
I am trying to clean out a computer that was infected with XP Total Security. I have run the process recommended on a forum post on your site, which is located here.

http://forums.malwarebytes.org/index.php?showtopic=82696

When I try to install MBAM, I get the following error message.

"PROGRAM_ERROR_MISSING_FILE (2,0, mbamcore.dll)

The system cannot find the file specified."

Then the program continues to try to install, with the 2nd error message being

"Runtime error '53': file not found membamcore "

Can you please assist me in installing MBAM so that I can rid the computer of this virus? I have also tried this in Safe Mode, with the same results.

I have also tried instructions located here. (not on your website)

http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

Thank you.

~~Justin


  • Staff

Hi and welcome to Malwarebytes.

Please do the following:

  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer; please allow it to do so (very important)
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now set up any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQs here or ask and we'll explain how to do it.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post only DDS.txt directly into your reply.


Hi,

In the future, please post all logs directly into your reply instead of attaching them. With that said, please update MBAM, run a Quick Scan, and post its log.

Next, run DDS again and post DDS.txt in your reply.

Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6516

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/1/2011 10:07:33 PM

mbam-log-2011-06-01 (22-07-28).txt

Scan type: Quick scan

Objects scanned: 164974

Time elapsed: 17 minute(s), 42 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Opabofoseqova (Trojan.Hiloti) -> Value: Opabofoseqova -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\wimcpiay.dll (Trojan.Hiloti) -> No action taken.

c:\WINDOWS\system32\config\systemprofile\local settings\application data\ebd.exe (Trojan.ExeShell.Gen) -> No action taken.

c:\WINDOWS\system32\config\systemprofile\local settings\temporary internet files\Content.IE5\9BU0S53U\dictionaryboss[1].exe (Adware.FunWeb) -> No action taken.


.

DDS (Ver_11-05-19.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 22:08:25 on 2011-06-01

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1121 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\IncrediMail\bin\IncMail.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\IncrediMail\Bin\ImApp.exe

C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\TeamViewer\Version6\TeamViewer.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\AVG\AVG9\avgscanx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

C:\WINDOWS\system32\WSCRIPT.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.rr.com

uDefault_Page_URL = hxxp://www.msn.com

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa2.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa2.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa2.dll

TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [incrediMail] c:\program files\incredimail\bin\IncMail.exe /c

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

dRun: [incrediMail] c:\program files\incredimail\bin\IncMail.exe /c

dRun: [ieswqMPFEaliD] c:\documents and settings\all users\application data\ieswqMPFEaliD.exe

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_ActiveX.exe -update activex

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

mPolicies-explorer: MaxRecentDocs = 18 (0x12)

mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

dPolicies-explorer: NoDesktop = 1 (0x1)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: &Add animation to IncrediMail Style Box - c:\program files\incredimail\bin\resources\WebMenuImg.htm

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278390398906

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278390394625

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R0 amdide1;amdide1;c:\windows\system32\drivers\amdide1.sys [2009-4-20 9096]

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2010-7-6 3456]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-10 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-10 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-10 243152]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-10 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-10 308136]

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-10 10448]

R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-3-29 2271608]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-15 136176]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-7-10 947528]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]

S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-15 136176]

S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-7-18 30560]

.

=============== Created Last 30 ================

.

2011-06-02 02:08:03 54016 ----a-w- c:\windows\system32\drivers\nrcmiw.sys

2011-05-31 02:22:12 -------- d-----w- c:\program files\PdaNet for Android

2011-05-31 02:19:42 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes

2011-05-31 02:19:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-31 02:19:04 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-31 02:19:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-31 02:19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-20 05:09:30 431104 ---ha-w- c:\documents and settings\all users\application data\ieswqMPFEaliD.exe

2011-05-20 05:09:00 -------- d--h--w- C:\Adobe

.

==================== Find3M ====================

.

2011-05-05 13:49:29 243152 ---ha-w- c:\windows\system32\drivers\avgtdix.sys

2011-04-10 19:22:27 0 ---ha-w- c:\windows\system32\ConduitEngine.tmp

2011-03-07 05:31:47 692736 ---ha-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:37:06 420864 ---ha-w- c:\windows\system32\vbscript.dll

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: WDC_WD800JD-75MSA3 rev.10.01E04 -> Harddisk0\DR0 -> \Device\Ide\IdePort2 P2T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89EE4ECC]<<

_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0xb304c879; SUB DWORD [EBP-0x4], 0xb304c135; PUSH EDI; CALL 0xffffffffffffdf2c; }

1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8A6B1AB8]

3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8A4DCA90]

[0x8A2FC268] -> IRP_MJ_CREATE -> 0x89EE4ECC

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP2T0L0-3 -> \??\IDE#DiskWDC_WD800JD-75MSA3______________________10.01E04#5&6f788e1&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x89EE4AF1

user & kernel MBR OK

sectors 156249998 (+255): user != kernel

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 22:09:41.90 ===============


  • Staff

Hi,

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs a runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is named like UtilityName.Version_Date_Time_log.txt, for example C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

Then update MBAM, run a Quick Scan, and post its log. Also run DDS again and post DDS.txt here.


