July 23rd, 2011 14:00

Problem redirect virus to search result links

I have already run combofix and will post log next.

Have cleaned and scanned with numerous tools.  Redirects all links from search result pages no matter the browser or search provider.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:53:34 AM, on 7/23/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Ask.com\Updater\Updater.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dishmail.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080826
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://admin.isp.netscape.com/session/limited_session.jsp?connection_id=21050439L&page=https%3A%2F%2Fmyaccount.isp.netscape.com%2Fmyaccount%2FLostPassword.do
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.6406.1642\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [PMX Daemon] ICO.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.5\masqform.exe -RunOnce
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files\Ask.com\Updater\Updater.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9470 by

ComboFix 11-07-23.04 - hcarter 07/23/2011  15:05:45.2.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3070.2286 [GMT -5:00]
Running from: c:\documents and settings\hcarter\Desktop\Gotcha.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
(((((((((((((((((((((((((   Files Created from 2011-06-23 to 2011-07-23  )))))))))))))))))))))))))))))))
.
.
2011-07-23 20:05 . 2011-07-23 20:05 -------- d-----w- C:\32788R22FWJFW
2011-07-23 20:03 . 2011-07-23 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
2011-07-23 20:01 . 2011-07-23 20:01 -------- d-----w- c:\program files\WinPcap
2011-07-23 14:51 . 2011-07-23 14:51 388096 ----a-r- c:\documents and settings\hcarter\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-23 14:51 . 2011-07-23 20:01 -------- d-----w- c:\program files\Trend Micro
2011-07-23 14:50 . 2011-07-23 14:50 1402880 ----a-w- C:\HijackThis.msi
2011-07-22 20:00 . 2011-07-22 18:12 16432 ----a-w- c:\windows\system32\lsdelete.exe
2011-07-22 18:12 . 2011-07-22 18:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-07-22 17:41 . 2011-07-21 19:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-07-22 17:41 . 2011-07-22 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-07-22 17:41 . 2011-07-22 17:41 -------- d-----w- c:\program files\Lavasoft
2011-07-22 17:40 . 2011-07-22 17:41 10285056 ----a-w- C:\Ad-Aware90Install.msi
2011-07-22 16:46 . 2011-07-22 16:46 -------- d-----w- c:\documents and settings\scarter\Application Data\Sammsoft
2011-07-22 15:38 . 2011-07-22 15:38 -------- d-----w- c:\documents and settings\hcarter\Application Data\Sammsoft
2011-07-22 13:49 . 2011-07-22 13:50 3433016 ----a-w- C:\AROLicense2011.exe
2011-07-22 13:01 . 2011-07-22 13:01 -------- d-----w- c:\documents and settings\Karen Carter\Application Data\Sammsoft
2011-07-22 13:01 . 2011-07-22 13:51 -------- d-----w- c:\program files\ARO 2011
2011-07-22 12:59 . 2011-07-22 13:00 5883832 ----a-w- C:\ARO2011_tbt.exe
2011-07-16 15:52 . 2011-07-16 15:52 8016 ----a-w- C:\cc_20110716_105201.reg
2011-07-16 12:17 . 2011-07-16 12:18 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Temp
2011-07-16 12:17 . 2011-07-16 12:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2011-07-14 18:46 . 2011-04-26 11:07 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-07-08 16:46 . 2011-07-08 16:46 -------- d-----w- c:\documents and settings\hcarter\Application Data\PCDr
2011-07-08 16:10 . 2011-07-08 16:10 4936 ----a-w- C:\cc_20110708_111015.reg
2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\program files\iolo
2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\documents and settings\hcarter\Application Data\iolo
2011-07-08 12:31 . 2011-07-08 12:31 -------- d-----w- c:\documents and settings\Administrator
2011-07-08 04:28 . 2011-07-08 04:28 -------- d-----w- c:\documents and settings\Karen Carter\Application Data\Template
2011-07-08 01:44 . 2011-07-08 01:44 4928 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-07-08 01:22 . 2011-07-08 01:22 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\KodakGallery
2011-07-06 12:01 . 2011-07-06 12:01 -------- d-----w- c:\documents and settings\hcarter\Application Data\AskToolbar
2011-07-06 11:52 . 2011-07-06 11:52 -------- d-----w- c:\documents and settings\scarter\Application Data\AskToolbar
2011-07-06 11:47 . 2011-07-06 11:47 -------- d-----w- c:\program files\Ask.com
2011-07-06 05:25 . 2011-07-06 05:56 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Adobe
2011-07-05 17:50 . 2011-07-05 17:51 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Deployment
2011-06-29 02:32 . 2011-06-29 02:32 661334 ----a-w- C:\cc_20110628_213218.reg
2011-06-29 02:01 . 2011-06-29 02:01 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-03 19:27 . 2010-03-13 21:52 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-03 19:27 . 2010-03-13 21:52 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-06-18 12:42 . 2011-05-17 03:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-02 14:02 . 2004-08-10 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-02 15:31 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2004-08-10 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2004-08-10 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2004-08-10 17:51 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((   SnapShot@2011-07-22_21.04.38   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-20 18:19 . 2009-10-20 18:19 53299              c:\windows\system32\pthreadVC.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 50704              c:\windows\system32\drivers\npf.sys
+ 2009-10-20 18:19 . 2009-10-20 18:19 281104              c:\windows\system32\wpcap.dll
+ 2009-10-20 18:19 . 2009-10-20 18:19 100880              c:\windows\system32\Packet.dll
+ 2011-07-23 14:51 . 2011-07-23 14:51 1094656              c:\windows\Installer\2622a5.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PMX Daemon"="ICO.EXE" [2006-11-08 49152]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
"masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
"ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-01 884696]
"Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2011 12:41 PM 64512]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/13/2010 4:52 PM 136360]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/21/2011 2:59 PM 2151640]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [7/23/2011 3:01 PM 439632]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 4:17 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 4:17 PM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [7/21/2011 2:59 PM 15232]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - NPF
*NewlyCreated* - RUBOTSRV
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 19:59]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 21:17]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 21:17]
.
2011-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1006Core.job
- c:\documents and settings\hcarter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 23:14]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1006UA.job
- c:\documents and settings\hcarter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 23:14]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1009Core.job
- c:\documents and settings\Karen Carter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 17:51]
.
2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1009UA.job
- c:\documents and settings\Karen Carter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 17:51]
.
2011-07-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-07-23 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
2011-07-23 c:\windows\Tasks\User_Feed_Synchronization-{708451AE-3678-44D7-B584-3903128EADBC}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
2011-07-23 c:\windows\Tasks\User_Feed_Synchronization-{D8C30020-2FC0-40C9-9C30-14A16152B783}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.dishmail.net
uInternet Connection Wizard,ShellNext = hxxp://admin.isp.netscape.com/session/limited_session.jsp?connection_id=21050439L&page=https%3A%2F%2Fmyaccount.isp.netscape.com%2Fmyaccount%2FLostPassword.do
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.2.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-23 15:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2876)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-23  15:10:15
ComboFix-quarantined-files.txt  2011-07-23 20:10
ComboFix2.txt  2011-07-22 21:06
.
Pre-Run: 468,688,707,584 bytes free
Post-Run: 468,689,825,792 bytes free
.
- - End Of File - - AAFBED3207F0FDEF165EAF5B6C8CC2DB

