Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

malware and missing drive


  • This topic is locked This topic is locked

#1
lilian

lilian

    Member

  • Member
  • PipPip
  • 97 posts
hello, i suspect i have some malware on my pc. its an acer.using windows vista. and i also seem to be missing a drive i dont know which drive exactly. when i go to my windows media player i tried to burn a cd and it was telling me to conect a burner then restart. i aslo lookd to see if i could rip it also told me a cd drive is needed. i dnt know what else is wrong
  • 0

Advertisements


#2
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Hello and :)

My name is patndoris. I will be glad to take a look at your log and help you with solving any malware problems. It will be very helpful if you follow these guidelines:
  • Malware logs are often lengthy and can take a lot of time to research and interpret. Please be patient while I review your logs.
  • Please note that there is no "Quick Fix" to modern malware infections and we may need to use several different approaches to get your system clean.
  • Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Please follow my instructions carefully and in the order they are posted. You may also find it helpful to print out the instructions you receive.
  • Please do not run any scans or install/uninstall any applications or delete anything without being directed to do so.
  • Remember, absence of symptoms does not mean the infection is all gone. Please stick with me till you're given the "all clear".
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • Please reply within 3 days. If I do not hear back from you in that time frame, I will post a reminder for you. Topics with no reply in 4 days are closed!


While it is possible malware can cause the kind of problems you describe, it is also not uncommon for a CD drive to go bad. I'll be glad to help determine if malware seems to be present or not.




Download and Run DDS by sUBs

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Save both reports to your desktop.
---------------------------------------------------

Please Please copy / paste the scan reults.

DDS.txt

Please attach the second file; Attach.txt.



Download and Run GMER

Posted Image
Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Right-click and choose Run as Administrator on GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    Posted Image
    Click the image to enlarge it
  • In the right panel, you will see several boxes that may have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one - make sure it is UNCHECKED)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

  • 0

#3
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
thank you for the help,

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.19088
Run by tuche at 20:22:25 on 2011-08-15
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.683 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k termvvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\WindowsMobile\wmdSync.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ooVoo\ooVoo.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system\svchost.exe -k NetworkService
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\System32\notepad.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.2:58465
mURLSearchHooks: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - c:\program files\whitesmoke_bar\prxtbWhit.dll
mWinlogon: Userinit=userinit.exe,
BHO: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - c:\program files\whitesmoke_bar\prxtbWhit.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Shop to Win 3: {9f56a04a-4886-48f7-b8b2-376f30fc27df} - c:\program files\shop to win 3\Shop to Win 3.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\acer\empowering technology\edatasecurity\x86\eDStoolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: IspAssistant Add-on: {6da1e850-9f71-4b3c-81a4-d9eeef6fcd50} - c:\program files\ispassistant addon\ispassistant.dll
TB: FinderQuery Add-on: {adc66251-6410-4a15-9499-7d73c6994b25} - c:\program files\finderquery addon\finderquery.dll
TB: WhiteSmoke Bar Toolbar: {167d9323-f7cc-48f5-948a-6f012831a69f} - c:\program files\whitesmoke_bar\prxtbWhit.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ooVoo.exe] c:\program files\oovoo\oovoo.exe /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [<NO NAME>]
mRun: [ApnUpdater] "c:\program files\ask.com\updater\Updater.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 1 (0x1)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 68.87.68.162 68.87.74.162 68.87.68.166
TCP: Interfaces\{3D390A9E-FC1F-4E98-BB14-18557C9845AE} : DhcpNameServer = 68.87.68.162 68.87.74.162 68.87.68.166
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\tuche\appdata\roaming\mozilla\firefox\profiles\c3pvi0o4.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com?pr=oovoo2_0
FF - prefs.js: keyword.URL - hxxp://ispassistant.com/?clid=0628b24ffbbd4eac91018d28efe6bd0e&prt=ispassistantbho&tmp=ispassistant_results&keywords=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58465
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\tuche\appdata\roaming\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\users\tuche\appdata\roaming\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\users\tuche\appdata\roaming\mozilla\firefox\profiles\c3pvi0o4.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: FinderQuery Extension: [email protected] - c:\program files\mozilla firefox\extensions\[email protected]
FF - Ext: IspAssistant Extension: [email protected] - c:\program files\mozilla firefox\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Oberon GamesBar: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Ask Toolbar: [email protected] - %profile%\extensions\[email protected]
.
---- FIREFOX POLICIES ----
FF - user.js: keyword.URL - hxxp://finderquery.com/?tmp=redir_bho_bing&prt=whitesmokefqbho&keywords=
FF - user.js: keyword.enabled - 1
.
============= SERVICES / DRIVERS ===============
.
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-7-19 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-7-19 35712]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-15 366640]
R2 TermServices;Remote Desktop Service;c:\windows\system32\svchost.exe -k termvvc [2008-1-20 21504]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-15 22712]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9b4a777de65e4;Google Update Service (gupdate1c9b4a777de65e4);c:\program files\google\update\GoogleUpdate.exe [2009-4-3 133104]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-1-20 179712]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-11-5 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-4-3 133104]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-2-15 41272]
S3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\drivers\Ph3xIB32.sys [2007-4-3 1131136]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AGWinService;AG Windows Service;c:\program files\agi\common\win32\pythonservice.exe [2008-10-25 10240]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-19 24652]
.
=============== File Associations ===============
.
exefile="c:\windows\system32\config\systemprofile\appdata\local\wry.exe" -a "%1" %*
.
=============== Created Last 30 ================
.
2011-08-11 00:44:09 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 00:18:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 00:11:59 7680 ----a-w- c:\windows\system\svchost.exe
2011-08-01 14:31:14 218624 ----a-w- c:\windows\system32\termvw32.dll
2011-08-01 07:01:04 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-07-30 21:32:14 2042368 ----a-w- c:\windows\system32\win32k.sys
2011-07-30 19:39:59 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-30 19:39:59 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-30 19:37:13 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-07-30 16:47:26 0 ---ha-w- c:\users\tuche\appdata\local\BITE9D8.tmp
2011-07-29 15:36:19 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-07-29 15:36:19 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-07-29 15:36:12 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
2011-07-29 15:36:12 409600 ----a-w- c:\windows\system32\odbc32.dll
2011-07-29 15:36:11 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
2011-07-29 15:36:11 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
2011-07-29 15:36:11 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
2011-07-29 15:36:11 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
2011-07-29 15:33:58 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-07-29 15:32:45 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-07-29 15:32:40 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-07-28 21:31:40 -------- d-----w- c:\program files\Shop to Win 3
2011-07-28 21:31:37 -------- d-----w- c:\program files\Shop To Win
2011-07-28 21:31:37 -------- d-----w- c:\program files\Conduit
2011-07-28 21:31:22 -------- d-----w- c:\program files\WhiteSmoke_Bar
2011-07-28 21:30:55 -------- d-----w- c:\program files\FinderQuery Addon
2011-07-28 21:30:53 -------- d-----w- c:\program files\IspAssistant Addon
2011-07-28 17:27:54 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-07-28 17:27:49 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-07-28 17:27:49 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-07-28 17:27:48 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-07-28 17:26:30 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-07-28 17:26:30 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-07-28 17:23:25 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-07-28 17:23:21 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-07-28 17:23:20 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-07-28 17:23:12 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-07-28 17:20:09 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-07-28 17:20:09 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
==================== Find3M ====================
.
2011-07-06 23:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-28 06:08:58 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04:17 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04:03 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 06:04:03 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 05:10:26 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33:03 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-24 23:14:10 222080 ------w- c:\windows\system32\MpSigStub.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6001 Disk: Hitachi_HTS542512K9SA00 rev.BB2OC31P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85ACC555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85ad27b0]; MOV EAX, [0x85ad282c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x820D2FEF] -> \Device\Harddisk0\DR0[0x84FB4AC8]
3 CLASSPNP[0x829A4745] -> ntkrnlpa!IofCallDriver[0x820D2FEF] -> [0x84EB3F08]
5 acpi[0x8060E6A0] -> ntkrnlpa!IofCallDriver[0x820D2FEF] -> [0x84E9DBA0]
\Driver\atapi[0x84FF20C0] -> IRP_MJ_CREATE -> 0x85ACC555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS542512K9SA00_________________BB2OC31P#5&2eebe7a5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 234441646 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 20:24:52.40 ===============