I will be posting the requested information. It would APPEAR that the computer is, for the most part, clean. I did notice that about 99% of my files are now marked as "hidden". I have to go into folder options and "show hidden files" to see all of my files, including basic files in C:\, My Documents, etc. Is there any way to "unhide" every file that went hidden? Here are the requested txt files, in the next post.


2011/06/10 23:44:11.0906 1840 TDSS rootkit removing tool 2.5.4.0 Jun 7 2011 17:31:48

2011/06/10 23:44:11.0921 1840 ================================================================================

2011/06/10 23:44:11.0921 1840 SystemInfo:

2011/06/10 23:44:11.0921 1840

2011/06/10 23:44:11.0921 1840 OS Version: 5.1.2600 ServicePack: 3.0

2011/06/10 23:44:11.0921 1840 Product type: Workstation

2011/06/10 23:44:11.0921 1840 ComputerName: ANONYMOUS

2011/06/10 23:44:11.0921 1840 UserName: Owner

2011/06/10 23:44:11.0921 1840 Windows directory: C:\WINDOWS

2011/06/10 23:44:11.0921 1840 System windows directory: C:\WINDOWS

2011/06/10 23:44:11.0921 1840 Processor architecture: Intel x86

2011/06/10 23:44:11.0921 1840 Number of processors: 1

2011/06/10 23:44:11.0921 1840 Page size: 0x1000

2011/06/10 23:44:11.0921 1840 Boot type: Normal boot

2011/06/10 23:44:11.0937 1840 ================================================================================

2011/06/10 23:44:13.0062 1840 Initialize success

2011/06/10 23:44:21.0000 0580 ================================================================================

2011/06/10 23:44:21.0000 0580 Scan started

2011/06/10 23:44:21.0000 0580 Mode: Manual;

2011/06/10 23:44:21.0000 0580 ================================================================================

2011/06/10 23:44:22.0796 0580 AvgLdx86 (60b9c15e0199cecae802af9594781cc8) C:\WINDOWS\system32\Drivers\avgldx86.sys

2011/06/10 23:44:22.0796 0580 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\avgldx86.sys. Real md5: 60b9c15e0199cecae802af9594781cc8, Fake md5: b8c187439d27aba430dd69fdcf1fa657

2011/06/10 23:44:22.0812 0580 AvgLdx86 - detected Rootkit.Win32.TDSS.tdl3 (0)


2011/06/10 23:44:32.0843 0580 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/06/10 23:44:32.0906 0580 usbehci (4bac8df07f1d8434fc640e677a62204e) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/06/10 23:44:32.0953 0580 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/06/10 23:44:32.0984 0580 usbohci (c5e11cd822adf0019a5a862d9c4e2222) C:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/06/10 23:44:33.0062 0580 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/06/10 23:44:33.0140 0580 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/06/10 23:44:33.0218 0580 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/06/10 23:44:33.0296 0580 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

2011/06/10 23:44:33.0343 0580 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2011/06/10 23:44:33.0437 0580 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2011/06/10 23:44:33.0515 0580 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/06/10 23:44:33.0609 0580 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2011/06/10 23:44:33.0718 0580 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2011/06/10 23:44:33.0828 0580 winachsf (8adcd6078affc4c81f3c3ebb1e9e3a2b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2011/06/10 23:44:34.0046 0580 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/06/10 23:44:34.0093 0580 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/06/10 23:44:34.0156 0580 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/06/10 23:44:34.0234 0580 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/06/10 23:44:34.0375 0580 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk1\DR3

2011/06/10 23:44:34.0390 0580 ================================================================================

2011/06/10 23:44:34.0390 0580 Scan finished

2011/06/10 23:44:34.0390 0580 ================================================================================

2011/06/10 23:44:34.0437 3448 Detected object count: 1

2011/06/10 23:44:34.0437 3448 Actual detected object count: 1

2011/06/10 23:45:24.0046 3448 AvgLdx86 (60b9c15e0199cecae802af9594781cc8) C:\WINDOWS\system32\Drivers\avgldx86.sys

2011/06/10 23:45:24.0046 3448 Suspicious file (Forged): C:\WINDOWS\system32\Drivers\avgldx86.sys. Real md5: 60b9c15e0199cecae802af9594781cc8, Fake md5: b8c187439d27aba430dd69fdcf1fa657

2011/06/10 23:45:24.0296 3448 Backup copy found, using it..