1.1K Posts

July 25th, 2011 17:00

Hi

I'm kevinf80 and I will be helping with any issues you may have. Please be aware that some of the logs I may ask for can be very complex and can take a long time to decipher. I am a volunteer here with a job and family so I ask that you be patient when waiting for replies.
Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.
Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.
Malware is often buggy and can be very unstable, with that in mind it is advisable to backup any important data before we begin.
If you do not reply within 72 hours the thread will be closed, if you need more time let me know. Likewise if I do not respond within 48 hours feel free to PM me.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE

** If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a partial list HERE

Please proceed as follows :-

You've actually run Combofix twice; can I see the other log, and also the Quarantined-files.txt? Both will be in C:\Qoobox

Next,

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

You also have two Anti-virus programs running, that ain't good. You can turn off the AV component of Lavasoft Ad-Aware as follows:

 

  • Open Ad-Aware
  • Click on switch to advanced mode
  • Click on Settings
  • Click on the Ad-watch live! tab and under Detection layers ensure Antivirus engine is UNchecked
  • Click OK and close Ad-Aware


    Kevin

    9 Posts

    July 25th, 2011 17:00

    Thanks Kevin,

    At this point I will be very patient, and please bear with me also.

    I am currently away from this computer on business so please extend some days.

    I do have people there that I will talk through these attempts to clean.

    I thought Ad-Aware was only scanning for inbound malware.  I will validate and turn off any normal Antivirus.  I just previously installed it in hopes it would find my problem.  

    Do I need to turn all AV off for the TDSSKILLER scan? 

     

     

    1.1K Posts

    July 26th, 2011 02:00

    When you have TDSSKiller ready to run from your Desktop disconnect from internet and turn off all security. When the scan is complete turn security back on. Please remember you must have only one AV program running with real time protection.

    Let me see the log from TDSSKiller, don't worry about time issues, I'm here every day. I may be less active over weekends but do check at least once per day.

     

