
Quite the brutal little infestation - can some of you folks kindly take a look at my HJT log and help me identify any lingering threats? I'm hoping I've failed to rectify some registry entry or process that's still causing the above symptoms. Slow as death, too; won't boot/shut down without a fight, propensity to redirect web searches to bogus ads (which still pop up).

Spybot and Ad-Aware keep telling me they've removed high-level infections, but they run right into them once again with every scan. Malwarebytes is repeatedly showing clean... You people are the real artists; I have to admit, I'm in way over my head with this sucker.

Look forward to hearing from you. Thanks a million.

-Dave

hijackthis.log


OK, so I finally read the instructions per the thread starter. Here's my DDS log:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Toni Rosalino at 21:10:20.89 on Mon 04/04/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.350 [GMT -7:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\rundll32.exe

svchost.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\igfxext.exe

C:\WINDOWS\system32\wscntfy.exe

C:\DOCUME~1\TONIRO~1\LOCALS~1\Temp\RtkBtMnt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\OfferBox\OfferBox.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\Documents and Settings\Toni Rosalino\Desktop\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aoa150

uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aoa150

mDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aoa150

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aoa150

uURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll

BHO: OfferBox: {fc0d62c2-9640-4aeb-a5d5-cf25df11fa8c} - c:\program files\offerbox\OfferBoxBHO.dll

TB: ShopAtHome Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Qdisitu] rundll32.exe "c:\windows\lndbdbe.dll",Startup

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [LGxJuggkBGegHQ] c:\documents and settings\all users\application data\LGxJuggkBGegHQ.exe

mRun: [LaunchApp] Alaunch

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE

mRun: [PLFSetL] c:\windows\PLFSetL.exe

mRun: [snp2uvc] c:\windows\vsnp2uvc.exe

mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe

mRun: [selectRebates] c:\program files\selectrebates\SelectRebates.exe

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t

StartupFolder: c:\docume~1\toniro~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\interv~1.lnk - c:\program files\intervideo\common\bin\WinCinemaMgr.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1301643650171

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

Notify: igfxcui - igfxdev.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

Hosts: 127.0.0.1 www.spywareinfo.com

Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com

.

============= SERVICES / DRIVERS ===============

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-3-31 64512]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-3-30 1405384]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-7 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-3-30 15232]

.

=============== Created Last 30 ================

.

2011-04-04 07:04:35 3420 ----a-w- c:\windows\system32\tmp.reg

2011-04-01 07:10:43 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-01 06:00:23 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-04-01 02:07:20 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-04-01 02:07:09 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-04-01 01:58:52 -------- d-----w- c:\docume~1\toniro~1\locals~1\applic~1\Sunbelt Software

2011-04-01 01:22:28 -------- dc-h--w- c:\docume~1\alluse~1\applic~1\{2D59E2A1-9CCB-4414-9B00-67019E74C6FD}

2011-04-01 01:21:23 -------- d-----w- c:\program files\Lavasoft

2011-03-31 08:48:38 -------- d-----w- c:\docume~1\toniro~1\applic~1\Malwarebytes

2011-03-31 08:17:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-31 08:17:04 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-03-31 08:17:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-31 08:17:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-31 08:05:27 525462 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-03-30 07:05:16 -------- d--h--w- c:\docume~1\toniro~1\locals~1\applic~1\{21DC601D-E39C-4AEE-A085-61AFC2FA4250}

2011-03-29 01:46:41 -------- d--h--w- c:\windows\system32\wbem\Repository

2011-03-29 01:46:41 -------- d-----w- c:\windows\system32\wbem\repository\FS

2011-03-28 00:36:39 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2011-03-28 00:36:35 -------- d--h--w- c:\program files\Spybot - Search & Destroy

2011-03-20 06:50:26 0 ---ha-w- c:\windows\Wwowuvebuqa.bin

2011-03-20 06:49:30 -------- d--h--w- c:\docume~1\toniro~1\applic~1\OfferBox

2011-03-20 06:49:29 -------- d--h--w- c:\program files\OfferBox

2011-03-20 05:45:53 5943120 ---ha-w- c:\docume~1\alluse~1\applic~1\microsoft\windows defender\definition updates\{925b67e0-9883-494e-aded-f51b47b02456}\mpengine.dll

2011-03-20 05:43:05 -------- d--h--w- c:\program files\common files\DivX Shared

.

==================== Find3M ====================

.

2011-04-01 07:10:24 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-09 13:53:52 270848 ---ha-w- c:\windows\system32\sbe.dll

2011-02-09 13:53:52 186880 ---ha-w- c:\windows\system32\encdec.dll

2011-02-08 19:52:48 145688 ----a-w- c:\windows\system32\MicrosoftUpdateCatalogWebControl.dll

2011-02-02 07:58:35 2067456 ---ha-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57:06 677888 ---ha-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44:37 439296 ---ha-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09:02 290048 ---ha-w- c:\windows\system32\atmfd.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: ST9160310AS rev.0303 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86B17439]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86b1d7d0]; MOV EAX, [0x86b1d84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86B45318]

3 CLASSPNP[0xF77A7FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\0000008c[0x86BAB2F8]

5 ACPI[0xF769E620] -> nt!IofCallDriver[0x804E13B9] -> [0x86B47940]

\Driver\atapi[0x86B55AE8] -> IRP_MJ_CREATE -> 0x86B17439

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST9160310AS_____________________________0303____#5&1f6eb729&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x86B1727F

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 21:12:54.40 ===============

However, one of the issues I received from this strain of infection is that my "Send To" functionality is totally disabled. Without it, I have no idea how to create zips for the other two log files (Notepad text files). Please advise if you have a workaround for zip file creation, or if you will allow me to post the 'ark.txt' and 'attach.txt' logs as above. Thanks again,

-Dave

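As an added example (not part of Dave's post, and not code from DDS, GMER or any tool named in the thread), the following Python script turns the checks an experienced log reader makes by eye on the DDS output above into code: an executable running from a user-writable folder (the Temp and "All Users\Application Data" entries), a Run key that has rundll32 load a DLL from the root of c:\windows, hosts-file entries that either black-hole a security site or point a domain at an external IP, and the atapi DriverStartIo hook GMER reported. The sample lines are copied from the posted log, with two benign entries added for contrast; the security-domain list, the folder lists and the thresholds in the random-name heuristic are my own assumptions and will produce false positives on other logs.

```python
"""Added example (not from the thread): first-pass triage of DDS / HijackThis
style log lines.  These are reading heuristics, not a detection engine:
executables launched from user-writable folders, rundll32 loading a DLL from
outside the usual system folders, hosts-file tampering, and the kernel
disk-driver hook GMER reported.  A random-looking name is reported only as a
secondary signal on entries another rule already flagged.
"""
import re

VOWELS = set("aeiou")
LOOPBACK = ("127.", "0.0.0.0", "::1")
# Sites an infection commonly blocks in the hosts file (assumed, illustrative list).
SECURITY_DOMAINS = ("spywareinfo.com", "malwarebytes.org", "bleepingcomputer.com", "gmer.net")
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\")
TRUSTED_DLL_DIRS = ("\\windows\\system32\\", "\\program files\\", "\\progra~1\\")

# Constructed sample: lines copied from the DDS log posted above, plus two
# benign entries (AAWTray, igfxTray) for contrast.
SAMPLE_LOG = r"""
C:\DOCUME~1\TONIRO~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Qdisitu] rundll32.exe "c:\windows\lndbdbe.dll",Startup
uRun: [LGxJuggkBGegHQ] c:\documents and settings\all users\application data\LGxJuggkBGegHQ.exe
mRun: [igfxTray] c:\windows\system32\igfxtray.exe
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 173.192.170.88 drghwaweg45j4i6u3q32fg2h.com
\Driver\atapi DriverStartIo -> 0x86B1727F
"""


def looks_random(name: str) -> bool:
    """Generated-looking name: almost no vowels, many case flips, or digits
    interleaved with letters (lndbdbe, LGxJuggkBGegHQ, drghwaweg45j4i6u3q32fg2h).
    Thresholds are assumptions tuned on those entries; expect false positives."""
    core = name.split(".")[0]  # drop the extension / TLD
    letters = [c for c in core if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    case_flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    digit_edges = sum(a.isdigit() != b.isdigit() for a, b in zip(core, core[1:]))
    return vowel_ratio < 0.2 or case_flips >= 4 or digit_edges >= 3


def _basename(path: str) -> str:
    return path.rstrip("\\").split("\\")[-1]


def classify(line: str):
    """Return (reason, artifact) when a line trips one of the rules, else None."""
    low = line.lower()

    # Hosts: entries as DDS prints them.  Loopback + security site = blocked
    # help site; anything pointed at a non-loopback address is a redirect.
    m = re.search(r"hosts:\s+(\S+)\s+(\S+)", line, re.I)
    if m:
        ip, host = m.group(1), m.group(2)
        if ip.startswith(LOOPBACK):
            if host.lower().endswith(SECURITY_DOMAINS):
                return "hosts file blocks a security site", host
            return None  # plain ad-blocking entries are common and benign
        return "hosts file redirects a domain to an external IP", host

    # GMER "detected hooks" / disk trace lines on the disk miniport driver.
    if "driverstartio ->" in low or re.search(r"irp_mj_\w+ -> 0x", low):
        drv = re.search(r"\\driver\\(\w+)", low)
        return "kernel disk-driver hook (TDL3-style)", drv.group(1) if drv else line.strip()

    # Run entries that use rundll32 to load a DLL from outside the system folders.
    m = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', line, re.I)
    if m:
        dll = m.group(1)
        if not any(d in dll.lower() for d in TRUSTED_DLL_DIRS):
            return "rundll32 loading a DLL from outside the system folders", _basename(dll)
        return None

    # Any executable path (process list or autorun) under a user-writable folder.
    m = re.search(r"([a-z]:\\.+?\.(?:exe|dll|scr))\b", line, re.I)
    if m and any(d in m.group(1).lower() for d in USER_WRITABLE):
        return "executable in a user-writable folder", _basename(m.group(1))
    return None


def triage(log_text: str):
    """Scan a whole log.  Returns [(reason, artifact, random_looking), ...]."""
    findings = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            reason, artifact = hit
            findings.append((reason, artifact, looks_random(artifact)))
    return findings


if __name__ == "__main__":
    for reason, artifact, rnd in triage(SAMPLE_LOG):
        print(f"{reason:55s} {artifact}{'  (random-looking name)' if rnd else ''}")
```

Run against the sample it reports six entries: the Temp executable, the rundll32 DLL, the All Users\Application Data executable, both hosts lines and the atapi hook, with the three generated-looking names marked. The random-name check is deliberately kept out of the primary rules: applied to every line it would also flag legitimate but vowel-poor vendor names, which is why it only annotates entries another rule has already singled out.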

Hello and welcome!

Unfortunately you have a nasty rootkit on board. Please read the following information before continuing the cleanup process.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (e.g. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Thank you SO much for responding, Elise!! I have changed out all my wife's & my passwords, and disconnected the little SOB from the network!

First Things First, I always say. I have done as instructed, and run the "Killer" on the infected Acer. Here's the log:

2011/04/05 18:15:45.0546 2480 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28

2011/04/05 18:15:45.0640 2480 ================================================================================

2011/04/05 18:15:45.0640 2480 SystemInfo:

2011/04/05 18:15:45.0640 2480

2011/04/05 18:15:45.0640 2480 OS Version: 5.1.2600 ServicePack: 3.0

2011/04/05 18:15:45.0640 2480 Product type: Workstation

2011/04/05 18:15:45.0640 2480 ComputerName: DAVE

2011/04/05 18:15:45.0640 2480 UserName: Toni Rosalino

2011/04/05 18:15:45.0640 2480 Windows directory: C:\WINDOWS

2011/04/05 18:15:45.0640 2480 System windows directory: C:\WINDOWS

2011/04/05 18:15:45.0640 2480 Processor architecture: Intel x86

2011/04/05 18:15:45.0640 2480 Number of processors: 2

2011/04/05 18:15:45.0640 2480 Page size: 0x1000

2011/04/05 18:15:45.0640 2480 Boot type: Normal boot

2011/04/05 18:15:45.0640 2480 ================================================================================

2011/04/05 18:15:49.0093 2480 Initialize success

2011/04/05 18:16:04.0546 0408 ================================================================================

2011/04/05 18:16:04.0546 0408 Scan started

2011/04/05 18:16:04.0546 0408 Mode: Manual;

2011/04/05 18:16:04.0546 0408 ================================================================================

2011/04/05 18:16:07.0968 0408 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2011/04/05 18:16:09.0062 0408 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/04/05 18:16:10.0203 0408 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2011/04/05 18:16:11.0265 0408 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2011/04/05 18:16:12.0906 0408 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/04/05 18:16:14.0578 0408 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2011/04/05 18:16:16.0046 0408 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2011/04/05 18:16:17.0109 0408 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2011/04/05 18:16:18.0125 0408 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2011/04/05 18:16:19.0390 0408 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2011/04/05 18:16:20.0781 0408 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2011/04/05 18:16:21.0828 0408 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2011/04/05 18:16:22.0828 0408 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2011/04/05 18:16:23.0734 0408 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2011/04/05 18:16:24.0562 0408 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2011/04/05 18:16:26.0781 0408 AR5416 (7cae93fe5511d0c0688cfa56cf241e31) C:\WINDOWS\system32\DRIVERS\athw.sys

2011/04/05 18:16:29.0125 0408 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2011/04/05 18:16:30.0156 0408 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2011/04/05 18:16:31.0250 0408 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2011/04/05 18:16:32.0296 0408 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/04/05 18:16:33.0390 0408 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/04/05 18:16:35.0546 0408 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/04/05 18:16:36.0671 0408 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/04/05 18:16:38.0078 0408 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/04/05 18:16:39.0125 0408 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2011/04/05 18:16:40.0156 0408 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/04/05 18:16:41.0140 0408 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2011/04/05 18:16:42.0265 0408 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2011/04/05 18:16:43.0203 0408 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/04/05 18:16:44.0093 0408 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/04/05 18:16:45.0015 0408 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/04/05 18:16:46.0609 0408 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2011/04/05 18:16:47.0343 0408 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2011/04/05 18:16:48.0125 0408 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2011/04/05 18:16:49.0156 0408 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2011/04/05 18:16:50.0343 0408 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2011/04/05 18:16:51.0703 0408 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2011/04/05 18:16:53.0250 0408 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/04/05 18:16:54.0578 0408 DKbFltr (08d30af92c270f2e76787c81589dbad6) C:\WINDOWS\system32\DRIVERS\DKbFltr.sys

2011/04/05 18:16:57.0687 0408 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/04/05 18:17:03.0234 0408 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/04/05 18:17:05.0906 0408 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/04/05 18:17:08.0281 0408 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/04/05 18:17:10.0875 0408 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2011/04/05 18:17:14.0062 0408 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/04/05 18:17:17.0593 0408 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/04/05 18:17:20.0937 0408 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/04/05 18:17:23.0000 0408 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/04/05 18:17:25.0859 0408 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/04/05 18:17:28.0250 0408 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys

2011/04/05 18:17:30.0937 0408 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/04/05 18:17:32.0968 0408 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/04/05 18:17:35.0187 0408 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/04/05 18:17:37.0468 0408 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2011/04/05 18:17:39.0921 0408 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/04/05 18:17:42.0359 0408 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2011/04/05 18:17:45.0125 0408 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/04/05 18:17:48.0312 0408 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2011/04/05 18:17:50.0968 0408 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2011/04/05 18:17:53.0359 0408 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/04/05 18:18:03.0593 0408 ialm (48846b31be5a4fa662ccfde7a1ba86b9) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2011/04/05 18:18:14.0796 0408 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/04/05 18:18:17.0703 0408 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2011/04/05 18:18:19.0078 0408 int15.sys (4d8d5b1c895ea0f2a721b98a7ce198f1) C:\Acer\Empowering Technology\eRecovery\int15.sys

2011/04/05 18:18:25.0546 0408 IntcAzAudAddService (19afbb8427ce65042599555e578170df) C:\WINDOWS\system32\drivers\RtkHDAud.sys

2011/04/05 18:18:26.0578 0408 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/04/05 18:18:28.0593 0408 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/04/05 18:18:30.0875 0408 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

2011/04/05 18:18:32.0390 0408 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/04/05 18:18:33.0390 0408 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/04/05 18:18:34.0546 0408 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/04/05 18:18:35.0656 0408 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/04/05 18:18:38.0781 0408 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/04/05 18:18:40.0078 0408 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/04/05 18:18:41.0609 0408 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/04/05 18:18:43.0031 0408 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/04/05 18:18:44.0671 0408 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/04/05 18:18:45.0468 0408 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys

2011/04/05 18:18:47.0171 0408 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys

2011/04/05 18:18:50.0781 0408 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/04/05 18:18:52.0031 0408 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/04/05 18:18:53.0171 0408 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/04/05 18:18:54.0718 0408 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/04/05 18:18:55.0953 0408 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/04/05 18:18:56.0875 0408 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2011/04/05 18:18:58.0218 0408 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/04/05 18:19:00.0234 0408 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/04/05 18:19:01.0859 0408 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/04/05 18:19:02.0859 0408 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/04/05 18:19:03.0640 0408 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/04/05 18:19:04.0609 0408 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/04/05 18:19:05.0687 0408 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/04/05 18:19:06.0796 0408 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2011/04/05 18:19:07.0796 0408 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/04/05 18:19:08.0859 0408 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2011/04/05 18:19:10.0156 0408 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/04/05 18:19:11.0328 0408 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2011/04/05 18:19:12.0328 0408 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/04/05 18:19:13.0843 0408 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/04/05 18:19:14.0656 0408 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/04/05 18:19:15.0750 0408 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/04/05 18:19:16.0656 0408 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/04/05 18:19:17.0546 0408 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/04/05 18:19:18.0718 0408 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/04/05 18:19:19.0937 0408 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/04/05 18:19:21.0187 0408 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/04/05 18:19:21.0921 0408 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/04/05 18:19:22.0828 0408 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/04/05 18:19:23.0687 0408 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2011/04/05 18:19:24.0578 0408 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/04/05 18:19:25.0437 0408 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/04/05 18:19:26.0171 0408 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/04/05 18:19:27.0671 0408 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/04/05 18:19:28.0625 0408 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/04/05 18:19:32.0437 0408 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2011/04/05 18:19:33.0375 0408 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2011/04/05 18:19:34.0343 0408 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/04/05 18:19:35.0250 0408 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/04/05 18:19:36.0078 0408 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/04/05 18:19:36.0937 0408 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2011/04/05 18:19:37.0765 0408 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2011/04/05 18:19:38.0671 0408 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2011/04/05 18:19:39.0578 0408 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2011/04/05 18:19:40.0562 0408 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2011/04/05 18:19:41.0500 0408 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/04/05 18:19:42.0734 0408 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/04/05 18:19:43.0687 0408 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/04/05 18:19:44.0546 0408 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/04/05 18:19:45.0609 0408 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/04/05 18:19:46.0703 0408 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/04/05 18:19:47.0734 0408 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2011/04/05 18:19:48.0984 0408 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/04/05 18:19:50.0156 0408 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/04/05 18:19:51.0437 0408 RTLE8023xp (f0a21c62b9b835e1c96268eaae31d239) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys

2011/04/05 18:19:52.0484 0408 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/04/05 18:19:53.0437 0408 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2011/04/05 18:19:54.0390 0408 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/04/05 18:19:55.0859 0408 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2011/04/05 18:19:56.0671 0408 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/04/05 18:19:58.0750 0408 SNP2UVC (0302bc619d4a723317e7f8eb0c362bd3) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys

2011/04/05 18:20:00.0906 0408 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2011/04/05 18:20:01.0796 0408 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/04/05 18:20:02.0718 0408 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/04/05 18:20:03.0875 0408 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/04/05 18:20:04.0968 0408 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/04/05 18:20:05.0812 0408 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/04/05 18:20:06.0593 0408 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/04/05 18:20:07.0421 0408 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2011/04/05 18:20:08.0281 0408 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2011/04/05 18:20:09.0109 0408 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2011/04/05 18:20:09.0937 0408 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2011/04/05 18:20:11.0281 0408 SynTP (409f7eeb079d6154ccb26a02e6e27844) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2011/04/05 18:20:12.0718 0408 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/04/05 18:20:14.0375 0408 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/04/05 18:20:15.0343 0408 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/04/05 18:20:16.0187 0408 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/04/05 18:20:17.0000 0408 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/04/05 18:20:17.0906 0408 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2011/04/05 18:20:18.0656 0408 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/04/05 18:20:19.0609 0408 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2011/04/05 18:20:20.0781 0408 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/04/05 18:20:22.0156 0408 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/04/05 18:20:23.0109 0408 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/04/05 18:20:24.0093 0408 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/04/05 18:20:25.0156 0408 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/04/05 18:20:26.0140 0408 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/04/05 18:20:27.0109 0408 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/04/05 18:20:27.0875 0408 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/04/05 18:20:28.0765 0408 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2011/04/05 18:20:29.0437 0408 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/04/05 18:20:30.0250 0408 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/04/05 18:20:30.0328 0408 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)

2011/04/05 18:20:31.0046 0408 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/04/05 18:20:32.0937 0408 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/04/05 18:20:34.0125 0408 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2011/04/05 18:20:35.0031 0408 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/04/05 18:20:36.0000 0408 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/04/05 18:20:36.0406 0408 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2011/04/05 18:20:36.0515 0408 ================================================================================

2011/04/05 18:20:36.0515 0408 Scan finished

2011/04/05 18:20:36.0515 0408 ================================================================================

2011/04/05 18:20:36.0671 0976 Detected object count: 2

2011/04/05 18:21:58.0484 0976 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/04/05 18:21:59.0640 0976 Backup copy found, using it..

2011/04/05 18:21:59.0718 0976 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot

2011/04/05 18:21:59.0718 0976 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure

2011/04/05 18:21:59.0859 0976 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot

2011/04/05 18:21:59.0859 0976 \HardDisk0 - ok

2011/04/05 18:21:59.0859 0976 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2011/04/05 18:22:18.0843 2468 Deinitialize success

Let me know what you glean from the printout, and we can decide from there whether a whole OS reinstall is in order.

Thank you again for saving my wife and me from a painful separation from our savings!!


Hi again,

That seems to have done the trick. :)

COMBOFIX

---------------

Please download ComboFix from one of these locations:
  • Bleepingcomputer
  • ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Beautiful, Elise! I'm totally offline with the Acer, per your warnings of system compromise, but from what I can tell, all previous functionality of the unit has been restored :D

THANK YOU SOOO MUCH FOR THAT!!

Per your request, the ComboFix log is below:

ComboFix 11-04-05.02 - Toni Rosalino 04/05/2011 23:27:45.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1012.457 [GMT -7:00]

Running from: c:\documents and settings\Toni Rosalino\Desktop\ComboFix.exe

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Start Menu\Programs\OfferBox Browser.lnk

c:\documents and settings\Toni Rosalino\Application Data\Local

c:\documents and settings\Toni Rosalino\Application Data\Local\Temp\DDM\Settings\0.ddi

c:\documents and settings\Toni Rosalino\Application Data\Local\Temp\DDM\Settings\Inception_Trailer_592.divx.ddr

c:\documents and settings\Toni Rosalino\Application Data\Local\Temp\DDM\Settings\settings.ddi

c:\documents and settings\Toni Rosalino\Application Data\Local\Temp\DDM\Settings\Temporary Downloaded Files\Inception_Trailer_592.divx

c:\documents and settings\Toni Rosalino\Application Data\OfferBox

c:\documents and settings\Toni Rosalino\Application Data\OfferBox\config.dat

c:\documents and settings\Toni Rosalino\Application Data\OfferBox\config.xml

c:\documents and settings\Toni Rosalino\Local Settings\Application Data\{21DC601D-E39C-4AEE-A085-61AFC2FA4250}

c:\documents and settings\Toni Rosalino\Local Settings\Application Data\{21DC601D-E39C-4AEE-A085-61AFC2FA4250}\chrome.manifest

c:\documents and settings\Toni Rosalino\Local Settings\Application Data\{21DC601D-E39C-4AEE-A085-61AFC2FA4250}\chrome\content\_cfg.js

c:\documents and settings\Toni Rosalino\Local Settings\Application Data\{21DC601D-E39C-4AEE-A085-61AFC2FA4250}\chrome\content\overlay.xul

c:\documents and settings\Toni Rosalino\Local Settings\Application Data\{21DC601D-E39C-4AEE-A085-61AFC2FA4250}\install.rdf

c:\documents and settings\Toni Rosalino\Start Menu\Programs\Windows Repair

c:\documents and settings\Toni Rosalino\Start Menu\Programs\Windows Repair\Uninstall Windows Repair.lnk

c:\documents and settings\Toni Rosalino\Start Menu\Programs\Windows Repair\Windows Repair.lnk

c:\program files\OfferBox

c:\program files\OfferBox\OfferBox.exe

c:\program files\OfferBox\OfferBoxBHO.dll

c:\program files\OfferBox\OfferBoxChromeExtension.crx

c:\program files\OfferBox\OfferBoxEngine.dll

c:\program files\OfferBox\offerboxffx@offerbox.com\chrome.manifest

c:\program files\OfferBox\offerboxffx@offerbox.com\chrome\content\events.js

c:\program files\OfferBox\offerboxffx@offerbox.com\chrome\content\overlay.xul

c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.dll

c:\program files\OfferBox\offerboxffx@offerbox.com\components\OfferBoxXpCom.xpt

c:\program files\OfferBox\offerboxffx@offerbox.com\install.rdf

c:\program files\OfferBox\OfferBoxLauncher.exe

c:\program files\OfferBox\res\language.xml

c:\program files\OfferBox\res\loader.gif

c:\program files\OfferBox\uninst.exe

c:\program files\SelectRebates

c:\program files\SelectRebates\FFToolbar\chrome.manifest

c:\program files\SelectRebates\FFToolbar\chrome\sahtoolbar.jar

c:\program files\SelectRebates\FFToolbar\defaults\preferences\sahtoolbar.js

c:\program files\SelectRebates\FFToolbar\install.rdf

c:\program files\SelectRebates\SelectAlerts.dat

c:\program files\SelectRebates\SelectRebates.ini

c:\program files\SelectRebates\SelectRebatesA.dat

c:\program files\SelectRebates\SelectRebatesB.dat

c:\program files\SelectRebates\SelectRebatesBT.dat

c:\program files\SelectRebates\SelectRebatesDownload.exe

c:\program files\SelectRebates\Toolbar\AddtoList.bmp

c:\program files\SelectRebates\Toolbar\basis.xml

c:\program files\SelectRebates\Toolbar\Basis.xml.dym

c:\program files\SelectRebates\Toolbar\Blank.bmp

c:\program files\SelectRebates\Toolbar\CashBack.bmp

c:\program files\SelectRebates\Toolbar\Coupons.bmp

c:\program files\SelectRebates\Toolbar\GroceryCoupon.bmp

c:\program files\SelectRebates\Toolbar\i_magnifying.bmp

c:\program files\SelectRebates\Toolbar\icons.bmp

c:\program files\SelectRebates\Toolbar\logo.bmp

c:\program files\SelectRebates\Toolbar\logo_24.bmp

c:\program files\SelectRebates\Toolbar\logo_HotSpots.bmp

c:\program files\SelectRebates\Toolbar\ReviewSite.bmp

c:\program files\SelectRebates\Toolbar\RightControls.dym

c:\program files\SelectRebates\Toolbar\Scissors.bmp

c:\program files\SelectRebates\Toolbar\ShopAtHomeToolbar.dll

c:\windows\system32\404Fix.exe

c:\windows\system32\Agent.OMZ.Fix.exe

c:\windows\system32\dumphive.exe

c:\windows\system32\IEDFix.C.exe

c:\windows\system32\IEDFix.exe

c:\windows\system32\o4Patch.exe

c:\windows\system32\Process.exe

c:\windows\system32\SrchSTS.exe

c:\windows\system32\tmp.reg

c:\windows\system32\tukdtjsr.txt

c:\windows\system32\VACFix.exe

c:\windows\system32\VCCLSID.exe

c:\windows\system32\WS2Fix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NWSAPAGENT

-------\Service_Nwsapagent

.

.

((((((((((((((((((((((((( Files Created from 2011-03-06 to 2011-04-06 )))))))))))))))))))))))))))))))

.

.

2011-04-01 07:14 . 2011-04-01 07:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-04-01 07:10 . 2011-04-01 07:10 472808 ----a-w- c:\windows\system32\deployJava1.dll

2011-04-01 06:00 . 2011-03-31 06:48 16432 ----a-w- c:\windows\system32\lsdelete.exe

2011-04-01 02:07 . 2011-03-31 06:48 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys

2011-04-01 02:07 . 2011-04-01 02:07 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys

2011-04-01 01:58 . 2011-04-01 01:58 -------- d-----w- c:\documents and settings\Toni Rosalino\Local Settings\Application Data\Sunbelt Software

2011-04-01 01:22 . 2011-04-01 01:22 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{2D59E2A1-9CCB-4414-9B00-67019E74C6FD}

2011-04-01 01:21 . 2011-04-01 01:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2011-04-01 01:21 . 2011-04-01 01:21 -------- d-----w- c:\program files\Lavasoft

2011-03-31 09:42 . 2011-03-31 10:36 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe

2011-03-31 08:48 . 2011-03-31 08:48 -------- d-----w- c:\documents and settings\Toni Rosalino\Application Data\Malwarebytes

2011-03-31 08:17 . 2010-12-21 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-03-31 08:17 . 2011-03-31 08:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-03-31 08:17 . 2011-03-31 08:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-03-31 08:17 . 2010-12-21 01:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-03-31 08:05 . 2011-03-31 10:07 525462 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2011-03-30 08:29 . 2011-03-31 06:03 -------- d--ha-w- c:\documents and settings\All Users\Application Data\TEMP

2011-03-29 01:46 . 2011-03-29 01:46 -------- d--h--w- c:\windows\system32\wbem\Repository

2011-03-28 00:36 . 2011-03-29 03:46 -------- d--h--w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2011-03-28 00:36 . 2011-03-29 03:50 -------- d--h--w- c:\program files\Spybot - Search & Destroy

2011-03-27 08:21 . 2011-03-29 01:45 -------- d-s---w- c:\documents and settings\Administrator

2011-03-20 06:50 . 2011-03-31 08:50 0 ---ha-w- c:\windows\Wwowuvebuqa.bin

2011-03-20 06:34 . 2011-03-20 06:34 -------- d--h--w- c:\windows\Sun

2011-03-20 05:45 . 2011-02-11 06:54 5943120 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\{925B67E0-9883-494E-ADED-F51B47B02456}\mpengine.dll

2011-03-20 05:43 . 2011-03-20 05:43 -------- d--h--w- c:\program files\Common Files\DivX Shared

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-06 01:23 . 2008-04-15 03:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys

2011-04-01 07:10 . 2010-12-08 15:37 73728 ----a-w- c:\windows\system32\javacpl.cpl

2011-02-11 06:54 . 2009-08-23 20:09 5943120 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll

2011-02-09 13:53 . 2008-04-15 03:00 270848 ---ha-w- c:\windows\system32\sbe.dll

2011-02-09 13:53 . 2008-04-15 03:00 186880 ---ha-w- c:\windows\system32\encdec.dll

2011-02-08 19:52 . 2011-02-08 19:52 145688 ----a-w- c:\windows\system32\MicrosoftUpdateCatalogWebControl.dll

2011-02-02 07:58 . 2008-04-15 03:00 2067456 ---ha-w- c:\windows\system32\mstscax.dll

2011-01-27 11:57 . 2008-04-15 03:00 677888 ---ha-w- c:\windows\system32\mstsc.exe

2011-01-21 14:44 . 2008-04-15 03:00 439296 ---ha-w- c:\windows\system32\shimgvw.dll

2011-01-07 14:09 . 2008-04-15 03:00 290048 ---ha-w- c:\windows\system32\atmfd.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-16 68856]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]

"RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]

"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-15 59392]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-15 455168]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]

"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

.

c:\documents and settings\Toni Rosalino\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=

.

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/31/2011 7:07 PM 64512]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/30/2011 11:48 PM 1405384]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/7/2010 6:00 PM 135664]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [3/30/2011 11:48 PM 15232]

.

Contents of the 'Scheduled Tasks' folder

.

2011-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-03-31 06:48]

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 00:59]

.

2011-04-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-08 00:59]

.

2011-04-06 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

.

2011-04-06 c:\windows\Tasks\User_Feed_Synchronization-{479C7E99-7F92-404A-A968-D4AB250DDB21}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 01:36]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aoa150

mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=0&o=xph&d=0209&m=aoa150

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{E8DAAA30-6CAA-4b58-9603-8E54238219E2} - (no file)

BHO-{FC0D62C2-9640-4AEB-A5D5-CF25DF11FA8C} - (no file)

HKCU-Run-Qdisitu - c:\windows\lndbdbe.dll

HKCU-Run-LGxJuggkBGegHQ - c:\documents and settings\All Users\Application Data\LGxJuggkBGegHQ.exe

HKLM-Run-snp2uvc - c:\windows\vsnp2uvc.exe

HKLM-Run-SelectRebates - c:\program files\SelectRebates\SelectRebates.exe

SafeBoot-klmdb.sys

SafeBoot-mcmscsvc

SafeBoot-MCODS

AddRemove-OfferBox Browser - c:\program files\OfferBox\uninst.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-04-05 23:50

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3288)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\System32\snmp.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxext.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

.

**************************************************************************

.

Completion time: 2011-04-06 00:02:08 - machine was rebooted

ComboFix-quarantined-files.txt 2011-04-06 07:02

.

Pre-Run: 141,900,832,768 bytes free

Post-Run: 142,339,112,960 bytes free

.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

.

- - End Of File - - E8A9974A0CEE5B35B0BEC54781C05DF5

Sooo-oo, after all this, and after this log analysis, do you think a total re-format/re-install is still necessary?

Thanks again, you've made all my spare hours of fighting this damn thing worthwhile!!!!


Hi again,

At this point all active malware seems gone, so you can reconnect to the internet. Whether or not to reformat is up to you; the infections are gone, but you never know what damage they did to Windows.

Can you please rerun DDS and post me attach.txt?


.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 2/16/2009 11:49:50 AM

System Uptime: 4/5/2011 11:46:32 PM (1 hours ago)

.

Motherboard: Acer | |

Processor: Intel® Atom CPU N270 @ 1.60GHz | CPU | 1595/533mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 144 GiB total, 132.6 GiB free.

D: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Atheros AR5007EG Wireless Network Adapter

Device ID: PCI\VEN_168C&DEV_001C&SUBSYS_E008105B&REV_01\4&2803E7C1&0&00E2

Manufacturer: Atheros

Name: Atheros AR5007EG Wireless Network Adapter

PNP Device ID: PCI\VEN_168C&DEV_001C&SUBSYS_E008105B&REV_01\4&2803E7C1&0&00E2

Service: AR5416

.

==== System Restore Points ===================

.

RP1: 3/24/2011 1:09:40 AM - System Checkpoint

RP2: 3/24/2011 1:10:48 AM - Software Distribution Service 3.0

RP3: 3/25/2011 2:06:13 AM - System Checkpoint

RP4: 3/28/2011 1:23:00 AM - System Checkpoint

RP5: 3/28/2011 6:15:50 PM - Installed Java 6 Update 23

RP6: 3/28/2011 6:43:34 PM - Restore Operation

RP7: 3/29/2011 3:00:22 AM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

.

Acer Crystal Eye webcam

Acer ScreenSaver

Acrobat.com

Ad-Aware

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Reader 9

Atheros for Acer Driver v7.6.0.224_Foxconn Installation Program

DivX Web Player

Google Chrome

Google Toolbar for Internet Explorer

Google Update Helper

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

Intel® Graphics Media Accelerator Driver

InterVideo Register Manager

InterVideo WinDVD

Java 6 Update 23

Java 6 Update 3

JMicron JMB38X Flash Media Controller

Launch Manager

Malwarebytes' Anti-Malware

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2416447)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office 2000 Professional

Microsoft Office 2007 Service Pack 2 (SP2)

Microsoft Office Excel MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office Home and Student 2007 Trial

Microsoft Office OneNote MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Suite Activation Assistant

Microsoft Office Web Components

Microsoft Office Word MUI (English) 2007

Microsoft Silverlight

Microsoft Software Update for Web Folders (English) 12

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

Microsoft Works

Move Media Player

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

REALTEK GbE & FE Ethernet PCI-E NIC Driver

Realtek High Definition Audio Driver

Security Update for 2007 Microsoft Office System (KB2288621)

Security Update for 2007 Microsoft Office System (KB2288931)

Security Update for 2007 Microsoft Office System (KB2289158)

Security Update for 2007 Microsoft Office System (KB2344875)

Security Update for 2007 Microsoft Office System (KB2345043)

Security Update for 2007 Microsoft Office System (KB969559)

Security Update for 2007 Microsoft Office System (KB976321)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)

Security Update for Microsoft Office Excel 2007 (KB2345035)

Security Update for Microsoft Office InfoPath 2007 (KB979441)

Security Update for Microsoft Office PowerPoint 2007 (KB982158)

Security Update for Microsoft Office PowerPoint Viewer (KB2413381)

Security Update for Microsoft Office system 2007 (972581)

Security Update for Microsoft Office system 2007 (KB974234)

Security Update for Microsoft Office Visio Viewer 2007 (KB973709)

Security Update for Microsoft Office Word 2007 (KB2344993)

Security Update for Windows Internet Explorer 7 (KB2183461)

Security Update for Windows Internet Explorer 7 (KB2360131)

Security Update for Windows Internet Explorer 7 (KB2416400)

Security Update for Windows Internet Explorer 7 (KB2482017)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 7 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player (KB979402)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2479943)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977165)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978251)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

Spybot - Search & Destroy

Synaptics Pointing Device Driver

Update for 2007 Microsoft Office System (KB967642)

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Office OneNote 2007 (KB980729)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB898461)

Update for Windows XP (KB942763)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

VC80CRTRedist - 8.0.50727.762

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

WebFldrs XP

Windows Defender

Windows Internet Explorer 7

.

==== Event Viewer Messages From Past Week ========

.

4/5/2011 6:26:08 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

4/4/2011 9:32:06 PM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.

4/4/2011 9:30:41 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.

4/3/2011 3:50:23 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip

4/3/2011 3:50:23 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.

4/3/2011 3:50:23 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.

4/3/2011 3:50:23 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.

4/3/2011 3:50:23 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.

4/2/2011 1:22:11 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

4/1/2011 1:46:40 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: Access is denied.

4/1/2011 1:46:40 AM, error: Service Control Manager [7023] - The SAP Agent service terminated with the following error: The specified module could not be found.

4/1/2011 1:46:38 AM, error: SRService [104] - The System Restore initialization process failed.

3/31/2011 4:01:32 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde

3/31/2011 1:46:18 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

3/31/2011 1:09:17 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

3/31/2011 1:06:55 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}

3/31/2011 1:02:51 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm

3/30/2011 11:07:50 PM, error: Service Control Manager [7023] - The Task Scheduler service terminated with the following error: The process cannot access the file because it is being used by another process.

3/30/2011 10:59:45 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the ShellHWDetection service.

3/30/2011 10:59:14 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Netman service.

3/30/2011 10:59:12 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.

3/30/2011 10:58:44 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.

3/30/2011 10:57:56 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.

3/30/2011 10:57:20 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the RasMan service.

3/30/2011 10:56:46 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the W32Time service.

3/30/2011 1:58:24 AM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

.

==== End Of File ===========================

Hope this was ok...you did say, "post", not attach zip, so wasn't sure.

Hey, Elise, I can't tell you how much I appreciate your expertise. I'd like to know more about exactly what went wrong here to protect against it occurring again. Any chance you could hit me up on my email for a little more in-depth analysis of the compromise, sort of a play-by-play? Maybe what to beef up to defend against it again?

Oh, and I ran that defogger program before our correspondence started...do I have to re-run that to re-enable those CD-ROM mimicking devices, or something?

One last thing....my Windows Updates are still disabled on the Security Center. I might be able to figure that out...

HEY EVERYONE.....ELISE R-O-C-K-S!!!!!!!!

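The Event Viewer block at the end of the DDS log above is the part a helper reads first, because a 7026 event that names the whole TCP/IP stack (AFD, Tcpip, IPSec, NetBT, MRxSmb) next to a System Restore service dying with "Access is denied" matches the boot and network symptoms described at the top of the thread. As an added example, not from the thread or from the DDS tool, the Python below parses lines in the shape DDS prints and pulls out exactly those two patterns. The sample lines are copied in form from the posted log; the driver set and the three-driver threshold are choices made for this example, not anything DDS or Malwarebytes define.

```python
"""Triage the 'Event Viewer Messages' block that DDS appends to its log.

Two patterns are pulled out: Service Control Manager event 7026 listing
boot-start drivers that failed to load (several network-stack drivers
failing together is worth a close look, since it is commonly seen when a
network driver has been damaged or replaced), and event 7023 where a
service stopped with 'Access is denied'.
"""
import re

# Constructed sample: lines in the exact shape DDS prints, copied in form
# from the log posted in this thread.
SAMPLE_EVENTS = """\
4/3/2011 3:50:23 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
4/3/2011 3:50:23 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
4/1/2011 1:46:40 AM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: Access is denied.
3/31/2011 1:02:51 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm
3/30/2011 1:58:24 AM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
"""

# "<date> <time> AM/PM, <level>: <source> [<event id>] - <message>"
EVENT_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<message>.*)$"
)

# Kernel drivers that make up the XP network stack and SMB redirector.
# This set and the threshold below are assumptions made for this example.
NETWORK_STACK = {"AFD", "Tcpip", "IPSec", "NetBT", "NetBIOS", "MRxSmb", "Rdbss", "RasAcd"}
MIN_NETWORK_HITS = 3


def parse_events(text):
    """Return one dict per parseable event line; anything else is skipped."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events


def failed_drivers(events):
    """Union of driver names from every SCM 7026 'failed to load' event."""
    failed = set()
    for ev in events:
        if ev["event_id"] == 7026 and "failed to load:" in ev["message"]:
            failed.update(ev["message"].split("failed to load:", 1)[1].split())
    return failed


def triage_events(text):
    """Parse a DDS event block and return counts plus a list of findings."""
    events = parse_events(text)
    failed = failed_drivers(events)
    network_hits = sorted(failed & NETWORK_STACK)
    findings = []
    if len(network_hits) >= MIN_NETWORK_HITS:
        findings.append(("network-stack drivers failed to load", network_hits))
    for ev in events:
        if ev["event_id"] == 7023 and "Access is denied" in ev["message"]:
            findings.append(("service stopped with access denied", ev["message"]))
    return {"events": len(events), "failed_drivers": sorted(failed), "findings": findings}


if __name__ == "__main__":
    for kind, detail in triage_events(SAMPLE_EVENTS)["findings"]:
        print(f"{kind}: {detail}")
```

To run it over a real DDS log, paste the block between the "Event Viewer Messages" header and the "End Of File" line into a file and call `triage_events()` on its contents; the long list of storage drivers in the 3/31 7026 event (abp480n5, adpu160m and so on) is deliberately not in the flagged set, since none of those are network components.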

Hi again,

Please launch MBAM, update it and run a full scan. Post me the resulting log.

Your version of Adobe Reader is outdated. Older versions have known security vulnerabilities that can be exploited by malware. I recommend you visit Adobe's website and download the latest version (Adobe Reader X).

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.


OK here's the MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6292

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

4/6/2011 7:18:02 PM

mbam-log-2011-04-06 (19-18-02).txt

Scan type: Full scan (C:\|)

Objects scanned: 208503

Time elapsed: 1 hour(s), 33 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Again, thank you so much, Elise. You're truly a CyberGoddess!


Elise?

I was wondering if you thought any additional action may be necessary for the following MBAM log off my main PC:

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6292

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/6/2011 10:22:11 PM

mbam-log-2011-04-06 (22-22-10).txt

Scan type: Full scan (C:\|D:\|E:\|)

Objects scanned: 228306

Time elapsed: 1 hour(s), 23 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 7

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} (Adware.Need2Find) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494E6CEC-7483-A4EE-0938-895519A84BC7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

c:\program files\accessories\Common (Trojan.Logger) -> Quarantined and deleted successfully.

c:\program files\accessories\Common\WC (Trojan.Logger) -> Quarantined and deleted successfully.

Files Infected:

c:\documents and settings\D-Nice\local settings\Temp\att-sst_installer\Setup\motiveclient\AXB.exe (Adware.BHO) -> Quarantined and deleted successfully.

c:\WINDOWS\temp\tmp00000003577b422b2a50c5c4 (Trojan.Dropper) -> Quarantined and deleted successfully.

And also, I tried with everything I know how to do to get my automatic updates installed again. I can't even install them manually from the Windows website. I restored default security settings in IE Internet Options as it recommends, and I tried to enter the Windows URL into Trusted Sites, but it indicates "must use the https:// prefix" for a safe connection. I'm at a loss again, here....any ideas?

Thanks again.

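For the MBAM log above, the question worth answering before anything else is what the seven "Registry Keys Infected" entries actually are. As an added example, not part of the thread and not Malwarebytes' own tooling, the Python below parses the MBAM 1.50 log layout, checks the summary counts against the entries listed under each heading, folds HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 together (both name the LocalSystem profile hive, which is why each Backdoor.Bot key appears twice), and lists anything whose action is not "Quarantined and deleted successfully". The sample is constructed from shortened lines of the log above plus one made-up "No action taken" entry so that last check has something to find.

```python
"""Parse the detection entries of a Malwarebytes' Anti-Malware 1.50 log.

Beyond listing detections, this folds HKEY_USERS\\.DEFAULT and
HKEY_USERS\\S-1-5-18 together (both name the LocalSystem profile hive, so
MBAM reports the same key twice), checks the summary counts against the
entries actually listed, and calls out anything not quarantined.
"""
import re
from collections import defaultdict

# Constructed sample in the MBAM 1.50 layout: shortened lines from the log
# posted in this thread, plus one made-up "No action taken" entry.
SAMPLE_LOG = """\
Registry Keys Infected: 3
Registry Values Infected: 0
Folders Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{4D1C4E81-A32A-416B-BCDB-33B3EF3617D3} (Adware.Need2Find) -> Quarantined and deleted successfully.
HKEY_USERS\\.DEFAULT\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\\S-1-5-18\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\{19127AD2-394B-70F5-C650-B97867BAA1F7} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Folders Infected:
c:\\program files\\accessories\\Common (Trojan.Logger) -> Quarantined and deleted successfully.

Files Infected:
c:\\WINDOWS\\temp\\tmp00000003577b422b2a50c5c4 (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\\documents and settings\\D-Nice\\local settings\\Temp\\att-sst_installer\\Setup\\motiveclient\\AXB.exe (Adware.BHO) -> No action taken.
"""

# "Registry Keys Infected: 7" (summary) or "Registry Keys Infected:" (section start)
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):(?:\s*(?P<count>\d+))?$")
# "<path> (<family>) -> <action>."  The path is greedy so parentheses
# inside a path (e.g. "Program Files (x86)") do not end it early.
DETECTION_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
SYSTEM_ALIASES = ("HKEY_USERS\\.DEFAULT\\", "HKEY_USERS\\S-1-5-18\\")
REMOVED = "Quarantined and deleted successfully"


def parse_mbam(text):
    """Return (summary counts by section, list of detection dicts)."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("section")] = int(m.group("count"))
            else:
                section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section:
            detections.append({"section": section, **m.groupdict()})
    return summary, detections


def canonical(path):
    """Rewrite the .DEFAULT alias to the S-1-5-18 form so duplicates collapse."""
    if path.startswith(SYSTEM_ALIASES[0]):
        return SYSTEM_ALIASES[1] + path[len(SYSTEM_ALIASES[0]):]
    return path


def triage_mbam(text):
    """Summarise an MBAM log: count checks, distinct keys, SYSTEM-scope keys, leftovers."""
    summary, detections = parse_mbam(text)
    by_section = defaultdict(list)
    for d in detections:
        by_section[d["section"]].append(d)
    # Summary line says N, but a different number of entries follow the heading.
    mismatches = {s: (n, len(by_section[s])) for s, n in summary.items() if n != len(by_section[s])}
    reg = by_section["Registry Keys Infected"]
    distinct = {canonical(d["path"]) for d in reg}
    system_keys = {canonical(d["path"]) for d in reg if d["path"].startswith(SYSTEM_ALIASES)}
    return {
        "summary_mismatches": mismatches,
        "registry_entries": len(reg),
        "distinct_registry_keys": len(distinct),
        "system_account_keys": sorted(system_keys),
        "not_removed": [d["path"] for d in detections if d["action"] != REMOVED],
        "families": sorted({d["family"] for d in detections}),
    }


if __name__ == "__main__":
    for key, value in triage_mbam(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log above, the same code reports seven registry entries but four distinct keys: the Adware.Need2Find key under HKEY_CURRENT_USER and three Backdoor.Bot keys that live in the SYSTEM account's hive and were listed under both of its names. Keys under S-1-5-18 rather than the logged-in user's hive are the detail worth mentioning to a helper, since they point at something that ran as LocalSystem, not just in the user's session.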

Hi, please help me understand here, the first log is from this computer and the second from another? If so, to avoid confusion, please start a new topic for the second computer. You can post me the link and I'll reply to it. Working on two different computers in one topic causes confusion because it can be hard to determine which log is from which computer.

Is the update problem on the computer we are cleaning here? If so, follow the steps here and see if it works afterwards.


I'm glad to hear that. :)

Let's do one last scan to check for leftovers before calling it clean.

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the ESET Smart Installer icon on your desktop.
  4. Check the box to accept the terms of use.
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives.
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push List of found threats.
  11. Push Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
  12. Push the Back button.
  13. Push Finish.


OK been out of town for the weekend. I found these results with the log:

C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\39\5bca41a7-70dacaae multiple threats deleted - quarantined

C:\Documents and Settings\Toni Rosalino\Application Data\Sun\Java\Deployment\cache\6.0\25\4898c5d9-663ba405 Java/TrojanDownloader.Agent.NCM trojan deleted - quarantined

C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP6\A0004601.dll a variant of Win32/Kryptik.KNA trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{D24A3BE8-4CBB-48D0-81AD-ACAFA6A6C48B}\RP7\A0014934.dll a variant of Win32/Kryptik.MHG trojan cleaned by deleting - quarantined

I'm glad you had me check with this. Let me know what I should do next. Rats-I'm a little discouraged it found anything; it's running so much better...:-(


Don't worry, two items were leftovers, the other two Java cache objects, nothing to worry about. :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • SpywareBlaster
      A tutorial for SpywareBlaster can be found here. If you wish, the commercial version provides automatic updating.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


Um...actually, Elise...there is one more thing.

Since all the repairs, my volume has been FRIED. Almost sounds like a blown internal speaker.

I had used that defogger before we talked as suggested on this site to disable drivers, etc, that run like cd roms.

I've just re-enabled those with the defogger, and am now going to restart and see if that was it.

Do you have any ideas on what the culprit could be?

You know when the system is unresponsive while using the volume control, then it jumps into action abruptly, and you hear all the volume cues in rapid succession? Sounds like that every time I adjust the volume.

?

Thanks(again-sigh..!)

d



Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.