www.google.com/webhp keeps popping up...

negster22 · November 7, 2010

OK be sure to rename it to iexplore.exe as you download. This infection you have has a lot of self-protection in place.

nick20z71 · November 7, 2010

Yeah, I have renamed it BEFORE download everytime. After I run it once, it gets renamed to combofix automatically. Ran a new downloaded DDS....heres the log....

DDS (Ver_10-11-08.01) - NTFSx86

Run by Nick Kruse at 15:20:04.84 on Sun 11/07/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.651 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

svchost.exe

C:\Program Files\Logitech\iTouch\iTouch.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Nick Kruse\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262725425720

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nickkr~1\applic~1\mozilla\firefox\profiles\ktceon9z.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.msn.com

FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-9-1 64288]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-12 136176]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1375992]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-21 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-21 8320]

=============== Created Last 30 ================

2010-11-07 18:36:53 -------- d-----w- C:\ComboFix

2010-11-07 16:50:51 -------- d-sha-r- C:\cmdcons

2010-11-07 01:33:10 98816 ----a-w- c:\windows\sed.exe

2010-11-07 01:33:10 88576 ----a-w- c:\windows\MBR.exe

2010-11-07 01:33:10 256512 ----a-w- c:\windows\PEV.exe

2010-11-07 01:33:10 161792 ----a-w- c:\windows\SWREG.exe

2010-11-07 00:36:34 -------- d-----w- c:\docume~1\nickkr~1\applic~1\URSoft

2010-11-07 00:36:28 -------- d-----w- c:\program files\Your Uninstaller 2010

2010-10-14 17:00:27 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-10-14 13:07:08 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-14 13:07:08 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-14 13:07:01 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-10-13 19:21:22 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe

2010-10-13 19:21:21 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-30 14:49:50 398744 ----a-r- c:\windows\system32\cpnprt2.cid

2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-08-12 12:15:20 15880 ----a-w- c:\windows\system32\lsdelete.exe

============= FINISH: 15:20:37.54 ===============

negster22 · November 7, 2010

Hi Nick,

That report curiously looks OK, and it shows that Combofix did fix the items in the script I gave you to process it with.

Please also download MBRCheck to your desktop

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

Double click MBRCheck.exe to run (Vista and Win 7 users should right-click and select Run as Administrator)
It will show a Black screen with some data on it
a report called MBRcheck will be on your desktop
open this report
Right click on the screen and select > Select All
Press Control+C
now please copy that report to this thread

Also, I want you to run TDSSKiller again and post the NEW log back here.

You didn't respond to my question about whether the Recovery Console appears as Windows Startup Menu option when you reboot your computer.

Please respond!!!!

I'd like you to copy/past into your next reply:

1. MBRCheck.txt (on desktop)

2.TDSSKiller Log

3. Is Recovery Console installed and accessible can you boot to it?

4. Copy/Paste this log, too:

C:\Qoobox\ComboFix-quarantined-files.txt

nick20z71 · November 7, 2010

There was no combofix log under C:/ Didn't notice if it gave the windows recovery option or not. Deleted combofix from desktop and downloaded it and renamed it to iexplore.exe before downloading. Moved script into combofiz and it started running. said that the MBR was infected and needed to reboot, let it. Noticed when rebotting that revocery option flashed very quickly. Also when combofix was starting to reboot. Windows error popped up saying that there was some error and needed to shut down. happened to quick for me to catch what it was....

I didn't try to select it to boot from there, because it happened so quick.

Going to work on what you just told me to do right now....

nick20z71 · November 7, 2010

ok....heres the MBR...

MBRCheck, version 1.2.3

Command-line:

Windows Version: Windows XP Professional

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x000003fd

Kernel Drivers (total 129):

0x804D7000 \WINDOWS\system32\ntoskrnl.exe

0x806FF000 \WINDOWS\system32\hal.dll

0xF7C3F000 \WINDOWS\system32\KDCOM.DLL

0xF7C43000 \WINDOWS\system32\BOOTVID.dll

0xF77E0000 ACPI.sys

0xF7D2F000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xF77CF000 pci.sys

0xF782F000 isapnp.sys

0xF783F000 ohci1394.sys

0xF784F000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xF7DF7000 PCIIde.sys

0xF7AAF000 \WINDOWS\System32\Drivers\PCIIDEX.SYS

0xF7D31000 intelide.sys

0xF785F000 MountMgr.sys

0xF77B0000 ftdisk.sys

0xF7D33000 dmload.sys

0xF778A000 dmio.sys

0xF7AB7000 PartMgr.sys

0xF786F000 VolSnap.sys

0xF7772000 atapi.sys

0xF787F000 disk.sys

0xF788F000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xF7752000 fltmgr.sys

0xF7740000 sr.sys

0xF789F000 Lbd.sys

0xF78AF000 PxHelp20.sys

0xF7729000 KSecDD.sys

0xF7716000 WudfPf.sys

0xF7689000 Ntfs.sys

0xF765C000 NDIS.sys

0xF7642000 Mup.sys

0xF78BF000 agp440.sys

0xF78FF000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xF7244000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xF7230000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xF7B4F000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xF720C000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xF7B57000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xF790F000 \SystemRoot\system32\DRIVERS\nic1394.sys

0xF7198000 \SystemRoot\system32\DRIVERS\WPN311.sys

0xF791F000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xF7CD7000 \SystemRoot\system32\DRIVERS\itchfltr.sys

0xF7B5F000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xF7B67000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xF792F000 \SystemRoot\system32\DRIVERS\serial.sys

0xF7CDB000 \SystemRoot\system32\DRIVERS\serenum.sys

0xF7B6F000 \SystemRoot\system32\DRIVERS\fdc.sys

0xF7184000 \SystemRoot\system32\DRIVERS\parport.sys

0xF793F000 \SystemRoot\system32\DRIVERS\imapi.sys

0xF794F000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xF795F000 \SystemRoot\system32\DRIVERS\redbook.sys