    Kevin

    9 Posts

    July 26th, 2011 04:00

    2011/07/26 05:34:40.0953 3540 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
    2011/07/26 05:34:42.0953 3540 ================================================================================
    2011/07/26 05:34:42.0953 3540 SystemInfo:
    2011/07/26 05:34:42.0953 3540
    2011/07/26 05:34:42.0953 3540 OS Version: 5.1.2600 ServicePack: 3.0
    2011/07/26 05:34:42.0953 3540 Product type: Workstation
    2011/07/26 05:34:42.0953 3540 ComputerName: HARV
    2011/07/26 05:34:42.0953 3540 UserName: Karen Carter
    2011/07/26 05:34:42.0953 3540 Windows directory: C:\WINDOWS
    2011/07/26 05:34:42.0953 3540 System windows directory: C:\WINDOWS
    2011/07/26 05:34:42.0953 3540 Processor architecture: Intel x86
    2011/07/26 05:34:42.0953 3540 Number of processors: 2
    2011/07/26 05:34:42.0953 3540 Page size: 0x1000
    2011/07/26 05:34:42.0953 3540 Boot type: Normal boot
    2011/07/26 05:34:42.0953 3540 ================================================================================
    2011/07/26 05:34:43.0187 3540 Initialize success
    2011/07/26 05:34:52.0750 0932 ================================================================================
    2011/07/26 05:34:52.0750 0932 Scan started
    2011/07/26 05:34:52.0750 0932 Mode: Manual;
    2011/07/26 05:34:52.0750 0932 ================================================================================
    2011/07/26 05:34:53.0390 0932 abp480n5        (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    2011/07/26 05:34:53.0468 0932 ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/07/26 05:34:53.0500 0932 ACPIEC          (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/07/26 05:34:53.0531 0932 adpu160m        (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2011/07/26 05:34:53.0562 0932 aec             (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/07/26 05:34:53.0625 0932 AFD             (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
    2011/07/26 05:34:53.0656 0932 agp440          (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2011/07/26 05:34:53.0687 0932 agpCPQ          (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    2011/07/26 05:34:53.0750 0932 Aha154x         (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    2011/07/26 05:34:53.0812 0932 aic78u2         (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2011/07/26 05:34:53.0875 0932 aic78xx         (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2011/07/26 05:34:53.0953 0932 AliIde          (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2011/07/26 05:34:54.0000 0932 alim1541        (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2011/07/26 05:34:54.0031 0932 amdagp          (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    2011/07/26 05:34:54.0046 0932 amsint          (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    2011/07/26 05:34:54.0078 0932 Arp1394         (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    2011/07/26 05:34:54.0125 0932 asc             (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    2011/07/26 05:34:54.0140 0932 asc3350p        (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    2011/07/26 05:34:54.0156 0932 asc3550         (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    2011/07/26 05:34:54.0203 0932 AsyncMac        (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/07/26 05:34:54.0234 0932 atapi           (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/07/26 05:34:54.0328 0932 ati2mtag        (f942e79994b3751501c478bf9713d221) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    2011/07/26 05:34:54.0390 0932 Atmarpc         (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/07/26 05:34:54.0406 0932 audstub         (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/07/26 05:34:54.0531 0932 avgio           (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2011/07/26 05:34:54.0578 0932 avgntflt        (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2011/07/26 05:34:54.0625 0932 avipbb          (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2011/07/26 05:34:54.0656 0932 Beep            (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/07/26 05:34:54.0703 0932 bvrp_pci        (647c1626114e789c5b8ab8e9c33c04bc) C:\WINDOWS\system32\drivers\bvrp_pci.sys
    2011/07/26 05:34:54.0859 0932 cbidf           (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    2011/07/26 05:34:54.0890 0932 cbidf2k         (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/07/26 05:34:54.0937 0932 cd20xrnt        (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    2011/07/26 05:34:54.0984 0932 Cdaudio         (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/07/26 05:34:55.0046 0932 Cdfs            (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/07/26 05:34:55.0093 0932 Cdrom           (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/07/26 05:34:55.0171 0932 CmdIde          (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    2011/07/26 05:34:55.0250 0932 Cpqarray        (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    2011/07/26 05:34:55.0312 0932 dac2w2k         (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    2011/07/26 05:34:55.0390 0932 dac960nt        (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    2011/07/26 05:34:55.0437 0932 Disk            (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/07/26 05:34:55.0468 0932 DLABMFSM        (a0500678a33802d8954153839301d539) C:\WINDOWS\system32\Drivers\DLABMFSM.SYS
    2011/07/26 05:34:55.0500 0932 DLABOIOM        (b8d2f68cac54d46281399f9092644794) C:\WINDOWS\system32\Drivers\DLABOIOM.SYS਍ഀ
    2011/07/26 05:34:55.0515 0932 DLACDBHM        (0ee93ab799d1cb4ec90b36f3612fe907) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS਍ഀ
    2011/07/26 05:34:55.0531 0932 DLADResM        (87413b94ae1fabc117c4e8ae6725134e) C:\WINDOWS\system32\Drivers\DLADResM.SYS਍ഀ
    2011/07/26 05:34:55.0546 0932 DLAIFS_M        (766a148235be1c0039c974446e4c0edc) C:\WINDOWS\system32\Drivers\DLAIFS_M.SYS਍ഀ
    2011/07/26 05:34:55.0546 0932 DLAOPIOM        (38267cca177354f1c64450a43a4f7627) C:\WINDOWS\system32\Drivers\DLAOPIOM.SYS਍ഀ
    2011/07/26 05:34:55.0562 0932 DLAPoolM        (fd363369fd313b46b5aeab1a688b52e9) C:\WINDOWS\system32\Drivers\DLAPoolM.SYS਍ഀ
    2011/07/26 05:34:55.0578 0932 DLARTL_M        (336ae18f0912ef4fbe5518849e004d74) C:\WINDOWS\system32\Drivers\DLARTL_M.SYS਍ഀ
    2011/07/26 05:34:55.0593 0932 DLAUDFAM        (fd85f682c1cc2a7ca878c7a448e6d87e) C:\WINDOWS\system32\Drivers\DLAUDFAM.SYS਍ഀ
    2011/07/26 05:34:55.0593 0932 DLAUDF_M        (af389ce587b6bf5bbdcd6f6abe5eabc0) C:\WINDOWS\system32\Drivers\DLAUDF_M.SYS਍ഀ
    2011/07/26 05:34:55.0640 0932 dmboot          (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys਍ഀ
    2011/07/26 05:34:55.0687 0932 dmio            (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys਍ഀ
    2011/07/26 05:34:55.0718 0932 dmload          (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys਍ഀ
    2011/07/26 05:34:55.0750 0932 DMusic          (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys਍ഀ
    2011/07/26 05:34:55.0765 0932 dpti2o          (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys਍ഀ
    2011/07/26 05:34:55.0781 0932 drmkaud         (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys਍ഀ
    2011/07/26 05:34:55.0828 0932 DRVMCDB         (5d3b71bb2bb0009d65d290e2ef374bd3) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS਍ഀ
    2011/07/26 05:34:55.0843 0932 DRVNDDM         (c591ba9f96f40a1fd6494dafdcd17185) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS਍ഀ
    2011/07/26 05:34:55.0953 0932 DSproct         (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys਍ഀ
    2011/07/26 05:34:56.0015 0932 dsunidrv        (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys਍ഀ
    2011/07/26 05:34:56.0062 0932 E100B           (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys਍ഀ
    2011/07/26 05:34:56.0093 0932 e1express       (d0e8dd3f56bd8488995f67b80ff51461) C:\WINDOWS\system32\DRIVERS\e1e5132.sys਍ഀ
    2011/07/26 05:34:56.0156 0932 Fastfat         (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys਍ഀ
    2011/07/26 05:34:56.0171 0932 Fdc             (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys਍ഀ
    2011/07/26 05:34:56.0218 0932 Fips            (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys਍ഀ
    2011/07/26 05:34:56.0234 0932 Flpydisk        (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys਍ഀ
    2011/07/26 05:34:56.0281 0932 FltMgr          (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys਍ഀ
    2011/07/26 05:34:56.0296 0932 Fs_Rec          (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys਍ഀ
    2011/07/26 05:34:56.0343 0932 Ftdisk          (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys਍ഀ
    2011/07/26 05:34:56.0390 0932 Gpc             (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys਍ഀ
    2011/07/26 05:34:56.0453 0932 HDAudBus        (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys਍ഀ
    2011/07/26 05:34:56.0468 0932 HidUsb          (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys਍ഀ
    2011/07/26 05:34:56.0531 0932 hpn             (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys਍ഀ
    2011/07/26 05:34:56.0593 0932 HSFHWAZL        (14b15d0d803ef4ab9b525b7e2da303ef) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys਍ഀ
    2011/07/26 05:34:56.0625 0932 HSF_DPV         (cbf6831420a97e8fbb91e5f52b707ef7) C:\WINDOWS\system32\DRIVERS\HSF_DPV.SYS਍ഀ
    2011/07/26 05:34:56.0687 0932 HTTP            (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys਍ഀ
    2011/07/26 05:34:56.0703 0932 i2omgmt         (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys਍ഀ
    2011/07/26 05:34:56.0718 0932 i2omp           (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys਍ഀ
    2011/07/26 05:34:56.0718 0932 i8042prt        (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys਍ഀ
    2011/07/26 05:34:56.0765 0932 iaStor          (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\drivers\iaStor.sys਍ഀ
    2011/07/26 05:34:56.0781 0932 Imapi           (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys਍ഀ
    2011/07/26 05:34:56.0828 0932 ini910u         (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys਍ഀ
    2011/07/26 05:34:56.0859 0932 IntelIde        (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys਍ഀ
    2011/07/26 05:34:56.0937 0932 intelppm        (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys਍ഀ
    2011/07/26 05:34:56.0968 0932 Ip6Fw           (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys਍ഀ
    2011/07/26 05:34:56.0984 0932 IpInIp          (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys਍ഀ
    2011/07/26 05:34:57.0000 0932 IpNat           (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys਍ഀ
    2011/07/26 05:34:57.0031 0932 IPSec           (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys਍ഀ
    2011/07/26 05:34:57.0046 0932 IRENUM          (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys਍ഀ
    2011/07/26 05:34:57.0062 0932 isapnp          (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys਍ഀ
    2011/07/26 05:34:57.0093 0932 Kbdclass        (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys਍ഀ
    2011/07/26 05:34:57.0109 0932 kbdhid          (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys਍ഀ
    2011/07/26 05:34:57.0125 0932 kmixer          (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys਍ഀ
    2011/07/26 05:34:57.0156 0932 KSecDD          (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys਍ഀ