Attached Files


  • 0

#4
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and right-click and choose Run as Administrator on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
  • 0

#5
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
i also forgot to mention that sometimes when im trying to fix an issue on the pc or when i ran the combo fix after the pc reboots there usualy is a crash dump blue screen that appears and it reboots and crashes again. i dnt know if you can tell. and yes the burner issues is fixed thank you



2011/08/16 16:36:48.0255 3656 TDSS rootkit removing tool 2.5.15.0 Aug 11 2011 16:32:13
2011/08/16 16:36:48.0637 3656 ================================================================================
2011/08/16 16:36:48.0637 3656 SystemInfo:
2011/08/16 16:36:48.0637 3656
2011/08/16 16:36:48.0637 3656 OS Version: 6.0.6001 ServicePack: 1.0
2011/08/16 16:36:48.0637 3656 Product type: Workstation
2011/08/16 16:36:48.0637 3656 ComputerName: TUCHE-PC
2011/08/16 16:36:48.0638 3656 UserName: tuche
2011/08/16 16:36:48.0638 3656 Windows directory: C:\Windows
2011/08/16 16:36:48.0638 3656 System windows directory: C:\Windows
2011/08/16 16:36:48.0638 3656 Processor architecture: Intel x86
2011/08/16 16:36:48.0638 3656 Number of processors: 2
2011/08/16 16:36:48.0638 3656 Page size: 0x1000
2011/08/16 16:36:48.0638 3656 Boot type: Normal boot
2011/08/16 16:36:48.0638 3656 ================================================================================
2011/08/16 16:36:53.0363 3656 Initialize success
2011/08/16 16:37:04.0323 0784 ================================================================================
2011/08/16 16:37:04.0323 0784 Scan started
2011/08/16 16:37:04.0323 0784 Mode: Manual;
2011/08/16 16:37:04.0323 0784 ================================================================================
2011/08/16 16:37:08.0240 0784 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2011/08/16 16:37:08.0500 0784 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2011/08/16 16:37:08.0895 0784 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2011/08/16 16:37:09.0185 0784 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2011/08/16 16:37:09.0659 0784 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2011/08/16 16:37:10.0045 0784 AFD (48eb99503533c27ac6135648e5474457) C:\Windows\system32\drivers\afd.sys
2011/08/16 16:37:10.0484 0784 AgereSoftModem (d31d1a92479bd8c0d050a6ffbdd410d9) C:\Windows\system32\DRIVERS\AGRSM.sys
2011/08/16 16:37:10.0949 0784 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2011/08/16 16:37:11.0179 0784 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/08/16 16:37:11.0272 0784 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2011/08/16 16:37:11.0469 0784 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2011/08/16 16:37:11.0535 0784 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2011/08/16 16:37:11.0857 0784 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2011/08/16 16:37:12.0133 0784 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2011/08/16 16:37:12.0446 0784 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2011/08/16 16:37:12.0752 0784 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2011/08/16 16:37:13.0150 0784 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/08/16 16:37:13.0428 0784 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2011/08/16 16:37:14.0224 0784 atikmdag (8ae1745bfc7d383daa3f82fe8d7be7c0) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/08/16 16:37:14.0769 0784 AtiPcie (4aa1eb65481c392955939e735d27118b) C:\Windows\system32\DRIVERS\AtiPcie.sys
2011/08/16 16:37:15.0159 0784 b57nd60x (502f1c30bd50b32d00ce4dcaecc3d3c7) C:\Windows\system32\DRIVERS\b57nd60x.sys
2011/08/16 16:37:15.0599 0784 BCM43XX (e22abcaa7b6ff580feb0d49545dc4263) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/08/16 16:37:16.0012 0784 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/08/16 16:37:16.0204 0784 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2011/08/16 16:37:16.0476 0784 bowser (8153396d5551276227fa146900f734e6) C:\Windows\system32\DRIVERS\bowser.sys
2011/08/16 16:37:16.0789 0784 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/08/16 16:37:17.0142 0784 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/08/16 16:37:17.0421 0784 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/08/16 16:37:17.0866 0784 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/08/16 16:37:18.0734 0784 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/08/16 16:37:19.0238 0784 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/08/16 16:37:19.0616 0784 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/08/16 16:37:20.0155 0784 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/08/16 16:37:20.0375 0784 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
2011/08/16 16:37:20.0619 0784 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2011/08/16 16:37:20.0898 0784 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
2011/08/16 16:37:21.0190 0784 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/08/16 16:37:21.0356 0784 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2011/08/16 16:37:21.0700 0784 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/08/16 16:37:22.0012 0784 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2011/08/16 16:37:22.0212 0784 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2011/08/16 16:37:22.0425 0784 DfsC (a3e9fa213f443ac77c7746119d13feec) C:\Windows\system32\Drivers\dfsc.sys
2011/08/16 16:37:22.0650 0784 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
2011/08/16 16:37:22.0981 0784 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
2011/08/16 16:37:23.0217 0784 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
2011/08/16 16:37:23.0335 0784 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2011/08/16 16:37:23.0486 0784 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
2011/08/16 16:37:23.0715 0784 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/08/16 16:37:24.0258 0784 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
2011/08/16 16:37:24.0696 0784 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/08/16 16:37:25.0144 0784 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
2011/08/16 16:37:25.0804 0784 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2011/08/16 16:37:26.0185 0784 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2011/08/16 16:37:26.0541 0784 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
2011/08/16 16:37:26.0703 0784 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
2011/08/16 16:37:26.0908 0784 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2011/08/16 16:37:27.0181 0784 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/08/16 16:37:27.0361 0784 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/08/16 16:37:27.0628 0784 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/08/16 16:37:28.0057 0784 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
2011/08/16 16:37:28.0379 0784 fssfltr (b74b0578fd1d3f897e95f2a2b69ea051) C:\Windows\system32\DRIVERS\fssfltr.sys
2011/08/16 16:37:28.0478 0784 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/08/16 16:37:28.0635 0784 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2011/08/16 16:37:28.0688 0784 GEARAspiWDM (f2f431d1573ee632975c524418655b84) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/08/16 16:37:29.0003 0784 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/08/16 16:37:29.0067 0784 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/08/16 16:37:29.0909 0784 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/08/16 16:37:30.0287 0784 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/08/16 16:37:30.0547 0784 HidUsb (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\drivers\hidusb.sys
2011/08/16 16:37:30.0768 0784 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2011/08/16 16:37:31.0163 0784 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
2011/08/16 16:37:31.0419 0784 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2011/08/16 16:37:31.0692 0784 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/08/16 16:37:32.0116 0784 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2011/08/16 16:37:32.0428 0784 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/08/16 16:37:32.0668 0784 int15 (c6e5276c00ebdeb096bb5ef4b797d1b6) C:\Acer\Empowering Technology\eRecovery\int15.sys