0xF7161000 \SystemRoot\system32\DRIVERS\ks.sys

0xF70D0000 \SystemRoot\system32\drivers\ALCXWDM.SYS

0xF70AC000 \SystemRoot\system32\drivers\portcls.sys

0xF796F000 \SystemRoot\system32\drivers\drmk.sys

0xF704C000 \SystemRoot\system32\drivers\ALCXSENS.SYS

0xF7E73000 \SystemRoot\system32\DRIVERS\audstub.sys

0xF797F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xF7CE3000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xF6F95000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xF798F000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xF799F000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xF7B77000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xF6F5C000 \SystemRoot\system32\DRIVERS\psched.sys

0xF79AF000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xF7B8F000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xF7B97000 \SystemRoot\system32\DRIVERS\raspti.sys

0xF6F2C000 \SystemRoot\system32\DRIVERS\rdpdr.sys

0xF79BF000 \SystemRoot\system32\DRIVERS\termdd.sys

0xF7DC9000 \SystemRoot\system32\DRIVERS\swenum.sys

0xF6ECE000 \SystemRoot\system32\DRIVERS\update.sys

0xF7D03000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xF79CF000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xF79FF000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xF7DCB000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xF7B9F000 \SystemRoot\system32\DRIVERS\flpydisk.sys

0xF7DD7000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xF7ED0000 \SystemRoot\System32\Drivers\Null.SYS

0xF7DD9000 \SystemRoot\System32\Drivers\Beep.SYS

0xF7BAF000 \SystemRoot\System32\drivers\vga.sys

0xF7DDB000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xF7DDD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xF7BB7000 \SystemRoot\System32\Drivers\Msfs.SYS

0xF7BBF000 \SystemRoot\System32\Drivers\Npfs.SYS

0xF6E96000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xBA705000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xBA6AC000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xBA684000 \SystemRoot\system32\DRIVERS\netbt.sys

0xBA65E000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xF7A3F000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xBA63C000 \SystemRoot\System32\drivers\afd.sys

0xF7A4F000 \SystemRoot\system32\DRIVERS\netbios.sys

0xBA611000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xBA5A1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xF7A6F000 \SystemRoot\system32\DRIVERS\arp1394.sys

0xF7A7F000 \SystemRoot\System32\Drivers\Fips.SYS

0xF7BCF000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xF7BD7000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS

0xF6E66000 \SystemRoot\system32\DRIVERS\usbscan.sys

0xF7BDF000 \SystemRoot\system32\DRIVERS\usbprint.sys

0xF7BE7000 \SystemRoot\system32\DRIVERS\HPZius12.sys

0xF7A9F000 \SystemRoot\system32\DRIVERS\HPZid412.sys

0xF6E5E000 \SystemRoot\system32\DRIVERS\HPZipr12.sys

0xF78EF000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xBA589000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xF7DF1000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xF6E56000 \SystemRoot\System32\drivers\Dxapi.sys

0xF7BEF000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xF7F63000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF065000 \SystemRoot\System32\ati2cqag.dll

0xBF0FE000 \SystemRoot\System32\atikvmag.dll

0xBF182000 \SystemRoot\System32\atiok3x2.dll

0xBF1CD000 \SystemRoot\System32\ati3duag.dll

0xBF572000 \SystemRoot\System32\ativvaxx.dll

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xB84A1000 \SystemRoot\system32\DRIVERS\AegisP.sys

0xB849D000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xB804C000 \SystemRoot\system32\drivers\wdmaud.sys

0xB81B9000 \SystemRoot\system32\drivers\sysaudio.sys

0xB7DEF000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xF7DE3000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xB7C13000 \SystemRoot\system32\DRIVERS\srv.sys

0xB7868000 \SystemRoot\System32\Drivers\HTTP.sys

0xF7B87000 \??\C:\DOCUME~1\NICKKR~1\LOCALS~1\Temp\mbr.sys

0xB760D000 \SystemRoot\system32\drivers\kmixer.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 28):

0 System Idle Process

4 System

484 C:\WINDOWS\system32\smss.exe

552 csrss.exe

584 C:\WINDOWS\system32\winlogon.exe

628 C:\WINDOWS\system32\services.exe

648 C:\WINDOWS\system32\lsass.exe

812 C:\WINDOWS\system32\ati2evxx.exe

828 C:\WINDOWS\system32\svchost.exe

888 svchost.exe

928 C:\WINDOWS\system32\svchost.exe

968 C:\WINDOWS\system32\svchost.exe

1020 svchost.exe

1076 svchost.exe

1236 C:\WINDOWS\system32\ati2evxx.exe

1376 C:\WINDOWS\system32\spoolsv.exe

2000 C:\WINDOWS\explorer.exe

332 C:\WINDOWS\SOUNDMAN.EXE

340 svchost.exe

352 C:\Program Files\Logitech\iTouch\iTouch.exe

408 C:\WINDOWS\system32\ctfmon.exe

328 C:\WINDOWS\system32\acs.exe

1124 C:\Program Files\Java\jre6\bin\jqs.exe

1556 C:\WINDOWS\system32\svchost.exe

2260 alg.exe

2616 C:\Program Files\Internet Explorer\iexplore.exe

3128 C:\Program Files\Internet Explorer\iexplore.exe

2520 C:\Documents and Settings\Nick Kruse\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000009`c3dcd400 (NTFS)

PhysicalDrive0 Model Number: Maxtor6Y120P0, Rev: YAR41BW0

Size Device Name MBR Status

--------------------------------------------

114 GB \\.\PhysicalDrive0 Unknown MBR code

SHA1: 3DD27C7EE9B2D8B2CB511843C79460E5DB3CA995

Found non-standard or infected MBR.

Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Options:

[1] Dump the MBR of a physical disk to file.

[2] Restore the MBR of a physical disk with a standard boot code.

[3] Exit.

Enter your choice:

Done!

Here's The TDSSkiller log....

