google redirect virus


Adorra

Hi Guys

I am on the long list of people affected by the google redirect virus. I have looked at various forums to try and remove it on my own but haven't had any luck (UnHackMe is either a piece of crap program or I just don't know how to use it properly). Reading one of the forum posts here, I have followed the instructions on it (updated MBAM, run a quick scan, then downloaded DDS and run that scan as well). Here are the results.

Keen to get this off my computer in a hurry and grateful for any help. Thanks

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 10:47:50 on 2011-09-15
Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1527.763 [GMT 10:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *Enabled*
.
============== Running Processes ===============
.
D:\PROGRA~1\AVG\AVG10\avgchsvx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
D:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\SOUNDMAN.EXE
D:\WINDOWS\system32\igfxpers.exe
D:\WINDOWS\system32\hkcmd.exe
D:\Program Files\AVG\AVG10\avgtray.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Common Files\Java\Java Update\jusched.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Windows Sidebar\sidebar.exe
svchost.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
D:\Program Files\AVG\AVG10\avgwdsvc.exe
D:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
D:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
D:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
D:\Program Files\AVG\AVG10\avgnsx.exe
D:\Program Files\AVG\AVG10\avgemcx.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\WINDOWS\System32\svchost.exe -k HTTPFilter
D:\Program Files\Windows Live\Contacts\wlcomm.exe
D:\PROGRA~1\AVG\AVG10\avgrsx.exe
D:\Program Files\AVG\AVG10\avgcsrvx.exe
D:\Program Files\QuickBooks\qbw32.exe
D:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
.

============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.tpg.com.au/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} -
mWinlogon: SfcDisable=-99 (0xffffff9d)
{063aa87c-1c19-4ace-ba8f-ef0bb4f70fac}
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - McAfee Phishing Filter
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - d:\program files\avg\avg10\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - d:\program files\common files\mcafee\systemcore\ScriptSn.20091230114531.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - McAfee SiteAdvisor BHO
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
{dfe31944-2f7b-4ba9-be58-3d679f75383e}
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "d:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [sidebar] d:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MSMSGS] "d:\program files\messenger\msmsgs.exe" /background
uRun: [TaskSwitchXP] d:\program files\taskswitchxp\TaskSwitchXP.exe
mRun: [soundMan] SOUNDMAN.EXE
mRun: [REGSHAVE] d:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Persistence] d:\windows\system32\igfxpers.exe
mRun: [igfxTray] d:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] d:\windows\system32\hkcmd.exe
mRun: [AppleSyncNotifier] d:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [AVG_TRAY] d:\program files\avg\avg10\avgtray.exe
mRun: [QuickTime Task] "d:\program files\k-lite codec pack\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [sunJavaUpdateSched] "d:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] d:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [CTFMON.EXE] d:\windows\system32\CTFMON.EXE
dRun: [TaskSwitchXP] d:\program files\taskswitchxp\TaskSwitchXP.exe
dRun: [Nokia.PCSync] "d:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - d:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\users\administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///D:/Program%20Files/Bejeweled%202/Images/armhelper.ocx
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1 192.168.1.1
TCP: Interfaces\{C4A0B906-5D41-42D4-806C-459B29AD8D4C} : DhcpNameServer = 192.168.2.1 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - d:\program files\avg\avg10\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\wpdshserviceobj.dll
LSA: Authentication Packages = msv1_0 d:\windows\system32\awtqqRKD
mASetup: {34A19196-274E-4D75-9D30-D7A45A0A4178} - "d:\program files\windows sidebar\.\regsvr32.exe" /s wlsrvc.dll
mASetup: {6B9228DA-9C15-419e-856C-19E768A13BDC} - "d:\program files\windows sidebar\.\regsvr32.exe" /s sbdrop.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - d:\windows\system32\hidec /w "d:\program files\vaioxp\tools\regtlib.exe" "d:\program files\windows sidebar\sidebar.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.

================= FIREFOX ===================
.
FF - ProfilePath - d:\users\administrator\application data\mozilla\firefox\profiles\kkch63vd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: network.proxy.type - 0
FF - component: d:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: d:\program files\abr\plug-in\bin\npAUSkeyPlugin.dll
FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\program files\k-lite codec pack\quicktime\plugins\npqtplugin7.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: d:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: d:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: d:\program files\nos\bin\np_gp.dll
FF - plugin: d:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: d:\users\administrator\application data\facebook\npfbplugin_1_0_1.dll
.

============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;d:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 mfehidk;McAfee Inc. mfehidk;d:\windows\system32\drivers\mfehidk.sys [2009-12-30 385344]
R1 Avgldx86;AVG AVI Loader Driver;d:\windows\system32\drivers\avgldx86.sys [2010-9-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;d:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34896]
R1 Avgtdix;AVG TDI Driver;d:\windows\system32\drivers\avgtdix.sys [2010-9-7 297168]
R1 mfetdi2k;McAfee Inc. mfetdi2k;d:\windows\system32\drivers\mfetdi2k.sys [2009-12-30 82952]
R2 AVGIDSAgent;AVGIDSAgent;d:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]
R2 avgwd;AVG WatchDog;d:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 McShield;McShield;d:\program files\common files\mcafee\systemcore\mcshield.exe [2009-12-30 170144]
R2 mfefire;McAfee Firewall Core Service;d:\program files\common files\mcafee\systemcore\mfefire.exe [2009-12-30 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;d:\program files\common files\mcafee\systemcore\mfevtps.exe [2009-12-30 141792]
R3 AVGIDSDriver;AVGIDSDriver;d:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 134480]
R3 AVGIDSFilter;AVGIDSFilter;d:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 24144]
R3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 27216]
R3 mfeavfk;McAfee Inc. mfeavfk;d:\windows\system32\drivers\mfeavfk.sys [2008-12-20 152320]
R3 mfebopk;McAfee Inc. mfebopk;d:\windows\system32\drivers\mfebopk.sys [2008-12-20 51688]
R3 mfefirek;McAfee Inc. mfefirek;d:\windows\system32\drivers\mfefirek.sys [2009-12-30 312584]
R3 mfendiskmp;mfendiskmp;d:\windows\system32\drivers\mfendisk.sys [2009-12-30 88480]
S1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys --> d:\windows\system32\drivers\nod32drv.sys [?]
S2 McMPFSvc;McAfee Personal Firewall;d:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2009-12-30 270968]
S2 McNaiAnn;McAfee VirusScan Announcer;d:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2009-12-30 270968]
S2 McProxy;McAfee Proxy Service;d:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2009-12-30 270968]
S3 cfwids;McAfee Inc. cfwids;d:\windows\system32\drivers\cfwids.sys [2009-12-30 55456]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;d:\windows\system32\drivers\mfendisk.sys [2009-12-30 88480]
S3 mferkdet;McAfee Inc. mferkdet;d:\windows\system32\drivers\mferkdet.sys [2009-12-30 83368]
S3 mferkdk;McAfee Inc. mferkdk;d:\windows\system32\drivers\mferkdk.sys [2008-12-20 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;d:\windows\system32\drivers\mfesmfk.sys [2008-12-20 40552]
.

=============== File Associations ===============
.
inffile=d:\windows\system32\Notepad2.exe %1
inifile=d:\windows\system32\Notepad2.exe %1
txtfile=d:\windows\system32\Notepad2.exe %1
.
=============== Created Last 30 ================
.
2011-09-02 06:48:10 -------- d-sh--r- D:\comment.htt
2011-09-01 04:39:19 2 --shatr- d:\windows\winstart.bat
2011-09-01 04:39:06 -------- d-----w- d:\program files\UnHackMe
2011-08-17 04:31:02 32768 ----a-w- d:\windows\pnpclk.dll
2011-08-17 04:31:02 29184 ----a-w- d:\windows\RNDISMPK.sys
2011-08-17 04:31:02 27264 ----a-w- d:\windows\rndismpm.sys
2011-08-17 04:31:02 27008 ----a-w- d:\windows\rndismpw.sys
2011-08-17 04:31:02 13824 ----a-w- d:\windows\usb8023k.sys
2011-08-17 04:31:02 126976 ----a-w- d:\windows\autoclk.exe
2011-08-17 04:31:02 114688 ----a-w- d:\windows\unaddbcm.exe
2011-08-17 04:31:02 11264 ----a-w- d:\windows\usb8023w.sys
2011-08-17 04:31:02 11136 ----a-w- d:\windows\usb8023m.sys
.
==================== Find3M ====================
.
2011-09-03 10:17:37 599040 ----a-w- d:\windows\system32\crypt32.dll
2011-09-02 07:04:32 404640 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-31 07:00:50 22216 ----a-w- d:\windows\system32\drivers\mbam.sys
2011-07-29 05:32:14 81920 ----a-w- d:\windows\ALCFDRTM.VER
2011-07-15 13:29:31 456320 ----a-w- d:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- d:\windows\system32\drivers\ndistapi.sys
2011-06-24 14:10:36 139656 ----a-w- d:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- d:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- d:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- d:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- d:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- d:\windows\system32\winsrv.dll
.
============= FINISH: 10:49:03.56 ===============

mbam-log-2011-09-15 (10-47-08).txt

DDS.txt


Logs will be closed if you haven't replied within 3 days

Please don't attach the scans / logs from these scans, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your PC inoperable and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner»

Double-click ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

  • If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1

Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • It doesn't take long to run, once it is finished move onto the next step

Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of that TDSSKiller log.

Also please describe how your computer behaves at the moment.


TDSSKiller did not find any infections. The following is the log:

2011/09/18 16:18:11.0093 5228 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
2011/09/18 16:18:13.0062 5228 ================================================================================
2011/09/18 16:18:13.0062 5228 SystemInfo:
2011/09/18 16:18:13.0062 5228
2011/09/18 16:18:13.0062 5228 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/18 16:18:13.0062 5228 Product type: Workstation
2011/09/18 16:18:13.0062 5228 ComputerName: LastXP15
2011/09/18 16:18:13.0062 5228 UserName: Administrator
2011/09/18 16:18:13.0062 5228 Windows directory: D:\WINDOWS
2011/09/18 16:18:13.0062 5228 System windows directory: D:\WINDOWS
2011/09/18 16:18:13.0062 5228 Processor architecture: Intel x86
2011/09/18 16:18:13.0062 5228 Number of processors: 2
2011/09/18 16:18:13.0062 5228 Page size: 0x1000
2011/09/18 16:18:13.0062 5228 Boot type: Normal boot
2011/09/18 16:18:13.0062 5228 ================================================================================
2011/09/18 16:18:14.0156 5228 Initialize success
2011/09/18 16:18:17.0375 3376 ================================================================================
2011/09/18 16:18:17.0375 3376 Scan started
2011/09/18 16:18:17.0375 3376 Mode: Manual;
2011/09/18 16:18:17.0375 3376 ================================================================================


2011/09/18 16:18:25.0140 3376 SLIP (866d538ebe33709a5c9f5c62b73b7d14) D:\WINDOWS\system32\DRIVERS\SLIP.sys

2011/09/18 16:18:25.0203 3376 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) D:\WINDOWS\system32\drivers\splitter.sys

2011/09/18 16:18:25.0265 3376 sptd (4f576e516cc76ec50a244586bcfa1c78) D:\WINDOWS\system32\Drivers\sptd.sys

2011/09/18 16:18:25.0265 3376 Suspicious file (NoAccess): D:\WINDOWS\system32\Drivers\sptd.sys. md5: 4f576e516cc76ec50a244586bcfa1c78

2011/09/18 16:18:25.0281 3376 sptd - detected LockedFile.Multi.Generic (1)

2011/09/18 16:18:25.0296 3376 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) D:\WINDOWS\system32\DRIVERS\sr.sys

2011/09/18 16:18:25.0359 3376 Srv (47ddfc2f003f7f9f0592c6874962a2e7) D:\WINDOWS\system32\DRIVERS\srv.sys

2011/09/18 16:18:25.0421 3376 StillCam (a9573045baa16eab9b1085205b82f1ed) D:\WINDOWS\system32\DRIVERS\serscan.sys

2011/09/18 16:18:25.0468 3376 streamip (77813007ba6265c4b6098187e6ed79d2) D:\WINDOWS\system32\DRIVERS\StreamIP.sys

2011/09/18 16:18:25.0500 3376 swenum (3941d127aef12e93addf6fe6ee027e0f) D:\WINDOWS\system32\DRIVERS\swenum.sys

2011/09/18 16:18:25.0546 3376 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) D:\WINDOWS\system32\drivers\swmidi.sys

2011/09/18 16:18:25.0687 3376 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) D:\WINDOWS\system32\drivers\sysaudio.sys

2011/09/18 16:18:25.0828 3376 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) D:\WINDOWS\system32\DRIVERS\tcpip.sys

2011/09/18 16:18:25.0890 3376 TDPIPE (6471a66807f5e104e4885f5b67349397) D:\WINDOWS\system32\drivers\TDPIPE.sys

2011/09/18 16:18:25.0921 3376 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) D:\WINDOWS\system32\drivers\TDTCP.sys

2011/09/18 16:18:25.0968 3376 TermDD (88155247177638048422893737429d9e) D:\WINDOWS\system32\DRIVERS\termdd.sys

2011/09/18 16:18:26.0046 3376 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) D:\WINDOWS\system32\drivers\Udfs.sys

2011/09/18 16:18:26.0140 3376 UnlockerDriver5 (b2af2ba8a3205a8458b61f638fb431dd) D:\Program Files\Unlocker\UnlockerDriver5.sys

2011/09/18 16:18:26.0187 3376 Update (402ddc88356b1bac0ee3dd1580c76a31) D:\WINDOWS\system32\DRIVERS\update.sys

2011/09/18 16:18:26.0234 3376 upperdev (2522747ba661514e3770e508cce45b64) D:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys

2011/09/18 16:18:26.0296 3376 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) D:\WINDOWS\system32\Drivers\usbaapl.sys

2011/09/18 16:18:26.0343 3376 usbaudio (e919708db44ed8543a7c017953148330) D:\WINDOWS\system32\drivers\usbaudio.sys

2011/09/18 16:18:26.0375 3376 usbccgp (173f317ce0db8e21322e71b7e60a27e8) D:\WINDOWS\system32\DRIVERS\usbccgp.sys

2011/09/18 16:18:26.0421 3376 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) D:\WINDOWS\system32\DRIVERS\usbehci.sys

2011/09/18 16:18:26.0468 3376 usbhub (a874d1629762019ceaf824ad8a8c5660) D:\WINDOWS\system32\DRIVERS\usbhub.sys

2011/09/18 16:18:26.0515 3376 usbohci (0daecce65366ea32b162f85f07c6753b) D:\WINDOWS\system32\DRIVERS\usbohci.sys

2011/09/18 16:18:26.0562 3376 usbprint (a717c8721046828520c9edf31288fc00) D:\WINDOWS\system32\DRIVERS\usbprint.sys

2011/09/18 16:18:26.0609 3376 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) D:\WINDOWS\system32\DRIVERS\usbscan.sys

2011/09/18 16:18:26.0656 3376 usbser (49106ee29074e6a3d3ac9e24c6d791d8) D:\WINDOWS\system32\DRIVERS\usbser.sys

2011/09/18 16:18:26.0687 3376 UsbserFilt (8aa5f86a6c3b3234beed9556d145bfac) D:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys

2011/09/18 16:18:26.0734 3376 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) D:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2011/09/18 16:18:26.0781 3376 usbuhci (0ee1925590ba1abec14254d54d9870f4) D:\WINDOWS\system32\DRIVERS\usbuhci.sys

2011/09/18 16:18:26.0812 3376 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) D:\WINDOWS\System32\drivers\vga.sys

2011/09/18 16:18:26.0859 3376 VolSnap (4c8fcb5cc53aab716d810740fe59d025) D:\WINDOWS\system32\drivers\VolSnap.sys

2011/09/18 16:18:26.0906 3376 Wanarp (e20b95baedb550f32dd489265c1da1f6) D:\WINDOWS\system32\DRIVERS\wanarp.sys

2011/09/18 16:18:26.0968 3376 Wdf01000 (fd47474bd21794508af449d9d91af6e6) D:\WINDOWS\system32\DRIVERS\Wdf01000.sys

2011/09/18 16:18:27.0031 3376 wdmaud (6768acf64b18196494413695f0c3a00f) D:\WINDOWS\system32\drivers\wdmaud.sys

2011/09/18 16:18:27.0093 3376 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) D:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys

2011/09/18 16:18:27.0187 3376 WpdUsb (cf4def1bf66f06964dc0d91844239104) D:\WINDOWS\system32\Drivers\wpdusb.sys

2011/09/18 16:18:27.0234 3376 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) D:\WINDOWS\System32\drivers\ws2ifsl.sys

2011/09/18 16:18:27.0281 3376 WSTCODEC (c98b39829c2bbd34e454150633c62c78) D:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2011/09/18 16:18:27.0343 3376 WudfPf (50eb9e21963b4f06fd010d007d54351b) D:\WINDOWS\system32\DRIVERS\WudfPf.sys

2011/09/18 16:18:27.0375 3376 WudfRd (6e209664bdea8a15b5e8e480d6c607c2) D:\WINDOWS\system32\DRIVERS\wudfrd.sys

2011/09/18 16:18:27.0453 3376 ZSMC211 (34855358150e44876e60e61b46e70a56) D:\WINDOWS\system32\Drivers\ZS211.sys

2011/09/18 16:18:27.0500 3376 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

2011/09/18 16:18:27.0640 3376 Boot (0x1200) (e32b80a1babe77d48545f838aa121437) \Device\Harddisk0\DR0\Partition0

2011/09/18 16:18:27.0656 3376 Boot (0x1200) (59380ae653443bc569d7e96c24126e07) \Device\Harddisk0\DR0\Partition1

2011/09/18 16:18:27.0671 3376 ================================================================================

2011/09/18 16:18:27.0671 3376 Scan finished

2011/09/18 16:18:27.0671 3376 ================================================================================

2011/09/18 16:18:27.0687 1388 Detected object count: 1

2011/09/18 16:18:27.0687 1388 Actual detected object count: 1

2011/09/18 16:24:00.0046 1388 LockedFile.Multi.Generic(sptd) - User select action: Skip

The only thing my computer is doing which is not normal is that it keeps telling me I have a connection problem when I was trying to download the required programs, but I persisted by refreshing on the link and was able to push through it. Also, I thought you would like to know that the link you have for ATF-Cleaner actually goes to a different program called PC Cleaner, which was totally different and required paid registration to work. I was able to do a Google search on ATF-Cleaner and finally found a copy.


The ATF link should be this.

http://forums.whatthetech.com/index.php?autocom=downloads&req=download&code=confirm_download&id=17

http://forums.whatthetech.com/index.php?autocom=downloads&req=download&code=do_download

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (right-click, choose "Run as Administrator").

Download ComboFix from one of these locations:

Link 1

Link 2 (if using this link, right-click and select Save As).

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: ComboFix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC2-1.png]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


Following is the ComboFix report. ComboFix claimed that I had McAfee running, but I have not used this program in years (I currently run AVG) and don't know if this affected the report in any way.

ComboFix 11-09-18.03 - Administrator 19/09/2011 14:40:25.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1527.747 [GMT 10:00]

Running from: D:\Users\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

D:\Users\Administrator\Application Data\inst.exe

D:\Users\Administrator\Local Settings\Application Data\ApplicationHistory

D:\Users\Administrator\Local Settings\Application Data\ApplicationHistory\ConfigWizards.exe.74b59281.ini

D:\Users\Administrator\Local Settings\Application Data\ApplicationHistory\csc.exe.8a121d6e.ini

D:\Users\Administrator\Local Settings\Application Data\ApplicationHistory\MBKInstaller.exe.d92db616.ini

D:\Users\Administrator\Local Settings\Application Data\ApplicationHistory\timezone.exe.202762ac.ini

D:\Users\Administrator\WINDOWS

D:\WINDOWS\Downloaded Program Files\ODCTOOLS

D:\WINDOWS\system32\CddbCdda.dll

D:\WINDOWS\system32\comct332.ocx

D:\WINDOWS\system32\Thumbs.db

((((((((((((((((((((((((( Files Created from 2011-08-19 to 2011-09-19 )))))))))))))))))))))))))))))))

2011-09-18 05:33:30 . 2011-09-18 05:33:30 -------- d-----w- D:\Users\Administrator\Application Data\RegistryKeys

2011-09-02 06:48:10 . 2011-09-02 06:48:10 -------- d-----r- D:\comment.htt

2011-09-01 04:39:19 . 2011-09-01 04:39:19 2 --shatr- D:\WINDOWS\winstart.bat

2011-09-01 04:39:06 . 2011-09-14 05:24:37 -------- d-----w- D:\Program Files\UnHackMe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2011-09-09 09:12:13 . 2004-08-04 00:56:42 599040 ----a-w- D:\WINDOWS\system32\crypt32.dll

2011-09-02 07:04:32 . 2011-07-27 08:45:15 404640 ----a-w- D:\WINDOWS\system32\FlashPlayerCPLApp.cpl

2011-08-31 07:00:50 . 2010-07-08 05:11:18 22216 ----a-w- D:\WINDOWS\system32\drivers\mbam.sys

2011-07-29 05:32:14 . 2008-02-04 10:54:35 81920 ----a-w- D:\WINDOWS\ALCFDRTM.VER

2011-07-15 13:29:31 . 2007-05-21 19:41:00 456320 ----a-w- D:\WINDOWS\system32\drivers\mrxsmb.sys

2011-07-08 14:02:00 . 2001-08-23 22:00:00 10496 ----a-w- D:\WINDOWS\system32\drivers\ndistapi.sys

2011-06-24 14:10:36 . 2008-01-28 01:27:22 139656 ----a-w- D:\WINDOWS\system32\drivers\rdpwd.sys

2011-06-23 18:36:30 . 2007-05-21 19:46:50 916480 ----a-w- D:\WINDOWS\system32\wininet.dll

2011-06-23 18:36:30 . 2007-05-21 19:46:28 43520 ----a-w- D:\WINDOWS\system32\licmgr10.dll

2011-06-23 18:36:30 . 2007-05-21 19:46:20 1469440 ------w- D:\WINDOWS\system32\inetcpl.cpl

2011-06-23 12:05:13 . 2007-05-21 19:45:54 385024 ----a-w- D:\WINDOWS\system32\html.iec

2011-09-06 23:17:57 . 2011-05-16 05:55:07 134104 ----a-w- D:\Program Files\mozilla firefox\components\browsercomps.dll

2009-12-04 03:39:14 . 2009-12-30 01:45:31 24376 ----a-w- D:\Program Files\mozilla firefox\components\Scriptff.dll


Ran ComboFix again and seem to have gotten a longer report this time. I think AVG kicked in before the last report was finished and stalled it.

ComboFix 11-09-19.01 - Administrator 19/09/2011 15:47:10.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1527.807 [GMT 10:00]

Running from: d:\users\Administrator\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

d:\users\Administrator\Application Data\inst.exe

d:\users\Administrator\Local Settings\Application Data\ApplicationHistory\ConfigWizards.exe.74b59281.ini

d:\users\Administrator\Local Settings\Application Data\ApplicationHistory\csc.exe.8a121d6e.ini

d:\users\Administrator\Local Settings\Application Data\ApplicationHistory\MBKInstaller.exe.d92db616.ini

d:\users\Administrator\Local Settings\Application Data\ApplicationHistory\timezone.exe.202762ac.ini

d:\windows\system32\CddbCdda.dll

d:\windows\system32\comct332.ocx

d:\windows\system32\Thumbs.db

.

.

((((((((((((((((((((((((( Files Created from 2011-08-19 to 2011-09-19 )))))))))))))))))))))))))))))))

.

.

2011-09-18 05:33 . 2011-09-18 05:33 -------- d-----w- d:\users\Administrator\Application Data\RegistryKeys

2011-09-02 06:48 . 2011-09-02 06:48 -------- d-----r- D:\comment.htt

2011-09-01 04:39 . 2011-09-01 04:39 2 --shatr- d:\windows\winstart.bat

2011-09-01 04:39 . 2011-09-14 05:24 -------- d-----w- d:\program files\UnHackMe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2004-08-04 00:56 599040 ----a-w- d:\windows\system32\crypt32.dll

2011-09-02 07:04 . 2011-07-27 08:45 404640 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 07:00 . 2010-07-08 05:11 22216 ----a-w- d:\windows\system32\drivers\mbam.sys

2011-07-29 05:32 . 2008-02-04 10:54 81920 ----a-w- d:\windows\ALCFDRTM.VER

2011-07-15 13:29 . 2007-05-21 19:41 456320 ----a-w- d:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2001-08-23 22:00 10496 ----a-w- d:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2008-01-28 01:27 139656 ----a-w- d:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2007-05-21 19:46 916480 ----a-w- d:\windows\system32\wininet.dll

2011-06-23 18:36 . 2007-05-21 19:46 43520 ----a-w- d:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2007-05-21 19:46 1469440 ------w- d:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2007-05-21 19:45 385024 ----a-w- d:\windows\system32\html.iec

2011-09-06 23:17 . 2011-05-16 05:55 134104 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll

2009-12-04 03:39 . 2009-12-30 01:45 24376 ----a-w- d:\program files\mozilla firefox\components\Scriptff.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . d:\windows\ServicePackFiles\i386\usp10.dll

[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . d:\windows\SoftwareDistribution.old\Download\79123dd72d0f61d4ed8c7a816ed338d7\usp10.dll

[-] 2007-05-21 . 456FB859236C9074ACF6C3B6243D8B46 . 502784 . . [1.0626.6000.16386] . . d:\windows\system32\usp10.dll

.

[7] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . d:\windows\ServicePackFiles\i386\regsvc.dll

[7] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . d:\windows\SoftwareDistribution.old\Download\79123dd72d0f61d4ed8c7a816ed338d7\regsvc.dll

.

[-] 2007-01-17 21:43 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . d:\windows\system32\mspmsnsv.dll

.

d:\windows\System32\regsvc.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"Sidebar"="d:\program files\Windows Sidebar\sidebar.exe" [2007-01-29 1230848]

"TaskSwitchXP"="d:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 62976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2006-07-21 86016]

"REGSHAVE"="d:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"Persistence"="d:\windows\system32\igfxpers.exe" [2007-01-13 135168]

"IgfxTray"="d:\windows\system32\igfxtray.exe" [2007-01-13 131072]

"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2007-01-13 163840]

"AppleSyncNotifier"="d:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

"AVG_TRAY"="d:\program files\AVG\AVG10\avgtray.exe" [2011-09-09 2338656]

"QuickTime Task"="d:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"TaskSwitchXP"="d:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 62976]

"Nokia.PCSync"="d:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 1232896]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0d:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0d:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-11 12:16 39792 ----a-w- d:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 16:43 69632 ----a-w- d:\windows\ALCMTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

2006-05-04 14:26 2808832 ----a-w- d:\windows\ALCWZRD.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2007-09-13 16:50 1603152 ----a-w- d:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2007-10-25 16:10 652624 ----a-w- d:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-01-25 05:08 421160 ----a-w- d:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 00:50 155648 ----a-w- d:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]

2008-03-26 08:41 1232896 ----a-w- d:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]

2003-05-08 00:00 49152 ----a-w- d:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

2006-09-07 17:19 15872 ----a-w- d:\program files\Unlocker\UnlockerAssistant.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"bgsvcgen"=2 (0x2)

"MBackMonitor"=3 (0x3)

"Bonjour Service"=2 (0x2)

"mnmsrvc"=3 (0x3)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Program Files\\LimeWire\\LimeWire.exe"=

"d:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"d:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

"d:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

"d:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"d:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"d:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

.

R0 AVGIDSEH;AVGIDSEH;d:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 4:27 PM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [7/09/2010 3:48 AM 32592]

R0 sptd;sptd;d:\windows\system32\drivers\sptd.sys [28/01/2008 11:33 AM 682232]

R1 Avgldx86;AVG AVI Loader Driver;d:\windows\system32\drivers\avgldx86.sys [7/09/2010 3:48 AM 248656]

R1 Avgtdix;AVG TDI Driver;d:\windows\system32\drivers\avgtdix.sys [7/09/2010 3:49 AM 297168]

R1 mfetdi2k;McAfee Inc. mfetdi2k;d:\windows\system32\drivers\mfetdi2k.sys [30/12/2009 11:45 AM 82952]

R2 avgwd;AVG WatchDog;d:\program files\AVG\AVG10\avgwdsvc.exe [8/02/2011 5:33 AM 269520]

R2 mfefire;McAfee Firewall Core Service;d:\program files\Common Files\McAfee\SystemCore\mfefire.exe [30/12/2009 11:45 AM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;d:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [30/12/2009 11:45 AM 141792]

R3 AVGIDSDriver;AVGIDSDriver;d:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 9:42 PM 134480]

R3 AVGIDSFilter;AVGIDSFilter;d:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 9:42 PM 24144]

R3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 9:42 PM 27216]

R3 mfefirek;McAfee Inc. mfefirek;d:\windows\system32\drivers\mfefirek.sys [30/12/2009 11:45 AM 312584]

R3 mfendiskmp;mfendiskmp;d:\windows\system32\drivers\mfendisk.sys [30/12/2009 11:45 AM 88480]

S1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys --> d:\windows\system32\drivers\nod32drv.sys [?]

S2 AVGIDSAgent;AVGIDSAgent;d:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/08/2011 1:33 AM 7390560]

S2 McMPFSvc;McAfee Personal Firewall;"d:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/12/2009 11:45 AM 270968]

S2 McNaiAnn;McAfee VirusScan Announcer;"d:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/12/2009 11:45 AM 270968]

S3 cfwids;McAfee Inc. cfwids;d:\windows\system32\drivers\cfwids.sys [30/12/2009 11:45 AM 55456]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;d:\windows\system32\drivers\mfendisk.sys [30/12/2009 11:45 AM 88480]

S3 mferkdet;McAfee Inc. mferkdet;d:\windows\system32\drivers\mferkdet.sys [30/12/2009 11:45 AM 83368]

.

--- Other Services/Drivers In Memory ---

.

*Deregistered* - mfeavfk01

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]

2004-08-03 07:07 11776 ----a-w- d:\program files\Windows Sidebar\regsvr32.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]

2004-08-03 07:07 11776 ----a-w- d:\program files\Windows Sidebar\regsvr32.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-19 d:\windows\Tasks\OGADaily.job

- d:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

.

2011-09-19 d:\windows\Tasks\OGALogon.job

- d:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.tpg.com.au/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\users\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\update

TCP: DhcpNameServer = 192.168.2.1 192.168.1.1

FF - ProfilePath - d:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\kkch63vd.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - prefs.js: network.proxy.type - 0

.

.

------- File Associations -------

.

inifile=d:\windows\system32\Notepad2.exe %1

txtfile=d:\windows\system32\Notepad2.exe %1

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{063aa87c-1c19-4ace-ba8f-ef0bb4f70fac} - (no file)

BHO-{DFE31944-2F7B-4BA9-BE58-3D679F75383E} - (no file)

MSConfigStartUp-a4e5691a - d:\windows\system32\dctwoxen.dll

MSConfigStartUp-AVG8_TRAY - d:\progra~1\AVG\AVG8\avgtray.exe

MSConfigStartUp-mcagent_exe - d:\program files\McAfee.com\Agent\mcagent.exe

MSConfigStartUp-PCSuiteTrayApplication - d:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

MSConfigStartUp-SansaDispatch - d:\program files\SanDisk\Sansa Updater\SansaDispatch.exe

MSConfigStartUp-terefelele - d:\windows\system32\tadovoyi.dll

HKLM_ActiveSetup-{D58F39FF-953E-4F45-898F-59F243B9A523} - d:\windows\system32\hidec

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-19 15:52

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-515967899-1275210071-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,63,cd,d4,5d,4c,3a,4b,a8,54,f3,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,63,cd,d4,5d,4c,3a,4b,a8,54,f3,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3988)

d:\windows\system32\WININET.dll

d:\windows\system32\ieframe.dll

d:\windows\system32\webcheck.dll

d:\windows\system32\wpdshserviceobj.dll

d:\windows\system32\portabledevicetypes.dll

d:\windows\system32\portabledeviceapi.dll

.

Completion time: 2011-09-19 15:55:21

ComboFix-quarantined-files.txt 2011-09-19 05:55

.

Pre-Run: 13,972,365,312 bytes free

Post-Run: 13,926,391,808 bytes free

.

- - End Of File - - BCE95908AD40CF0A8D95E9B81805E244

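The Sigcheck section of the log above is ComboFix comparing the copy of a system DLL that Windows actually loads (under system32) against the backup copies it keeps (ServicePackFiles and the Windows Update download cache), and noting files that are absent. In that run, the system32 copy of usp10.dll carries a different MD5 and version number from both backup copies, mspmsnsv.dll has no backup copy to compare against, and regsvc.dll is missing from system32. Reading that by eye across a long log is error-prone, so here is an added example, not part of the thread and not ComboFix's own code, that parses those lines and reports exactly those three conditions. The sample text is constructed from the Sigcheck lines above; the regular expressions are written for the line layout shown; treating a bracketed `[-]` as "no match recorded" is an assumption about ComboFix's notation; PowerShell 3 or newer is assumed.

```powershell
# Added example (not from the thread, not ComboFix's code): triage the
# Sigcheck section of a ComboFix log. Assumes PowerShell 3 or newer.

# Constructed sample: the Sigcheck lines from the log above, verbatim.
$SampleSigcheck = @'
[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . d:\windows\ServicePackFiles\i386\usp10.dll
[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . d:\windows\SoftwareDistribution.old\Download\79123dd72d0f61d4ed8c7a816ed338d7\usp10.dll
[-] 2007-05-21 . 456FB859236C9074ACF6C3B6243D8B46 . 502784 . . [1.0626.6000.16386] . . d:\windows\system32\usp10.dll
[7] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . d:\windows\ServicePackFiles\i386\regsvc.dll
[7] 2008-04-14 . 5B19B557B0C188210A56A6B699D90B8F . 59904 . . [5.1.2600.5512] . . d:\windows\SoftwareDistribution.old\Download\79123dd72d0f61d4ed8c7a816ed338d7\regsvc.dll
[-] 2007-01-17 21:43 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . d:\windows\system32\mspmsnsv.dll
d:\windows\System32\regsvc.dll ... is missing !!
'@

# One Sigcheck entry: [status] date . MD5 . size . . [version] . . path
$EntryRe   = '^\[(?<status>[^\]]+)\]\s+(?<date>\d{4}-\d\d-\d\d(?: \d\d:\d\d)?)\s+\.\s+(?<md5>[0-9A-Fa-f]{32})\s+\.\s+(?<size>\d+)\s+\.\s+\.\s+\[(?<ver>[^\]]*)\]\s+\.\s+\.\s+(?<path>\S.*?)\s*$'
$MissingRe = '^(?<path>.+?)\s+\.\.\.\s+is missing !!$'

# The copy Windows loads lives under \system32\ (or \system32\drivers\).
# ServicePackFiles, the Windows Update cache and dllcache hold backup copies.
function Test-LiveCopy([string]$Path) {
    $p = $Path.ToLowerInvariant()
    return ($p -like '*\system32\*') -and ($p -notmatch 'servicepackfiles|softwaredistribution|dllcache')
}

function Get-SigcheckTriage([string]$Text) {
    $entries = @(); $missing = @()
    foreach ($raw in ($Text -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match $MissingRe) { $missing += $Matches['path']; continue }
        if ($line -match $EntryRe) {
            $entries += [pscustomobject]@{
                Status  = $Matches['status']
                Md5     = $Matches['md5'].ToUpperInvariant()
                Version = $Matches['ver']
                Path    = $Matches['path']
                Name    = $Matches['path'].Split('\')[-1].ToLowerInvariant()
                Live    = Test-LiveCopy $Matches['path']
            }
        }
    }

    $findings = @()
    foreach ($group in ($entries | Group-Object -Property Name)) {
        $refMd5 = @($group.Group | Where-Object { -not $_.Live } | ForEach-Object { $_.Md5 } | Sort-Object -Unique)
        foreach ($live in @($group.Group | Where-Object { $_.Live })) {
            if ($refMd5.Count -gt 0 -and $refMd5 -notcontains $live.Md5) {
                # Live file matches none of its backup copies: compare the version numbers, then inspect by hand.
                $findings += [pscustomobject]@{ Name = $group.Name; Finding = 'hash differs from backup copies'; LiveMd5 = $live.Md5; LiveVersion = $live.Version; ReferenceMd5 = ($refMd5 -join ',') }
            } elseif ($refMd5.Count -eq 0 -and $live.Status -eq '-') {
                # Assumption: "[-]" means ComboFix recorded no match for this file, and there is no backup copy to compare.
                $findings += [pscustomobject]@{ Name = $group.Name; Finding = 'no backup copy to compare'; LiveMd5 = $live.Md5; LiveVersion = $live.Version; ReferenceMd5 = '' }
            }
        }
    }
    foreach ($m in $missing) {
        $findings += [pscustomobject]@{ Name = $m.Split('\')[-1].ToLowerInvariant(); Finding = 'missing from system32'; LiveMd5 = ''; LiveVersion = ''; ReferenceMd5 = '' }
    }
    return $findings
}

Get-SigcheckTriage $SampleSigcheck | Format-Table -AutoSize
```

On the sample this prints three rows: usp10.dll (hash differs, live version 1.0626.6000.16386 against reference 1.0420.2600.5512), mspmsnsv.dll (no backup copy), and regsvc.dll (missing). A differing hash is a prompt to check the file's version and signature, not a verdict; the log's own note that unsigned files aren't necessarily malware applies.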

McAfee does not appear on my list of programs to remove, so I had just guessed that it was some remnants that were left behind from when I was using it as my virus protection. I uninstalled it using Add/Remove before, but something is still hiding somewhere. Maybe you can suggest how else I can remove what is hiding? Other than that, I have done a few Google searches and haven't gone to any rogue sites yet, so it seems that the problem has been fixed. Should I come up against the same problem in the future, should I just follow all the steps I have done here again, or is it advisable to seek help from your forum site again? Thank you for all your help :)


We're not finished yet.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
d:\windows\system32\drivers\mfetdi2k.sys
d:\windows\system32\drivers\mfefirek.sys
d:\windows\system32\drivers\mfendisk.sys
d:\windows\system32\drivers\cfwids.sys
d:\windows\system32\drivers\mferkdet.sys

Folder::
d:\\Program Files\\Common Files\\McAfee

Driver::
mfetdi2k
mfefire
mfevtp
mfefirek
McMPFSv
McNaiAnn
cfwids
mfendisk
mferkdet

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

Save this file to your desktop. Save this as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...

Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


ComboFix 11-09-19.01 - Administrator 19/09/2011 22:29:06.3.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.61.1033.18.1527.749 [GMT 10:00]

Running from: d:\users\Administrator\Desktop\ComboFix.exe

Command switches used :: d:\users\Administrator\Desktop\CFScript.txt

AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall Plus *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

FILE ::

"d:\windows\system32\drivers\cfwids.sys"

"d:\windows\system32\drivers\mfefirek.sys"

"d:\windows\system32\drivers\mfendisk.sys"

"d:\windows\system32\drivers\mferkdet.sys"

"d:\windows\system32\drivers\mfetdi2k.sys"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

d:\program files\Common Files\McAfee

d:\program files\Common Files\McAfee\McSvcHost\McSHIns.dll

d:\program files\Common Files\McAfee\McSvcHost\McSvcHost.inf

d:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe

d:\program files\Common Files\McAfee\McSvcHost\McSvHVer.dll

d:\program files\Common Files\McAfee\NMC\1033\nmcdef.inf

d:\program files\Common Files\McAfee\NMC\1033\nmclang32.inf

d:\program files\Common Files\McAfee\NMC\3081\instLDNMC.inf

d:\program files\Common Files\McAfee\NMC\McDisc.dll

d:\program files\Common Files\McAfee\NMC\McDiscPS.dll

d:\program files\Common Files\McAfee\NMC\McHNShim.dll

d:\program files\Common Files\McAfee\NMC\McHNShPS.dll

d:\program files\Common Files\McAfee\NMC\McMPFEvt.dll

d:\program files\Common Files\McAfee\NMC\McNdAtpg.dll

d:\program files\Common Files\McAfee\NMC\McNDLor.dll

d:\program files\Common Files\McAfee\NMC\McNDSv.dll

d:\program files\Common Files\McAfee\NMC\McNDSVPS.dll

d:\program files\Common Files\McAfee\NMC\McNMAtpg.dll

d:\program files\Common Files\McAfee\NMC\McNmcIns.dll

d:\program files\Common Files\McAfee\NMC\McNmcLor.dll

d:\program files\Common Files\McAfee\NMC\McNmcSPS.dll

d:\program files\Common Files\McAfee\NMC\McNmcSrv.dll

d:\program files\Common Files\McAfee\NMC\McNmcVer.dll

d:\program files\Common Files\McAfee\NMC\NMCJsRes.dll

d:\program files\Common Files\McAfee\NMC\nmcLD.inf

d:\program files\Common Files\McAfee\NMC\nmcLI32.inf

d:\program files\Common Files\McAfee\NMC\nmcuicfg.dat

d:\program files\Common Files\McAfee\NMC\readme.txt

d:\program files\Common Files\McAfee\SystemCore\ftl.dll

d:\program files\Common Files\McAfee\SystemCore\lockdown.dll

d:\program files\Common Files\McAfee\SystemCore\mcshield.dll

d:\program files\Common Files\McAfee\SystemCore\mcshield.exe

d:\program files\Common Files\McAfee\SystemCore\mfeapfa.dll

d:\program files\Common Files\McAfee\SystemCore\mfeavfa.dll

d:\program files\Common Files\McAfee\SystemCore\mfebopa.dll

d:\program files\Common Files\McAfee\SystemCore\mfefire.exe

d:\program files\Common Files\McAfee\SystemCore\mfefwctl.dll

d:\program files\Common Files\McAfee\SystemCore\mfehida.dll

d:\program files\Common Files\McAfee\SystemCore\mfehidin.exe

d:\program files\Common Files\McAfee\SystemCore\mfehidk_messages.dll

d:\program files\Common Files\McAfee\SystemCore\mferkda.dll

d:\program files\Common Files\McAfee\SystemCore\mfevtpa.dll

d:\program files\Common Files\McAfee\SystemCore\mfevtps.exe

d:\program files\Common Files\McAfee\SystemCore\mytilus3.dll

d:\program files\Common Files\McAfee\SystemCore\mytilus3_server.dll

d:\program files\Common Files\McAfee\SystemCore\mytilus3_worker.dll

d:\program files\Common Files\McAfee\SystemCore\naevent.dll

d:\program files\Common Files\McAfee\SystemCore\naievent.dll

d:\program files\Common Files\McAfee\SystemCore\scriptff.dll

d:\program files\Common Files\McAfee\SystemCore\ScriptSn.20091230114531.dll

d:\program files\Common Files\McAfee\SystemCore\scriptsn.dll

d:\program files\Common Files\McAfee\SystemCore\strings.bin

d:\program files\Common Files\McAfee\SystemCore\vscan.bof

d:\program files\Common Files\McAfee\SystemCore\vtp_catcache

d:\program files\Common Files\McAfee\VSCore\av.inf

d:\program files\Common Files\McAfee\VSCore\cfwids.cat

d:\program files\Common Files\McAfee\VSCore\cfwids.inf

d:\program files\Common Files\McAfee\VSCore\cfwids.sys

d:\program files\Common Files\McAfee\VSCore\DAInstall.exe

d:\program files\Common Files\McAfee\VSCore\ftl.dll

d:\program files\Common Files\McAfee\VSCore\fw.inf

d:\program files\Common Files\McAfee\VSCore\lockdown.dll

d:\program files\Common Files\McAfee\VSCore\McShield.dll

d:\program files\Common Files\McAfee\VSCore\Mcshield.exe

d:\program files\Common Files\McAfee\VSCore\mfeapfa.dll

d:\program files\Common Files\McAfee\VSCore\mfeapfk.cat

d:\program files\Common Files\McAfee\VSCore\mfeapfk.inf

d:\program files\Common Files\McAfee\VSCore\mfeapfk.sys

d:\program files\Common Files\McAfee\VSCore\mfeavfa.dll

d:\program files\Common Files\McAfee\VSCore\mfeavfk.cat

d:\program files\Common Files\McAfee\VSCore\mfeavfk.inf

d:\program files\Common Files\McAfee\VSCore\mfeavfk.sys

d:\program files\Common Files\McAfee\VSCore\mfebopa.dll

d:\program files\Common Files\McAfee\VSCore\mfebopk.cat

d:\program files\Common Files\McAfee\VSCore\mfebopk.inf

d:\program files\Common Files\McAfee\VSCore\mfebopk.sys

d:\program files\Common Files\McAfee\VSCore\mfeclnk.cat

d:\program files\Common Files\McAfee\VSCore\mfeclnk.inf

d:\program files\Common Files\McAfee\VSCore\mfeclnk.sys

d:\program files\Common Files\McAfee\VSCore\mfefire.exe

d:\program files\Common Files\McAfee\VSCore\mfefirek.cat

d:\program files\Common Files\McAfee\VSCore\mfefirek.inf

d:\program files\Common Files\McAfee\VSCore\mfefirek.sys

d:\program files\Common Files\McAfee\VSCore\mfefwctl.dll

d:\program files\Common Files\McAfee\VSCore\mfehida.dll

d:\program files\Common Files\McAfee\VSCore\mfehidin.exe

d:\program files\Common Files\McAfee\VSCore\mfehidk.cat

d:\program files\Common Files\McAfee\VSCore\mfehidk.inf

d:\program files\Common Files\McAfee\VSCore\mfehidk.sys

d:\program files\Common Files\McAfee\VSCore\mfehidk_messages.dll

d:\program files\Common Files\McAfee\VSCore\mfendisk.cat

d:\program files\Common Files\McAfee\VSCore\mfendisk.inf

d:\program files\Common Files\McAfee\VSCore\mfendisk.sys

d:\program files\Common Files\McAfee\VSCore\mfendisk_m.cat

d:\program files\Common Files\McAfee\VSCore\mfendisk_m.inf

d:\program files\Common Files\McAfee\VSCore\mfenlfk.cat

d:\program files\Common Files\McAfee\VSCore\mfenlfk.inf

d:\program files\Common Files\McAfee\VSCore\mfenlfk.sys

d:\program files\Common Files\McAfee\VSCore\mferkda.dll

d:\program files\Common Files\McAfee\VSCore\mferkdet.cat

d:\program files\Common Files\McAfee\VSCore\mferkdet.inf

d:\program files\Common Files\McAfee\VSCore\mferkdet.sys

d:\program files\Common Files\McAfee\VSCore\mfetdi2k.cat

d:\program files\Common Files\McAfee\VSCore\mfetdi2k.inf

d:\program files\Common Files\McAfee\VSCore\mfetdi2k.sys

d:\program files\Common Files\McAfee\VSCore\mfevtpa.dll

d:\program files\Common Files\McAfee\VSCore\mfevtps.exe

d:\program files\Common Files\McAfee\VSCore\mfewfpk.cat

d:\program files\Common Files\McAfee\VSCore\mfewfpk.inf

d:\program files\Common Files\McAfee\VSCore\mfewfpk.sys

d:\program files\Common Files\McAfee\VSCore\mytilus3.dll

d:\program files\Common Files\McAfee\VSCore\mytilus3_server.dll

d:\program files\Common Files\McAfee\VSCore\mytilus3_worker.dll

d:\program files\Common Files\McAfee\VSCore\NaEvent.dll

d:\program files\Common Files\McAfee\VSCore\NaiEvent.dll

d:\program files\Common Files\McAfee\VSCore\scriptff.dll

d:\program files\Common Files\McAfee\VSCore\scriptsn.dll

d:\program files\Common Files\McAfee\VSCore\strings.bin

d:\program files\Common Files\McAfee\VSCore\vscore.inf

d:\program files\Common Files\McAfee\VSCore\vscore.xml

d:\program files\Common Files\McAfee\VSCore\VSCVer.dll

d:\windows\system32\drivers\cfwids.sys

d:\windows\system32\drivers\mfefirek.sys

d:\windows\system32\drivers\mfendisk.sys

d:\windows\system32\drivers\mferkdet.sys

d:\windows\system32\drivers\mfetdi2k.sys

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_MCNAIANN

-------\Legacy_MFEFIRE

-------\Legacy_MFEFIREK

-------\Legacy_MFETDI2K

-------\Legacy_MFEVTP

-------\Service_cfwids

-------\Service_McNaiAnn

-------\Service_mfefire

-------\Service_mfefirek

-------\Service_mfendisk

-------\Service_mferkdet

-------\Service_mfetdi2k

-------\Service_mfevtp

-------\Legacy_McMPFSvc

-------\Legacy_McMPFSvc

-------\Service_McMPFSvc

-------\Service_mfendiskmp

-------\Service_McMPFSvc

.

.

((((((((((((((((((((((((( Files Created from 2011-08-19 to 2011-09-19 )))))))))))))))))))))))))))))))

.

.

2011-09-18 05:33 . 2011-09-18 05:33 -------- d-----w- d:\users\Administrator\Application Data\RegistryKeys

2011-09-02 06:48 . 2011-09-02 06:48 -------- d-----r- D:\comment.htt

2011-09-01 04:39 . 2011-09-01 04:39 2 --shatr- d:\windows\winstart.bat

2011-09-01 04:39 . 2011-09-14 05:24 -------- d-----w- d:\program files\UnHackMe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-09 09:12 . 2004-08-04 00:56 599040 ----a-w- d:\windows\system32\crypt32.dll

2011-09-02 07:04 . 2011-07-27 08:45 404640 ----a-w- d:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-31 07:00 . 2010-07-08 05:11 22216 ----a-w- d:\windows\system32\drivers\mbam.sys

2011-07-29 05:32 . 2008-02-04 10:54 81920 ----a-w- d:\windows\ALCFDRTM.VER

2011-07-15 13:29 . 2007-05-21 19:41 456320 ----a-w- d:\windows\system32\drivers\mrxsmb.sys

2011-07-08 14:02 . 2001-08-23 22:00 10496 ----a-w- d:\windows\system32\drivers\ndistapi.sys

2011-06-24 14:10 . 2008-01-28 01:27 139656 ----a-w- d:\windows\system32\drivers\rdpwd.sys

2011-06-23 18:36 . 2007-05-21 19:46 916480 ----a-w- d:\windows\system32\wininet.dll

2011-06-23 18:36 . 2007-05-21 19:46 43520 ----a-w- d:\windows\system32\licmgr10.dll

2011-06-23 18:36 . 2007-05-21 19:46 1469440 ------w- d:\windows\system32\inetcpl.cpl

2011-06-23 12:05 . 2007-05-21 19:45 385024 ----a-w- d:\windows\system32\html.iec

2011-09-06 23:17 . 2011-05-16 05:55 134104 ----a-w- d:\program files\mozilla firefox\components\browsercomps.dll

2009-12-04 03:39 . 2009-12-30 01:45 24376 ----a-w- d:\program files\mozilla firefox\components\Scriptff.dll

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . d:\windows\ServicePackFiles\i386\usp10.dll

[7] 2008-04-14 . 7D7D8501F3CB45D0408CDEFA08CDAEFF . 406016 . . [1.0420.2600.5512] . . d:\windows\SoftwareDistribution.old\Download\79123dd72d0f61d4ed8c7a816ed338d7\usp10.dll

[-] 2007-05-21 . 456FB859236C9074ACF6C3B6243D8B46 . 502784 . . [1.0626.6000.16386] . . d:\windows\system32\usp10.dll

.

[-] 2007-01-17 21:43 . C51B4A5C05A5475708E3C81C7765B71D . 27136 . . [11.0.5721.5145] . . d:\windows\system32\mspmsnsv.dll

.

((((((((((((((((((((((((((((( SnapShot@2011-09-19_05.52.49 )))))))))))))))))))))))))))))))))))))))))

.

+ 2011-09-19 12:45 . 2011-09-19 12:45 16384 d:\windows\temp\Perflib_Perfdata_754.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="d:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]

"Sidebar"="d:\program files\Windows Sidebar\sidebar.exe" [2007-01-29 1230848]

"TaskSwitchXP"="d:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 62976]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMan"="SOUNDMAN.EXE" [2006-07-21 86016]

"REGSHAVE"="d:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]

"Persistence"="d:\windows\system32\igfxpers.exe" [2007-01-13 135168]

"IgfxTray"="d:\windows\system32\igfxtray.exe" [2007-01-13 131072]

"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2007-01-13 163840]

"AppleSyncNotifier"="d:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-12-14 47904]

"AVG_TRAY"="d:\program files\AVG\AVG10\avgtray.exe" [2011-09-09 2338656]

"QuickTime Task"="d:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2010-11-29 421888]

"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

"SunJavaUpdateSched"="d:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="d:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

"TaskSwitchXP"="d:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 62976]

"Nokia.PCSync"="d:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 1232896]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"SynchronousMachineGroupPolicy"= 0 (0x0)

"SynchronousUserGroupPolicy"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSMMyPictures"= 1 (0x1)

"NoSMHelp"= 1 (0x1)

"NoSMConfigurePrograms"= 1 (0x1)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0d:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0d:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2008-01-11 12:16 39792 ----a-w- d:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-03 16:43 69632 ----a-w- d:\windows\ALCMTR.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]

2006-05-04 14:26 2808832 ----a-w- d:\windows\ALCWZRD.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]

2007-09-13 16:50 1603152 ----a-w- d:\program files\Canon\MyPrinter\BJMYPRT.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]

2007-10-25 16:10 652624 ----a-w- d:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

2011-01-25 05:08 421160 ----a-w- d:\program files\iTunes\iTunesHelper.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

2001-07-09 00:50 155648 ----a-w- d:\windows\system32\NeroCheck.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]

2008-03-26 08:41 1232896 ----a-w- d:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]

2003-05-08 00:00 49152 ----a-w- d:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]

2006-09-07 17:19 15872 ----a-w- d:\program files\Unlocker\UnlockerAssistant.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"bgsvcgen"=2 (0x2)

"MBackMonitor"=3 (0x3)

"Bonjour Service"=2 (0x2)

"mnmsrvc"=3 (0x3)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"d:\\Program Files\\LimeWire\\LimeWire.exe"=

"d:\\WINDOWS\\system32\\sessmgr.exe"=

"%windir%\\system32\\sessmgr.exe"=

"d:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"d:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"d:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"d:\\Program Files\\iTunes\\iTunes.exe"=

"d:\\Program Files\\AVG\\AVG10\\avgmfapx.exe"=

"d:\\Program Files\\Skype\\Phone\\Skype.exe"=

"d:\\Program Files\\AVG\\AVG10\\avgdiagex.exe"=

"d:\\Program Files\\AVG\\AVG10\\avgnsx.exe"=

"d:\\Program Files\\AVG\\AVG10\\avgemcx.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

.

R0 AVGIDSEH;AVGIDSEH;d:\windows\system32\drivers\AVGIDSEH.sys [13/09/2010 4:27 PM 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;d:\windows\system32\drivers\avgrkx86.sys [7/09/2010 3:48 AM 32592]

R0 sptd;sptd;d:\windows\system32\drivers\sptd.sys [28/01/2008 11:33 AM 682232]

R1 Avgldx86;AVG AVI Loader Driver;d:\windows\system32\drivers\avgldx86.sys [7/09/2010 3:48 AM 248656]

R1 Avgtdix;AVG TDI Driver;d:\windows\system32\drivers\avgtdix.sys [7/09/2010 3:49 AM 297168]

R2 AVGIDSAgent;AVGIDSAgent;d:\program files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [18/08/2011 1:33 AM 7390560]

R2 avgwd;AVG WatchDog;d:\program files\AVG\AVG10\avgwdsvc.exe [8/02/2011 5:33 AM 269520]

R3 AVGIDSDriver;AVGIDSDriver;d:\windows\system32\drivers\AVGIDSDriver.sys [19/08/2010 9:42 PM 134480]

R3 AVGIDSFilter;AVGIDSFilter;d:\windows\system32\drivers\AVGIDSFilter.sys [19/08/2010 9:42 PM 24144]

R3 AVGIDSShim;AVGIDSShim;d:\windows\system32\drivers\AVGIDSShim.sys [19/08/2010 9:42 PM 27216]

S1 nod32drv;nod32drv;d:\windows\system32\drivers\nod32drv.sys --> d:\windows\system32\drivers\nod32drv.sys [?]

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{34A19196-274E-4D75-9D30-D7A45A0A4178}]

2004-08-03 07:07 11776 ----a-w- d:\program files\Windows Sidebar\regsvr32.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6B9228DA-9C15-419e-856C-19E768A13BDC}]

2004-08-03 07:07 11776 ----a-w- d:\program files\Windows Sidebar\regsvr32.exe

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-19 d:\windows\Tasks\OGADaily.job

- d:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

.

2011-09-19 d:\windows\Tasks\OGALogon.job

- d:\windows\system32\OGAVerify.exe [2008-12-31 07:04]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.tpg.com.au/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - d:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - d:\users\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk

Trusted Zone: microsoft.com\*.update

Trusted Zone: microsoft.com\update

TCP: DhcpNameServer = 192.168.2.1 192.168.1.1

FF - ProfilePath - d:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\kkch63vd.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-09-19 22:46

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-515967899-1275210071-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,63,cd,d4,5d,4c,3a,4b,a8,54,f3,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9b,63,cd,d4,5d,4c,3a,4b,a8,54,f3,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(3504)

d:\windows\system32\WININET.dll

d:\windows\system32\ieframe.dll

d:\windows\system32\webcheck.dll

d:\windows\system32\wpdshserviceobj.dll

d:\program files\Nokia\Nokia PC Suite 6\phonebrowser.dll

d:\program files\Nokia\Nokia PC Suite 6\NGSCM.DLL

d:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll

d:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

d:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

d:\windows\system32\portabledevicetypes.dll

d:\windows\system32\portabledeviceapi.dll

.

------------------------ Other Running Processes ------------------------

.

d:\progra~1\AVG\AVG10\avgchsvx.exe

d:\progra~1\AVG\AVG10\avgrsx.exe

d:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

d:\program files\Bonjour\mDNSResponder.exe

d:\program files\Java\jre6\bin\jqs.exe

d:\program files\AVG\AVG10\avgnsx.exe

d:\program files\AVG\AVG10\avgemcx.exe

d:\windows\SOUNDMAN.EXE

d:\program files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe

d:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2011-09-19 22:50:45 - machine was rebooted

ComboFix-quarantined-files.txt 2011-09-19 12:50

ComboFix2.txt 2011-09-19 05:55

.

Pre-Run: 13,866,434,560 bytes free

Post-Run: 13,820,817,408 bytes free

.

- - End Of File - - DFC267C8AF4F5F0046B6B4F53CF80015

I now cannot access the internet from my computer. Had to send this from another computer. I get an internet connection problem and when I get Internet Explorer to "diagnose the connection problem" I get the following error as shown in the first screen dump. I noticed an error in network devices and tried to "repair" the connection and also came up with an error as shown in the second screen dump. Help :(

Doc1.doc

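As an added check that is not part of this thread and not a ComboFix feature: the script below parses the sections of the helper's CFScript above (File::, Folder::, Driver::) and the "Other Deletions" and "Drivers/Services" sections of the ComboFix log that followed, and lists every requested item the log does not confirm as removed. The inputs are constructed and abridged from this thread; the section-banner and entry formats are assumed from the log as posted.

```python
import re

# A ComboFix log section banner, e.g. "(((( Other Deletions ))))", and a removal entry
# under "Drivers/Services", e.g. "-------\Service_cfwids" or "-------\Legacy_MFETDI2K".
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
ENTRY_RE = re.compile(r"^-+\\(?:Service|Legacy)_(.+)$", re.I)

# Constructed inputs, abridged from the thread: the helper's CFScript and the log
# ComboFix produced from it (the script's Folder:: line uses doubled backslashes,
# as posted; the log writes paths with single ones).
CFSCRIPT = r"""KillAll::
File::
d:\windows\system32\drivers\mfetdi2k.sys
d:\windows\system32\drivers\cfwids.sys
Folder::
d:\\Program Files\\Common Files\\McAfee
Driver::
mfetdi2k
mfevtp
McMPFSv
"""
LOG = r"""((((((((((((((( Other Deletions )))))))))))))))
.
d:\program files\Common Files\McAfee
d:\windows\system32\drivers\cfwids.sys
d:\windows\system32\drivers\mfetdi2k.sys
.
((((((((((((((( Drivers/Services )))))))))))))))
.
-------\Legacy_MFETDI2K
-------\Service_cfwids
-------\Service_mfetdi2k
-------\Service_mfevtp
-------\Service_McMPFSvc
"""

def norm_path(p):
    """Fold doubled backslashes, quotes and case so script and log paths compare equal."""
    return p.strip().strip('"').replace("\\\\", "\\").lower()

def split_sections(text, header):
    """Group non-blank lines (ComboFix's '.' spacers dropped) under the latest header."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        name = header(line)          # section name for a header line, else None
        if name is not None:
            current = sections.setdefault(name, [])
        elif line and line != "." and current is not None:
            current.append(line)
    return sections

def parse_cfscript(text):
    """CFScript sections are headed 'Name::' (KillAll::, File::, Folder::, Driver::, Registry::)."""
    return split_sections(text, lambda l: l[:-2] if l.endswith("::") else None)

def parse_log(text):
    """ComboFix log sections are headed by a parenthesis banner."""
    return split_sections(text, lambda l: m.group(1) if (m := SECTION_RE.match(l)) else None)

def unconfirmed(script, log):
    """Return the File/Folder/Driver entries the log does not record as removed."""
    deleted = {norm_path(p) for p in log.get("Other Deletions", [])}
    removed = {m.group(1).lower() for m in map(ENTRY_RE.match, log.get("Drivers/Services", [])) if m}
    missing = {"File": [], "Folder": [], "Driver": []}
    for f in script.get("File", []):
        if norm_path(f) not in deleted:
            missing["File"].append(f)
    for d in script.get("Folder", []):
        nd = norm_path(d)
        if not any(p == nd or p.startswith(nd + "\\") for p in deleted):
            missing["Folder"].append(d)
    for drv in script.get("Driver", []):
        if drv.lower() not in removed:
            missing["Driver"].append(drv)
    return missing

def check():
    """Cross-check the constructed CFScript against the constructed log."""
    return unconfirmed(parse_cfscript(CFSCRIPT), parse_log(LOG))
```

On the thread's own data the check flags `McMPFSv`, because the script names the driver that way while the log records `Service_McMPFSvc`: an exact-name mismatch worth noticing before assuming every requested driver was handled.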

Start Task Manager

To start Task Manager, take any of the following actions:

Press CTRL+ALT+DELETE, and then click Task Manager.

Press CTRL+SHIFT+ESC.

Look for your network devices.

Right-click on the device and select Uninstall.

Restart the computer and let Windows re-install the device.


Oki well since I no longer have the McAfee install program I either have to roll back my computer to a restore point before we last ran ComboFix or is there a way to "unquarantine" the McAfee files that you helped me get rid of in that last ComboFix script you got me to run?


I have tried to restore to yesterday's date and the day before and both times I get an error message saying the system was unable to restore to that point and to choose another restore point. If I try and go back any further I will have undone all the work you have done until now, that's if it lets me do it at all.


Yay I have internet access back on my computer. I uninstalled the legitimate network connection device like you said and when I restarted it reinstalled itself minus McAfee. McAfee still has a hold on the WAN miniport core NDIS intermediate filter and I've tried the instructions in the link you posted but the computer is not recognising any of the commands (I'm guessing because most of the program is already deleted and we removed the rest via ComboFix). So the question now is what's next?