2011/08/16 16:37:33.0248 0784 IntcAzAudAddService (b795745f7e51aa20d46753ec5a811aca) C:\Windows\system32\drivers\RTKVHDA.sys
2011/08/16 16:37:33.0585 0784 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/08/16 16:37:33.0692 0784 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/08/16 16:37:34.0089 0784 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/08/16 16:37:34.0719 0784 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2011/08/16 16:37:34.0816 0784 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/08/16 16:37:35.0175 0784 irda (e50a95179211b12946f7e035d60af560) C:\Windows\system32\DRIVERS\irda.sys
2011/08/16 16:37:35.0421 0784 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/08/16 16:37:35.0765 0784 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2011/08/16 16:37:35.0999 0784 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/08/16 16:37:36.0251 0784 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/08/16 16:37:36.0705 0784 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/08/16 16:37:36.0977 0784 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/08/16 16:37:37.0249 0784 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
2011/08/16 16:37:37.0392 0784 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
2011/08/16 16:37:37.0676 0784 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/08/16 16:37:37.0814 0784 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2011/08/16 16:37:37.0898 0784 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
2011/08/16 16:37:38.0194 0784 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
2011/08/16 16:37:38.0440 0784 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/08/16 16:37:38.0631 0784 MBAMProtector (eca00eed9ab95489007b0ef84c7149de) C:\Windows\system32\drivers\mbam.sys
2011/08/16 16:37:38.0907 0784 MBAMSwissArmy (b18225739ed9caa83ba2df966e9f43e8) C:\Windows\system32\drivers\mbamswissarmy.sys
2011/08/16 16:37:39.0104 0784 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
2011/08/16 16:37:39.0235 0784 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
2011/08/16 16:37:39.0411 0784 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/08/16 16:37:39.0488 0784 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/08/16 16:37:39.0616 0784 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/08/16 16:37:39.0707 0784 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\drivers\mouhid.sys
2011/08/16 16:37:39.0837 0784 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/08/16 16:37:39.0900 0784 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
2011/08/16 16:37:40.0005 0784 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/08/16 16:37:40.0820 0784 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/08/16 16:37:41.0007 0784 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/08/16 16:37:41.0418 0784 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/08/16 16:37:41.0639 0784 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
2011/08/16 16:37:41.0708 0784 mrxsmb (5734a0f2be7e495f7d3ed6efd4b9f5a1) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/08/16 16:37:41.0795 0784 mrxsmb10 (6b5fa5adfacac9dbbe0991f4566d7d55) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/08/16 16:37:41.0962 0784 mrxsmb20 (5c80d8159181c7abf1b14ba703b01e0b) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/08/16 16:37:42.0060 0784 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
2011/08/16 16:37:42.0218 0784 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
2011/08/16 16:37:42.0349 0784 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/08/16 16:37:42.0526 0784 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/08/16 16:37:42.0653 0784 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/08/16 16:37:42.0714 0784 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/08/16 16:37:42.0832 0784 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/08/16 16:37:42.0931 0784 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
2011/08/16 16:37:43.0015 0784 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/08/16 16:37:43.0163 0784 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/08/16 16:37:43.0236 0784 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
2011/08/16 16:37:43.0351 0784 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
2011/08/16 16:37:43.0506 0784 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
2011/08/16 16:37:43.0736 0784 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/08/16 16:37:43.0800 0784 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/08/16 16:37:43.0904 0784 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/08/16 16:37:43.0972 0784 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/08/16 16:37:44.0097 0784 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/08/16 16:37:44.0224 0784 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
2011/08/16 16:37:44.0380 0784 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/08/16 16:37:44.0548 0784 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
2011/08/16 16:37:44.0700 0784 NSCIRDA (6d8d2e5652fc2442c810c5d8be784148) C:\Windows\system32\DRIVERS\nscirda.sys
2011/08/16 16:37:44.0789 0784 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/08/16 16:37:44.0967 0784 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
2011/08/16 16:37:45.0120 0784 NTIDrvr (7f1c1f78d709c4a54cbb46ede7e0b48d) C:\Windows\system32\DRIVERS\NTIDrvr.sys
2011/08/16 16:37:45.0196 0784 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/08/16 16:37:45.0263 0784 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/08/16 16:37:45.0399 0784 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
2011/08/16 16:37:45.0539 0784 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
2011/08/16 16:37:45.0662 0784 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
2011/08/16 16:37:45.0954 0784 O2MDRDR (36ed541ff0ad27d7f1c1e8f86f026309) C:\Windows\system32\DRIVERS\o2media.sys
2011/08/16 16:37:46.0018 0784 O2SDRDR (f3d467025d365a96b5e51c6229562716) C:\Windows\system32\DRIVERS\o2sd.sys
2011/08/16 16:37:46.0164 0784 ohci1394 (790e27c3db53410b40ff9ef2fd10a1d9) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/08/16 16:37:46.0356 0784 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/08/16 16:37:46.0424 0784 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
2011/08/16 16:37:46.0499 0784 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/08/16 16:37:46.0621 0784 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\Windows\system32\Drivers\PCASp50.sys
2011/08/16 16:37:46.0761 0784 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
2011/08/16 16:37:46.0820 0784 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
2011/08/16 16:37:47.0267 0784 pcmcia (b7c5a8769541900f6dfa6fe0c5e4d513) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/08/16 16:37:47.0453 0784 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/08/16 16:37:47.0758 0784 Ph3xIB32 (9f2f541c52cd7a452e235e885f7d95de) C:\Windows\system32\DRIVERS\Ph3xIB32.sys
2011/08/16 16:37:48.0118 0784 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/08/16 16:37:48.0206 0784 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
2011/08/16 16:37:48.0395 0784 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
2011/08/16 16:37:48.0468 0784 PSDFilter (18de162f9b83079c24cd96f59292f5ed) C:\Windows\system32\DRIVERS\psdfilter.sys
2011/08/16 16:37:48.0516 0784 PSDNServ (bc1457a28e76ab3106d43802ac22a627) C:\Windows\system32\DRIVERS\PSDNServ.sys
2011/08/16 16:37:48.0703 0784 psdvdisk (ac151e5b0943304e368c98ec78b5fc4f) C:\Windows\system32\DRIVERS\PSDVdisk.sys
2011/08/16 16:37:48.0977 0784 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
2011/08/16 16:37:49.0189 0784 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/08/16 16:37:49.0283 0784 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/08/16 16:37:49.0443 0784 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/08/16 16:37:49.0550 0784 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/08/16 16:37:49.0625 0784 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/08/16 16:37:49.0770 0784 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
2011/08/16 16:37:49.0838 0784 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
2011/08/16 16:37:49.0900 0784 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/08/16 16:37:50.0042 0784 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
2011/08/16 16:37:50.0200 0784 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/08/16 16:37:50.0307 0784 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