2010/11/07 18:17:20.0656 TDSS rootkit removing tool 2.4.6.0 Nov 3 2010 10:11:43

2010/11/07 18:17:20.0656 ================================================================================

2010/11/07 18:17:20.0656 SystemInfo:

2010/11/07 18:17:20.0656

2010/11/07 18:17:20.0656 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/07 18:17:20.0656 Product type: Workstation

2010/11/07 18:17:20.0656 ComputerName: NICK-PC

2010/11/07 18:17:20.0656 UserName: Nick Kruse

2010/11/07 18:17:20.0656 Windows directory: C:\WINDOWS

2010/11/07 18:17:20.0656 System windows directory: C:\WINDOWS

2010/11/07 18:17:20.0656 Processor architecture: Intel x86

2010/11/07 18:17:20.0656 Number of processors: 2

2010/11/07 18:17:20.0656 Page size: 0x1000

2010/11/07 18:17:20.0656 Boot type: Normal boot

2010/11/07 18:17:20.0656 ================================================================================

2010/11/07 18:17:20.0843 Initialize success

2010/11/07 18:17:25.0375 ================================================================================

2010/11/07 18:17:25.0375 Scan started

2010/11/07 18:17:25.0375 Mode: Manual;

2010/11/07 18:17:25.0375 ================================================================================

2010/11/07 18:17:27.0046 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/07 18:17:27.0093 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/07 18:17:27.0140 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/07 18:17:27.0187 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/11/07 18:17:27.0218 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/11/07 18:17:27.0250 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/11/07 18:17:27.0343 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

2010/11/07 18:17:27.0390 ALCXWDM (bc5c55b49c4bd1fdfaaa128fe21f9fea) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2010/11/07 18:17:27.0500 AR5211 (08e03e8ab837dc9dd2737930ecd19fbc) C:\WINDOWS\system32\DRIVERS\WPN311.sys

2010/11/07 18:17:27.0578 AR5416 (00e031fe2d849be503fc4a47271f1ea5) C:\WINDOWS\system32\DRIVERS\athw.sys

2010/11/07 18:17:27.0640 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/11/07 18:17:27.0734 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/07 18:17:27.0750 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/07 18:17:27.0890 ati2mtag (c51608bba3248be2f6d21b132910752a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/11/07 18:17:27.0937 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/07 18:17:27.0968 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/07 18:17:28.0015 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/07 18:17:28.0140 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/07 18:17:28.0187 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/07 18:17:28.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/07 18:17:28.0234 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/07 18:17:28.0359 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/07 18:17:28.0421 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/07 18:17:28.0468 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/07 18:17:28.0484 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/07 18:17:28.0531 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/07 18:17:28.0593 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/07 18:17:28.0625 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/07 18:17:28.0640 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/11/07 18:17:28.0671 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/07 18:17:28.0703 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/11/07 18:17:28.0734 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/11/07 18:17:28.0765 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/07 18:17:28.0796 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/07 18:17:28.0812 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/07 18:17:28.0890 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/11/07 18:17:28.0937 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/11/07 18:17:28.0968 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/11/07 18:17:29.0015 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/07 18:17:29.0093 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/11/07 18:17:29.0109 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/11/07 18:17:29.0140 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/11/07 18:17:29.0171 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/11/07 18:17:29.0203 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/11/07 18:17:29.0234 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/07 18:17:29.0265 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/07 18:17:29.0312 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/07 18:17:29.0343 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/07 18:17:29.0375 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/07 18:17:29.0406 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/07 18:17:29.0437 itchfltr (8f1ba487b35f0c8f637e05113aa815f8) C:\WINDOWS\system32\DRIVERS\itchfltr.sys

2010/11/07 18:17:29.0468 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/07 18:17:29.0515 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/07 18:17:29.0546 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/07 18:17:29.0609 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2010/11/07 18:17:29.0671 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/07 18:17:29.0718 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/07 18:17:29.0750 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys

2010/11/07 18:17:29.0781 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys

2010/11/07 18:17:29.0796 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/07 18:17:29.0812 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/07 18:17:29.0843 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/07 18:17:29.0890 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/07 18:17:29.0921 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/07 18:17:29.0968 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/07 18:17:29.0984 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/07 18:17:30.0015 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/07 18:17:30.0046 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/07 18:17:30.0078 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/07 18:17:30.0093 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/07 18:17:30.0125 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/07 18:17:30.0156 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/07 18:17:30.0171 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/07 18:17:30.0203 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/07 18:17:30.0218 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/07 18:17:30.0234 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/07 18:17:30.0281 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/11/07 18:17:30.0296 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/07 18:17:30.0328 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/07 18:17:30.0390 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/07 18:17:30.0437 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/07 18:17:30.0453 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/07 18:17:30.0468 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/11/07 18:17:30.0500 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/11/07 18:17:30.0515 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/07 18:17:30.0546 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/07 18:17:30.0562 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/07 18:17:30.0593 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

2010/11/07 18:17:30.0625 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/11/07 18:17:30.0765 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/07 18:17:30.0796 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/07 18:17:30.0812 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/07 18:17:30.0828 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/11/07 18:17:30.0937 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/07 18:17:30.0953 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/07 18:17:30.0984 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/07 18:17:31.0000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/07 18:17:31.0046 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/07 18:17:31.0062 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/07 18:17:31.0093 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/07 18:17:31.0140 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/07 18:17:31.0171 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/07 18:17:31.0234 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/07 18:17:31.0265 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/11/07 18:17:31.0296 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/11/07 18:17:31.0328 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/07 18:17:31.0406 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/07 18:17:31.0437 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/07 18:17:31.0484 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/07 18:17:31.0531 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/07 18:17:31.0546 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/07 18:17:31.0656 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/07 18:17:31.0718 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/07 18:17:31.0750 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/07 18:17:31.0781 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/07 18:17:31.0812 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/07 18:17:31.0875 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/07 18:17:31.0937 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/07 18:17:31.0968 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/07 18:17:31.0984 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/07 18:17:32.0000 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/07 18:17:32.0015 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/07 18:17:32.0046 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/07 18:17:32.0062 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/07 18:17:32.0093 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/07 18:17:32.0125 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/07 18:17:32.0156 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/07 18:17:32.0171 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/07 18:17:32.0234 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2010/11/07 18:17:32.0296 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/07 18:17:32.0390 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/11/07 18:17:32.0406 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/07 18:17:32.0437 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/11/07 18:17:32.0468 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/11/07 18:17:32.0468 ================================================================================