    2011/07/26 05:34:57.0281 0932 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys਍ഀ
    2011/07/26 05:34:57.0296 0932 Lbd             (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys਍ഀ
    2011/07/26 05:34:57.0375 0932 mdmxsdk         (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys਍ഀ
    2011/07/26 05:34:57.0453 0932 mnmdd           (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys਍ഀ
    2011/07/26 05:34:57.0546 0932 Modem           (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys਍ഀ
    2011/07/26 05:34:57.0578 0932 Mouclass        (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys਍ഀ
    2011/07/26 05:34:57.0640 0932 mouhid          (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys਍ഀ
    2011/07/26 05:34:57.0671 0932 MountMgr        (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys਍ഀ
    2011/07/26 05:34:57.0734 0932 mraid35x        (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys਍ഀ
    2011/07/26 05:34:57.0765 0932 MRxDAV          (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys਍ഀ
    2011/07/26 05:34:57.0859 0932 MRxSmb          (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys਍ഀ
    2011/07/26 05:34:57.0890 0932 Msfs            (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys਍ഀ
    2011/07/26 05:34:57.0937 0932 MSKSSRV         (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys਍ഀ
    2011/07/26 05:34:57.0984 0932 MSPCLOCK        (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys਍ഀ
    2011/07/26 05:34:58.0000 0932 MSPQM           (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys਍ഀ
    2011/07/26 05:34:58.0093 0932 mssmbios        (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys਍ഀ
    2011/07/26 05:34:58.0156 0932 Mup             (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys਍ഀ
    2011/07/26 05:34:58.0218 0932 NDIS            (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys਍ഀ
    2011/07/26 05:34:58.0250 0932 NdisTapi        (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys਍ഀ
    2011/07/26 05:34:58.0281 0932 Ndisuio         (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys਍ഀ
    2011/07/26 05:34:58.0328 0932 NdisWan         (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys਍ഀ
    2011/07/26 05:34:58.0406 0932 NDProxy         (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys਍ഀ
    2011/07/26 05:34:58.0453 0932 NetBIOS         (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys਍ഀ
    2011/07/26 05:34:58.0500 0932 NetBT           (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys਍ഀ
    2011/07/26 05:34:58.0562 0932 NIC1394         (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys਍ഀ
    2011/07/26 05:34:58.0640 0932 NPF             (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\npf.sys਍ഀ
    2011/07/26 05:34:58.0703 0932 Npfs            (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys਍ഀ
    2011/07/26 05:34:58.0750 0932 Ntfs            (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys਍ഀ
    2011/07/26 05:34:58.0781 0932 Null            (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys਍ഀ
    2011/07/26 05:34:58.0859 0932 nv              (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys਍ഀ
    2011/07/26 05:34:59.0000 0932 NwlnkFlt        (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys਍ഀ
    2011/07/26 05:34:59.0015 0932 NwlnkFwd        (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys਍ഀ
    2011/07/26 05:34:59.0046 0932 ohci1394        (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys਍ഀ
    2011/07/26 05:34:59.0093 0932 Parport         (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys਍ഀ
    2011/07/26 05:34:59.0125 0932 PartMgr         (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys਍ഀ
    2011/07/26 05:34:59.0156 0932 ParVdm          (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys਍ഀ
    2011/07/26 05:34:59.0171 0932 PCI             (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys਍ഀ
    2011/07/26 05:34:59.0203 0932 PCIIde          (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys਍ഀ
    2011/07/26 05:34:59.0265 0932 Pcmcia          (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys਍ഀ
    2011/07/26 05:34:59.0468 0932 perc2           (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys਍ഀ
    2011/07/26 05:34:59.0531 0932 perc2hib        (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys਍ഀ
    2011/07/26 05:34:59.0593 0932 PptpMiniport    (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys਍ഀ
    2011/07/26 05:34:59.0625 0932 PSched          (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys਍ഀ
    2011/07/26 05:34:59.0625 0932 Ptilink         (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys਍ഀ
    2011/07/26 05:34:59.0656 0932 PxHelp20        (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys਍ഀ
    2011/07/26 05:34:59.0687 0932 ql1080          (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys਍ഀ
    2011/07/26 05:34:59.0703 0932 Ql10wnt         (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys਍ഀ
    2011/07/26 05:34:59.0718 0932 ql12160         (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys਍ഀ
    2011/07/26 05:34:59.0734 0932 ql1240          (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys਍ഀ
    2011/07/26 05:34:59.0750 0932 ql1280          (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys਍ഀ
    2011/07/26 05:34:59.0812 0932 RasAcd          (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys਍ഀ
    2011/07/26 05:34:59.0828 0932 Rasl2tp         (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys਍ഀ
    2011/07/26 05:34:59.0859 0932 RasPppoe        (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys਍ഀ
    2011/07/26 05:34:59.0875 0932 Raspti          (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys਍ഀ
    2011/07/26 05:34:59.0921 0932 Rdbss           (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys਍ഀ
    2011/07/26 05:34:59.0953 0932 RDPCDD          (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys਍ഀ
    2011/07/26 05:35:00.0000 0932 rdpdr           (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys਍ഀ
    2011/07/26 05:35:00.0078 0932 RDPWD           (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys਍ഀ
    2011/07/26 05:35:00.0125 0932 redbook         (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys਍ഀ
    2011/07/26 05:35:00.0234 0932 Secdrv          (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys਍ഀ
    2011/07/26 05:35:00.0296 0932 serenum         (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys਍ഀ
    2011/07/26 05:35:00.0343 0932 Serial          (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys਍ഀ
    2011/07/26 05:35:00.0359 0932 Sfloppy         (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys਍ഀ
    2011/07/26 05:35:00.0421 0932 sisagp          (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys਍ഀ
    2011/07/26 05:35:00.0468 0932 Sparrow         (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys਍ഀ
    2011/07/26 05:35:00.0500 0932 splitter        (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys਍ഀ
    2011/07/26 05:35:00.0531 0932 sr              (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys਍ഀ
    2011/07/26 05:35:00.0625 0932 Srv             (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys਍ഀ
    2011/07/26 05:35:00.0656 0932 ssmdrv          (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys਍ഀ
    2011/07/26 05:35:00.0734 0932 STHDA           (797fcc1d859b203958e915bb82528da9) C:\WINDOWS\system32\drivers\sthda.sys਍ഀ
    2011/07/26 05:35:00.0750 0932 swenum          (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys਍ഀ
    2011/07/26 05:35:00.0765 0932 swmidi          (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys਍ഀ
    2011/07/26 05:35:00.0796 0932 symc810         (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys਍ഀ
    2011/07/26 05:35:00.0812 0932 symc8xx         (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys਍ഀ
    2011/07/26 05:35:00.0859 0932 sym_hi          (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys਍ഀ
    2011/07/26 05:35:00.0890 0932 sym_u3          (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys਍ഀ
    2011/07/26 05:35:00.0906 0932 sysaudio        (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys਍ഀ
    2011/07/26 05:35:00.0953 0932 Tcpip           (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys਍ഀ
    2011/07/26 05:35:00.0984 0932 TDPIPE          (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys਍ഀ
    2011/07/26 05:35:00.0984 0932 TDTCP           (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys਍ഀ
    2011/07/26 05:35:01.0015 0932 TermDD          (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys਍ഀ
    2011/07/26 05:35:01.0062 0932 TosIde          (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys਍ഀ
    2011/07/26 05:35:01.0093 0932 Udfs            (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys਍ഀ
    2011/07/26 05:35:01.0140 0932 ultra           (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys਍ഀ
    2011/07/26 05:35:01.0187 0932 Update          (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys਍ഀ
    2011/07/26 05:35:01.0234 0932 usbehci         (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys਍ഀ
    2011/07/26 05:35:01.0265 0932 usbhub          (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys਍ഀ
    2011/07/26 05:35:01.0296 0932 usbprint        (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys਍ഀ
    2011/07/26 05:35:01.0328 0932 usbscan         (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys਍ഀ
    2011/07/26 05:35:01.0375 0932 USBSTOR         (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS਍ഀ
    2011/07/26 05:35:01.0375 0932 usbuhci         (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys਍ഀ
    2011/07/26 05:35:01.0390 0932 VgaSave         (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys਍ഀ
    2011/07/26 05:35:01.0421 0932 viaagp          (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys਍ഀ
    2011/07/26 05:35:01.0437 0932 ViaIde          (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys਍ഀ
    2011/07/26 05:35:01.0468 0932 VolSnap         (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/07/26 05:35:01.0484 0932 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
    2011/07/26 05:35:01.0484 0932 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
    2011/07/26 05:35:01.0796 0932 MBR (0x1B8)     (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
    2011/07/26 05:35:01.0812 0932 Boot (0x1200)   (80aa57cf936528bddc4dced5a3129476) \Device\Harddisk0\DR0\Partition0
    2011/07/26 05:35:01.0812 0932 ================================================================================
    2011/07/26 05:35:01.0812 0932 Scan finished
    2011/07/26 05:35:01.0812 0932 ================================================================================
    2011/07/26 05:35:01.0828 3912 Detected object count: 1
    2011/07/26 05:35:01.0828 3912 Actual detected object count: 1
    2011/07/26 05:35:29.0640 3912 VolSnap         (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/07/26 05:35:29.0640 3912 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
    2011/07/26 05:35:30.0015 3912 Backup copy found, using it..
    2011/07/26 05:35:30.0031 3912 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
    2011/07/26 05:35:30.0031 3912 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
    2011/07/26 05:35:46.0578 3472 Deinitialize success

