts\Application Data\Sun\Java\jre1.6.0_16\lzma.dll

2010-09-07 22:20 . 2006-09-08 13:54 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\HTML\fix\DellSupportLauncher.exe

2010-09-07 22:20 . 2006-09-08 13:54 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\DellSupportLauncher.exe

2010-09-07 22:20 . 2006-09-08 13:54 119808 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\RunGdp.exe

2010-09-07 22:20 . 2006-10-10 21:13 119808 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\item_templ\coach\RunGdp.exe

2010-09-07 22:20 . 2007-03-30 10:42 94208 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\DellSommelierFix.exe

2010-09-07 22:20 . 2006-10-10 21:13 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\fix\DellSupportLauncher.exe

2010-09-07 22:20 . 2009-12-28 20:07 199168 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE

2010-09-07 22:20 . 2009-12-28 20:07 168960 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

2010-09-07 22:20 . 2006-09-12 15:41 128000 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\CIP\DellSupportODBK.exe

2010-08-30 23:54 . 2010-07-11 16:36 -------- d-----w- c:\program files\iTunes

2010-08-30 23:51 . 2007-07-01 23:09 -------- d-----w- c:\program files\Common Files\Apple

2010-08-30 23:33 . 2010-08-30 23:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

2010-08-17 13:17 . 2005-08-16 03:18 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-07-22 15:49 . 2005-08-16 03:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-04-16 20:39 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-06-30 12:31 . 2005-08-16 03:18 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2005-08-16 03:18 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2005-08-16 03:18 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2005-08-16 03:18 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2007-05-26 23:57 . 2007-05-26 23:57 251 -c--a-w- c:\program files\wt3d.ini

2008-04-25 13:32 . 2008-04-25 13:32 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll

2009-09-16 11:17 . 2006-09-12 12:51 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2010-09-09 444416]

"Bhilaho"="c:\windows\clprvro.dll" [bU]

"{758A8262-B6B2-65FD-92F8-28F444205964}"="c:\documents and settings\Nuts\Application Data\Esekas\voley.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]

"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182]

"CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2010-09-09 114688]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2010-09-08 307200]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2010-09-08 139264]

"MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144]

"SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-01-17 36904]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Nuts\Start Menu\Programs\Startup\

Dell Network Assistant.lnk - c:\program files\Dell Network Assistant\ezi_hnm2.exe [2007-8-27 1082664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-9-8 7168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk

backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nuts^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Nuts\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]

2010-07-13 14:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]

2005-05-31 04:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2005-12-09 19:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX110 Series]

2008-09-26 23:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFBE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-06-04 00:07 136176 ----atw- c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe]

2007-08-03 22:33 582992 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]

2010-09-08 09:33 225280 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-07 23:41 479232 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol

"10426:UDP"= 10426:UDP:SingleClick ICC

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 16:06 11520]

.

Contents of the 'Scheduled Tasks' folder

2010-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4287233673-3878696775-4131652522-1005Core.job

- c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 00:07]

2010-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4287233673-3878696775-4131652522-1005UA.job

- c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 00:07]

2010-09-15 c:\windows\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 12:32]

2010-09-01 c:\windows\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 12:32]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uStart Page = hxxp://www.bbc.co.uk/football

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab

FF - ProfilePath - c:\documents and settings\Nuts\Application Data\Mozilla\Firefox\Profiles\j57dut8t.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?source=haiu

FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll

FF - plugin: c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-18 16:05

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\

Link to post
Share on other sites

Hi,

Two programs to download

First

ISOBurner this will allow you to burn drweb.iso to a cd and make it bootable. Just install the program, from there on in it is fairly automatic. Instructions

Second

  • Download Dr.Web LiveCD and burn it to a CD using ISO Burner. NOTE: This file is 90Mb in size so it may take some time to download.
  • When downloaded, double click the file and this will then open ISOBurner to burn the file to a CD.
  • Reboot your system using the Dr.Web Live CD.
  • Note : If you do not know how to set your computer to boot from CD follow the steps here .
  • As loading starts, a dialogue window will prompt you to choose between the standard and safe modes.
  • Use arrow keys to select to select DrWeb-LiveCD (Default) and press "Enter".
  • The operating system will detect all available disk drives automatically. It will also try to connect to the local network, if available.
  • When the system is loaded, click on the green circle button at the top and let it update.
  • After it is done updating, check the disks or folders you want to scan (which is all of them) and click the "Start" button.
  • Then select what drives (should be all) so we can disinfect all partitions.
  • After the scan is complete, and if the scan found stuff:
    • Click "Select All" and the click "Cure" NOTE: Make double sure to click CURE and NOT Delete!
    • Let Dr.Web RENAME the files that can't be cured.
    • After that, please reboot your PC.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please click here to download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer into SafeMode.

    You can do this by restarting your computer and continually tapping the
    F8
    key until a menu appears.

    Use your up arrow key to highlight SafeMode then hit
    enter
    .


  • Double click the setup file to run it.
  • Click Next to continue.
  • Accept the Licence agreement and click on next
  • It will by default install it to your desktop folder.Click Next.
  • It will then open a box There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.


  • Hidden Startup Objects

  • System Memory

  • Disk Boot Sectors.

  • My Computer.

  • Also any other drives (Removable that you may have)

Leave the rest of the settings as they appear as default.

  • Then click on Scan at the to right hand Corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all
  • If it says it cannot be Neutralized then chooose The delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to file name it Kas.
  • Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.

Link to post
Share on other sites

  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.