2010/11/07 18:17:32.0468 Scan finished

2010/11/07 18:17:32.0468 ================================================================================

2010/11/07 18:17:32.0484 Detected object count: 1

2010/11/07 18:17:35.0312 \HardDisk0 - will be cured after reboot

2010/11/07 18:17:35.0312 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/11/07 18:17:45.0640 Deinitialize success

3.) YES i can boot to Recovery Console

4.)Combo fix files....I see no file named ComboFix-quarantined-files.txt

under C:/Qoobox, but there is a quarantined folder...??

negster22 · November 8, 2010

Is this still happening?

www.google.com/webhp keeps popping up

Is D: your recovery partition, and if so, do you have your XP Installation CD?

There's conflicting information in your logs so I need you to create and upload a file for me using MBRCheck

You'll be running MBRCheck again, but this time from the command prompt.

Open a Command Prompt (Start -> Run -> Type cmd, and hit Enter)

Copy/paste the following (exactly as it is written) at the command line, and then hit Enter:

cd "%userprofile%\desktop"

Copy/paste the following (exactly as it is written) and hit Enter:

MBRCheck.exe -s 0 -d dump.dat

MBRCheck will run and you'll get this message:

Dumping \\.\PhysicalDrive0 to dump.dat...
Dumped successfully!
Done!
Press ENTER to exit...

Press Enterto finish.

Locate the following file MBRCheck created on your Desktop:

dump.dat

Can you please visit this submission webpage

In the "Link to topic where this file was requested: " box, copy/paste the url to this topic as follows:

http://forums.malwarebytes.org/index.php?s...=66928&st=0

Next, in the "Browse to the file you want to submit:" box, browse to this file (on your desktop):

c:\documents and settings\Nick Kruse\Desktop\dump.dat

Then click 'Send File'

Let me know when that has been done.

nick20z71 · November 8, 2010

Done!!

D:\ is not a recovery partition. I use it for music, pictures, misc. storage. But YES, I do have my XP Installation CD....

nick20z71 · November 8, 2010

Oh, also, I haven't noticed the pop-ups, but I also haven't been using the PC a lot. I've been using hte laptop, because I didn't want to mess any progress up we were doing. The pop-ups only happened a few times a day. I'll start using it more now to see if the problem is still there. Also, what do you recommend to keep these nasty rootkit virus' off the computer in the 1st place? Or should I say, what do YOU run on your personal PC?

negster22 · November 8, 2010

You aren't out of the clear yet because some of your logs detect the symptoms of the TDL4 variant of the MBR Bootkit:

Your MBR dump analysis should confirm that, so you should use the laptop in the interim.

Now, that I know D: is not a Recovery Partition, I feel OK about having You run "Fixmbr" from the Recovery Console. If You did have a Recovery Partition on D:, using that command would overwrite the infected MBR with a default Windows XP MBR and You would lose access to that partition. However, it will NOT impact your being able to access your "music, pictures, misc. storage" on the D: drive.

I'll get back to you after the analysis is complete.

In the meantime please download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a rootkit scan:

Double-click the randomly name EXE located in the C:\ARK folder that you just downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When this "quick" scan is finished (a few seconds), copy the quick scan report to the windows clipboard, save it as ARKQ.txt and paste it in a reply back here

As far as security programs go -

I use ESET Smart Security and I recommend it highly.

The following AV's are also excellent:

1. Microsoft Security Essentials (Free AV from Microsoft)

2. Avira Antivir (Free to Home Users)

3. Avast (Free to Home Users)

I just retrieved the file your uploaded and it is the mbr.log that MBRCheck created during its run.

I need the following file which is a copy of your MBR uploaded:

C:\Documents and Settings\Nick Kruse\Desktop\dump.dat

It's only 512 bytes in size.

Can You please upload it to my channel here:

http://www.bleepingcomputer.com/submit-mal....php?channel=75

Thanks!!

nick20z71 · November 9, 2010

is this what you are looking for...

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit quick scan 2010-11-08 20:24:27

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y120P0 rev.YAR41BW0

Running: sz7rjsxx.exe; Driver: C:\DOCUME~1\NICKKR~1\LOCALS~1\Temp\kxtdqpoc.sys

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- EOF - GMER 1.0.15 ----

negster22 · November 9, 2010

Now, we have to perform a more in depth anti-rootkit scan:

Disable your antivirus and anti-malware programs
Double-click the randomly name EXE located in the C:\ARK folder that you previously downloaded to run the program.
When the program opens, it will automatically initiate a very fast scan of common rootkit hiding places.
When the "Quick scan" is done, a few seconds, if you're notified of "Rootkit Activity and asked to perform a Full Scan say "No" so we can configure the scan options first.
In the right pane, UNCHECK the following options:
- IAT/EAT
- Drives/Partition other than Systemdrive, which is typically C:\
- Show All (This is important, so do not miss it.)
[*]Once, configured according to the above, select the Scan button.
[*]Leave your system completely idle while this longer scan is in progress.
[*]When the scan is done, save the scan log to the Windows clipboard
[*]Open Notepad or a similar text editor
[*]Paste the clipboard contents into a text file by clicking Edit | Paste or Ctl V
[*]Exit the Program
[*]Save the Scan log as ARKFullScan.txt and post it in your next reply. If the log is very long attach it please.

Please upload dump.dat as described previously, too!

Thanks!

nick20z71 · November 9, 2010

here ya go....