    ComboFix 11-07-23.04 - hcarter 07/23/2011  15:05:45.2.2 - x86
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3070.2286 [GMT -5:00]
    Running from: c:\documents and settings\hcarter\Desktop\Gotcha.exe
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    .
    (((((((((((((((((((((((((   Files Created from 2011-06-23 to 2011-07-23  )))))))))))))))))))))))))))))))
    .
    .
    2011-07-23 20:05 . 2011-07-23 20:05 -------- d-----w- C:\32788R22FWJFW
    2011-07-23 20:03 . 2011-07-23 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
    2011-07-23 20:01 . 2011-07-23 20:01 -------- d-----w- c:\program files\WinPcap
    2011-07-23 14:51 . 2011-07-23 14:51 388096 ----a-r- c:\documents and settings\hcarter\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-07-23 14:51 . 2011-07-23 20:01 -------- d-----w- c:\program files\Trend Micro
    2011-07-23 14:50 . 2011-07-23 14:50 1402880 ----a-w- C:\HijackThis.msi
    2011-07-22 20:00 . 2011-07-22 18:12 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-07-22 18:12 . 2011-07-22 18:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-07-22 17:41 . 2011-07-21 19:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-07-22 17:41 . 2011-07-22 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2011-07-22 17:41 . 2011-07-22 17:41 -------- d-----w- c:\program files\Lavasoft
    2011-07-22 17:40 . 2011-07-22 17:41 10285056 ----a-w- C:\Ad-Aware90Install.msi
    2011-07-22 16:46 . 2011-07-22 16:46 -------- d-----w- c:\documents and settings\scarter\Application Data\Sammsoft
    2011-07-22 15:38 . 2011-07-22 15:38 -------- d-----w- c:\documents and settings\hcarter\Application Data\Sammsoft
    2011-07-22 13:49 . 2011-07-22 13:50 3433016 ----a-w- C:\AROLicense2011.exe
    2011-07-22 13:01 . 2011-07-22 13:01 -------- d-----w- c:\documents and settings\Karen Carter\Application Data\Sammsoft
    2011-07-22 13:01 . 2011-07-22 13:51 -------- d-----w- c:\program files\ARO 2011
    2011-07-22 12:59 . 2011-07-22 13:00 5883832 ----a-w- C:\ARO2011_tbt.exe
    2011-07-16 15:52 . 2011-07-16 15:52 8016 ----a-w- C:\cc_20110716_105201.reg
    2011-07-16 12:17 . 2011-07-16 12:18 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Temp
    2011-07-16 12:17 . 2011-07-16 12:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2011-07-14 18:46 . 2011-04-26 11:07 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-07-08 16:46 . 2011-07-08 16:46 -------- d-----w- c:\documents and settings\hcarter\Application Data\PCDr
    2011-07-08 16:10 . 2011-07-08 16:10 4936 ----a-w- C:\cc_20110708_111015.reg
    2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
    2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\program files\iolo
    2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\documents and settings\hcarter\Application Data\iolo
    2011-07-08 12:31 . 2011-07-08 12:31 -------- d-----w- c:\documents and settings\Administrator
    2011-07-08 04:28 . 2011-07-08 04:28 -------- d-----w- c:\documents and settings\Karen Carter\Application Data\Template
    2011-07-08 01:44 . 2011-07-08 01:44 4928 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-07-08 01:22 . 2011-07-08 01:22 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\KodakGallery
    2011-07-06 12:01 . 2011-07-06 12:01 -------- d-----w- c:\documents and settings\hcarter\Application Data\AskToolbar
    2011-07-06 11:52 . 2011-07-06 11:52 -------- d-----w- c:\documents and settings\scarter\Application Data\AskToolbar
    2011-07-06 11:47 . 2011-07-06 11:47 -------- d-----w- c:\program files\Ask.com
    2011-07-06 05:25 . 2011-07-06 05:56 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Adobe
    2011-07-05 17:50 . 2011-07-05 17:51 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Deployment
    2011-06-29 02:32 . 2011-06-29 02:32 661334 ----a-w- C:\cc_20110628_213218.reg
    2011-06-29 02:01 . 2011-06-29 02:01 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-03 19:27 . 2010-03-13 21:52 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-07-03 19:27 . 2010-03-13 21:52 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-18 12:42 . 2011-05-17 03:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-02 14:02 . 2004-08-10 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-10 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2004-08-10 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-26 11:07 . 2004-08-10 17:51 293376 ----a-w- c:\windows\system32\winsrv.dll
    2011-04-25 16:11 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-10 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-10 17:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2004-08-10 17:51 385024 ----a-w- c:\windows\system32\html.iec
    .
    .
    (((((((((((((((((((((((((((((   SnapShot@2011-07-22_21.04.38   )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-10-20 18:19 . 2009-10-20 18:19 53299              c:\windows\system32\pthreadVC.dll
    + 2009-10-20 18:19 . 2009-10-20 18:19 50704              c:\windows\system32\drivers\npf.sys
    + 2009-10-20 18:19 . 2009-10-20 18:19 281104              c:\windows\system32\wpcap.dll
    + 2009-10-20 18:19 . 2009-10-20 18:19 100880              c:\windows\system32\Packet.dll
    + 2011-07-23 14:51 . 2011-07-23 14:51 1094656              c:\windows\Installer\2622a5.msi
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PMX Daemon"="ICO.EXE" [2006-11-08 49152]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
    "masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-01 884696]
    "Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2011 12:41 PM 64512]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/13/2010 4:52 PM 136360]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/21/2011 2:59 PM 2151640]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
    R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [7/23/2011 3:01 PM 439632]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 4:17 PM 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 4:17 PM 135664]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [7/21/2011 2:59 PM 15232]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - NPF
    *NewlyCreated* - RUBOTSRV
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 19:59]
    .
    2011-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 21:17]
    .
    2011-07-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 21:17]
    .
    2011-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1006Core.job
    - c:\documents and settings\hcarter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 23:14]
    .
    2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1006UA.job
    - c:\documents and settings\hcarter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-05 23:14]
    .
    2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1009Core.job
    - c:\documents and settings\Karen Carter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 17:51]
    .
    2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1009UA.job
    - c:\documents and settings\Karen Carter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 17:51]
    .
    2011-07-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
    .
    2011-07-23 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
    .
    2011-07-23 c:\windows\Tasks\User_Feed_Synchronization-{708451AE-3678-44D7-B584-3903128EADBC}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    2011-07-23 c:\windows\Tasks\User_Feed_Synchronization-{D8C30020-2FC0-40C9-9C30-14A16152B783}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mStart Page = hxxp://www.dishmail.net
    uInternet Connection Wizard,ShellNext = hxxp://admin.isp.netscape.com/session/limited_session.jsp?connection_id=21050439L&page=https%3A%2F%2Fmyaccount.isp.netscape.com%2Fmyaccount%2FLostPassword.do
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    Trusted Zone: intuit.com\ttlc
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-23 15:09
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ... 
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ... 
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2876)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\hnetcfg.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-07-23  15:10:15
    ComboFix-quarantined-files.txt  2011-07-23 20:10
    ComboFix2.txt  2011-07-22 21:06
    .
    Pre-Run: 468,688,707,584 bytes free
    Post-Run: 468,689,825,792 bytes free
    .
    - - End Of File - - AAFBED3207F0FDEF165EAF5B6C8CC2DB