2011/08/16 16:37:50.0444 0784 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\Windows\system32\DRIVERS\RimSerial.sys
2011/08/16 16:37:50.0546 0784 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
2011/08/16 16:37:50.0858 0784 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/08/16 16:37:51.0477 0784 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/08/16 16:37:51.0712 0784 sdbus (126ea89bcc413ee45e3004fb0764888f) C:\Windows\system32\DRIVERS\sdbus.sys
2011/08/16 16:37:51.0815 0784 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/08/16 16:37:52.0017 0784 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/08/16 16:37:52.0093 0784 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/08/16 16:37:52.0164 0784 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/08/16 16:37:52.0385 0784 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
2011/08/16 16:37:52.0456 0784 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
2011/08/16 16:37:52.0508 0784 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
2011/08/16 16:37:52.0700 0784 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/08/16 16:37:52.0814 0784 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
2011/08/16 16:37:52.0886 0784 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
2011/08/16 16:37:53.0050 0784 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
2011/08/16 16:37:53.0181 0784 Smb (031e6bcd53c9b2b9ace111eafec347b6) C:\Windows\system32\DRIVERS\smb.sys
2011/08/16 16:37:53.0370 0784 SNP2UVC (0302bc619d4a723317e7f8eb0c362bd3) C:\Windows\system32\DRIVERS\snp2uvc.sys
2011/08/16 16:37:53.0588 0784 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/08/16 16:37:53.0744 0784 srv (2252aef839b1093d16761189f45af885) C:\Windows\system32\DRIVERS\srv.sys
2011/08/16 16:37:53.0914 0784 srv2 (b7ff59408034119476b00a81bb53d5d1) C:\Windows\system32\DRIVERS\srv2.sys
2011/08/16 16:37:54.0013 0784 srvnet (2accc9b12af02030f531e6cca6f8b76e) C:\Windows\system32\DRIVERS\srvnet.sys
2011/08/16 16:37:54.0175 0784 sscdbus (d6870895fe46a464a19141440eb6cc1e) C:\Windows\system32\DRIVERS\sscdbus.sys
2011/08/16 16:37:54.0270 0784 sscdmdfl (0fe167362e4689b716cdc8d93adedda8) C:\Windows\system32\DRIVERS\sscdmdfl.sys
2011/08/16 16:37:54.0423 0784 sscdmdm (55a15707e32b6709242ad127e62ca55a) C:\Windows\system32\DRIVERS\sscdmdm.sys
2011/08/16 16:37:54.0555 0784 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/08/16 16:37:54.0728 0784 swmsflt (851681f7d3200e2a646c5ee4d4e9883d) C:\Windows\System32\drivers\swmsflt.sys
2011/08/16 16:37:54.0894 0784 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/08/16 16:37:54.0990 0784 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/08/16 16:37:55.0122 0784 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/08/16 16:37:55.0256 0784 SynTP (c5f25d490d0915732508fd421bf76d93) C:\Windows\system32\DRIVERS\SynTP.sys
2011/08/16 16:37:55.0475 0784 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys
2011/08/16 16:37:55.0717 0784 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys
2011/08/16 16:37:55.0898 0784 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
2011/08/16 16:37:55.0962 0784 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/08/16 16:37:56.0033 0784 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/08/16 16:37:56.0192 0784 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
2011/08/16 16:37:56.0274 0784 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
2011/08/16 16:37:56.0465 0784 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/08/16 16:37:56.0726 0784 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/08/16 16:37:56.0987 0784 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
2011/08/16 16:37:57.0162 0784 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
2011/08/16 16:37:57.0328 0784 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
2011/08/16 16:37:57.0695 0784 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
2011/08/16 16:37:58.0032 0784 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
2011/08/16 16:37:58.0308 0784 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/08/16 16:37:58.0517 0784 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/08/16 16:37:58.0677 0784 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/08/16 16:37:59.0080 0784 USBAAPL (026f7f224f088ee11e383bca448fff81) C:\Windows\system32\Drivers\usbaapl.sys
2011/08/16 16:37:59.0297 0784 usbbus (5aadc9297c39aa249cd994acdba19034) C:\Windows\system32\DRIVERS\lgusbbus.sys
2011/08/16 16:37:59.0530 0784 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/08/16 16:37:59.0749 0784 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/08/16 16:38:00.0043 0784 UsbDiag (4650ffe04e5922399b0e932319e6b215) C:\Windows\system32\DRIVERS\lgusbdiag.sys
2011/08/16 16:38:00.0250 0784 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
2011/08/16 16:38:00.0364 0784 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
2011/08/16 16:38:00.0760 0784 USBModem (2666fe171e0c2e7085ccd5fe0bac09e3) C:\Windows\system32\DRIVERS\lgusbmodem.sys
2011/08/16 16:38:01.0112 0784 usbohci (7bdb7b0e7d45ac0402d78b90789ef47c) C:\Windows\system32\DRIVERS\usbohci.sys
2011/08/16 16:38:01.0446 0784 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/08/16 16:38:02.0221 0784 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/08/16 16:38:02.0659 0784 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/08/16 16:38:03.0004 0784 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/08/16 16:38:03.0225 0784 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2011/08/16 16:38:03.0343 0784 usb_rndisx (ee181a08e09db23cf4a49b46a1e66bb8) C:\Windows\system32\DRIVERS\usb8023x.sys
2011/08/16 16:38:03.0679 0784 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/08/16 16:38:04.0022 0784 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/08/16 16:38:04.0347 0784 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
2011/08/16 16:38:04.0648 0784 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
2011/08/16 16:38:05.0019 0784 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
2011/08/16 16:38:05.0229 0784 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/08/16 16:38:05.0308 0784 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
2011/08/16 16:38:05.0477 0784 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
2011/08/16 16:38:05.0559 0784 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
2011/08/16 16:38:05.0760 0784 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/08/16 16:38:05.0926 0784 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/16 16:38:05.0968 0784 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/08/16 16:38:06.0113 0784 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
2011/08/16 16:38:06.0311 0784 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
2011/08/16 16:38:06.0424 0784 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/08/16 16:38:06.0821 0784 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/08/16 16:38:07.0027 0784 WpdUsb (0cec23084b51b8288099eb710224e955) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/08/16 16:38:07.0193 0784 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/08/16 16:38:07.0346 0784 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/08/16 16:38:07.0621 0784 yukonwlh (7927e830ecde6db3682cc319bad26984) C:\Windows\system32\DRIVERS\yk60x86.sys
2011/08/16 16:38:07.0804 0784 MBR (0x1B8) (cbfbb19dfd31809471f934899fedfd81) \Device\Harddisk0\DR0
2011/08/16 16:38:07.0826 0784 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/08/16 16:38:07.0873 0784 Boot (0x1200) (bbce2f9e2db1ca9032e08bcddfdb6d97) \Device\Harddisk0\DR0\Partition0
2011/08/16 16:38:07.0932 0784 Boot (0x1200) (f41bcaa794072027971ab8e50ff793d2) \Device\Harddisk0\DR0\Partition1
2011/08/16 16:38:07.0950 0784 ================================================================================
2011/08/16 16:38:07.0950 0784 Scan finished
2011/08/16 16:38:07.0950 0784 ================================================================================
2011/08/16 16:38:08.0000 5744 Detected object count: 1
2011/08/16 16:38:08.0000 5744 Actual detected object count: 1
2011/08/16 16:38:13.0477 5744 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/08/16 16:38:13.0478 5744 \Device\Harddisk0\DR0 - ok
2011/08/16 16:38:13.0543 5744 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/08/16 16:38:56.0537 2616 Deinitialize success