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-11-09 15:47:58

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6Y120P0 rev.YAR41BW0

Running: sz7rjsxx.exe; Driver: C:\DOCUME~1\NICKKR~1\LOCALS~1\Temp\kxtdqpoc.sys

---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF789F87E]

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF789FBFE]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF7245000, 0x1C5D38, 0xE8000020]

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF5DC1510]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 09: copy of MBR

---- EOF - GMER 1.0.15 ----

nick20z71 · November 9, 2010

Forumn says I'm not allowed to upload dump.dat. Says "Upload failed. You are not permitted to upload this type of file." Do you want it renamed??

nick20z71 · November 9, 2010

Nevermind, I'm retarted. File sent.

nick20z71 · November 9, 2010

"Retarded" :lol: Can ya tell I just woke up??

negster22 · November 9, 2010

OK Thanks for all the requested items.

I hope you're awake now!

When You ran TDSSKiller the second time in Post #30 above - did you have to power down and up to restart your PC again?:

2010/11/07 18:17:32.0484 Detected object count: 1
2010/11/07 18:17:35.0312 \HardDisk0 - will be cured after reboot
2010/11/07 18:17:35.0312 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2010/11/07 18:17:45.0640 Deinitialize success

nick20z71 · November 10, 2010

Umm, I can't say that I remember for sure, but I'm going to guess that I did because I tried to boot to Recovery console.

Yeah I'm awake now! Thats the life of working 3rd shift!!

negster22 · November 10, 2010

Things are looking good BUT I need you to verify something for me.

Delete TDSSKiller.exe on your desktop.

Download a new copy of TDSSKiller to your Desktop from here:

http://support.kaspersky.com/downloads/utils/tdsskiller.exe

Run it as before, by following these directions and choosing the suggested default actions that TDSSKiller recommends.

Please post back the TDSSKiller log.

nick20z71 · November 10, 2010

Deleeted old TDSS, downloaded new from location. Ran and it said it detected nothing!! heres the log...

2010/11/10 16:00:09.0259 TDSS rootkit removing tool 2.4.7.0 Nov 8 2010 10:52:22

2010/11/10 16:00:09.0259 ================================================================================

2010/11/10 16:00:09.0259 SystemInfo:

2010/11/10 16:00:09.0259

2010/11/10 16:00:09.0259 OS Version: 5.1.2600 ServicePack: 3.0

2010/11/10 16:00:09.0259 Product type: Workstation

2010/11/10 16:00:09.0259 ComputerName: NICK-PC

2010/11/10 16:00:09.0259 UserName: Nick Kruse

2010/11/10 16:00:09.0259 Windows directory: C:\WINDOWS

2010/11/10 16:00:09.0259 System windows directory: C:\WINDOWS

2010/11/10 16:00:09.0259 Processor architecture: Intel x86

2010/11/10 16:00:09.0259 Number of processors: 2

2010/11/10 16:00:09.0259 Page size: 0x1000

2010/11/10 16:00:09.0259 Boot type: Normal boot

2010/11/10 16:00:09.0259 ================================================================================

2010/11/10 16:00:09.0509 Initialize success

2010/11/10 16:00:13.0087 ================================================================================

2010/11/10 16:00:13.0087 Scan started

2010/11/10 16:00:13.0087 Mode: Manual;

2010/11/10 16:00:13.0087 ================================================================================

2010/11/10 16:00:14.0822 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/10 16:00:14.0869 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/10 16:00:14.0916 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/10 16:00:14.0962 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/11/10 16:00:14.0994 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/11/10 16:00:15.0025 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/11/10 16:00:15.0119 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

2010/11/10 16:00:15.0150 ALCXWDM (bc5c55b49c4bd1fdfaaa128fe21f9fea) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2010/11/10 16:00:15.0275 AR5211 (08e03e8ab837dc9dd2737930ecd19fbc) C:\WINDOWS\system32\DRIVERS\WPN311.sys

2010/11/10 16:00:15.0353 AR5416 (00e031fe2d849be503fc4a47271f1ea5) C:\WINDOWS\system32\DRIVERS\athw.sys

2010/11/10 16:00:15.0431 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/11/10 16:00:15.0509 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/10 16:00:15.0541 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/10 16:00:15.0681 ati2mtag (c51608bba3248be2f6d21b132910752a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/11/10 16:00:15.0791 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/10 16:00:15.0822 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/10 16:00:15.0869 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/10 16:00:16.0025 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/10 16:00:16.0056 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/10 16:00:16.0087 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/10 16:00:16.0103 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/10 16:00:16.0228 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/10 16:00:16.0291 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/10 16:00:16.0337 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/10 16:00:16.0353 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/10 16:00:16.0416 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/10 16:00:16.0462 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/10 16:00:16.0494 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/10 16:00:16.0509 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/11/10 16:00:16.0541 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/10 16:00:16.0556 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/11/10 16:00:16.0603 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/11/10 16:00:16.0619 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/10 16:00:16.0634 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/10 16:00:16.0666 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/10 16:00:16.0744 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/11/10 16:00:16.0759 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/11/10 16:00:16.0775 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/11/10 16:00:16.0822 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/10 16:00:16.0884 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/11/10 16:00:16.0900 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/11/10 16:00:16.0947 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/11/10 16:00:16.0994 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/11/10 16:00:17.0009 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/11/10 16:00:17.0025 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/10 16:00:17.0041 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/10 16:00:17.0087 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/10 16:00:17.0103 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/10 16:00:17.0119 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/10 16:00:17.0150 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/10 16:00:17.0166 itchfltr (8f1ba487b35f0c8f637e05113aa815f8) C:\WINDOWS\system32\DRIVERS\itchfltr.sys

2010/11/10 16:00:17.0181 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/10 16:00:17.0228 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/10 16:00:17.0259 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/10 16:00:17.0306 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2010/11/10 16:00:17.0369 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/10 16:00:17.0384 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/10 16:00:17.0416 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys

2010/11/10 16:00:17.0431 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys

2010/11/10 16:00:17.0447 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/10 16:00:17.0462 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/10 16:00:17.0509 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/10 16:00:17.0556 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/10 16:00:17.0587 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/10 16:00:17.0634 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/10 16:00:17.0650 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/10 16:00:17.0666 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/10 16:00:17.0697 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/10 16:00:17.0712 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/10 16:00:17.0744 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/10 16:00:17.0759 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/10 16:00:17.0775 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/10 16:00:17.0791 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/10 16:00:17.0806 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/10 16:00:17.0822 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/10 16:00:17.0853 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/10 16:00:17.0900 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/11/10 16:00:17.0916 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/10 16:00:17.0947 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/10 16:00:17.0994 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/10 16:00:18.0025 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/10 16:00:18.0041 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/10 16:00:18.0056 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/11/10 16:00:18.0087 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/11/10 16:00:18.0103 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/10 16:00:18.0119 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/10 16:00:18.0134 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/10 16:00:18.0181 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

2010/11/10 16:00:18.0212 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/11/10 16:00:18.0400 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/10 16:00:18.0431 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/10 16:00:18.0462 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/10 16:00:18.0494 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/11/10 16:00:18.0619 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/10 16:00:18.0634 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/10 16:00:18.0650 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/10 16:00:18.0666 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/10 16:00:18.0712 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/10 16:00:18.0728 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/10 16:00:18.0744 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/10 16:00:18.0775 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/10 16:00:18.0806 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/10 16:00:18.0869 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/10 16:00:18.0900 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/11/10 16:00:18.0916 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/11/10 16:00:18.0947 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/10 16:00:19.0025 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/10 16:00:19.0056 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/10 16:00:19.0087 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/10 16:00:19.0119 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/10 16:00:19.0134 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/10 16:00:19.0228 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/10 16:00:19.0291 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/10 16:00:19.0306 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/10 16:00:19.0322 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/10 16:00:19.0337 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/10 16:00:19.0400 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/10 16:00:19.0447 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/10 16:00:19.0478 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/10 16:00:19.0509 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/10 16:00:19.0525 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/10 16:00:19.0541 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/10 16:00:19.0572 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/10 16:00:19.0603 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/10 16:00:19.0619 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/10 16:00:19.0634 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/10 16:00:19.0666 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/10 16:00:19.0697 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/10 16:00:19.0759 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2010/11/10 16:00:19.0822 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/10 16:00:19.0884 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/11/10 16:00:19.0916 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/10 16:00:19.0931 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/11/10 16:00:20.0072 ================================================================================

2010/11/10 16:00:20.0072 Scan finished

2010/11/10 16:00:20.0072 ================================================================================

2010/11/10 16:01:00.0416 ================================================================================

2010/11/10 16:01:00.0416 Scan started

2010/11/10 16:01:00.0416 Mode: Manual;

2010/11/10 16:01:00.0416 ================================================================================

2010/11/10 16:01:00.0681 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/11/10 16:01:00.0728 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/11/10 16:01:00.0806 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/11/10 16:01:00.0853 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/11/10 16:01:00.0900 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/11/10 16:01:00.0947 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/11/10 16:01:01.0087 ALCXSENS (fbbcb95f677cbaa924140b6ea2d9a97b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS

2010/11/10 16:01:01.0119 ALCXWDM (bc5c55b49c4bd1fdfaaa128fe21f9fea) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2010/11/10 16:01:01.0244 AR5211 (08e03e8ab837dc9dd2737930ecd19fbc) C:\WINDOWS\system32\DRIVERS\WPN311.sys

2010/11/10 16:01:01.0322 AR5416 (00e031fe2d849be503fc4a47271f1ea5) C:\WINDOWS\system32\DRIVERS\athw.sys

2010/11/10 16:01:01.0384 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/11/10 16:01:01.0494 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/11/10 16:01:01.0541 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/11/10 16:01:01.0728 ati2mtag (c51608bba3248be2f6d21b132910752a) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/11/10 16:01:01.0775 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/11/10 16:01:01.0822 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/11/10 16:01:01.0884 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/11/10 16:01:02.0025 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/11/10 16:01:02.0087 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/11/10 16:01:02.0134 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/11/10 16:01:02.0166 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/11/10 16:01:02.0337 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/11/10 16:01:02.0400 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/11/10 16:01:02.0431 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/11/10 16:01:02.0462 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/11/10 16:01:02.0509 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/11/10 16:01:02.0587 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/11/10 16:01:02.0634 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/11/10 16:01:02.0666 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/11/10 16:01:02.0712 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/11/10 16:01:02.0744 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/11/10 16:01:02.0791 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/11/10 16:01:02.0822 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/11/10 16:01:02.0853 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/11/10 16:01:02.0884 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/11/10 16:01:02.0978 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2010/11/10 16:01:03.0025 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2010/11/10 16:01:03.0056 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2010/11/10 16:01:03.0119 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/11/10 16:01:03.0212 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/11/10 16:01:03.0259 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/11/10 16:01:03.0322 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/11/10 16:01:03.0353 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/11/10 16:01:03.0384 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/11/10 16:01:03.0416 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/11/10 16:01:03.0447 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/11/10 16:01:03.0478 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/11/10 16:01:03.0525 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/11/10 16:01:03.0556 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/11/10 16:01:03.0587 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/11/10 16:01:03.0634 itchfltr (8f1ba487b35f0c8f637e05113aa815f8) C:\WINDOWS\system32\DRIVERS\itchfltr.sys

2010/11/10 16:01:03.0666 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/11/10 16:01:03.0712 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/11/10 16:01:03.0744 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/11/10 16:01:03.0806 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2010/11/10 16:01:03.0900 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/11/10 16:01:03.0947 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/11/10 16:01:03.0994 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys

2010/11/10 16:01:04.0025 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys

2010/11/10 16:01:04.0056 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/11/10 16:01:04.0072 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/11/10 16:01:04.0134 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/11/10 16:01:04.0197 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/11/10 16:01:04.0244 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/11/10 16:01:04.0291 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/11/10 16:01:04.0306 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/11/10 16:01:04.0337 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/11/10 16:01:04.0384 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/11/10 16:01:04.0400 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/11/10 16:01:04.0447 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/11/10 16:01:04.0478 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/11/10 16:01:04.0494 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/11/10 16:01:04.0525 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/11/10 16:01:04.0556 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/11/10 16:01:04.0587 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/11/10 16:01:04.0619 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/11/10 16:01:04.0666 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/11/10 16:01:04.0697 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/11/10 16:01:04.0728 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/11/10 16:01:04.0775 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/11/10 16:01:04.0837 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/11/10 16:01:04.0869 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/11/10 16:01:04.0900 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/11/10 16:01:04.0931 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/11/10 16:01:04.0947 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/11/10 16:01:04.0994 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/11/10 16:01:05.0025 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/11/10 16:01:05.0103 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys

2010/11/10 16:01:05.0166 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/11/10 16:01:05.0369 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/11/10 16:01:05.0400 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/11/10 16:01:05.0431 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/11/10 16:01:05.0478 PxHelp20 (0457e25bb122b854e267cf552dcdc370) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/11/10 16:01:05.0666 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/11/10 16:01:05.0697 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/11/10 16:01:05.0728 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/11/10 16:01:05.0775 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/11/10 16:01:05.0822 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/11/10 16:01:05.0837 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/11/10 16:01:05.0884 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/11/10 16:01:05.0931 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/11/10 16:01:05.0978 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/11/10 16:01:06.0041 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/11/10 16:01:06.0087 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/11/10 16:01:06.0119 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/11/10 16:01:06.0166 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/11/10 16:01:06.0275 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/11/10 16:01:06.0306 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/11/10 16:01:06.0353 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/11/10 16:01:06.0400 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/11/10 16:01:06.0416 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/11/10 16:01:06.0556 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/11/10 16:01:06.0619 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/11/10 16:01:06.0666 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/11/10 16:01:06.0697 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/11/10 16:01:06.0728 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/11/10 16:01:06.0791 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/11/10 16:01:06.0869 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/11/10 16:01:06.0900 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/11/10 16:01:06.0931 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/11/10 16:01:06.0962 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/11/10 16:01:06.0994 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/11/10 16:01:07.0025 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/11/10 16:01:07.0072 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/11/10 16:01:07.0103 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/11/10 16:01:07.0134 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/11/10 16:01:07.0181 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/11/10 16:01:07.0228 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/11/10 16:01:07.0291 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2010/11/10 16:01:07.0353 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/11/10 16:01:07.0447 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/11/10 16:01:07.0509 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/11/10 16:01:07.0556 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/11/10 16:01:07.0681 ================================================================================

2010/11/10 16:01:07.0681 Scan finished

2010/11/10 16:01:07.0681 ================================================================================

2010/11/10 16:02:50.0369 Deinitialize success

negster22 · November 10, 2010

Ran and it said it detected nothing!! heres the log...

Yes - that is what your MBR (dump.dat) , and the Gmer and DDS logs also show.

Now, you should be able to download and run combofix without interference because there may be some residual infected elements.

Please do that by following the instructions in my reply #21 and post back the log:

C:\Combofix.txt

nick20z71 · November 11, 2010

Should I just run combpfix or should I drag the "CFScript" notepad code into it??

negster22 · November 11, 2010

Just run it without the CFscript for now, to see if it will complete a run and produce a log.

Judging from your DDS.txt, Combofix did the necessary deletions it was supposed to do, though I won't know the full extent to which that was accomplished, until I see combofix.txt.

Make sure your antivirus is disabled before You launch Combofix.

nick20z71 · November 11, 2010

Heres the report, Combofix finished this time. Also, I'm sure its something Combofix does, but I was wondering why everytime I've run it, Windows Internet Explorer gets put back onto my desktop?? No big deal, just curious....

ComboFix 10-11-10.01 - Nick Kruse 11/11/2010 7:30.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.575 [GMT -5:00]

Running from: c:\documents and settings\Nick Kruse\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_AVG9WD

-------\Legacy_AVG_SECURITY_TOOLBAR_SERVICE

-------\Service_AVG Security Toolbar Service

-------\Service_avg9wd

-------\Service_xvffes

-------\Service_yquwkuue

((((((((((((((((((((((((( Files Created from 2010-10-11 to 2010-11-11 )))))))))))))))))))))))))))))))

.

2010-11-09 01:21 . 2010-11-09 01:21 -------- d-----w- C:\ARK

2010-11-07 00:36 . 2010-11-07 00:36 -------- d-----w- c:\documents and settings\Nick Kruse\Application Data\URSoft

2010-11-07 00:36 . 2010-11-07 01:26 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-11-07 00:36 . 2010-11-07 00:37 -------- d-----w- c:\program files\Your Uninstaller 2010

2010-10-14 17:00 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll

2010-10-14 13:07 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll

2010-10-14 13:07 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll

2010-10-14 13:07 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll

2010-10-13 19:21 . 2010-10-30 10:56 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe

2010-10-13 19:21 . 2010-10-30 10:56 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-11-03 12:11 . 2010-08-31 17:11 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2010-09-18 16:23 . 2004-08-04 05:56 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2004-08-04 05:56 974848 ----a-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2001-08-23 08:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2001-08-23 08:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-10 05:58 . 2004-08-04 05:56 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2004-08-04 05:56 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-10 05:58 . 2004-08-04 05:56 43520 ----a-w- c:\windows\system32\licmgr10.dll

2010-09-01 11:51 . 2004-08-04 05:56 285824 ----a-w- c:\windows\system32\atmfd.dll

2010-09-01 11:34 . 2004-08-04 04:07 68224 ----a-w- c:\windows\system32\drivers\pci.sys

2010-08-31 13:42 . 2004-08-04 04:17 1852800 ----a-w- c:\windows\system32\win32k.sys

2010-08-30 14:49 . 2010-05-14 18:07 398744 ----a-r- c:\windows\system32\cpnprt2.cid

2010-08-27 08:02 . 2004-08-04 05:56 119808 ----a-w- c:\windows\system32\t2embed.dll

2010-08-27 05:57 . 2004-08-04 05:56 99840 ----a-w- c:\windows\system32\srvsvc.dll

2010-08-26 13:39 . 2004-08-04 04:14 357248 ----a-w- c:\windows\system32\drivers\srv.sys

2010-08-26 12:52 . 2010-01-05 21:09 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-08-23 16:12 . 2004-08-04 05:56 617472 ----a-w- c:\windows\system32\comctl32.dll

2010-08-17 13:17 . 2004-08-04 05:56 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-16 08:45 . 2004-08-04 05:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll

.