     

    The TDSSKiller did get one virus and it seems to be it since my search results are NOT redirected.  Let me know if you think we only got the result of it and it may return.

    Thanks Kevin.

    1.1K Posts

    July 26th, 2011 13:00

    OK, continue as follows please :-

    Step 1

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in between the dotted lines below into it:

    ----------------------------------------------------------------------------------------------
    KillAll::
    File::
    c:\program files\Ask.com
    Folder::
    c:\documents and settings\hcarter\Application Data\AskToolbar
    c:\documents and settings\scarter\Application Data\AskToolbar
    ----------------------------------------------------------------------------------------------

    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Step 2

    Run ESET Online Scan
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
    • Click the user posted image button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on user posted image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the user posted image icon on your desktop.

    • Check user posted image
    • Click the user posted image button.
    • Accept any security warnings from your browser.
    • Check user posted image
    • Leave the tick out of remove found threats
    • Push the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push user posted image
    • Push user posted image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Push the user posted image button.
    • Push user posted image

    You can refer to this animation by neomage if needed.
    Frequently asked questions available Here. Please read them before running the scan.

    Also be aware this scan can take between one and several hours to complete depending on the size of your system.

    ESET log can be found here "C:\Program Files\ESET\EsetOnlineScanner\log.txt".

    Step 3

    Download Security Check by screen317 from HERE or HERE.
    Save it to your Desktop.
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    What I'd like in your reply :-

    • Log from Combofix
    • Log from ESET
    • Log from Security Checks
    • Update on current issues/concerns


    Kevin

    9 Posts

    July 28th, 2011 06:00

    Here is the combofix... it seemed to do a lot of things.  I assume this was something else you saw.  The second scan did not find anything.  I will get you that log next if you want it.  Links are still working correctly, no redirect.