2011/06/10 23:45:24.0312 3448 C:\WINDOWS\system32\Drivers\avgldx86.sys - will be cured after reboot

2011/06/10 23:45:24.0312 3448 Rootkit.Win32.TDSS.tdl3(AvgLdx86) - User select action: Cure

2011/06/10 23:45:33.0843 1696 Deinitialize success


  • Staff

Hi,

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

Next, please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan.

  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317


Malwarebytes' Anti-Malware 1.50.1.1100

www.malwarebytes.org

Database version: 6516

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/11/2011 12:08:48 AM

mbam-log-2011-06-11 (00-08-48).txt

Scan type: Quick scan

Objects scanned: 165010

Time elapsed: 11 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


.

DDS (Ver_2011-06-11.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Owner at 0:11:25 on 2011-06-11

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1135 [GMT -4:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Microsoft LifeCam\MSCamS32.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Microsoft\BingBar\SeaPort.EXE

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe

C:\WINDOWS\system32\taskswitch.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Program Files\IncrediMail\bin\IncMail.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\TeamViewer\Version6\TeamViewer.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\IncrediMail\Bin\ImApp.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.rr.com

uDefault_Page_URL = hxxp://www.msn.com

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

uURLSearchHooks: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa2.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mWinlogon: SfcDisable=-99 (0xffffff9d)

BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa2.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: Road Runner Toolbar: {e4878b45-e2c0-4307-b6e8-734922f92f5b} - c:\program files\road_runner\prxtbRoa2.dll

TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll

TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [incrediMail] c:\program files\incredimail\bin\IncMail.exe /c

uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1

uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe

mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"

mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe

dRun: [incrediMail] c:\program files\incredimail\bin\IncMail.exe /c

dRun: [ieswqMPFEaliD] c:\documents and settings\all users\application data\ieswqMPFEaliD.exe

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10p_ActiveX.exe -update activex

mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)

mPolicies-explorer: MaxRecentDocs = 18 (0x12)

mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)

mPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)

mPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)

dPolicies-explorer: NoDesktop = 1 (0x1)

dPolicies-system: DisableTaskMgr = 1 (0x1)

IE: &Add animation to IncrediMail Style Box - c:\program files\incredimail\bin\resources\WebMenuImg.htm

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1278390398906

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1278390394625

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

TCP: DhcpNameServer = 192.168.0.1

TCP: Interfaces\{52D1E4F1-96A0-4866-9F79-390DDB32B3CF} : DhcpNameServer = 192.168.0.1

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

.

============= SERVICES / DRIVERS ===============

.

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2010-7-6 3456]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-7-10 216400]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-7-10 29584]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-7-10 243152]

R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-10 921952]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-10 308136]

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-7-10 10448]

R2 TeamViewer6;TeamViewer 6;c:\program files\teamviewer\version6\TeamViewer_Service.exe [2011-3-29 2271608]

S0 amdide1;amdide1;c:\windows\system32\drivers\amdide1.sys [2009-4-20 9096]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-12-15 136176]

S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg9\toolbar\ToolbarBroker.exe [2010-7-10 947528]

S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]

S3 cpuz132;cpuz132;\??\c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\owner\locals~1\temp\cpuz132\cpuz132_x32.sys [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-12-15 136176]

S3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [2010-7-18 30560]

.

=============== Created Last 30 ================

.

2011-05-31 02:22:12 -------- d-----w- c:\program files\PdaNet for Android

2011-05-31 02:19:42 -------- d-----w- c:\documents and settings\owner\application data\Malwarebytes

2011-05-31 02:19:05 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-05-31 02:19:04 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2011-05-31 02:19:00 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-05-31 02:19:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2011-05-20 05:09:30 431104 ---ha-w- c:\documents and settings\all users\application data\ieswqMPFEaliD.exe

2011-05-20 05:09:00 -------- d--h--w- C:\Adobe

.

==================== Find3M ====================

.

2011-06-11 03:46:18 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2011-05-05 13:49:29 243152 ---ha-w- c:\windows\system32\drivers\avgtdix.sys

2011-04-10 19:22:27 0 ---ha-w- c:\windows\system32\ConduitEngine.tmp

.