ComboFix 11-08-16.05 - tuche 08/16/2011 17:18:37.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.1172 [GMT -4:00]
Running from: c:\users\tuche\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\FinderQuery Addon\fiNDerquery.dll
c:\program files\IspAssistant Addon\isPAssistant.dll
c:\windows\$NtUninstallKB11510$
c:\windows\$NtUninstallKB11510$\2201702450\{1B372133-BFFA-4dba-9CCF-5474BED6A9F6}
c:\windows\$NtUninstallKB11510$\2201702450\click.tlb
c:\windows\$NtUninstallKB11510$\2201702450\L\qnbwvoto
c:\windows\$NtUninstallKB11510$\2201702450\loader.tlb
c:\windows\$NtUninstallKB11510$\2201702450\U\@00000001
c:\windows\$NtUninstallKB11510$\2201702450\U\@000000c0
c:\windows\$NtUninstallKB11510$\2201702450\U\@000000cb
c:\windows\$NtUninstallKB11510$\2201702450\U\@000000cf
c:\windows\$NtUninstallKB11510$\2201702450\U\@80000000
c:\windows\$NtUninstallKB11510$\2201702450\U\@800000c0
c:\windows\$NtUninstallKB11510$\2201702450\U\@800000cb
c:\windows\$NtUninstallKB11510$\2201702450\U\@800000cf
c:\windows\$NtUninstallKB11510$\2652364809
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-07-16 to 2011-08-16 )))))))))))))))))))))))))))))))
.
.
2011-08-16 21:34 . 2011-08-16 21:46 -------- d-----w- c:\users\tuche\AppData\Local\temp
2011-08-16 21:34 . 2011-08-16 21:34 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-16 21:34 . 2011-08-16 21:34 -------- d-----w- c:\users\jennifer and charlot\AppData\Local\temp
2011-08-16 21:34 . 2011-08-16 21:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-16 21:34 . 2011-08-16 21:34 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-08-11 00:44 . 2011-07-06 14:56 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 00:18 . 2011-08-11 00:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 00:11 . 2011-08-16 21:34 7680 ----a-w- c:\windows\system\svchost.exe
2011-08-01 14:31 . 2011-08-01 14:31 218624 ----a-w- c:\windows\system32\termvw32.dll
2011-08-01 07:01 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-07-30 21:32 . 2011-06-02 12:59 2042368 ----a-w- c:\windows\system32\win32k.sys
2011-07-30 19:39 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-30 19:39 . 2011-04-20 14:44 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-30 19:37 . 2010-12-20 15:39 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-07-30 16:47 . 2011-07-30 16:47 0 ---ha-w- c:\users\tuche\AppData\Local\BITE9D8.tmp
2011-07-29 15:36 . 2011-02-16 15:29 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-07-29 15:36 . 2011-02-16 13:24 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-07-29 15:36 . 2010-12-28 14:57 409600 ----a-w- c:\windows\system32\odbc32.dll
2011-07-29 15:36 . 2010-12-28 14:56 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-07-29 15:36 . 2010-12-28 14:56 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-07-29 15:36 . 2010-12-28 14:56 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-07-29 15:36 . 2010-12-28 14:56 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-07-29 15:36 . 2010-12-28 14:56 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-07-29 15:33 . 2011-02-22 12:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-07-29 15:32 . 2010-12-14 15:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-07-29 15:32 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-07-28 21:31 . 2011-07-28 21:32 -------- d-----w- c:\program files\Shop to Win 3
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Shop To Win
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Conduit
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\WhiteSmoke_Bar
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\FinderQuery Addon
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\IspAssistant Addon
2011-07-28 17:27 . 2011-04-14 14:24 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-07-28 17:27 . 2010-10-15 14:08 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-07-28 17:27 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-07-28 17:27 . 2010-10-15 14:08 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-07-28 17:26 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-07-28 17:26 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-07-28 17:23 . 2011-02-18 13:31 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-07-28 17:23 . 2011-03-02 14:49 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-07-28 17:23 . 2009-05-04 10:11 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-07-28 17:23 . 2011-04-21 13:16 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-07-28 17:20 . 2011-04-29 12:49 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-07-28 17:20 . 2011-04-29 12:49 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-02-15 14:05 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-02-15 14:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-20 12:57 . 2011-06-29 19:46 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD8B4F99-E108-47E5-9C8C-2A75F49BDCBB}\mpengine.dll
2011-05-28 06:08 . 2011-06-29 19:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04 . 2011-06-29 19:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04 . 2011-06-29 19:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04 . 2011-06-29 19:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 06:04 . 2011-06-29 19:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 05:10 . 2011-06-29 19:18 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33 . 2011-06-29 19:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31 . 2011-06-29 19:18 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-24 23:14 . 2009-10-02 03:56 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-05-17 17:29 1490312 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-05-17 1490312]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-05 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-18 22631608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-05-17 395144]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 08:55 521776 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
2008-06-18 07:13 198184 ----a-w- c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 23:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 19:06 62760 ------w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-07 23:51 858632 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 04:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2007-10-23 17:56 200704 ----a-w- c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 21:23 81920 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-08 00:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-10-26 04:17 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-05 21:42 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-07 19:35 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9b4a777de65e4;Google Update Service (gupdate1c9b4a777de65e4);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
R4 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\PythonService.exe [2008-10-25 10240]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
termvvc REG_MULTI_SZ TermServices
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-08-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-01-03 c:\windows\Tasks\User_Feed_Synchronization-{8D48BC85-7DF9-46EB-A599-73C58B86D96C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 04:32]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.2:58465
FF - ProfilePath - c:\users\tuche\AppData\Roaming\Mozilla\Firefox\Profiles\c3pvi0o4.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com?pr=oovoo2_0
FF - prefs.js: keyword.URL - hxxp://ispassistant.com/?clid=0628b24ffbbd4eac91018d28efe6bd0e&prt=ispassistantbho&tmp=ispassistant_results&keywords=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58465
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: FinderQuery Extension: [email protected] - c:\program files\Mozilla Firefox\extensions\[email protected]
FF - Ext: IspAssistant Extension: [email protected] - c:\program files\Mozilla Firefox\extensions\[email protected]
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: Oberon GamesBar: [email protected] - %profile%\extensions\[email protected]
FF - Ext: Ask Toolbar: [email protected] - %profile%\extensions\[email protected]
FF - user.js: keyword.URL - hxxp://finderquery.com/?tmp=redir_bho_bing&prt=whitesmokefqbho&keywords=
FF - user.js: keyword.enabled - 1
.
.
------- File Associations -------
.
exefile="c:\windows\system32\config\systemprofile\AppData\Local\wry.exe" -a "%1" %*
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-16 17:47
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-08-16 17:52:27
ComboFix-quarantined-files.txt 2011-08-16 21:52
ComboFix2.txt 2010-05-16 00:22
.
Pre-Run: 7,931,428,864 bytes free
Post-Run: 9,052,315,648 bytes free
.
- - End Of File - - 10A2B60BA0848A091776264BD034F39A
  • 0

