Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:38:25 AM, on 5/10/2011

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17096)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe

c:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Symantec AntiVirus\vpc32.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rhodeisland.cox.net/cci/home

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rhodeisland.cox.net/cci/home

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: agihelper.AGUtils - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - mscoree.dll (file missing)

O2 - BHO: (no name) - {01ABB845-3133-4E43-9B76-50980563376c} - C:\WINDOWS\system32\atitvo3232.dll

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: agihelper.AGUtils - {0bc6e3fa-78ef-4886-842c-5a1258c4455a} - mscoree.dll (file missing)

O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O2 - BHO: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll

O2 - BHO: (no name) - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll

O2 - BHO: Updater For Simppull Toolbar - {C4B8BAB4-1667-11DF-A242-BA9455D89593} - C:\Program Files\simppulltoolbar\auxi\simppulltoolbAu.dll (file missing)

O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O2 - BHO: (no name) - {E4E6BF2A-1667-11DF-A01F-1F9655D89593} - (no file)

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Yontoo Layers - {FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - C:\Program Files\Yontoo Layers Client\YontooIEClient.dll (file missing)

O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll

O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll

O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Enterprise

O4 - HKLM\..\Run: [sMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')

O4 - Startup: America Online 5.0 Tray Icon.lnk = C:\America Online 5.0a\aoltray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

O20 - AppInit_DLLs: C:\WINDOWS\system32\keymgr32.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: AG Core Services (AGCoreService) - AG Interactive - C:\Program Files\AGI\core\4.2.0.10754\AGCoreService.exe

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--

End of file - 12158 bytes

Hi RIman34

We need to look at some information about what is going on in your computer:

Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.
  • The instructions here ask you to attach the Attach.txt.
    DDS.jpg
  • Instead of attaching, please copy/paste both logs into your Thread.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.

After downloading the tool, disconnect from the internet and disable all antivirus protection.

Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE. Then post your DDS logs (DDS.txt and Attach.txt).

Next

Please Download Rootkit Unhooker Save it to your desktop.

  • Extract RKUnhooker to your desktop.
    Note** it is zipped up in a .rar file. If you do not have a program to unzip this type of file, you can get a free one from here: http://www.7-zip.org/

  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.

Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is ok, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Just click on Cancel, then Accept.

In your next reply, please include these log(s):

1. DDS.txt
2. Attach.txt
3. RKU log

Here is the attach.txt log

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_11-03-05.01)

.

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume2

Install Date: 12/25/2005 11:19:30 AM

System Uptime: 5/12/2011 11:43:30 AM (0 hours ago)

.

Motherboard: MSI | | AMETHYST-M

Processor: AMD Athlon 64 Processor 3400+ | Socket 939 | 1772/200mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 143 GiB total, 103.33 GiB free.

D: is FIXED (FAT32) - 6 GiB total, 1.176 GiB free.

E: is CDROM ()

F: is Removable

G: is Removable

H: is Removable

I: is Removable

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

3100_3200_3300_Help

3100_3200_3300trb

3200

AbiWord 2.6.4

Acronis

RKU Log

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #1

==============================================

>Drivers

==============================================

0xF1DCB000 C:\WINDOWS\system32\DRIVERS\95937261.sys 5373952 bytes (Kaspersky Lab, Kaspersky Unified Driver)

0xBF0B6000 C:\WINDOWS\System32\ati3duag.dll 2363392 bytes (ATI Technologies Inc. , ati3duag.dll)

0xF6CB0000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 2318336 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2154496 bytes

0x804D7000 RAW 2154496 bytes

0x804D7000 WMIxWDM 2154496 bytes

0xBF800000 Win32k 1859584 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xEE8E0000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110511.002\navex15.sys 1388544 bytes (Symantec Corporation, AV Engine)

0xF7060000 C:\WINDOWS\system32\DRIVERS\ati2mtag.sys 1306624 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0xF6EF9000 C:\WINDOWS\system32\DRIVERS\AGRSM.sys 1097728 bytes (Agere Systems, SoftModem Device Driver)

0xF743C000 iaStor.sys 872448 bytes (Intel Corporation, Intel Matrix Storage Manager driver)

0xBF2F7000 C:\WINDOWS\System32\ativvaxx.dll 651264 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0xF7360000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xF2367000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xF72C8000 timntr.sys 438272 bytes (Acronis, Acronis True Image Backup Archive Explorer)

0xF2402000 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 401408 bytes (Symantec Corporation, SPBBC Driver)

0xF2309000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)

0xF6B2A000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xF24E9000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xF726F000 tdrpman.sys 364544 bytes (Acronis, Acronis Try&Decide and Restore Points Volume Filter Driver)

0xF2920000 C:\Program Files\Symantec AntiVirus\savrt.sys 360448 bytes (Symantec Corporation, AutoProtect)

0xEF2BF000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)

0xF2575000 C:\WINDOWS\system32\DRIVERS\9593726.sys 331776 bytes (Kaspersky Lab, Klif Mini-Filter [fre_wnet_x86])

0xBF396000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xEEDCE000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xBF012000 C:\WINDOWS\System32\ati2dvag.dll 249856 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xF24AE000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 241664 bytes (Symantec Corporation, Network Dispatch Driver)

0xBF082000 C:\WINDOWS\System32\atikvmag.dll 212992 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xBF04F000 C:\WINDOWS\System32\ati2cqag.dll 208896 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xF7541000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xEF51F000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xF7333000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xEE469000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xF23D7000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xF2486000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xF1DA7000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xF6C8C000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xF7028000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xF7005000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xF2464000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0xF28FE000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 139264 bytes (Symantec Corporation, Symantec Event Library)

0x806E5000 ACPI_HAL 134400 bytes

0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xF7404000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xF7511000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xF22EB000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 122880 bytes (Symantec Corporation, Symantec Eraser Utility Driver)

0xF7251000 snapman.sys 122880 bytes (Acronis, Acronis Snapshot API)

0xF7237000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xF7424000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xF1D8F000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xF73ED000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xF6C61000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xEF63A000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xEE8CC000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110511.002\naveng.sys 81920 bytes (Symantec Corporation, AV Engine)

0xF6C78000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xF28EA000 C:\Program Files\Symantec AntiVirus\Savrtpel.sys 81920 bytes (Symantec Corporation, SAVRTPEL)

0xF704C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xF2542000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xF6EE6000 C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys 77824 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xF7530000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xF6C28000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xEF7DF000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xF7820000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xF7840000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)

0xF7680000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)

0xF6BE8000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)

0xF7850000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xF7830000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xEF79F000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xF7710000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xF7690000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)

0xF7800000 C:\WINDOWS\system32\DRIVERS\AmdK8.sys 57344 bytes (Advanced Micro Devices, AMD Processor Driver)

0xF6C08000 C:\WINDOWS\system32\Drivers\NEOFLTR_550_12857.SYS 57344 bytes (Juniper Networks, NetBIOS Redirector)

0xF76E0000 95937262.sys 53248 bytes (Kaspersky Lab, Kaspersky Lab Boot Guard Driver)

0xF76D0000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xF7860000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xF7870000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xF76B0000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xF27A5000 C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys 49152 bytes (Microsoft Corporation, Family Safety Filter Driver (TDI))

0xF7890000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xF6BB8000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xF7810000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xF76A0000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xF7880000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xF7670000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xF78C0000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xEE7EC000 C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 40960 bytes (Symantec Corporation, Redirector Filter Driver)

0xF78B0000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xF7780000 C:\WINDOWS\system32\DRIVERS\tifsfilt.sys 40960 bytes (Acronis, Acronis True Image File System Filter)

0xF76C0000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xF78A0000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xF6BD8000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xEE5D4000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xF6BF8000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xF79A0000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)

0xF7A58000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xF7990000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xF7A38000 C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\mbr.sys 28672 bytes

0xF78F0000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xF7A08000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)

0xF7998000 C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)

0xF79B8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xF79A8000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xF7A48000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xF79D8000 C:\WINDOWS\system32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))

0xF7A50000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xF79E0000 C:\WINDOWS\system32\DRIVERS\NkVBus.sys 20480 bytes (Nikon Corporation, Virtual Bus Device Driver)

0xF78F8000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xF79B0000 C:\WINDOWS\system32\DRIVERS\PS2.sys 20480 bytes (Hewlett-Packard Company, PS2 SYS)

0xF79C8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xF7900000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xF79D0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xF79C0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xF7988000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xF7A78000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xF71D7000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xEFB77000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xF7A80000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xF2739000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xF71EB000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xF2851000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xF7BCE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xF7BF4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xF7BC6000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xF7B76000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)

0xF7B70000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xF7BD2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xF7BD4000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xF7B8A000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xF7B8C000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xF7B74000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

0xF7B72000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xF7C89000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xF7CF9000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xF7D03000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xF7C38000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

==============================================

>Stealth

==============================================

WARNING: Virus alike driver modification [acpiec.sys]

WARNING: Virus alike driver modification [cpqdap01.sys]

WARNING: Virus alike driver modification [nikedrv.sys]

WARNING: Virus alike driver modification [rio8drv.sys]

WARNING: Virus alike driver modification [riodrv.sys]

WARNING: Virus alike driver modification [ws2ifsl.sys]

WARNING: Virus alike driver modification [fsvga.sys]

WARNING: Virus alike driver modification [cbidf2k.sys]

WARNING: Virus alike driver modification [smclib.sys]

WARNING: Virus alike driver modification [Hdaudio.sys]

WARNING: Virus alike driver modification [wpdusb.sys]

WARNING: Virus alike driver modification [tsbvcap.sys]

WARNING: Virus alike driver modification [cinemst2.sys]

WARNING: Virus alike driver modification [sonyhcs.sys]

WARNING: Virus alike driver modification [atmepvc.sys]

WARNING: Virus alike driver modification [rawwan.sys]

WARNING: Virus alike driver modification [atmuni.sys]

WARNING: Virus alike driver modification [sonyhcc.sys]

WARNING: Virus alike driver modification [tosdvd.sys]

WARNING: Virus alike driver modification [nwlnkspx.sys]

WARNING: Virus alike driver modification [vdmindvd.sys]

WARNING: Virus alike driver modification [rootmdm.sys]

WARNING: Virus alike driver modification [sonyhcb.sys]

WARNING: Virus alike driver modification [nwlnknb.sys]

WARNING: Virus alike driver modification [enum1394.sys]

WARNING: Virus alike driver modification [parvdm.sys]

WARNING: Virus alike driver modification [mcd.sys]

Hi,

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • Click the Report button and copy/paste the contents of it into your next reply

Note: It will also create a log in the C:\ directory.

Next

  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply with the TDSSKiller log
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.
    ---------------------------------------------------------------------------------------------


TDS Log

2011/05/12 14:10:16.0734 3964 TDSS rootkit removing tool 2.5.0.0 May 1 2011 14:20:16

2011/05/12 14:10:17.0172 3964 ================================================================================

2011/05/12 14:10:17.0172 3964 SystemInfo:

2011/05/12 14:10:17.0172 3964

2011/05/12 14:10:17.0172 3964 OS Version: 5.1.2600 ServicePack: 3.0

2011/05/12 14:10:17.0172 3964 Product type: Workstation

2011/05/12 14:10:17.0172 3964 ComputerName: DADS

2011/05/12 14:10:17.0172 3964 UserName: Compaq_Owner

2011/05/12 14:10:17.0172 3964 Windows directory: C:\WINDOWS

2011/05/12 14:10:17.0172 3964 System windows directory: C:\WINDOWS

2011/05/12 14:10:17.0172 3964 Processor architecture: Intel x86

2011/05/12 14:10:17.0172 3964 Number of processors: 1

2011/05/12 14:10:17.0172 3964 Page size: 0x1000

2011/05/12 14:10:17.0172 3964 Boot type: Normal boot

2011/05/12 14:10:17.0172 3964 ================================================================================

2011/05/12 14:10:17.0594 3964 Initialize success

2011/05/12 14:10:20.0594 2180 ================================================================================

2011/05/12 14:10:20.0594 2180 Scan started

2011/05/12 14:10:20.0594 2180 Mode: Manual;

2011/05/12 14:10:20.0594 2180 ================================================================================

2011/05/12 14:10:22.0468 2180 95937261 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\95937261.sys

2011/05/12 14:10:22.0968 2180 95937262 (a305fad3719c5db0c13d1c2bfd08a04d) C:\WINDOWS\system32\DRIVERS\95937262.sys

2011/05/12 14:10:23.0468 2180 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2011/05/12 14:10:23.0656 2180 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2011/05/12 14:10:23.0968 2180 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2011/05/12 14:10:24.0203 2180 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys

2011/05/12 14:10:24.0484 2180 AgereSoftModem (34f27c7d71f1c49c7d3857f28b42f544) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2011/05/12 14:10:25.0265 2180 ALCXWDM (781c5ec517c53f5214b61253b20c13c4) C:\WINDOWS\system32\drivers\ALCXWDM.SYS

2011/05/12 14:10:25.0750 2180 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys

2011/05/12 14:10:26.0125 2180 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2011/05/12 14:10:26.0812 2180 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2011/05/12 14:10:27.0046 2180 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2011/05/12 14:10:27.0406 2180 ati2mtag (b33a281dcdf455b069816790275050a7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2011/05/12 14:10:27.0687 2180 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2011/05/12 14:10:27.0874 2180 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2011/05/12 14:10:28.0078 2180 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2011/05/12 14:10:28.0359 2180 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2011/05/12 14:10:28.0702 2180 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2011/05/12 14:10:28.0921 2180 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2011/05/12 14:10:29.0124 2180 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2011/05/12 14:10:30.0155 2180 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2011/05/12 14:10:30.0437 2180 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2011/05/12 14:10:30.0687 2180 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2011/05/12 14:10:30.0890 2180 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2011/05/12 14:10:31.0109 2180 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2011/05/12 14:10:31.0546 2180 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2011/05/12 14:10:31.0718 2180 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

2011/05/12 14:10:31.0937 2180 EraserUtilRebootDrv (17fcc372d03ba39f3aee85198c0ec594) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

2011/05/12 14:10:32.0187 2180 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2011/05/12 14:10:32.0421 2180 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2011/05/12 14:10:32.0655 2180 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2011/05/12 14:10:32.0874 2180 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2011/05/12 14:10:33.0093 2180 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2011/05/12 14:10:33.0296 2180 fssfltr (eda991753af03e5b06935be114ba9640) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys

2011/05/12 14:10:33.0530 2180 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2011/05/12 14:10:33.0749 2180 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2011/05/12 14:10:34.0108 2180 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2011/05/12 14:10:34.0343 2180 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2011/05/12 14:10:34.0718 2180 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2011/05/12 14:10:34.0921 2180 HPFECP15 (b5802e7642220d5b835d2b5925385a21) C:\WINDOWS\System32\drivers\HPFECP15.SYS

2011/05/12 14:10:35.0311 2180 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

2011/05/12 14:10:35.0530 2180 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

2011/05/12 14:10:35.0749 2180 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

2011/05/12 14:10:35.0983 2180 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2011/05/12 14:10:36.0514 2180 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2011/05/12 14:10:36.0780 2180 iaStor (79ae2a97c120f282845d854d0f070ea9) C:\WINDOWS\system32\DRIVERS\iaStor.sys

2011/05/12 14:10:37.0030 2180 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2011/05/12 14:10:37.0436 2180 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2011/05/12 14:10:37.0655 2180 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2011/05/12 14:10:37.0843 2180 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2011/05/12 14:10:38.0046 2180 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2011/05/12 14:10:38.0249 2180 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2011/05/12 14:10:38.0483 2180 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2011/05/12 14:10:38.0717 2180 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2011/05/12 14:10:38.0905 2180 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2011/05/12 14:10:39.0124 2180 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2011/05/12 14:10:39.0342 2180 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2011/05/12 14:10:39.0561 2180 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2011/05/12 14:10:39.0749 2180 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2011/05/12 14:10:40.0186 2180 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2011/05/12 14:10:40.0420 2180 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2011/05/12 14:10:40.0624 2180 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2011/05/12 14:10:40.0827 2180 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2011/05/12 14:10:41.0061 2180 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2011/05/12 14:10:41.0420 2180 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2011/05/12 14:10:41.0639 2180 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2011/05/12 14:10:41.0889 2180 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2011/05/12 14:10:42.0077 2180 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2011/05/12 14:10:42.0264 2180 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2011/05/12 14:10:42.0467 2180 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2011/05/12 14:10:42.0655 2180 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2011/05/12 14:10:42.0889 2180 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2011/05/12 14:10:43.0061 2180 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110512.002\naveng.sys

2011/05/12 14:10:43.0311 2180 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20110512.002\navex15.sys

2011/05/12 14:10:43.0639 2180 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2011/05/12 14:10:43.0842 2180 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2011/05/12 14:10:44.0045 2180 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2011/05/12 14:10:44.0264 2180 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2011/05/12 14:10:44.0483 2180 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

2011/05/12 14:10:44.0701 2180 NEOFLTR_550_12857 (f9ffbdfc54a7c6890802f71f366faae7) C:\WINDOWS\system32\Drivers\NEOFLTR_550_12857.SYS

2011/05/12 14:10:44.0920 2180 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2011/05/12 14:10:45.0123 2180 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2011/05/12 14:10:45.0389 2180 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2011/05/12 14:10:45.0764 2180 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2011/05/12 14:10:45.0998 2180 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2011/05/12 14:10:46.0233 2180 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2011/05/12 14:10:46.0420 2180 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2011/05/12 14:10:46.0639 2180 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2011/05/12 14:10:46.0842 2180 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2011/05/12 14:10:47.0029 2180 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2011/05/12 14:10:47.0248 2180 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2011/05/12 14:10:47.0451 2180 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2011/05/12 14:10:47.0654 2180 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2011/05/12 14:10:47.0998 2180 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2011/05/12 14:10:48.0201 2180 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2011/05/12 14:10:48.0982 2180 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2011/05/12 14:10:49.0186 2180 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys

2011/05/12 14:10:49.0404 2180 Ps2 (390c204ced3785609ab24e9c52054a84) C:\WINDOWS\system32\DRIVERS\PS2.sys

2011/05/12 14:10:49.0607 2180 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2011/05/12 14:10:49.0842 2180 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2011/05/12 14:10:50.0045 2180 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2011/05/12 14:10:50.0904 2180 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2011/05/12 14:10:51.0123 2180 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2011/05/12 14:10:51.0342 2180 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2011/05/12 14:10:51.0560 2180 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2011/05/12 14:10:51.0779 2180 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2011/05/12 14:10:51.0982 2180 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2011/05/12 14:10:52.0217 2180 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2011/05/12 14:10:52.0498 2180 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2011/05/12 14:10:52.0748 2180 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys

2011/05/12 14:10:52.0967 2180 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS

2011/05/12 14:10:53.0123 2180 SAVRT (12b6e269ef8ac8ea36122544c8a1b6d8) C:\Program Files\Symantec AntiVirus\savrt.sys

2011/05/12 14:10:53.0217 2180 SAVRTPEL (97e5b6f3f95465e1f59360b59d8ec64e) C:\Program Files\Symantec AntiVirus\Savrtpel.sys

2011/05/12 14:10:53.0498 2180 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2011/05/12 14:10:53.0716 2180 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys

2011/05/12 14:10:53.0966 2180 setup_9.0.0.722_11.05.2011_15-39drv (66ef49622baa18e4d4f1fe4bae1d51b8) C:\WINDOWS\system32\DRIVERS\9593726.sys

2011/05/12 14:10:54.0185 2180 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2011/05/12 14:10:54.0560 2180 snapman (bcc773872041aa59bc9a6cf770fb32e2) C:\WINDOWS\system32\DRIVERS\snapman.sys

2011/05/12 14:10:54.0873 2180 SPBBCDrv (ef9760a364d836a0ce6149ebdf71524d) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys

2011/05/12 14:10:55.0138 2180 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2011/05/12 14:10:55.0373 2180 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2011/05/12 14:10:55.0607 2180 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

2011/05/12 14:10:55.0857 2180 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2011/05/12 14:10:56.0076 2180 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2011/05/12 14:10:56.0607 2180 SymEvent (49b20b430a4f219173f823536944474a) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

2011/05/12 14:10:56.0826 2180 SYMREDRV (626f733be7f951116c5c0804b068666c) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS

2011/05/12 14:10:57.0060 2180 SYMTDI (cb7cc4ddbe09e224d4cd876760ba982c) C:\WINDOWS\System32\Drivers\SYMTDI.SYS

2011/05/12 14:10:57.0638 2180 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2011/05/12 14:10:57.0888 2180 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/05/12 14:10:58.0122 2180 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2011/05/12 14:10:58.0357 2180 tdrpman (eb53ec341458256deae2ad58822c4a17) C:\WINDOWS\system32\DRIVERS\tdrpman.sys

2011/05/12 14:10:58.0591 2180 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2011/05/12 14:10:58.0810 2180 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2011/05/12 14:10:59.0044 2180 tifsfilter (b0b3122bff3910e0ba97014045467778) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

2011/05/12 14:10:59.0263 2180 timounter (13bfe330880ac0ce8672d00aa5aff738) C:\WINDOWS\system32\DRIVERS\timntr.sys

2011/05/12 14:10:59.0575 2180 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2011/05/12 14:10:59.0966 2180 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2011/05/12 14:11:00.0232 2180 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys

2011/05/12 14:11:00.0450 2180 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2011/05/12 14:11:00.0654 2180 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/05/12 14:11:00.0872 2180 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/05/12 14:11:01.0107 2180 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/05/12 14:11:01.0325 2180 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/05/12 14:11:01.0528 2180 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/05/12 14:11:01.0732 2180 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/05/12 14:11:01.0950 2180 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/05/12 14:11:02.0153 2180 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/05/12 14:11:02.0357 2180 VBus (2f819aa4b3171efc050b648430800dc2) C:\WINDOWS\system32\DRIVERS\NkVBus.sys

2011/05/12 14:11:02.0575 2180 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/05/12 14:11:02.0778 2180 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2011/05/12 14:11:02.0982 2180 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/05/12 14:11:03.0216 2180 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/05/12 14:11:03.0450 2180 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys

2011/05/12 14:11:03.0700 2180 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/05/12 14:11:03.0997 2180 WpdUsb (c1b3d9d75c3fb735f5fa3a5806aded57) C:\WINDOWS\system32\Drivers\wpdusb.sys

2011/05/12 14:11:04.0216 2180 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/05/12 14:11:04.0372 2180 ================================================================================

2011/05/12 14:11:04.0372 2180 Scan finished

2011/05/12 14:11:04.0372 2180 ================================================================================

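The GMER Stealth warnings earlier in the thread and the TDSSKiller listing just above both name driver files, so the practical next step is to line them up: which GMER-flagged files TDSSKiller also enumerated (and with what MD5, so it can be compared with a known-clean copy), and which listed drivers have a name or location worth a second look. The script below does that over a constructed subset of both logs. It is an added example, not code from TDSSKiller, GMER or the helper, and its heuristics (digit-only file names, files outside the system drivers directory, the `SYSTEM_DRIVER_DIR` constant) are assumptions for illustration, not either tool's detection logic.

```python
"""Triage a TDSSKiller driver listing against a GMER 'Stealth' section.

Added example for this thread; not code from TDSSKiller, GMER or the helper.
Sample lines are a constructed subset copied from the logs posted above; the
naming and path heuristics are assumptions, not either tool's detection logic.
"""
import re
from collections import namedtuple

# TDSSKiller driver line: <date> <time> <pid> <service> (<md5>) <path>
TDSS_RE = re.compile(
    r"^\S+ \S+ \d+ (?P<service>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$"
)
# GMER Stealth warning: WARNING: Virus alike driver modification [<file>]
GMER_RE = re.compile(r"Virus alike driver modification \[(?P<name>[^\]]+)\]")

Driver = namedtuple("Driver", "service md5 path")

# Assumption: loaded drivers on this XP host normally live here. Anything
# elsewhere is only 'worth a look'; AV vendors ship drivers under Program
# Files too (Symantec does in the log above).
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"

# Constructed subset of the TDSSKiller log posted above.
TDSS_SAMPLE = [
    r"2011/05/12 14:10:22.0468 2180 95937261 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\95937261.sys",
    r"2011/05/12 14:10:23.0656 2180 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys",
    r"2011/05/12 14:10:31.0718 2180 eeCtrl (5461f01b7def17dc90d90b029f874c3b) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys",
    r"2011/05/12 14:10:53.0966 2180 setup_9.0.0.722_11.05.2011_15-39drv (66ef49622baa18e4d4f1fe4bae1d51b8) C:\WINDOWS\system32\DRIVERS\9593726.sys",
    r"2011/05/12 14:11:04.0216 2180 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys",
    r"2011/05/12 14:11:04.0372 2180 Scan finished",
]

# Constructed subset of the GMER Stealth section posted above.
GMER_SAMPLE = [
    "WARNING: Virus alike driver modification [acpiec.sys]",
    "WARNING: Virus alike driver modification [ws2ifsl.sys]",
    "WARNING: Virus alike driver modification [mcd.sys]",
]


def parse_tdss(lines):
    """Return a Driver for every TDSSKiller line that lists a driver file."""
    drivers = []
    for line in lines:
        m = TDSS_RE.match(line.strip())
        if m:
            drivers.append(Driver(m["service"], m["md5"], m["path"]))
    return drivers


def parse_gmer(lines):
    """Return the lower-cased file names GMER flagged in its Stealth section."""
    flagged = set()
    for line in lines:
        m = GMER_RE.search(line)
        if m:
            flagged.add(m["name"].lower())
    return flagged


def file_name(path):
    return path.rsplit("\\", 1)[-1]


def has_numeric_name(driver):
    """True when the file stem is digits only (e.g. 95937261.sys)."""
    return file_name(driver.path).rsplit(".", 1)[0].isdigit()


def outside_system_dir(driver):
    """True when the driver file is not under the system drivers directory."""
    folder = driver.path.rsplit("\\", 1)[0].lower()
    return not folder.startswith(SYSTEM_DRIVER_DIR)


def triage(tdss_lines, gmer_lines):
    """Cross-reference both logs into review queues (not verdicts).

    numeric     : drivers with digit-only file names
    nonsystem   : drivers loaded from outside the system drivers directory
    gmer_hashes : GMER-flagged name -> MD5 from TDSSKiller, or None when
                  TDSSKiller did not list that file at all
    """
    drivers = parse_tdss(tdss_lines)
    by_name = {file_name(d.path).lower(): d.md5 for d in drivers}
    return {
        "numeric": [d for d in drivers if has_numeric_name(d)],
        "nonsystem": [d for d in drivers if outside_system_dir(d)],
        "gmer_hashes": {n: by_name.get(n) for n in sorted(parse_gmer(gmer_lines))},
    }


if __name__ == "__main__":
    for queue, items in triage(TDSS_SAMPLE, GMER_SAMPLE).items():
        print(queue)
        if isinstance(items, dict):
            for name, md5 in items.items():
                print(f"  {name:<14} {md5 or 'not listed by TDSSKiller'}")
        else:
            for d in items:
                print(f"  {d.service:<40} {d.md5}  {d.path}")
```

The three queues are review lists, not verdicts: a digit-only file name is also what the `setup_9.0.0.722_11.05.2011_15-39drv` service in this log (loaded from `9593726.sys`) uses, and Symantec legitimately loads drivers from under Program Files. Where `gmer_hashes` gives None, the file was not among the loaded drivers TDSSKiller enumerated, so it has to be located on disk and hashed by hand before its GMER warning can be confirmed or dismissed against a known-clean copy.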

I ran combofix again and it created the log file. Here it is.

ComboFix 11-05-11.04 - Compaq_Owner 05/12/2011 14:47:05.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.222 [GMT -4:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Administrator\WINDOWS

c:\documents and settings\All Users\Application Data\Tarma Installer

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk

c:\documents and settings\Compaq_Owner\Application Data\alot

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_0\Button_0.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_0\Button_0.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_1\Button_1.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_1\Button_1.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_10\Button_10.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_10\Button_10.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_11\Button_11.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_11\Button_11.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_2\Button_2.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_2\Button_2.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_3\Button_3.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_3\Button_3.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_4\Button_4.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_4\Button_4.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_5\Button_5.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_5\Button_5.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_6\Button_6.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_6\Button_6.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_7\Button_7.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_7\Button_7.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_8\Button_8.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_8\Button_8.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_9\Button_9.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Button_9\Button_9.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\configurator\configurator.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\configurator\configurator.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\products\products.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\products\products.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_0\images\alot_icon_35x16.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_1\images\alot_search_24x16.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_2\images\default_267_alot_ref_refsearch.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_3\images\default_268_alot_ref_research.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\alert-icon.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\alert.png

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\clear.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\cloudy.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\default_281_alot_weather_widget.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\foggy.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\frain.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG119.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG152.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG158.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG162.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG179.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG17F.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG19F.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG1BB.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG1C0.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG1C1.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG1DC.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG1E4.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG201.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG203.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG20E.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG216.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG228.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG247.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG248.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG274.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG275.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG27B.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG27D.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG28B.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG28D.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG29A.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG29B.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2A2.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2A4.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2A6.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2AC.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2B2.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2C1.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2C2.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2C7.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2E1.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG2F3.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG311.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG375.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG37A.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG37B.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG3D8.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG453.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG4AC.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG4D0.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG4E8.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG513.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG5B6.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG86.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMG935.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\IMGEF.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\mcloud.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\nclear.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\ncloudy.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\nfoggy.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\nmcloud.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\npcloud.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\nrain.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\pcloud.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\rain.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\shower.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\snow.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_4\images\tstorm.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_5\images\active_default_417_alot_ref_word.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_5\images\default_417_alot_ref_word.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_6\images\default_319_alot_ref_calculator.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_7\images\default_270_alot_ref_mrkt_book.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Button_7\images\default_270_default_243_alot_news_mrkt_nyt.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\domains.dat

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\alot_brand.png

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\spinner.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\widget_bottom.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\widget_btnmin0.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\widget_btnmin1.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\widget_caption.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\widget_error_close.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp

c:\documents and settings\Compaq_Owner\Application Data\alot\Tem1DD.tmp

c:\documents and settings\Compaq_Owner\Application Data\alot\TimerManager\TimerManager.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\TimerManager\TimerManager.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\toolbar.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\ToolbarSearch\ToolbarSearch.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\alot\Updater\Updater.xml

c:\documents and settings\Compaq_Owner\Application Data\alot\Updater\Updater.xml.backup

c:\documents and settings\Compaq_Owner\Application Data\JuniperSetup.exe

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{6de8b746-4574-41ee-acc5-7d15ac392c49}

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{6de8b746-4574-41ee-acc5-7d15ac392c49}\chrome.manifest

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{6de8b746-4574-41ee-acc5-7d15ac392c49}\chrome\xulcache.jar

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{6de8b746-4574-41ee-acc5-7d15ac392c49}\defaults\preferences\xulcache.js

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{6de8b746-4574-41ee-acc5-7d15ac392c49}\install.rdf

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{b18d0e67-fcee-40c6-aed6-b2d68b80e7db}

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{b18d0e67-fcee-40c6-aed6-b2d68b80e7db}\chrome.manifest

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{b18d0e67-fcee-40c6-aed6-b2d68b80e7db}\chrome\xulcache.jar

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{b18d0e67-fcee-40c6-aed6-b2d68b80e7db}\defaults\preferences\xulcache.js

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{b18d0e67-fcee-40c6-aed6-b2d68b80e7db}\install.rdf

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{c5dce11b-4b8b-4b56-8340-1bc238bd3db6}

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{c5dce11b-4b8b-4b56-8340-1bc238bd3db6}\chrome.manifest

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{c5dce11b-4b8b-4b56-8340-1bc238bd3db6}\chrome\xulcache.jar

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{c5dce11b-4b8b-4b56-8340-1bc238bd3db6}\defaults\preferences\xulcache.js

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{c5dce11b-4b8b-4b56-8340-1bc238bd3db6}\install.rdf

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{d55714bc-3f48-43d2-82df-1ea09fb89459}

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{d55714bc-3f48-43d2-82df-1ea09fb89459}\chrome.manifest

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{d55714bc-3f48-43d2-82df-1ea09fb89459}\chrome\xulcache.jar

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{d55714bc-3f48-43d2-82df-1ea09fb89459}\defaults\preferences\xulcache.js

c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{d55714bc-3f48-43d2-82df-1ea09fb89459}\install.rdf

c:\documents and settings\Compaq_Owner\Application Data\PriceGong

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\1.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\a.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\b.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\c.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\d.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\e.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\f.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\g.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\h.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\i.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\J.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\k.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\l.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\m.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\n.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\o.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\p.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\q.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\r.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\s.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\t.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\u.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\v.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\w.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\x.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\y.xml

c:\documents and settings\Compaq_Owner\Application Data\PriceGong\Data\z.xml

c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\1kUJy.jpg

c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\3EbAqV2H.jpg

c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\hJy00FW.jpg

c:\documents and settings\Compaq_Owner\Local Settings\Temporary Internet Files\sWo38.jpg

c:\documents and settings\Compaq_Owner\WINDOWS

c:\documents and settings\Default User\WINDOWS

c:\documents and settings\LocalService\Application Data\alot

c:\documents and settings\LocalService\Application Data\PriceGong

c:\documents and settings\LocalService\Application Data\PriceGong\Data\1.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\a.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\b.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\c.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\d.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\e.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\f.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\g.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\h.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\i.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\J.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\k.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\l.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\m.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\mru.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\n.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\o.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\p.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\q.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\r.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\s.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\t.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\u.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\v.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\w.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\x.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\y.xml

c:\documents and settings\LocalService\Application Data\PriceGong\Data\z.xml

c:\documents and settings\NetworkService\Application Data\alot

c:\windows\desktop

c:\windows\desktop\Try AOL.lnk

c:\windows\ST6UNST.000

c:\windows\system32\config\systemprofile\WINDOWS

c:\windows\system32\curity~1

c:\windows\system32\dll

c:\windows\system32\muzapp.exe

c:\windows\system32\tmp.reg

D:\Autorun.inf

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_6TO4

-------\Legacy_DOMAINSERVICE

-------\Legacy_IAS

-------\Legacy_ITLPERF

-------\Legacy_NPF

-------\Service_6to4

-------\Service_Ias

-------\Service_itlperf

.

.

((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))

.

.

2011-05-12 16:06 . 2011-05-12 16:13 -------- d-----w- C:\temp1

2011-05-12 16:05 . 2011-05-12 16:05 -------- d-----w- c:\program files\7-Zip

2011-05-12 04:24 . 2011-05-12 04:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2011-05-11 22:30 . 2011-05-11 22:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-05-11 13:02 . 2009-10-22 17:54 37392 ----a-w- c:\windows\system32\drivers\95937262.sys

2011-05-11 13:02 . 2009-10-10 03:31 315408 ----a-w- c:\windows\system32\drivers\9593726.sys

2011-05-11 13:02 . 2009-09-25 21:59 128016 ----a-w- c:\windows\system32\drivers\95937261.sys

2011-05-10 20:05 . 2011-05-10 20:05 -------- d-----w- c:\program files\Microsoft ActiveSync

2011-05-10 20:04 . 2011-05-10 20:05 -------- d-----w- c:\windows\ShellNew

2011-05-10 20:04 . 2011-05-10 20:04 -------- d-----w- c:\program files\Common Files\L&H

2011-05-10 18:35 . 2011-05-10 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2011-05-10 15:36 . 2011-05-10 15:36 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-05-10 15:36 . 2011-05-10 15:36 -------- d-----w- c:\program files\Trend Micro

2011-05-08 16:46 . 2011-05-08 16:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\simppulltoolbar

2011-05-06 18:21 . 2011-05-06 18:21 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys

2011-05-06 18:21 . 2011-05-06 18:21 441760 ----a-w- c:\windows\system32\drivers\timntr.sys

2011-05-06 18:20 . 2011-05-06 18:20 129248 ----a-w- c:\windows\system32\drivers\snapman.sys

2011-05-06 18:20 . 2011-05-06 18:20 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys

2011-05-06 18:18 . 2011-05-06 18:19 -------- d-----w- c:\program files\Common Files\Acronis

2011-05-06 18:18 . 2011-05-06 18:18 -------- d-----w- c:\program files\Acronis

2011-05-05 21:27 . 2011-05-10 11:14 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2011-05-05 14:52 . 2011-05-05 14:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2011-05-04 19:03 . 2011-05-04 19:03 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2011-05-04 19:03 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-04 19:03 . 2011-05-04 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-04 19:03 . 2011-05-04 19:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-04 19:03 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 19:02 . 2011-05-04 19:02 0 ---ha-w- c:\documents and settings\Compaq_Owner\gbseagewxp.tmp

2011-05-04 10:55 . 2011-05-05 14:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-05-03 00:55 . 2011-05-03 00:55 155648 ----a-w- c:\windows\system32\keymgr32.dll

2011-04-29 12:23 . 2011-04-29 12:23 -------- d-----w- c:\program files\HP DeskJet 895C Series

2011-04-27 22:17 . 2011-05-07 04:42 -------- d-----w- c:\program files\Object

2011-04-22 17:18 . 2011-01-20 17:26 43520 ----a-w- c:\windows\system32\sutil32.dll

2011-04-22 17:17 . 2011-05-07 04:42 -------- d-----w- c:\program files\Web Essentials

2011-04-15 01:10 . 2011-05-10 18:10 -------- d-----w- c:\program files\OpenOffice.org 3

2011-04-14 23:08 . 2011-04-14 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier

2011-04-14 23:07 . 2011-04-14 23:07 -------- d-----w- c:\program files\KwiClick LLC

2011-04-14 23:07 . 2011-04-14 23:08 -------- d-----w- c:\program files\AbiSuite2

2011-04-14 03:24 . 2011-04-14 03:29 -------- d-----w- C:\8f88d7a87381f008a3b3ab25b15499dc

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2004-08-04 05:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2004-08-04 05:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 05:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 19:00 . 2004-08-04 05:00 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00 . 2010-03-11 12:38 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00 . 2004-08-04 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00 . 2004-08-04 05:00 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 13:18 . 2004-08-04 05:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2004-08-04 05:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-04-15 12:03 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44 . 2004-08-04 05:00 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56 . 2004-08-04 05:00 290432 ----a-w- c:\windows\system32\atmfd.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]

"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]

.

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\

America Online 5.0 Tray Icon.lnk - c:\america online 5.0a\aoltray.exe [2006-6-24 32842]

setup_9.0.0.722_11.05.2011_15-39.lnk - c:\documents and settings\Compaq_Owner\Desktop\Virus Removal Tool\setup_9.0.0.722_11.05.2011_15-39\startup.exe [2011-5-11 72208]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\keymgr32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=unipla11.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ SDEarlyDelete \??\c:\program files\SpywareDetector\0autocheck autochk *

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^DING!.lnk]

path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\DING!.lnk

backup=c:\windows\pss\DING!.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

2005-02-25 22:34 245760 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpfsched]

1999-02-22 09:29 36352 ----a-w- c:\windows\hpfsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-27 23:50 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]

2011-02-15 23:18 53248 ----a-w- c:\program files\Kiwee Toolbar\3.3\kwtbaim.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]

2009-07-31 18:17 266888 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Smilebox\SmileboxTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-02-14 03:54 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2005-08-31 06:42 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"YahooAUService"=2 (0x2)

"TryAndDecideService"=2 (0x2)

"SeaPort"=2 (0x2)

"SDService"=2 (0x2)

"sdcoreservice"=3 (0x3)

"sdauxservice"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"NkPtpEnumP2"=2 (0x2)

"MDM"=2 (0x2)

"LightScribeService"=2 (0x2)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"gusvc"=2 (0x2)

"gupdatem"=3 (0x3)

"gupdate1c98e58333f9fe6"=2 (0x2)

"fsssvc"=3 (0x3)

"AGCoreService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1135625788\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Common Files\\AOL\\1135625788\\EE\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1135625788\\EE\\aim6.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

.

R0 95937262;95937262 Boot Guard Driver;c:\windows\system32\drivers\95937262.sys [5/11/2011 9:02 AM 37392]

R1 95937261;95937261;c:\windows\system32\drivers\95937261.sys [5/11/2011 9:02 AM 128016]

R1 NEOFLTR_550_12857;Juniper Networks TDI Filter Driver (NEOFLTR_550_12857);c:\windows\system32\drivers\NEOFLTR_550_12857.sys [3/11/2008 12:07 AM 64144]

R1 setup_9.0.0.722_11.05.2011_15-39drv;setup_9.0.0.722_11.05.2011_15-39drv;c:\windows\system32\drivers\9593726.sys [5/11/2011 9:02 AM 315408]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 1:02 PM 105592]

R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 11:11 AM 17664]

S0 hdosetow;hdosetow;c:\windows\system32\drivers\jorvwj.sys --> c:\windows\system32\drivers\jorvwj.sys [?]

S2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [2/16/1999 12:28 PM 52800]

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]

S3 Normandy;Normandy SR2; [x]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]

S4 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [3/12/2011 10:15 PM 20480]

S4 gupdate1c98e58333f9fe6;Google Update Service (gupdate1c98e58333f9fe6);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2009 11:56 PM 133104]

S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2009 11:56 PM 133104]

S4 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 11:11 AM 24064]

S4 SDService;SDService;c:\program files\SpywareDetector\SDService.exe --> c:\program files\SpywareDetector\SDService.exe [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

itlsvc REG_MULTI_SZ itlperf

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2011-05-12 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-14 19:48]

.

2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 03:56]

.

2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 03:56]

.

2010-04-05 c:\windows\Tasks\Install_NSS.job

- c:\windows\system32\Macromed\Shockwave 10\nssstub.exe [2010-02-24 20:20]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://ww2.cox.com/myconnection/rhodeisland/home.cox

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: FaceTheme - Change your Facebook layout!: {EB132DB0-A4CA-11DF-9732-0E29E0D72085} - c:\program files\Object\facetheme

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: FaceTheme - Change your Facebook layout!: {EB132DB0-A4CA-11DF-9732-0E29E0D72085} - c:\program files\Object\facetheme

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

HKLM-Run-Symantec NetDriver Monitor - c:\progra~1\SYMNET~1\SNDMon.exe

MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe

MSConfigStartUp-PlaxoSysTray - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Plaxo\3.25.0.87\PlaxoSysTray.exe

MSConfigStartUp-PlaxoUpdate - c:\documents and settings\Compaq_Owner\Local Settings\Application Data\Plaxo\3.25.0.87\PlaxoHelper_en.exe

MSConfigStartUp-Srro - c:\docume~1\COMPAQ~1\APPLIC~1\YMANTE~1\dllhost.exe

MSConfigStartUp-Weather - c:\program files\AWS\WeatherBug\Weather.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-12 15:05

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(836)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(1404)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~1\wmpband.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Microsoft Office\Office10\msoffice.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2011-05-12 15:15:37 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-12 19:15

.

Pre-Run: 110,817,296,384 bytes free

Post-Run: 110,845,054,976 bytes free

.

- - End Of File - - AB36C172C0099F52F8DA9E11BF3F6FE3


Hi, I'd like to look at this file before removal, to make sure.

Check a file/files

Use your browser to go here at Virustotal website

Click the Browse button and then navigate to

c:\windows\system32\keymgr32.dll

then click the Submit button.

The various virus scanners will identify the file and if it is not identified, the AV vendors will then have a copy of it for analysis. Save the results, and post back here in a reply.


Not sure if this is what you wanted?

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: mqad32.dll

Submission date: 2011-05-12 00:30:28 (UTC)

Current status: finished

Result: 1 /43 (2.3%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.05.12.00 2011.05.11 -

AntiVir 7.11.7.240 2011.05.11 -

Antiy-AVL 2.0.3.7 2011.05.11 -

Avast 4.8.1351.0 2011.05.11 -

Avast5 5.0.677.0 2011.05.11 -

AVG 10.0.0.1190 2011.05.12 -

BitDefender 7.2 2011.05.12 -

CAT-QuickHeal 11.00 2011.05.11 -

ClamAV 0.97.0.0 2011.05.11 -

Commtouch 5.3.2.6 2011.05.12 -

Comodo 8668 2011.05.12 -

DrWeb 5.0.2.03300 2011.05.12 -

Emsisoft 5.1.0.5 2011.05.11 -

eSafe 7.0.17.0 2011.05.11 -

eTrust-Vet 36.1.8322 2011.05.12 -

F-Prot 4.6.2.117 2011.05.11 -

F-Secure 9.0.16440.0 2011.05.12 -

Fortinet 4.2.257.0 2011.05.11 -

GData 22 2011.05.12 -

Ikarus T3.1.1.103.0 2011.05.11 -

Jiangmin 13.0.900 2011.05.11 -

K7AntiVirus 9.103.4624 2011.05.11 -

Kaspersky 9.0.0.837 2011.05.11 -

McAfee 5.400.0.1158 2011.05.12 -

McAfee-GW-Edition 2010.1D 2011.05.11 -

Microsoft 1.6802 2011.05.11 -

NOD32 6114 2011.05.11 -

Norman 6.07.07 2011.05.11 -

nProtect 2011-05-11.02 2011.05.11 -

Panda 10.0.3.5 2011.05.11 -

PCTools 7.0.3.5 2011.05.11 -

Prevx 3.0 2011.05.12 -

Rising 23.57.02.05 2011.05.11 -

Sophos 4.65.0 2011.05.12 -

SUPERAntiSpyware 4.40.0.1006 2011.05.12 -

Symantec 20101.3.2.89 2011.05.12 WS.Reputation.1

TheHacker 6.7.0.1.195 2011.05.11 -

TrendMicro 9.200.0.1012 2011.05.11 -

TrendMicro-HouseCall 9.200.0.1012 2011.05.12 -

VBA32 3.12.16.0 2011.05.11 -

VIPRE 9257 2011.05.12 -

ViRobot 2011.5.11.4453 2011.05.11 -

VirusBuster 13.6.349.0 2011.05.11 -

Additional information

MD5 : 88428aae94d498207712b659fef6108e

SHA1 : 9cd11a5abfe88d6ee3341f1d1e2c24f52ba2fbca

SHA256: 6306f144698e2499b44708855e6cd123a240e4f682f557a352ff0574226998c5

ssdeep: 3072:pwEU9qOq9LoQajegudD0B5yjiSkViuHw3IVlC/PL419MZSM9au:pfcPqGQeeg4QCiS+vw4vGeMZS

File size : 155648 bytes

First seen: 2011-05-03 00:05:25

Last seen : 2011-05-12 00:30:28

Magic: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID:

Win32 Executable MS Visual C++ (generic) (65.1%)

Win32 Executable Generic (14.7%)

Win32 Dynamic Link Library (generic) (13.1%)

Generic Win/DOS Executable (3.4%)

DOS Executable Generic (3.4%)

sigcheck:

publisher....: AIDEX Team

copyright....: Copyright © 2002-2003 AIDEX Team

product......: AIDEX SDK

description..: AIDEX Runtime

original name: AIDEX.DLL

internal name: aidex

file version.: 1.0.1.52

comments.....:

signers......: -

signing date.: -

verified.....: Unsigned

PEiD: -

PEInfo: PE structure information

[[ basic data ]]

entrypointaddress: 0x6912

timedatestamp....: 0x48EB7CCA (Tue Oct 07 15:14:18 2008)

machinetype......: 0x14C (Intel I386)

[[ 8 section(s) ]]

name, viradd, virsiz, rawdsiz, ntropy, md5

.text, 0x1000, 0x7000, 0x6200, 5.88, 2cf2dd5b37e465288124caa8a3d98ec9

.data, 0x8000, 0xF000, 0xE600, 7.56, 68548beb5686374dc45c385b0b7441b5

.rdata, 0x17000, 0xF000, 0xEA00, 7.48, 9d21658d3ffa8bfab866a92b457de07e

.bss, 0x26000, 0x4000, 0x0, 0.0, d41d8cd98f00b204e9800998ecf8427e

.edata, 0x2A000, 0x1000, 0x200, 4.91, 1bc9a5e14dbb5aad4636be22501f072e

.idata, 0x2B000, 0x1000, 0x800, 4.63, f4eb1e2d95422309e58b265a79fef913

.rsrc, 0x2C000, 0x2000, 0x1600, 3.27, 4d864e64dc7f0ffc217003b2ab231b1a

.reloc, 0x2E000, 0x993, 0xA00, 6.46, ea237d8a4e6c68ea8d333cc1f20c1da8

[[ 10 import(s) ]]

advapi32.dll: ChangeServiceConfigW, CloseEventLog, RegEnumKeyExW, BuildTrusteeWithObjectsAndNameW

comctl32.dll: ImageList_SetDragCursorImage, -

kernel32.dll: GetProcAddress, InterlockedIncrement, LoadLibraryA, GetModuleHandleA, VirtualFree, ExitProcess, VirtualAlloc, GetEnvironmentStringsW

msvcrt.dll: __p__commode, __getmainargs, exit, time, fprintf, __set_app_type

ole32.dll: CLSIDFromString, CoCreateGuid, IsValidPtrIn, CoGetMalloc, CoFileTimeNow

oleacc.dll: GetRoleTextW, AccessibleChildren

olepro32.dll: -, -, -, -, -, -, -

security.dll: RevertSecurityContext, ImpersonateSecurityContext

setupapi.dll: SetupInstallFilesFromInfSectionW, SetupDiCreateDevRegKeyA, SetupRenameErrorA

user32.dll: ToUnicodeEx, TileWindows, SetThreadDesktop, SendNotifyMessageW, EnumDisplayDevicesW, RegisterDeviceNotificationA, PostMessageA, IsCharUpperA, GetUserObjectInformationW, GetMonitorInfoW, GetMonitorInfoA, GetKeyboardLayout, GetClipboardViewer, OpenWindowStationW

[[ 14 export(s) ]]

CompressedFileWriterObjectWrite, DiscAtOnceRawPWFromFileAudioUnicode, FileMemoryCreate, FileMemoryUnicodeCreate, GetDVDRegionMask, GetLastTrack, GetMediaTrayStatus, GrabDVD, ISO9660JolietFileTreeGetNodeSystemTime, IsDiscBlank, Read10, SetBUP, TrackAtOnceFromMemoryEx, VolumeUnicodeCreate

ExifTool:

file metadata

CharacterSet: Windows, Latin1

CodeSize: 28672

Comments:

CompanyName: AIDEX Team

EntryPoint: 0x6912

FileDescription: AIDEX Runtime

FileFlagsMask: 0x003f

FileOS: Win32

FileSize: 152 kB

FileSubtype: 0

FileType: Win32 DLL

FileVersion: 1.0.1.52

FileVersionNumber: 1.0.1.52

ImageVersion: 1.0

InitializedDataSize: 170496

InternalName: aidex

LanguageCode: English (U.S.)

LegalCopyright: Copyright © 2002-2003 AIDEX Team

LegalTrademarks:

LinkerVersion: 2.38

MIMEType: application/octet-stream

MachineType: Intel 386 or later, and compatibles

OSVersion: 4.0

ObjectFileType: Dynamic link library

OriginalFilename: AIDEX.DLL

PEType: PE32

ProductName: AIDEX SDK

ProductVersion: 1.0.1.52

ProductVersionNumber: 1.0.1.52

Subsystem: Windows GUI

SubsystemVersion: 4.0

TimeStamp: 2008:10:07 17:14:18+02:00

UninitializedDataSize: 16384


I ran it one more time because the file name didn't match the file I put in. Here are the new results:

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.

File name: keymgr32.dll

Submission date: 2011-05-12 21:49:47 (UTC)

Current status: finished

Result: 1/ 42 (2.4%)

VT Community

not reviewed

Safety score: -


Antivirus Version Last Update Result

AhnLab-V3 2011.05.13.00 2011.05.12 -

AntiVir 7.11.7.254 2011.05.12 -

Antiy-AVL 2.0.3.7 2011.05.12 -

Avast 4.8.1351.0 2011.05.12 -

Avast5 5.0.677.0 2011.05.12 -

AVG 10.0.0.1190 2011.05.12 -

BitDefender 7.2 2011.05.12 -

CAT-QuickHeal 11.00 2011.05.12 -

ClamAV 0.97.0.0 2011.05.12 -

Commtouch 5.3.2.6 2011.05.12 -

Comodo 8678 2011.05.12 -

DrWeb 5.0.2.03300 2011.05.12 -

eSafe 7.0.17.0 2011.05.12 -

eTrust-Vet 36.1.8324 2011.05.12 -

F-Prot 4.6.2.117 2011.05.12 -

F-Secure 9.0.16440.0 2011.05.12 -

Fortinet 4.2.257.0 2011.05.12 -

GData 22 2011.05.12 -

Ikarus T3.1.1.103.0 2011.05.12 -

Jiangmin 13.0.900 2011.05.12 -

K7AntiVirus 9.103.4632 2011.05.12 -

Kaspersky 9.0.0.837 2011.05.11 -

McAfee 5.400.0.1158 2011.05.12 -

McAfee-GW-Edition 2010.1D 2011.05.12 -

Microsoft 1.6802 2011.05.12 -

NOD32 6117 2011.05.12 -

Norman 6.07.07 2011.05.12 -

nProtect 2011-05-12.01 2011.05.12 -

Panda 10.0.3.5 2011.05.12 -

PCTools 7.0.3.5 2011.05.12 -

Prevx 3.0 2011.05.12 -

Rising 23.57.03.05 2011.05.12 -

Sophos 4.65.0 2011.05.12 -

SUPERAntiSpyware 4.40.0.1006 2011.05.12 -

Symantec 20101.3.2.89 2011.05.12 WS.Reputation.1

TheHacker 6.7.0.1.195 2011.05.11 -

TrendMicro 9.200.0.1012 2011.05.12 -

TrendMicro-HouseCall 9.200.0.1012 2011.05.12 -

VBA32 3.12.16.0 2011.05.12 -

VIPRE 9263 2011.05.12 -

ViRobot 2011.5.12.4455 2011.05.12 -

VirusBuster 13.6.351.0 2011.05.12 -

Additional information

MD5 : 88428aae94d498207712b659fef6108e

SHA1 : 9cd11a5abfe88d6ee3341f1d1e2c24f52ba2fbca

SHA256: 6306f144698e2499b44708855e6cd123a240e4f682f557a352ff0574226998c5


Those files are fine. By the way, the ComboFix log resides in your C: drive. We still have some work to do.... :)

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and paste everything from the Code box into Notepad:

KILLALL::

File::
c:\windows\system32\drivers\95937262.sys
c:\windows\system32\drivers\9593726.sys
c:\windows\system32\drivers\95937261.sys

Folder::
C:\temp1
C:\8f88d7a87381f008a3b3ab25b15499dc

Driver::
hdosetow

Firefox::
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\

DDS::
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - No File
TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.


Here is the new ComboFix log:

ComboFix 11-05-11.04 - Compaq_Owner 05/12/2011 18:51:10.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.415 [GMT -4:00]

Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\cfscript.txt

AV: Symantec AntiVirus Corporate Edition *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

FILE ::

"c:\windows\system32\drivers\9593726.sys"

"c:\windows\system32\drivers\95937261.sys"

"c:\windows\system32\drivers\95937262.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\8f88d7a87381f008a3b3ab25b15499dc

C:\temp1

c:\temp1\K7a4m.exe

c:\temp1\RkUnhooker.chm

c:\temp1\unins000.dat

c:\temp1\unins000.exe

c:\windows\system32\drivers\9593726.sys

c:\windows\system32\drivers\95937261.sys

c:\windows\system32\drivers\95937262.sys

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_hdosetow

-------\Legacy_95937261

-------\Legacy_95937262

-------\Legacy_setup_9.0.0.722_11.05.2011_15-39drv

-------\Service_95937261

-------\Service_95937262

-------\Service_setup_9.0.0.722_11.05.2011_15-39drv

.

.

((((((((((((((((((((((((( Files Created from 2011-04-12 to 2011-05-12 )))))))))))))))))))))))))))))))

.

.

2011-05-12 16:05 . 2011-05-12 16:05 -------- d-----w- c:\program files\7-Zip

2011-05-12 04:24 . 2011-05-12 04:24 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2011-05-11 22:30 . 2011-05-11 22:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2011-05-10 20:05 . 2011-05-10 20:05 -------- d-----w- c:\program files\Microsoft ActiveSync

2011-05-10 20:04 . 2011-05-10 20:05 -------- d-----w- c:\windows\ShellNew

2011-05-10 20:04 . 2011-05-10 20:04 -------- d-----w- c:\program files\Common Files\L&H

2011-05-10 18:35 . 2011-05-10 18:35 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2011-05-10 15:36 . 2011-05-10 15:36 388096 ----a-r- c:\documents and settings\Compaq_Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2011-05-10 15:36 . 2011-05-10 15:36 -------- d-----w- c:\program files\Trend Micro

2011-05-08 16:46 . 2011-05-08 16:46 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\simppulltoolbar

2011-05-06 18:21 . 2011-05-06 18:21 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys

2011-05-06 18:21 . 2011-05-06 18:21 441760 ----a-w- c:\windows\system32\drivers\timntr.sys

2011-05-06 18:20 . 2011-05-06 18:20 129248 ----a-w- c:\windows\system32\drivers\snapman.sys

2011-05-06 18:20 . 2011-05-06 18:20 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys

2011-05-06 18:18 . 2011-05-06 18:19 -------- d-----w- c:\program files\Common Files\Acronis

2011-05-06 18:18 . 2011-05-06 18:18 -------- d-----w- c:\program files\Acronis

2011-05-05 21:27 . 2011-05-10 11:14 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

2011-05-05 14:52 . 2011-05-05 14:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM

2011-05-04 19:03 . 2011-05-04 19:03 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\Malwarebytes

2011-05-04 19:03 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-04 19:03 . 2011-05-04 19:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2011-05-04 19:03 . 2011-05-04 19:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-04 19:03 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-04 19:02 . 2011-05-04 19:02 0 ---ha-w- c:\documents and settings\Compaq_Owner\gbseagewxp.tmp

2011-05-04 10:55 . 2011-05-05 14:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2011-05-03 00:55 . 2011-05-03 00:55 155648 ----a-w- c:\windows\system32\keymgr32.dll

2011-04-29 12:23 . 2011-04-29 12:23 -------- d-----w- c:\program files\HP DeskJet 895C Series

2011-04-27 22:17 . 2011-05-07 04:42 -------- d-----w- c:\program files\Object

2011-04-22 17:18 . 2011-01-20 17:26 43520 ----a-w- c:\windows\system32\sutil32.dll

2011-04-22 17:17 . 2011-05-07 04:42 -------- d-----w- c:\program files\Web Essentials

2011-04-15 01:10 . 2011-05-10 18:10 -------- d-----w- c:\program files\OpenOffice.org 3

2011-04-14 23:08 . 2011-04-14 23:08 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier

2011-04-14 23:07 . 2011-04-14 23:07 -------- d-----w- c:\program files\KwiClick LLC

2011-04-14 23:07 . 2011-04-14 23:08 -------- d-----w- c:\program files\AbiSuite2

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-03-07 05:33 . 2004-08-04 05:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:45 . 2004-08-04 05:00 434176 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:21 . 2004-08-04 05:00 1857920 ----a-w- c:\windows\system32\win32k.sys

2011-02-17 19:00 . 2004-08-04 05:00 832512 ----a-w- c:\windows\system32\wininet.dll

2011-02-17 19:00 . 2010-03-11 12:38 1830912 ------w- c:\windows\system32\inetcpl.cpl

2011-02-17 19:00 . 2004-08-04 05:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2011-02-17 19:00 . 2004-08-04 05:00 17408 ----a-w- c:\windows\system32\corpol.dll

2011-02-17 13:18 . 2004-08-04 05:00 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys

2011-02-17 13:18 . 2004-08-04 05:00 357888 ----a-w- c:\windows\system32\drivers\srv.sys

2011-02-17 12:32 . 2009-04-15 12:03 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-17 11:44 . 2004-08-04 05:00 389120 ----a-w- c:\windows\system32\html.iec

2011-02-15 12:56 . 2004-08-04 05:00 290432 ----a-w- c:\windows\system32\atmfd.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-03-15 125632]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]

"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]

"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-21 52840]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-22 47904]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]

.

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\

America Online 5.0 Tray Icon.lnk - c:\america online 5.0a\aoltray.exe [2006-6-24 32842]

setup_9.0.0.722_11.05.2011_15-39.lnk - c:\documents and settings\Compaq_Owner\Desktop\Virus Removal Tool\setup_9.0.0.722_11.05.2011_15-39\startup.exe [2011-5-11 72208]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\keymgr32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"midi1"=unipla11.dll

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ SDEarlyDelete \??\c:\program files\SpywareDetector\0autocheck autochk *

.

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^DING!.lnk]

path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\DING!.lnk

backup=c:\windows\pss\DING!.lnkStartup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

2005-02-25 22:34 245760 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpfsched]

1999-02-22 09:29 36352 ----a-w- c:\windows\hpfsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

2004-07-27 23:50 221184 -c--a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiweeHook]

2011-02-15 23:18 53248 ----a-w- c:\program files\Kiwee Toolbar\3.3\kwtbaim.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmileboxTray]

2009-07-31 18:17 266888 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\Smilebox\SmileboxTray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2009-02-14 03:54 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

2005-08-31 06:42 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"YahooAUService"=2 (0x2)

"TryAndDecideService"=2 (0x2)

"SeaPort"=2 (0x2)

"SDService"=2 (0x2)

"sdcoreservice"=3 (0x3)

"sdauxservice"=3 (0x3)

"ose"=3 (0x3)

"odserv"=3 (0x3)

"NkPtpEnumP2"=2 (0x2)

"MDM"=2 (0x2)

"LightScribeService"=2 (0x2)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"gusvc"=2 (0x2)

"gupdatem"=3 (0x3)

"gupdate1c98e58333f9fe6"=2 (0x2)

"fsssvc"=3 (0x3)

"AGCoreService"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=

"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=

"c:\\Program Files\\America Online 9.0\\waol.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=

"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=

"c:\\Program Files\\Common Files\\AOL\\1135625788\\EE\\AOLServiceHost.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=

"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=

"c:\\Program Files\\Common Files\\AOL\\1135625788\\EE\\aolsoftware.exe"=

"c:\\Program Files\\Common Files\\AOL\\1135625788\\EE\\aim6.exe"=

"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

.

R1 NEOFLTR_550_12857;Juniper Networks TDI Filter Driver (NEOFLTR_550_12857);c:\windows\system32\drivers\NEOFLTR_550_12857.sys [3/11/2008 12:07 AM 64144]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2011 1:02 PM 105592]

R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [6/17/2005 11:11 AM 17664]

S2 HPFECP15;HPFECP15;c:\windows\system32\drivers\HPFecp15.sys [2/16/1999 12:28 PM 52800]

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]

S3 Normandy;Normandy SR2; [x]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/14/2007 8:48 PM 116416]

S4 AGCoreService;AG Core Services;c:\program files\AGI\core\4.2.0.10754\AGCoreService.exe [3/12/2011 10:15 PM 20480]

S4 gupdate1c98e58333f9fe6;Google Update Service (gupdate1c98e58333f9fe6);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2009 11:56 PM 133104]

S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/13/2009 11:56 PM 133104]

S4 NkPtpEnumP2;NkPtpEnumP2;c:\program files\Nikon\Wireless Camera Setup Utility\NkPtpEnum.exe [6/17/2005 11:11 AM 24064]

S4 SDService;SDService;c:\program files\SpywareDetector\SDService.exe --> c:\program files\SpywareDetector\SDService.exe [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

itlsvc REG_MULTI_SZ itlperf

.

Contents of the 'Scheduled Tasks' folder

.

2011-05-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

.

2011-05-12 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-14 19:48]

.

2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 03:56]

.

2011-05-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 03:56]

.

2010-04-05 c:\windows\Tasks\Install_NSS.job

- c:\windows\system32\Macromed\Shockwave 10\nssstub.exe [2010-02-24 20:20]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

IE: eBay Search - c:\program files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html

FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://ww2.cox.com/myconnection/rhodeisland/home.cox

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - Ext: FaceTheme - Change your Facebook layout!: {EB132DB0-A4CA-11DF-9732-0E29E0D72085} - c:\program files\Object\facetheme

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: FaceTheme - Change your Facebook layout!: {EB132DB0-A4CA-11DF-9732-0E29E0D72085} - c:\program files\Object\facetheme

FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

FF - user.js: yahoo.ytff.general.dontshowhpoffer - true

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-05-12 19:08

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

.

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

.

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(828)

c:\windows\system32\Ati2evxx.dll

.

- - - - - - - > 'explorer.exe'(3420)

c:\windows\system32\WININET.dll

c:\progra~1\WINDOW~1\wmpband.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\program files\Common Files\Acronis\Schedule2\schedul2.exe

c:\program files\Common Files\AOL\ACS\AOLAcsd.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe

c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\windows\system32\wdfmgr.exe

c:\documents and settings\Compaq_Owner\Desktop\Virus Removal Tool\setup_9.0.0.722_11.05.2011_15-39\setup_9.0.0.722_11.05.2011_15-39.exe

c:\program files\Microsoft Office\Office10\msoffice.exe

c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\msiexec.exe

.

**************************************************************************

.

Completion time: 2011-05-12 19:15:24 - machine was rebooted

ComboFix-quarantined-files.txt 2011-05-12 23:15

ComboFix2.txt 2011-05-12 19:15

.

Pre-Run: 110,744,260,608 bytes free

Post-Run: 110,748,151,808 bytes free

.

- - End Of File - - 4FC012FCE93F29C68114A5A4709B8433


Smile, we are getting closer. Nice job you've done there!

There are some older versions of Java and Adobe Acrobat Reader on your computer. These can be a source of infection.

Go to Start > Control Panel > Add/Remove Programs.

Please remove these entries from Add/Remove Programs in the Control Panel

Adobe Reader 7.1.0

Java


Malwarebytes log

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6564

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

5/12/2011 9:09:39 PM

mbam-log-2011-05-12 (21-09-39).txt

Scan type: Quick scan

Objects scanned: 173278

Time elapsed: 10 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Could you tell me how you learned how to clean up malware? I'm not working at the current time so I would like to learn.

Thanks, RIman


Could you tell me how you learned how to clean up malware? I'm not working at the current time so I would like to learn.

I graduated at Geeks to Go back in 2007. Here's the list of schools at:

http://forums.malwarebytes.org/index.php?showtopic=12264

Please run this online scan to help look for remnants.

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here then click on the button shown (EOLS1.gif).
  • Select the option YES, I accept the Terms of Use then click on the button shown (EOLS2.gif).
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:

    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Now click on the button shown (EOLS3.gif).
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan, otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on the button shown (EOLS4.gif).
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.


Eset online scan

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=7.00.6000.17096 (vista_gdr.110211-1830)

# OnlineScanner.ocx=1.0.0.6427

# api_version=3.0.2

# EOSSerial=9ddf57380b0bf84c94181bc8005d184e

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2011-05-13 04:32:18

# local_time=2011-05-13 12:32:18 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=512 16777215 100 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=115343

# found=28

# cleaned=0

# scan_time=8566

C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fgihgjieblocpfnailimafjagdaphlhd\contentscript.js Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\frostwire-4.20.7.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I

C:\Documents and Settings\Compaq_Owner\My Documents\FrostWire\Saved\frostwire-4.21.2.windows.exe Win32/OpenCandy application (unable to clean) 00000000000000000000000000000000 I

C:\Program Files\Mozilla Firefox\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I

C:\Program Files\Mozilla Firefox\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I

C:\Program Files\Trend Micro\HiJackThis\backups\backup-20110510-120819-435.dll a variant of Win32/Kryptik.NHY trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{6de8b746-4574-41ee-acc5-7d15ac392c49}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{6de8b746-4574-41ee-acc5-7d15ac392c49}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{b18d0e67-fcee-40c6-aed6-b2d68b80e7db}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{b18d0e67-fcee-40c6-aed6-b2d68b80e7db}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{c5dce11b-4b8b-4b56-8340-1bc238bd3db6}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{c5dce11b-4b8b-4b56-8340-1bc238bd3db6}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{d55714bc-3f48-43d2-82df-1ea09fb89459}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\Qoobox\Quarantine\C\Documents and Settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\miblguyq.default\extensions\{d55714bc-3f48-43d2-82df-1ea09fb89459}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0001129.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0001130.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0001131.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP1\A0001132.manifest Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{C315F0C9-4E51-47F2-80C9-592203754487}\RP58\A0021150.ini Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{C315F0C9-4E51-47F2-80C9-592203754487}\RP58\A0021151.ini Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I

C:\System Volume Information\_restore{C315F0C9-4E51-47F2-80C9-592203754487}\RP58\A0021152.ini Win32/Adware.Virtumonde.NEO application (unable to clean) 00000000000000000000000000000000 I

C:\tools\Tools\SmitfraudFix.exe multiple threats (unable to clean) 00000000000000000000000000000000 I

C:\tools\Tools\VirtumundoBeGone.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I

C:\tools\Tools\SmitfraudFix\Process.exe Win32/PrcView application (unable to clean) 00000000000000000000000000000000 I

C:\tools\Tools\SmitfraudFix\restart.exe Win32/Shutdown.NAA application (unable to clean) 00000000000000000000000000000000 I

C:\WINDOWS\system32\keymgr32.dll a variant of Win32/Kryptik.NHY trojan (unable to clean) 00000000000000000000000000000000 I

${Memory} a variant of Win32/Kryptik.NHY trojan 00000000000000000000000000000000 I

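A small triage helper for log output in this ESET Online Scanner format, added here as an example and not part of the thread or of ESET's own tooling: it parses the finding lines, checks the count against the scanner's `# found=` header so a truncated paste is noticed, and sorts each hit by where it lives (memory, live file system, ComboFix/HijackThis quarantine, System Restore snapshot), since only the first two still need action. The sample lines, GUID placeholders and hashes are constructed.

```python
import re
from collections import Counter

# Constructed sample in the ESET Online Scanner log format seen in this thread
# (header "# key=value" lines, then one finding per line). Paths and hashes are
# illustrative, not copied from a real machine.
SAMPLE_LOG = r"""
# found=5
# cleaned=0
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x.default\extensions\{GUID}\chrome.manifest.vir Win32/TrojanDownloader.Tracur.F trojan (unable to clean) 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\x.default\extensions\{GUID}\chrome\xulcache.jar.vir JS/Agent.NCP trojan (unable to clean) 00000000000000000000000000000000 I
C:\System Volume Information\_restore{GUID}\RP8\A0001882.dll a variant of Win32/Kryptik.NHY trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\keymgr32.dll a variant of Win32/Kryptik.NHY trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} a variant of Win32/Kryptik.NHY trojan 00000000000000000000000000000000 I
"""

# The path is matched lazily so it may contain spaces; the threat field must begin
# with "a variant of", "multiple threats" or a "<platform>/<name>" token, which a
# Windows path (backslashes only) never does, so the split is unambiguous.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<threat>(?:a variant of )?(?:multiple threats|[A-Za-z0-9]+/\S+)(?: [a-z]+)?)"
    r"(?: \((?P<status>[^)]*)\))?"
    r" (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S+)$"
)
HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")


def classify(path):
    """Where a finding lives decides whether it still threatens the running system."""
    p = path.lower()
    if p.startswith("${memory}"):
        return "memory"          # running code: highest priority
    if "\\qoobox\\quarantine\\" in p or "\\hijackthis\\backups\\" in p:
        return "quarantined"     # already disarmed by ComboFix / HijackThis
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # inert unless a System Restore is performed
    return "live"                # on the active file system: needs removal


def parse_log(text):
    """Return (header dict, list of finding dicts, lines that did not parse)."""
    header, findings, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m["key"]] = m["value"]
            continue
        m = FINDING_RE.match(line)
        if m:
            finding = m.groupdict()
            finding["location"] = classify(finding["path"])
            findings.append(finding)
        else:
            unparsed.append(line)
    return header, findings, unparsed


def triage(text):
    """Count findings per location and list the ones that still need action."""
    header, findings, unparsed = parse_log(text)
    counts = Counter(f["location"] for f in findings)
    # Cross-check against the scanner's own count so a truncated paste is noticed.
    found = int(header.get("found", len(findings)))
    complete = found == len(findings) and not unparsed
    needs_action = [f["path"] for f in findings if f["location"] in ("memory", "live")]
    return {"counts": counts, "complete": complete, "needs_action": needs_action}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(dict(result["counts"]), "complete:", result["complete"])
    for path in result["needs_action"]:
        print("ACTION:", path)
```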

Please download the OTM by OldTimer.

  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Vista users, please right click on OTM.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Services

    :Reg

    :Files
    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fgihgjieblocpfnailimafjagdaphlhd\contentscript.js
    C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\frostwire-4.20.7.windows.exe
    C:\WINDOWS\system32\keymgr32.dll

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]

  • Return to OTM, right click in the "Paste instructions for items to be Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTM\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTM

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


OTM log

All processes killed

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

========== FILES ==========

C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Google\Chrome\User Data\Default\Default\fgihgjieblocpfnailimafjagdaphlhd\contentscript.js moved successfully.

C:\Documents and Settings\Compaq_Owner\My Documents\Downloads\frostwire-4.20.7.windows.exe moved successfully.

LoadLibrary failed for C:\WINDOWS\system32\keymgr32.dll

C:\WINDOWS\system32\keymgr32.dll moved successfully.

========== COMMANDS ==========

C:\Documents and Settings\Compaq_Owner\Application Data\?ymantec\?ymantec folder moved successfully.

C:\Documents and Settings\Compaq_Owner\Application Data\?ymantec folder moved successfully.

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Compaq_Owner

->Temp folder emptied: 160572 bytes

->Temporary Internet Files folder emptied: 36509176 bytes

->Java cache emptied: 82257475 bytes

->FireFox cache emptied: 56333307 bytes

->Google Chrome cache emptied: 819568 bytes

->Flash cache emptied: 2225628 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32969 bytes

->Flash cache emptied: 56507 bytes

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 390354 bytes

->Flash cache emptied: 495 bytes

User: mark r powell

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

->Flash cache emptied: 15999 bytes

User: Timmy P

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 2577 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 1398674 bytes

RecycleBin emptied: 0 bytes

Total Files Cleaned = 172.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.17.2 log created on 05132011_093111

Files moved on Reboot...

Registry entries deleted on Reboot...

Question for you: Is the OTM process used to get rid of the virus's found by ESET? Or will we rerun ESET again? Thanks


OTM is a tool for the helper to add files and so forth that need to be removed. The others are in System Restore and Qoobox (ComboFix). We'll remove them now.

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

To remove all of the tools we used and the files and folders they created, please do the following:

Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Here are some additional links for you to check out to help you with your computer security.

Browsers

Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it; there are other free alternatives, FIREFOX and OPERA. Both are free to use and are more secure than IE.

If you are using Firefox you can stay more secure by adding NoScript and WOT (Web Of Trust).

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Secunia software inspector & update checker

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Auslogics Disc Defrag or JKDefrag - Two good disc defragmenters for you to choose from to help speed up your computer.

Visit My Blog for Malware and Spyware Tips



Hey Kenny, I ran ESET one more time and it found the following

ESET 2nd Run

C:\Program Files\Trend Micro\HiJackThis\backups\backup-20110510-120819-435.dll a variant of Win32/Kryptik.NHY trojan

C:\System Volume Information\_restore{A2578CBA-012A-4EE9-9E3D-27D3F494A2B6}\RP8\A0001882.dll a variant of Win32/Kryptik.NHY trojan

C:\System Volume Information\_restore{C315F0C9-4E51-47F2-80C9-592203754487}\RP58\A0021150.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{C315F0C9-4E51-47F2-80C9-592203754487}\RP58\A0021151.ini Win32/Adware.Virtumonde.NEO application

C:\System Volume Information\_restore{C315F0C9-4E51-47F2-80C9-592203754487}\RP58\A0021152.ini Win32/Adware.Virtumonde.NEO application


Go to Start > Control Panel > Add/Remove Programs.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

HiJackThis

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete this Folder in bold:

(if present):

C:\Program Files\Trend Micro\HiJackThis

The others are in System Restore. They are contained there and aren't going anywhere unless you do a System Restore on your PC. Besides, these are old tools we used to use years ago.

You can Flush your System Restore points out again, but it might take a few days for them to go away completely.

Remove all but the most recent Restore Point on Windows XP

The easiest and safest way to do this is:

  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.

  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.


Yes your computer is in good shape. Thank you for your donation!.... :)

I assume I should probably do the same with the other pc on the network?

Are you having any malware symptoms on your other PC? If you are, post DDS.txt and Attach.txt here in this topic.