============= FINISH: 0:12:03.25 ===============


ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6526

# api_version=3.0.2

# EOSSerial=0f1a1b612318734b9d37627bf9dc6a28

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2011-06-15 06:14:11

# local_time=2011-06-15 02:14:11 (-0500, Eastern Daylight Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=crash

# scanned=79815

# found=4

# cleaned=4

# scan_time=5360

C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\eBay.url Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\I2R9G4HR\8DCE[1].htm JS/Exploit.JavaDepKit.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Documents and Settings\Owner\My Documents\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application (deleted - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\Temp\smtmp\1\Programs\eBay.url Win32/Adware.ADON application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Results of screen317's Security Check version 0.99.13

Windows XP Service Pack 3

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!

AVG Free 9.0

ESET Online Scanner v3

WMI entry may not exist for antivirus; attempting automatic update.

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

Java 6 Update 21

Out of date Java installed!

Adobe Flash Player

````````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

``````````End of Log````````````


I turned on the Windows Firewall and updated Java, as the last scan pointed out. The only thing that still appears to be wrong is that there are shortcuts in the Windows Start Menu that are empty, i.e. Start>All Programs>Skype shows (empty), but Skype is still installed, as it starts up with Windows and it's located in the Program Files menu. Any chance I can get those back without doing it manually?

And I want to take this opportunity to thank you for all of your help. I wouldn't have been able to beat this without you!

~~Justin


  • Staff

Hi,

Please download Unhide.exe by Grinler and save it to your Desktop.

Run it, then restart your computer.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


A few things. I have already run Unhide.exe as you stated. I ran it again, and I did notice at the end that it told me that if my Start Menu programs did not get restored, I should disable my antivirus program. I use AVG Free. I disabled that, and the Windows Firewall as well. Ran it again, and restarted. Some items are still showing up "empty" in my Start Menu.

Then I tried to run ComboFix. It told me that there were issues with AVG and I had to uninstall it. I tried to uninstall AVG, but I get the following error message.

Local machine: installation failed

Installation:

Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....

Access is denied.

So I am stuck here for right now.


ComboFix 11-06-30.02 - Owner 06/30/2011 12:12:38.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.1445 [GMT -4:00]

Running from: c:\documents and settings\Owner\My Documents\Downloads\ComboFix.exe

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\Custom Settings\ToggleQL.exe

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb

.

.

((((((((((((((((((((((((( Files Created from 2011-05-28 to 2011-06-30 )))))))))))))))))))))))))))))))

.

.

2011-06-17 01:50 . 2008-04-14 07:42 159232 ----a-w- c:\windows\system32\ptpusd.dll

2011-06-17 01:50 . 2001-08-18 00:36 5632 ----a-w- c:\windows\system32\ptpusb.dll

2011-06-17 01:50 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll

2011-06-17 01:49 . 2010-01-25 22:56 9472 ----a-w- c:\windows\system32\drivers\motusbdevice.sys

2011-06-17 01:49 . 2010-04-01 17:31 23424 ----a-w- c:\windows\system32\drivers\Motousbnet.sys

2011-06-17 01:49 . 2009-01-29 20:11 6016 ----a-w- c:\windows\system32\drivers\motfilt.sys

2011-06-17 01:49 . 2010-09-29 21:13 24064 ----a-w- c:\windows\system32\drivers\motmodem.sys

2011-06-17 01:49 . 2010-12-03 18:03 20352 ----a-w- c:\windows\system32\drivers\motccgp.sys

2011-06-17 01:49 . 2009-01-29 20:18 8320 ----a-w- c:\windows\system32\drivers\motccgpfl.sys

2011-06-17 01:49 . 2007-11-02 18:51 6400 ----a-w- c:\windows\system32\drivers\motswch.sys

2011-06-17 01:49 . 2011-06-17 01:49 -------- d-----w- c:\program files\Common Files\Motorola Shared

2011-06-17 01:49 . 2011-06-17 01:49 -------- d-----w- c:\program files\Motorola

2011-06-15 16:41 . 2011-06-15 16:41 -------- d-----w- c:\program files\ESET

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-04-10 19:22 . 2010-11-17 08:22 0 ----a-w- c:\windows\system32\ConduitEngine.tmp

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[-] 2009-04-20 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys

.

.

c:\windows\System32\wscntfy.exe ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{e4878b45-e2c0-4307-b6e8-734922f92f5b}"= "c:\program files\Road_Runner\prxtbRoa2.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{e4878b45-e2c0-4307-b6e8-734922f92f5b}]

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]

2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e4878b45-e2c0-4307-b6e8-734922f92f5b}]

2011-01-17 14:54 175912 ----a-w- c:\program files\Road_Runner\prxtbRoa2.dll

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{e4878b45-e2c0-4307-b6e8-734922f92f5b}"= "c:\program files\Road_Runner\prxtbRoa2.dll" [2011-01-17 175912]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{e4878b45-e2c0-4307-b6e8-734922f92f5b}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{E4878B45-E2C0-4307-B6E8-734922F92F5B}"= "c:\program files\Road_Runner\prxtbRoa2.dll" [2011-01-17 175912]

"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]

.