#6
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
I would suggest that you remove AskToolbar
  • It promotes its toolbars on sites targeted at kids.
  • It promotes its toolbars through ads that appear to be part of other companies' sites.
  • It promotes its toolbars through other companies' spyware.
  • It is Installed without any disclosure whatsoever and without any consent from the user whatsoever.
  • It solicits installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • It makes confusing changes to user's browsers - increasing Ask's revenues while taking users to pages they didn't intend to visit.
I would strongly suggest going to Control Panel > Programs/Features and uninstalling this toolbar




We need to get additional information about some files.

Please go to the following site:
http://www.virustotal.com/
Click on Choose File, and then upload the following files for analysis: (you will need to do them one at a time)

c:\windows\system32\termvw32.dll
c:\windows\system32\config\systemprofile\AppData\Local\wry.exe

Then click Send File and allow the file to be scanned.

Please ensure the scan is complete and the results saved before submitting the next.
If a pop-up appears saying the file has been scanned already, please select the ReScan button.

Please copy and paste the results here for me to see.
  • 0

#7
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
for the second one it tells me i dont have permision to open the file


File name: termvw32.dll
Submission date: 2011-08-17 02:09:36 (UTC)
Current status: queued queued analysing finished


Result: 20/ 42 (47.6%)
VT Community

not reviewed
Safety score: -
Compact Print results Antivirus Version Last Update Result
AhnLab-V3 2011.08.16.03 2011.08.16 Trojan/Win32.Agent
AntiVir 7.11.13.90 2011.08.16 TR/Agent.ojiq
Antiy-AVL 2.0.3.7 2011.08.16 Trojan/Win32.Agent.gen
Avast 4.8.1351.0 2011.08.16 -
Avast5 5.0.677.0 2011.08.16 -
AVG 10.0.0.1190 2011.08.16 Agent3.ZGJ
BitDefender 7.2 2011.08.16 Trojan.Generic.KDV.320183
CAT-QuickHeal 11.00 2011.08.16 -
ClamAV 0.97.0.0 2011.08.17 -
Commtouch 5.3.2.6 2011.08.17 -
Comodo 9770 2011.08.17 Backdoor.Win32.DarkMoon.A
Emsisoft 5.1.0.8 2011.08.17 Trojan.Win32.Agent!IK
eSafe 7.0.17.0 2011.08.16 -
eTrust-Vet 36.1.8505 2011.08.16 -
F-Prot 4.6.2.117 2011.08.16 -
F-Secure 9.0.16440.0 2011.08.17 Trojan.Generic.KDV.320183
Fortinet 4.2.257.0 2011.08.17 W32/Agent.OJIQ!tr
GData 22 2011.08.16 Trojan.Generic.KDV.320183
Ikarus T3.1.1.107.0 2011.08.17 Trojan.Win32.Agent
Jiangmin 13.0.900 2011.08.16 -
K7AntiVirus 9.109.5021 2011.08.16 Trojan
Kaspersky 9.0.0.837 2011.08.17 Trojan.Win32.Agent.ojiq
McAfee 5.400.0.1158 2011.08.17 Artemis!50C7385B09D3
McAfee-GW-Edition 2010.1D 2011.08.16 Artemis!50C7385B09D3
Microsoft 1.7104 2011.08.16 -
NOD32 6383 2011.08.17 -
Norman 6.07.10 2011.08.16 -
nProtect 2011-08-16.01 2011.08.16 -
Panda 10.0.3.5 2011.08.16 Generic Trojan
PCTools 8.0.0.5 2011.08.17 -
Prevx 3.0 2011.08.17 -
Rising 23.71.01.03 2011.08.16 -
Sophos 4.68.0 2011.08.16 -
SUPERAntiSpyware 4.40.0.1006 2011.08.17 -
Symantec 20111.2.0.82 2011.08.17 WS.Reputation.1
TheHacker 6.7.0.1.278 2011.08.16 Trojan/Agent.ojiq
TrendMicro 9.500.0.1008 2011.08.16 -
TrendMicro-HouseCall 9.500.0.1008 2011.08.17 -
VBA32 3.12.16.4 2011.08.15 Trojan.Win32.Agent.ohvi
VIPRE 10186 2011.08.17 Trojan.Win32.Generic!BT
ViRobot 2011.8.16.4623 2011.08.16 -
VirusBuster 14.0.172.0 2011.08.16 -
Additional informationShow all
MD5 : 50c7385b09d3717e05fcc0b16a6591b4
SHA1 : 9075a75f71d01b657387a4291c764f590a979fc3
SHA256: 57f6ea998be432bf23586c4c0a82e970d1300ca40227936e54599e2c5db4f7a2
ssdeep: 3072:IcMWUimHHFDJQpBxUGy3bvAgsvo2ARg9sD312fA6nwPm6L21BQhV8Kf/:IcMWUimFdQpBd
yUX3RsZ2vkmHihF
File size : 218624 bytes
First seen: 2011-08-01 00:54:59
Last seen : 2011-08-17 02:09:36
TrID:
Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
sigcheck:
publisher....: Intel Corporation
copyright....: Copyright 1999-2009, Intel Corporation
product......: Intel® CPU Performance
description..: itlperf Module
original name: itlperf.dll
internal name: itlperf
file version.: 1, 0, 0, 0
comments.....: This installation was built with Inno Setup.
signers......: -
signing date.: -
verified.....: Unsigned

PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x17958
timedatestamp....: 0x2A425E19 (Fri Jun 19 22:22:17 1992)
machinetype......: 0x14c (I386)