<pre>
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
</pre>

((((((((((((((((((((((((((((( SnapShot@2010-11-07_13.08.13 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-11-11 12:36 . 2010-11-11 12:36 16384 c:\windows\temp\Perflib_Perfdata_4a0.dat

- 2010-01-12 02:05 . 2010-10-14 16:56 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 90112 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\xlicons.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 45056 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\wordicon.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 22528 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\unbndico.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 30720 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\pptico.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 16384 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\PEicons.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 34304 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\misc.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 81920 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\fpicon.exe

- 2010-10-14 17:00 . 2010-10-14 17:00 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

+ 2010-11-10 08:02 . 2010-11-10 08:02 34632 c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 3584 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\opwicon.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 8192 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\mspicons.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 2560 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 114688 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\outicon.exe

- 2010-01-12 02:05 . 2010-10-14 16:56 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe

+ 2010-01-12 02:05 . 2010-11-10 08:02 167936 c:\windows\Installer\{90280409-6000-11D3-8CFE-0050048383C9}\accicons.exe

+ 2010-09-17 11:04 . 2010-09-17 11:04 9401856 c:\windows\Installer\c277fb5.msp

+ 2010-10-04 21:00 . 2010-10-04 21:00 7973888 c:\windows\Installer\c277fac.msp

+ 2010-10-04 18:55 . 2010-10-04 18:55 9629696 c:\windows\Installer\c277f97.msp

+ 2010-01-05 22:27 . 2010-11-10 08:00 35758536 c:\windows\system32\MRT.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2010-01-08 65536]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk

backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2006-02-19 07:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [9/1/2010 7:18 AM 64288]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/12/2010 1:45 AM 136176]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 7:15 AM 1375992]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/21/2008 11:49 PM 18688]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/21/2008 11:49 PM 8320]

.

Contents of the 'Scheduled Tasks' folder

2010-11-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 12:10]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-12 06:44]

2010-11-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-12 06:44]

2010-11-11 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = <local>

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

FF - ProfilePath - c:\documents and settings\Nick Kruse\Application Data\Mozilla\Firefox\Profiles\ktceon9z.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.msn.com

FF - prefs.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=

FF - prefs.js: network.proxy.type - 4

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - Google

FF - user.js: browser.search.order.1 - Google

FF - user.js: keyword.URL - hxxp://search.search-go.net/?sid=10101052100&s=

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-11-11 07:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2556)

c:\windows\system32\WININET.dll

c:\program files\Logitech\iTouch\iTchHk.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\acs.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\SOUNDMAN.EXE

.

**************************************************************************

.

Completion time: 2010-11-11 07:39:35 - machine was rebooted

ComboFix-quarantined-files.txt 2010-11-11 12:39

ComboFix2.txt 2010-11-07 13:10

Pre-Run: 24,982,130,688 bytes free

Post-Run: 25,192,247,296 bytes free

- - End Of File - - 86EC841C7AA0FE1A0F02B2621A846E10

negster22 · November 11, 2010

Not sure about why IE appears on the desktop, but if it is just a short-cut to IE (the icon contains an arrow), you can just delete it.

Open a command prompt (click Start -> Run, type cmd, and hit Enter)

Copy / Paste the following command at the command prompt, and hit Enter

mbr.exe -s -tDFR > "%userprofile%\desktop\mbr.log"

Open the log it created by double-clicking mbr.log

Copy and paste the contents of mbr.log into your next reply.

--------------

Please perform a scan with the ESET online virus scanner. You can expect some detections in Combofix's quarantine (Qoobox) and system volume information. They will not represent active malware so don't worry:

http://www.eset.com/onlinescan/index.php

You need to disable your Lavasoft AV's auto-protection feature before beginning the scan to avoid conflicts and system hangs
Use Internet Explorer to navigate to the scanner website because you must approve install an ActiveX add-on to complete the scan.
Check the "Yes, I accept the terms of use" box.
Click Start
Approve the installation of the ActiveX control that's required to enable scanning
Make sure the box to
- Remove found threats. is CHECKED!!
- Click Start
[*]Allow the definition data base to install
[*]Click "Scan"

When the scan is done, please post the scan report in your next reply. It can be found in this location:

C:\Program Files\EsetOnlineScanner\log.txt

nick20z71 · November 12, 2010

ok...I tried to run that code from the command prompt 3 times and everytime the computer restarted right away. Again this wasn't a windows shut down process. Computer just went black and rebooted. Could this be a hardware error or software error, just doesn't seem like its from a virus, but I obviously don't know what I'm talking about so...

Heres the ESEP log...

C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Olmarik.ADA trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\imuxubex.dll.vir Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\iwapuhuhiqopu.dll.vir Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\ohinufeworit.dll.vir Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\umitulivihanofow.dll.vir Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

C:\System Volume Information\_restore{E9C17D4C-02CA-45D1-8F28-86329134B7E5}\RP1\A0000068.dll Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

C:\System Volume Information\_restore{E9C17D4C-02CA-45D1-8F28-86329134B7E5}\RP1\A0000069.dll Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

C:\System Volume Information\_restore{E9C17D4C-02CA-45D1-8F28-86329134B7E5}\RP1\A0000070.dll Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

C:\System Volume Information\_restore{E9C17D4C-02CA-45D1-8F28-86329134B7E5}\RP1\A0000072.dll Win32/Adware.SpywareProtect2009 application cleaned by deleting - quarantined

www.google.com/webhp keeps popping up...

Recommended Posts

Link to post

Share on other sites

Top Posters In This Topic

Popular Days

Top Posters In This Topic

Popular Days

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Link to post

Share on other sites

Recently Browsing 0 members

Important Information