    ComboFix 11-07-23.04 - hcarter 07/27/2011  20:44:05.3.2 - x86
    Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3070.2216 [GMT -5:00]
    Running from: c:\documents and settings\hcarter\Desktop\Gotcha.exe
    Command switches used :: c:\documents and settings\hcarter\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
    .
    FILE ::
    "c:\program files\Ask.com"
    .
    .
    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\hcarter\Application Data\AskToolbar
    c:\documents and settings\hcarter\Application Data\AskToolbar\Avira.install-bubble.config
    c:\documents and settings\hcarter\Application Data\AskToolbar\Avira.status.config
    c:\documents and settings\scarter\Application Data\AskToolbar
    c:\documents and settings\scarter\Application Data\AskToolbar\Avira.install-bubble.config
    c:\documents and settings\scarter\Application Data\AskToolbar\Avira.status.config
    .
    .
    (((((((((((((((((((((((((   Files Created from 2011-06-28 to 2011-07-28  )))))))))))))))))))))))))))))))
    .
    .
    2011-07-23 20:05 . 2011-07-23 20:10 -------- d-----w- C:\Gotcha
    2011-07-23 20:03 . 2011-07-23 20:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Trend Micro
    2011-07-23 20:01 . 2011-07-23 20:01 -------- d-----w- c:\program files\WinPcap
    2011-07-23 14:51 . 2011-07-23 20:01 -------- d-----w- c:\program files\Trend Micro
    2011-07-23 14:50 . 2011-07-23 14:50 1402880 ----a-w- C:\HijackThis.msi
    2011-07-22 20:00 . 2011-07-22 18:12 16432 ----a-w- c:\windows\system32\lsdelete.exe
    2011-07-22 18:12 . 2011-07-22 18:12 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
    2011-07-22 17:41 . 2011-07-21 19:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2011-07-22 17:41 . 2011-07-22 17:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2011-07-22 17:41 . 2011-07-22 17:41 -------- d-----w- c:\program files\Lavasoft
    2011-07-22 17:40 . 2011-07-22 17:41 10285056 ----a-w- C:\Ad-Aware90Install.msi
    2011-07-22 16:46 . 2011-07-22 16:46 -------- d-----w- c:\documents and settings\scarter\Application Data\Sammsoft
    2011-07-22 13:49 . 2011-07-22 13:50 3433016 ----a-w- C:\AROLicense2011.exe
    2011-07-22 13:01 . 2011-07-22 13:01 -------- d-----w- c:\documents and settings\Karen Carter\Application Data\Sammsoft
    2011-07-22 13:01 . 2011-07-22 13:51 -------- d-----w- c:\program files\ARO 2011
    2011-07-22 12:59 . 2011-07-22 13:00 5883832 ----a-w- C:\ARO2011_tbt.exe
    2011-07-16 15:52 . 2011-07-16 15:52 8016 ----a-w- C:\cc_20110716_105201.reg
    2011-07-16 12:17 . 2011-07-16 12:18 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Temp
    2011-07-16 12:17 . 2011-07-16 12:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
    2011-07-14 18:46 . 2011-04-26 11:07 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-07-08 16:10 . 2011-07-08 16:10 4936 ----a-w- C:\cc_20110708_111015.reg
    2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
    2011-07-08 15:49 . 2011-07-08 15:49 -------- d-----w- c:\program files\iolo
    2011-07-08 12:31 . 2011-07-08 12:31 -------- d-----w- c:\documents and settings\Administrator
    2011-07-08 04:28 . 2011-07-08 04:28 -------- d-----w- c:\documents and settings\Karen Carter\Application Data\Template
    2011-07-08 01:44 . 2011-07-08 01:44 4928 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2011-07-08 01:22 . 2011-07-08 01:22 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\KodakGallery
    2011-07-06 11:47 . 2011-07-06 11:47 -------- d-----w- c:\program files\Ask.com
    2011-07-06 05:25 . 2011-07-06 05:56 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Adobe
    2011-07-05 17:50 . 2011-07-05 17:51 -------- d-----w- c:\documents and settings\Karen Carter\Local Settings\Application Data\Deployment
    2011-06-29 02:32 . 2011-06-29 02:32 661334 ----a-w- C:\cc_20110628_213218.reg
    2011-06-29 02:01 . 2011-06-29 02:01 -------- d-----w- c:\windows\system32\wbem\Repository
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-07-26 10:36 . 2004-08-10 17:51 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
    2011-07-03 19:27 . 2010-03-13 21:52 66616 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-07-03 19:27 . 2010-03-13 21:52 138192 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-06-18 12:42 . 2011-05-17 03:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-06-02 14:02 . 2004-08-10 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31 . 2004-08-10 18:02 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2004-08-10 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2004-08-10 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    .
    .
    (((((((((((((((((((((((((((((   SnapShot@2011-07-22_21.04.38   )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-10-20 18:19 . 2009-10-20 18:19 53299              c:\windows\system32\pthreadVC.dll
    + 2009-10-20 18:19 . 2009-10-20 18:19 50704              c:\windows\system32\drivers\npf.sys
    + 2009-10-20 18:19 . 2009-10-20 18:19 281104              c:\windows\system32\wpcap.dll
    + 2009-10-20 18:19 . 2009-10-20 18:19 100880              c:\windows\system32\Packet.dll
    + 2011-07-23 14:51 . 2011-07-23 14:51 1094656              c:\windows\Installer\2622a5.msi
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-07-16 39408]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PMX Daemon"="ICO.EXE" [2006-11-08 49152]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 282624]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-03 281768]
    "masqform.exe"="c:\program files\PureEdge\Viewer 6.5\masqform.exe" [2005-07-04 643072]
    "ApnUpdater"="c:\program files\Ask.com\Updater\Updater.exe" [2011-07-01 884696]
    "Trend Micro RUBotted V2.0 Beta"="c:\program files\Trend Micro\RUBotted\RUBottedGUI.exe" [2010-12-17 1103184]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-6-21 282624]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\NetMeeting\\conf.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/22/2011 12:41 PM 64512]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/13/2010 4:52 PM 136360]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/21/2011 2:59 PM 2151640]
    R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 1:19 PM 50704]
    R2 RUBotSrv;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\RUBotSrv.exe [7/23/2011 3:01 PM 439632]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 4:17 PM 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 4:17 PM 135664]
    S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [7/21/2011 2:59 PM 15232]
    S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\Dell Support Center\pcdsrvc.pkms [11/17/2010 7:36 PM 21744]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-07-21 19:59]
    .
    2011-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 21:17]
    .
    2011-07-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 21:17]
    .
    2011-07-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1009Core.job
    - c:\documents and settings\Karen Carter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 17:51]
    .
    2011-07-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-756404058-4268596145-2842271720-1009UA.job
    - c:\documents and settings\Karen Carter\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-05 17:51]
    .
    2011-07-22 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
    - c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
    .
    2011-07-28 c:\windows\Tasks\SystemToolsDailyTest.job
    - c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
    .
    2011-07-28 c:\windows\Tasks\User_Feed_Synchronization-{708451AE-3678-44D7-B584-3903128EADBC}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    2011-07-28 c:\windows\Tasks\User_Feed_Synchronization-{D8C30020-2FC0-40C9-9C30-14A16152B783}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mStart Page = hxxp://www.dishmail.net
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    SafeBoot-33904770.sys
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-27 20:49
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ... 
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ... 
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
    "ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3576)
    c:\windows\system32\WININET.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Roxio\Drag-to-Disc\Shellex.dll
    c:\program files\Common Files\Roxio Shared\9.0\DLLShared\DLAAPI_W.DLL
    c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    c:\windows\system32\wbem\unsecapp.exe
    c:\windows\system32\ICO.EXE
    c:\windows\stsystra.exe
    c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
    c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    c:\program files\ATI Technologies\ATI.ACE\cli.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-27  20:54:47 - machine was rebooted
    ComboFix-quarantined-files.txt  2011-07-28 01:54
    ComboFix2.txt  2011-07-23 20:10
    ComboFix3.txt  2011-07-22 21:06
    .
    Pre-Run: 468,654,813,184 bytes free
    Post-Run: 468,647,952,384 bytes free
    .
    - - End Of File - - 0E2B99C46794A6DA9B564406425FCF4D