[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
CODE, 0x1000, 0x1699C, 0x16A00, 6.59, 2cbbe99a5e0ba0d985067081b6134a51
DATA, 0x18000, 0x27E0, 0x2800, 3.26, 3260507c9d51efb3154e29bab43d10a4
BSS, 0x1B000, 0x9B1, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
.idata, 0x1C000, 0x6B6, 0x800, 4.19, 0ba2dc7a3b2d6fed614fe9154944751a
.edata, 0x1D000, 0x4A, 0x200, 0.76, 1f12731aff1de074399e71554b8bf3bc
.reloc, 0x1E000, 0x1110, 0x1200, 6.61, dc3b5ec06c23d2d99337d1350df05aad
.rsrc, 0x20000, 0x1A22C, 0x1A400, 7.94, 8321d75891cd5431b418e24597991e57

[[ 8 import(s) ]]
kernel32.dll: GetCurrentThreadId, WideCharToMultiByte, ExitProcess, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetSystemTime, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap
oleaut32.dll: SysFreeString, SysReAllocStringLen
kernel32.dll: TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc
kernel32.dll: WriteFile, VirtualQuery, Sleep, SizeofResource, SetLastError, SetFilePointer, SetEndOfFile, ReadFile, LoadResource, GlobalUnlock, GlobalLock, GetTickCount, GetSystemTime, GetProcAddress, GetLocalTime, GetLastError, GetFileSize, GetCurrentProcess, FreeLibrary, FreeConsole, CreateProcessA, CloseHandle
advapi32.dll: RegCloseKey
user32.dll: wvsprintfA, MessageBoxA
kernel32.dll: LoadLibraryA, GetWindowsDirectoryA, GetVersionExA, GetTimeFormatA, GetTempPathA, GetSystemDirectoryA, GetModuleHandleA, GetModuleFileNameA, GetFileAttributesA, GetDateFormatA, GetComputerNameA, GetCommandLineA, FindResourceA, CreateFileA, CompareStringA
advapi32.dll: RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegEnumValueA, RegCreateKeyExA, GetUserNameA, CreateProcessAsUserA

[[ 1 export(s) ]]
ServiceMain

ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 92672
Comments: This installation was built with Inno Setup.
CompanyName: Intel Corporation
EntryPoint: 0x17958
FileDescription: itlperf Module
FileFlagsMask: 0x003f
FileOS: Win32
FileSize: 214 kB
FileSubtype: 0
FileType: Win32 DLL
FileVersion: 1, 0, 0, 0
FileVersionNumber: 1.0.0.0
ImageVersion: 0.0
InitializedDataSize: 124928
InternalName: itlperf
LanguageCode: Neutral
LegalCopyright: Copyright 1999-2009, Intel Corporation
LegalTrademarks:
LinkerVersion: 2.25
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
OriginalFilename: itlperf.dll
PEType: PE32
PrivateBuild:
ProductName: Intel® CPU Performance
ProductVersion: 1, 0, 0, 0
ProductVersionNumber: 1.0.0.0
SpecialBuild:
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 1992:06:20 00:22:17+02:00
UninitializedDataSize: 0
  • 0

#8
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
I'm still seeing some evidence of infections on your machine. Please be patient as we work to try and get rid of them. It may take several steps and several different tools.


Download and Run RKill

Please download and run the following tool to help allow other programs to run. (Thanks to Grinler of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of these to run, not all of them.
Rkill.exe
Rkill.com
Rkill.scr

Once it is downloaded, right-click and choose Run as Administrator[/] on the rkill.com in order to automatically try to stop any processes associated with rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next steps.

If you get a message rkill is an infection, do not be concerned. The message is just a fake warning by some rogue programs when it terminates programs that may potentially remove it. The trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this should allow you to bypass the malware trying to protect itself so that rkill can terminate the rogue processes. Continue to try running Rkill until the malware is no longer running. You will then be able to proceed with the next steps.

Do not reboot your computer after running rkill as the malware programs will start again.

If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.




Please read carefully and follow these steps.
  • Open the TDSSKiller folder and right-click and choose [i]Run as Administrator on TDSSKiller.exe to run the application, then on Start Scan.


    Posted Image

  • If an infected file is detected, the default action will be Cure, click on Continue.


    Posted Image

  • If a suspicious file is detected, the default action will be Skip, click on Continue.


    Posted Image

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.


    Posted Image

  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.




1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.2:58465

File::
c:\users\tuche\AppData\Local\BITE9D8.tmp
c:\windows\system32\termvw32.dll

Firefox::
FF - ProfilePath - c:\users\tuche\AppData\Roaming\Mozilla\Firefox\Profiles\c3pvi0o4.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58465


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe. ComboFix may request an update; please allow it.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  • 0

#9
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
the rkill is not working properly when i downloaded it it ask me which program to open it with and i dnt no which program to use to open it it with
  • 0

#10
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Did you try one of the other links? If so please let me know. If not, try the 2nd one and if it doesn't work the 3rd. If none of them will work please let me know.
  • 0

Advertisements


#11
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
yes tried it all it popd up popd back out never saw it again
  • 0

#12
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
Please go ahead and run the Combofix script and then post the resulting log and we'll go from there.
  • 0

#13
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
after i did the combofix i tried to get back on the ie and it wouldnt work almost all programs are tellin me ilegal operation on registry keys that are marked for deletion