[HKEY_CLASSES_ROOT\clsid\{e4878b45-e2c0-4307-b6e8-734922f92f5b}]

.

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2010-07-08 349640]

"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2010-04-29 1652736]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-11 14940040]

"Advanced SystemCare 4"="c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe" [2011-05-28 412560]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]

"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]

"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-03-17 157552]

"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-05-20 90112]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-07 1496968]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"IncrediMail"="c:\program files\IncrediMail\bin\IncMail.exe" [2010-07-08 349640]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"_nltide_3"="advpack.dll" [2009-04-20 128512]

"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10p_ActiveX.exe" [2011-04-28 235168]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"MaxRecentDocs"= 18 (0x12)

"NoSMConfigurePrograms"= 1 (0x1)

"NoRecentDocsNetHood"= 1 (0x1)

"MemCheckBoxInRunDlg"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\IncrediMail\\Bin\\IncMail.exe"=

"c:\\Program Files\\IncrediMail\\Bin\\ImApp.exe"=

"c:\\Program Files\\IncrediMail\\Bin\\ImpCnt.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=

"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=

"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaws.exe"=

.

R0 amdide1;amdide1;c:\windows\system32\drivers\amdide1.sys [4/20/2009 2:31 PM 9096]

R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [7/6/2010 12:38 AM 3456]

R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [6/19/2011 10:56 PM 353168]

R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [7/10/2010 2:53 PM 10448]

R2 MotoHelper;MotoHelper Service;c:\program files\Motorola\MotoHelper\MotoHelperService.exe [1/27/2011 5:13 PM 226624]

R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [3/29/2011 12:59 PM 2271608]

R3 MSHUSBVideo;NX6000/NX3000/VX5000/VX5500/VX2000/VX7000 Filter Driver;c:\windows\system32\drivers\nx6000.sys [7/18/2010 4:44 PM 30560]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/15/2010 5:45 PM 136176]

S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2/28/2011 6:44 PM 183560]

S3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\drivers\motfilt.sys [6/16/2011 9:49 PM 6016]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/15/2010 5:45 PM 136176]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [6/16/2011 9:49 PM 20352]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [6/16/2011 9:49 PM 8320]

S3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\drivers\Motousbnet.sys [6/16/2011 9:49 PM 23424]

S3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\drivers\motusbdevice.sys [6/16/2011 9:49 PM 9472]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - uphcleanhlp

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08

.

Contents of the 'Scheduled Tasks' folder

.

2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-15 21:45]

.

2011-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-15 21:45]

.

2011-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1532298954-1417001333-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-06 04:14]

.

2011-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1532298954-1417001333-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-07-06 04:14]

.

2010-09-04 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job

- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

.

2010-07-18 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job

- c:\program files\Microsoft LifeCam\LifeExp.exe [2009-03-17 19:24]

.

2011-06-17 c:\windows\Tasks\MotoHelper MUM.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]

.

2011-06-30 c:\windows\Tasks\MotoHelper Routing.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]

.

2011-06-17 c:\windows\Tasks\MotoHelper Update.job

- c:\program files\Motorola\MotoHelper\MotoHelperUpdate.exe [2011-01-27 21:14]

.

2011-06-30 c:\windows\Tasks\User_Feed_Synchronization-{09DA03B3-C2E3-41C6-A2AD-6F1E34CA7FFD}.job

- c:\windows\system32\msfeedssync.exe [2009-04-20 18:22]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.rr.com

IE: &Add animation to IncrediMail Style Box - c:\program files\IncrediMail\bin\resources\WebMenuImg.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

TCP: DhcpNameServer = 192.168.0.1

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)

Notify-avgrsstarter - avgrsstx.dll

SafeBoot-55175061.sys

AddRemove-conduitEngine - c:\program files\ConduitEngine\ConduitEngineUninstall.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-06-30 12:17

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,b5,18,7f,53,03,ae,41,90,02,eb,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,93,b5,18,7f,53,03,ae,41,90,02,eb,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(668)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2011-06-30 12:19:27

ComboFix-quarantined-files.txt 2011-06-30 16:19

.

Pre-Run: 56,284,643,328 bytes free

Post-Run: 56,690,933,760 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - EB05678F12485AE7CDDE8AD752B4793F