    1.1K Posts

    July 28th, 2011 15:00

    Can I see the log from ESET online scan, log from Security Check and have an update on system status....

    9 Posts

    July 30th, 2011 19:00

    This is the last step below....... ESET did not find anything or produce a log.

    Do you think this did not run correctly?

    Results of screen317's Security Check version 0.99.18  

    Windows XP Service Pack 3  

    Internet Explorer 8  

    ``````````````````````````````

    Antivirus/Firewall Check:

    Windows Firewall Enabled!  

    Avira AntiVir Personal - Free Antivirus

    ESET Online Scanner v3  

    Trend Micro RUBotted 2.0 Beta  

    Avira successfully updated!

    ```````````````````````````````

    Anti-malware/Other Utilities Check:

    Ad-Aware

    CCleaner    

    Adobe Flash Player  

    ````````````````````````````````

    Process Check:  

    objlist.exe by Laurent

    Ad-Aware AAWService.exe is disabled!

    Ad-Aware AAWTray.exe is disabled!

    Avira Antivir avgnt.exe

    Avira Antivir avguard.exe

    Trend Micro RUBotted RUBotSrv.exe  

    Trend Micro RUBotted RUBottedGUI.exe  

    ``````````End of Log````````````

    1.1K Posts

    July 31st, 2011 15:00

    I'm not surprised ESET found nothing, we already got the infection. ESET scan was to prove system is clean.

    Can I have an update on issues/concerns, if none we can clean up our tools etc

    9 Posts

    August 6th, 2011 09:00

    Yes, sorry for the delay, remember I was out of town.... I really want to check the system out myself before giving you the final answer.  

    The system seems fine, this issue is gone.   It even runs faster from all the cleanup.   I was also having some boot problems previously, which are now gone.

    I am now the only one that does anything more than run a browser on this system, so I will just hang on to the tools.

    Thank you greatly for all your help, Kevin.  I hope we chat later over better things.

    Harv

    1.1K Posts

    August 6th, 2011 13:00

    I recommend that you remove the tools we have used on your system, your choice as it's your Computer. Let me know and I'll give instruction for uninstallation of said tools...

    Other than that you should be good to go, here are some tips to reduce the potential for malware infection in the future:

    Make proper use of your antivirus and firewall

    Antivirus and Firewall programs are integral to your computer security. However, just having them installed isn't enough. The definitions of these programs are frequently updated to detect the latest malware, if you don't keep up with these updates then you'll be vulnerable to infection. Many antivirus and firewall programs have automatic update features, make use of those if you can. If your program doesn't, then get in the habit of routinely performing manual updates, because it's important.

    You should keep your antivirus and firewall guard enabled at all times, NEVER turn them off unless there's a specific reason to do so. Also, regularly performing a full system scan with your antivirus program is a good idea to make sure your system remains clean. Once a week should be adequate. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

    Install and use WinPatrol. This will inform you of any attempted unauthorized changes to your system.

    WinPatrol features explained Here

    You will have several programs installed, these may be outdated and vulnerable to exploits also. To be certain, please run the free online scan by Secunia, available Here. Before clicking the Start scan button, please check the box for the option Enable thorough system inspection. Just below the "Scan Options:" section, you'll see the status of what's currently processing....
    ...when the scan completes, the message "Detection completed successfully" will appear in the Programs/Result section. For each problem detected, Secunia will offer a "Solution" option. Please follow those instructions to download updated versions of the programs as recommended by Secunia.

    Use a safer web browser

    Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a few good free alternatives:

    Firefox,

    Opera, and

    Chrome.

    All of these are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial HERE which will help you to make IE MUCH safer.

    These browser add-ons will help to make your browser safer:

    Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous ones:

    Green to go,
    Yellow for caution, and
    Red to stop.

    Available for Firefox and Internet Explorer.


    Available for Firefox only. NoScript helps to block malicious scripts and in general gives you much better control over what types of things webpages can do to your computer while you're browsing.

    These are just a couple of the most popular add-ons, if you're interested in more, take a look at THIS article.

    Here are a couple of links by two security experts that will give some excellent tips and advice.

    So how did I get infected in the first place by Tony Klein

    How to prevent Malware by Miekiemoes

    Finally this link HERE will give a comprehensive up-to-date list of free Security programs. To include - Antivirus, Antispyware, Firewall, Antimalware, Online scanners and rescue CDs.

    Don't forget, the best form of defense is common sense. If you don't recognize it, don't open it. If something looks too good to be true, then it ain't.

    Kevin

    1.1K Posts

    August 10th, 2011 13:00

    Since this issue appears to be resolved, the topic has been closed. Glad we could help.

    If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

    Everyone else please begin a New Topic.

    The fixes and advice in this thread are for this System only. Do not apply the instructions from this thread to your own System. Please start a new thread describing your issue and someone will be along to assist you.