ComboFix 11-08-16.05 - tuche 08/18/2011 20:03:24.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1789.1196 [GMT -4:00]
Running from: c:\users\tuche\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2011-07-19 to 2011-08-19 )))))))))))))))))))))))))))))))
.
.
2011-08-19 00:17 . 2011-08-19 00:19 -------- d-----w- c:\users\tuche\AppData\Local\temp
2011-08-19 00:17 . 2011-08-19 00:17 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-08-19 00:17 . 2011-08-19 00:17 -------- d-----w- c:\users\jennifer and charlot\AppData\Local\temp
2011-08-19 00:17 . 2011-08-19 00:17 -------- d-----w- c:\users\Guest\AppData\Local\temp
2011-08-19 00:17 . 2011-08-19 00:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-08-11 00:44 . 2011-07-06 14:56 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-08-11 00:18 . 2011-08-11 00:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-11 00:11 . 2011-08-19 00:04 7680 ----a-w- c:\windows\system\svchost.exe
2011-08-01 14:31 . 2011-08-01 14:31 218624 ----a-w- c:\windows\system32\termvw32.dll
2011-08-01 07:01 . 2009-10-09 21:56 2048 ----a-w- c:\windows\system32\winrsmgr.dll
2011-07-30 21:32 . 2011-06-02 12:59 2042368 ----a-w- c:\windows\system32\win32k.sys
2011-07-30 19:39 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
2011-07-30 19:39 . 2011-04-20 14:44 49152 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-30 19:37 . 2010-12-20 15:39 563200 ----a-w- c:\windows\system32\oleaut32.dll
2011-07-30 16:47 . 2011-07-30 16:47 0 ---ha-w- c:\users\tuche\AppData\Local\BITE9D8.tmp
2011-07-29 15:36 . 2011-02-16 15:29 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-07-29 15:36 . 2011-02-16 13:24 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-07-29 15:36 . 2010-12-28 14:57 409600 ----a-w- c:\windows\system32\odbc32.dll
2011-07-29 15:36 . 2010-12-28 14:56 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-07-29 15:36 . 2010-12-28 14:56 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-07-29 15:36 . 2010-12-28 14:56 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-07-29 15:36 . 2010-12-28 14:56 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-07-29 15:36 . 2010-12-28 14:56 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-07-29 15:33 . 2011-02-22 12:51 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-07-29 15:32 . 2010-12-14 15:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
2011-07-29 15:32 . 2011-02-17 06:23 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-07-28 21:31 . 2011-07-28 21:32 -------- d-----w- c:\program files\Shop to Win 3
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Shop To Win
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\Conduit
2011-07-28 21:31 . 2011-07-28 21:31 -------- d-----w- c:\program files\WhiteSmoke_Bar
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\FinderQuery Addon
2011-07-28 21:30 . 2011-08-16 21:33 -------- d-----w- c:\program files\IspAssistant Addon
2011-07-28 17:27 . 2011-04-14 14:24 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-07-28 17:27 . 2010-10-15 14:08 3548048 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-07-28 17:27 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-07-28 17:27 . 2010-10-15 14:08 3600272 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-07-28 17:26 . 2011-03-10 16:12 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-07-28 17:26 . 2011-03-10 16:12 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-07-28 17:23 . 2011-02-18 13:31 304640 ----a-w- c:\windows\system32\drivers\srv.sys
2011-07-28 17:23 . 2011-03-02 14:49 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-07-28 17:23 . 2009-05-04 10:11 25088 ----a-w- c:\windows\system32\dnscacheugc.exe
2011-07-28 17:23 . 2011-04-21 13:16 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-07-28 17:20 . 2011-04-29 12:49 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-07-28 17:20 . 2011-04-29 12:49 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-06 23:52 . 2010-02-15 14:05 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-06 23:52 . 2010-02-15 14:05 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-20 12:57 . 2011-06-29 19:46 7074640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AD8B4F99-E108-47E5-9C8C-2A75F49BDCBB}\mpengine.dll
2011-05-28 06:08 . 2011-06-29 19:18 916480 ----a-w- c:\windows\system32\wininet.dll
2011-05-28 06:04 . 2011-06-29 19:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-05-28 06:04 . 2011-06-29 19:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-05-28 06:04 . 2011-06-29 19:18 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-05-28 06:04 . 2011-06-29 19:18 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-05-28 05:10 . 2011-06-29 19:18 385024 ----a-w- c:\windows\system32\html.iec
2011-05-28 04:33 . 2011-06-29 19:18 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-05-28 04:31 . 2011-06-29 19:18 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-05-24 23:14 . 2009-10-02 03:56 222080 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\egisPSDP]
@="{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}"
[HKEY_CLASSES_ROOT\CLSID\{30A0A3F6-38AC-4C53-BB8B-0D95238E25BA}]
2008-01-03 09:00 39472 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-05 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ooVoo.exe"="c:\program files\oovoo\oovoo.exe" [2011-05-18 22631608]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2011-07-06 1047656]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-07-06 449584]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-11-02 8704]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"HideSCAHealth"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
2007-11-19 22:17 1261568 ----a-w- c:\program files\Acer\Acer Assist\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
2008-01-03 08:55 521776 ----a-w- c:\acer\Empowering Technology\eDataSecurity\x86\eDSLoader.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-21 02:25 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HelpCenter4.1]
2008-06-18 07:13 198184 ----a-w- c:\program files\FastAccessDSL\HelpCenter43\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-04-02 23:11 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
2007-10-11 19:06 62760 ------w- c:\program files\CyberLink\PowerDVD\Language\Language.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
2008-01-07 23:51 858632 ----a-w- c:\progra~1\LAUNCH~1\LManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 04:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetI]
2007-10-23 17:56 200704 ----a-w- c:\windows\PLFSetI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PLFSetL]
2007-07-05 19:35 94208 ----a-w- c:\windows\PLFSetL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2008-01-22 21:23 81920 ------w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-08 00:25 4853760 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-21 02:23 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-10-26 04:17 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-05 21:42 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-07 19:35 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2008-01-21 02:23 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-21 02:25 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9b4a777de65e4;Google Update Service (gupdate1c9b4a777de65e4);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2008-01-21 179712]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 133104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-07-06 41272]
R3 Ph3xIB32;Philips 713x Inbox PCI TV Card;c:\windows\system32\DRIVERS\Ph3xIB32.sys [2007-04-03 1131136]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys [2008-05-06 11520]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AGWinService;AG Windows Service;c:\program files\AGI\common\win32\PythonService.exe [2008-10-25 10240]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 O2MDRDR;O2MDRDR;c:\windows\system32\DRIVERS\o2media.sys [2007-04-03 39680]
S0 O2SDRDR;O2SDRDR;c:\windows\system32\DRIVERS\o2sd.sys [2007-04-03 35712]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-07-06 366640]
S2 TermServices;Remote Desktop Service;c:\windows\System32\svchost.exe [2008-01-21 21504]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-07-06 22712]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
termvvc REG_MULTI_SZ TermServices
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 11:32 128512 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-08-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-03 21:58]
.
2011-01-03 c:\windows\Tasks\User_Feed_Synchronization-{8D48BC85-7DF9-46EB-A599-73C58B86D96C}.job
- c:\windows\system32\msfeedssync.exe [2011-06-29 04:32]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.2:58465
TCP: DhcpNameServer = 68.87.68.162 68.87.74.162 68.87.68.166
FF - ProfilePath - c:\users\tuche\AppData\Roaming\Mozilla\Firefox\Profiles\c3pvi0o4.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com?pr=oovoo2_0
FF - prefs.js: keyword.URL - hxxp://ispassistant.com/?clid=0628b24ffbbd4eac91018d28efe6bd0e&prt=ispassistantbho&tmp=ispassistant_results&keywords=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 58465
FF - prefs.js: network.proxy.type - 4
FF - user.js: keyword.URL - hxxp://finderquery.com/?tmp=redir_bho_bing&prt=whitesmokefqbho&keywords=
FF - user.js: keyword.enabled - 1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-18 20:19
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4600)
c:\acer\Empowering Technology\eDataSecurity\x86\PSDProtect.dll
c:\acer\Empowering Technology\eDataSecurity\x86\sysenv.dll
.
Completion time: 2011-08-18 20:23:57
ComboFix-quarantined-files.txt 2011-08-19 00:23
ComboFix2.txt 2011-08-16 21:52
ComboFix3.txt 2010-05-16 00:22
.
Pre-Run: 3,571,691,520 bytes free
Post-Run: 3,520,520,192 bytes free
.
- - End Of File - - 6FC32EFBA4651E7AECEC31694AE8312B
  • 0

#14
patndoris

patndoris

    Trusted Helper

  • Malware Removal
  • 228 posts
I've seen the latest development regarding the registry keys. Please sit tight. I'll be back to you just as soon as I can. In the mean time, please do NOT run any additional tools or do any kind of clean up or try to fix the problem on your own. It's important that nothing else changes at the moment. I'll be back to you shortly.
  • 0

#15
lilian

lilian

    Member

  • Topic Starter
  • Member
  • PipPip
  • 97 posts
ok
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP