
Thread: Click.giftload Victim...another

  1. #1 Junior Member (Join Date: May 2011, Posts: 8)

    Click.giftload Victim...another

    Hey,

    Hope someone on this forum can help me- I'm not the best at this kind of stuff so feel free to dumb it down for me a bit.

    Have got the Click.Giftload problem that others have and maybe another. Fake security pop-ups are driving me crazy, my computer has slowed to a crawl and cuts to the blue screen of death every 2 hours or so. It annoyingly changes my windows theme to classic all the time, sometimes the windows XP option disappears when I try to change it back. Windows automatic updates seems to be on, although it keeps popping up saying it's off- I am also unable to update anything myself from the windows site.

    I'm using quite an old computer, Windows XP Home and use Firefox exclusively. I have AVG Free which finds nothing when I run it. Spybot can find the virus but doesn't do anything with it- it just finds it over and over again. I downloaded Malwarebytes which found it the first time, but cut to a blue screen and I haven't been able to run it fully without this happening again. All 3 are fully updated.

    Thanks in advance, I appreciate any help.........Lorelei.

    Here is the DDS log...

    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Lorelei Walker at 20:36:03.21 on 14/05/2011
    Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.511.99 [GMT 1:00]
    .
    AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\WINDOWS\system32\svchost.exe -k LocalService
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Creative\Shared Files\CTDevSrv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\Program Files\Belkin\F5D7050v3\Belkinwcui.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe
    C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Documents and Settings\Kathryn Sharkey.THOMAS-H63N1KI6\My Documents\Downloads\dds.scr
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.co.uk/firefox
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    mWindow Title =
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} -
    EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [IE Privacy Keeper] "c:\program files\unh solutions\ie privacy keeper\IEPrivacyKeeper.exe" -startup
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [F5D7050v3] c:\program files\belkin\f5d7050v3\Belkinwcui.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/9/b/d/9bdc68ef-6a9f-4505-8fb8-d0d2d160e512/LegitCheckControl.cab
    DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120596427687
    DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122}
    DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://g:\resources\IntraLaunch.CAB
    DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/msnmessengersetupdownloader.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
    DPF: {C6637286-300D-11D4-AE0A-0010830243BD}
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F281A59C-7B65-11D3-8617-0010830243BD}
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: ComPlusSetup - c:\windows\system32\catsrvut.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\docume~1\kathry~1.tho\applic~1\mozilla\firefox\profiles\sw3vmvw9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: general.useragent.extra.zencast - );user_pref(general.useragent.extra.zencast,
    ============= SERVICES / DRIVERS ===============
    .
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-19 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-19 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-19 243152]
    R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\all users\application data\trusteer\rapport\store\exts\rapportcerberus\26169\RapportCerberus_26169.sys [2011-5-3 57144]
    R1 RapportEI;RapportEI;c:\program files\trusteer\rapport\bin\RapportEI.sys [2011-4-28 66360]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2011-4-28 158904]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
    R2 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2011-4-1 64000]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2011-4-28 870200]
    R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\talktalk\bin\sprtsvc.exe [2007-10-12 202016]
    R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\common files\supportsoft\bin\tgsrvc.exe [2007-8-2 148768]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-12 136176]
    S3 Avdieaacwch;Avdieaacwch;c:\windows\system32\drivers\rdpdr.sys [2006-1-27 196224]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-12 136176]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2002-8-29 14336]
    S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]
    .
    =============== Created Last 30 ================
    .
    2011-05-13 23:20:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-13 23:19:57 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-13 21:04:33 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-07 01:56:12 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-05-07 01:56:12 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-05-07 01:56:12 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-05-07 01:56:11 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-05-07 01:56:11 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-05-07 01:56:10 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
    2011-05-07 01:56:10 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-05-07 01:56:09 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
    2011-05-01 02:28:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\fB31002DoMfE31002
    2011-04-30 18:02:24 -------- d-----w- c:\windows\system32\wbem\repository\FS
    2011-04-30 18:02:24 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-30 17:42:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\lH31002MdBlM31002
    2011-04-28 13:34:50 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-04-15 01:26:35 -------- d-----w- c:\docume~1\kathry~1.tho\locals~1\applic~1\Trusteer
    .
    ==================== Find3M ====================
    .
    2011-04-05 22:41:32 3398 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2005-02-10 11:47:51 0 -csh--r- c:\program files\q330994.exe
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST380021A rev.3.19 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x833194F0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8331f7d0]; MOV EAX, [0x8331f84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37C5] -> \Device\Harddisk0\DR0[0x8334AAB8]
    3 CLASSPNP[0xF8695FD7] -> nt!IofCallDriver[0x804E37C5] -> \Device\00000065[0x83388F18]
    5 ACPI[0xF85EC620] -> nt!IofCallDriver[0x804E37C5] -> [0x83385D98]
    \Driver\atapi[0x83347328] -> IRP_MJ_CREATE -> 0x833194F0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8331933B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 20:38:45.53 ===============

  2. #2 Senior Member (Join Date: Aug 2010, Location: Near Atlanta, GA, Posts: 189)

    Hello Lorelai and
    I'm RedCar92 and my name is Bill, I'll be glad to help you with your computer problems.

    • Please observe these rules while we work:
    • Read the entire procedure
    • It is important to perform ALL actions in sequence.
    • If you don't know, stop and ask! Don't keep going on.
    • Please reply to this thread. Do not start a new topic.
    • Stick with me till you're given the all clear. Malware removal can be stressful but we will clean it.
    • Remember, absence of symptoms does not mean the infection is all gone.
    • Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.


    Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice; this will be a team effort.
    This may cause a delay, but I will do my best to keep it as short as possible.

    Please bear with me, I will post back to you as soon as I can.

    IMPORTANT NOTE : Please do not delete anything unless instructed to.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

    Doing so could make your pc inoperative and could require a full reinstall of your OS, losing all your programs and data.

    Stay with this topic until I give you the all clean post.

  3. #3 Junior Member (Join Date: May 2011, Posts: 8)

    Thanks.



    I appreciate any help you can give Bill...will await instructions from you.

  4. #4 Senior Member (Join Date: Aug 2010, Location: Near Atlanta, GA, Posts: 189)

    Greetings Lorelei,
    It appears that you have a TDL3 rootkit, so please do the following first:

    Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file in your next post.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file in your next post.

    Logs to post:
    • TDSSKiller?????.txt
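    The TDL3 call above rests on what the DDS log in post #1 shows: GMER's disk trace ends in a module it cannot attribute (>>UNKNOWN [0x833194F0]<<), atapi's IRP_MJ_CREATE dispatch is redirected to that same address, a DriverStartIo hook on atapi is listed, and an oddly named S3 service (Avdieaacwch) points at rdpdr.sys. The Python below is an added triage script, not code from the thread or from the DDS or GMER tools; it runs over a constructed excerpt in the same log format and reports those indicators, with the service-name check marked as a loose heuristic.

```python
"""Pull the kernel-mode rootkit indicators discussed in this thread out of a DDS log."""
import json
import re
from pathlib import PureWindowsPath

# Constructed excerpt in the DDS/GMER format seen in the thread; sample input only,
# not the original log verbatim.
SAMPLE_DDS_LOG = r"""
============= SERVICES / DRIVERS ===============
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-19 216400]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
S3 Avdieaacwch;Avdieaacwch;c:\windows\system32\drivers\rdpdr.sys [2006-1-27 196224]
S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2011-4-28 53816]
.
=================== ROOTKIT ====================
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x833194F0]<<
\Driver\atapi[0x83347328] -> IRP_MJ_CREATE -> 0x833194F0
detected hooks:
\Driver\atapi DriverStartIo -> 0x8331933B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 20:38:45.53 ===============
"""

# One DDS service line: start type, name, display name, binary path, optional [date size].
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)(?:\s+\[[^\]]*\])?\s*$")
# GMER "called modules" line naming code it could not attribute to any loaded driver.
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# Dispatch redirection: \Driver\atapi[addr] -> IRP_MJ_CREATE -> addr
IRP_RE = re.compile(r"^(\\Driver\\\S+?)\[0x[0-9A-Fa-f]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+(0x[0-9A-Fa-f]+)\s*$")
# Hook entry under "detected hooks:": \Driver\atapi DriverStartIo -> addr
HOOK_RE = re.compile(r"^(\\Driver\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)\s*$")


def service_name_mismatches(lines):
    """Kernel drivers whose service name differs from the driver file's base name.
    Loose heuristic only (legitimate drivers such as nv4_mini.sys trip it too); it
    surfaces entries like Avdieaacwch -> rdpdr.sys for an analyst to check."""
    flagged = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, _display, path = m.groups()
        lowered = path.lower()
        if not (lowered.endswith(".sys") and "\\drivers\\" in lowered):
            continue  # only kernel drivers in a drivers directory are of interest here
        if PureWindowsPath(path).stem.lower() != name.lower():
            flagged.append({"start": start, "service": name, "path": path})
    return flagged


def rootkit_indicators(lines):
    """Collect the GMER section's evidence of a diverted disk I/O path."""
    found = {"unknown_modules": [], "irp_redirects": [], "hooks": [], "warnings": []}
    in_hooks = False
    for raw in lines:
        line = raw.strip()
        if (m := UNKNOWN_RE.search(line)):
            found["unknown_modules"].append(m.group(1))
        if (m := IRP_RE.match(line)):
            found["irp_redirects"].append({"driver": m.group(1), "irp": m.group(2), "target": m.group(3)})
        if line.startswith("detected hooks:"):
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                found["hooks"].append({"driver": m.group(1), "routine": m.group(2), "target": m.group(3)})
            else:
                in_hooks = False  # first non-hook line closes the block
        if line.lower().startswith("warning:"):
            found["warnings"].append(line)
    return found


def triage(text):
    """Combine the indicators and rate them; the strongest signal is an IRP dispatch
    routine that lands inside a module GMER could not attribute to any driver."""
    lines = text.splitlines()
    f = rootkit_indicators(lines)
    f["service_name_mismatches"] = service_name_mismatches(lines)
    unknown = set(f["unknown_modules"])
    f["irp_into_unknown"] = [r for r in f["irp_redirects"] if r["target"] in unknown]
    if f["irp_into_unknown"] or f["hooks"]:
        f["verdict"] = "strong: disk I/O path diverted into unattributed kernel code"
    elif f["warnings"] or f["service_name_mismatches"]:
        f["verdict"] = "weak: review flagged items"
    else:
        f["verdict"] = "none"
    return f


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DDS_LOG), indent=2))
```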

  5. #5 Junior Member (Join Date: May 2011, Posts: 8)

    Hope I've done this right....

    Ran TDSSKiller, it found something and cured it, then rebooted.

    Here's the report...




    2011/05/17 23:53:24.0962 3992 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
    2011/05/17 23:53:25.0292 3992 ================================================================================
    2011/05/17 23:53:25.0292 3992 SystemInfo:
    2011/05/17 23:53:25.0292 3992
    2011/05/17 23:53:25.0292 3992 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/17 23:53:25.0292 3992 Product type: Workstation
    2011/05/17 23:53:25.0292 3992 ComputerName: H63N1KI6
    2011/05/17 23:53:25.0292 3992 UserName: Lorelai Walker
    2011/05/17 23:53:25.0292 3992 Windows directory: C:\WINDOWS
    2011/05/17 23:53:25.0292 3992 System windows directory: C:\WINDOWS
    2011/05/17 23:53:25.0292 3992 Processor architecture: Intel x86
    2011/05/17 23:53:25.0292 3992 Number of processors: 1
    2011/05/17 23:53:25.0292 3992 Page size: 0x1000
    2011/05/17 23:53:25.0292 3992 Boot type: Normal boot
    2011/05/17 23:53:25.0292 3992 ================================================================================
    2011/05/17 23:53:26.0564 3992 Initialize success
    2011/05/17 23:53:32.0142 1380 ================================================================================
    2011/05/17 23:53:32.0142 1380 Scan started
    2011/05/17 23:53:32.0142 1380 Mode: Manual;
    2011/05/17 23:53:32.0142 1380 ================================================================================
    2011/05/17 23:54:04.0476 1380 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/05/17 23:54:04.0846 1380 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/05/17 23:54:05.0137 1380 UPATC (2345843f5a031a943176e9e4954c288d) C:\WINDOWS\system32\DRIVERS\upatc.sys
    2011/05/17 23:54:05.0397 1380 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/05/17 23:54:05.0628 1380 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/05/17 23:54:05.0838 1380 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/05/17 23:54:06.0038 1380 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/05/17 23:54:06.0178 1380 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
    2011/05/17 23:54:06.0359 1380 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/05/17 23:54:06.0609 1380 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/05/17 23:54:06.0789 1380 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/05/17 23:54:06.0979 1380 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
    2011/05/17 23:54:07.0190 1380 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/05/17 23:54:07.0460 1380 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/05/17 23:54:07.0650 1380 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/05/17 23:54:07.0911 1380 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/05/17 23:54:08.0061 1380 WmBEnum (588c1df21321ec51eebff2c8909d1587) C:\WINDOWS\system32\drivers\WmBEnum.sys
    2011/05/17 23:54:08.0221 1380 WmFilter (3b45b7bfd513d3313e895d187849e3a3) C:\WINDOWS\system32\drivers\WmFilter.sys
    2011/05/17 23:54:08.0451 1380 WmVirHid (fe7d6991fd5894f06aae95dc78e79948) C:\WINDOWS\system32\drivers\WmVirHid.sys
    2011/05/17 23:54:08.0612 1380 WmXlCore (dcbb4688ee775912444b9010cd3fe9b6) C:\WINDOWS\system32\drivers\WmXlCore.sys
    2011/05/17 23:54:08.0852 1380 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
    2011/05/17 23:54:09.0022 1380 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/05/17 23:54:09.0202 1380 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/05/17 23:54:09.0393 1380 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/05/17 23:54:09.0603 1380 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/05/17 23:54:09.0803 1380 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/05/17 23:54:09.0813 1380 ================================================================================
    2011/05/17 23:54:09.0813 1380 Scan finished
    2011/05/17 23:54:09.0813 1380 ================================================================================
    2011/05/17 23:54:09.0853 1040 Detected object count: 1
    2011/05/17 23:54:19.0256 1040 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/05/17 23:54:19.0256 1040 \HardDisk0 - ok
    2011/05/17 23:54:19.0256 1040 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/05/17 23:54:52.0922 2668 Deinitialize success

  6. #6 Senior Member, Join Date Aug 2010, Location Near Atlanta, GA, Posts 189

    Greetings Lorelei,
    TDSSkiller did a good job for us.

    ***Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.***
    Download Combofix from any of the links below. Save it to your desktop.

    Link 1
    Link 2

    * IMPORTANT !!! Save ComboFix.exe to your Desktop

    • If you have AVG you will need to uninstall it. See this site for the removal tool: http://www.avg.com/us-en/download-tools Select the topmost listed tool.
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    • See this Link for programs that need to be disabled and instructions on how to disable them.
    • Remember to re-enable them when we're done.
    • Double click on ComboFix.exe & follow the prompts.

    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

    *If there is no internet connection when Combofix has completely finished, then restart your computer to restore the connections.

  7. #7 Junior Member, Join Date May 2011, Posts 8

    Log after running COMBOFIX

    Should I be switching my antiviruses etc. back on already? I'm not even sure if I was able to stop them all prior to running Combofix, but here's the log.

    Thank you

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Walker\Application Data\Xeywd
    c:\documents and settings\Walker\Application Data\Xeywd\zaxes.odc
    c:\documents and settings\Walker\Start Menu\Programs\System Tool
    c:\documents and settings\Walker\Start Menu\Programs\System Tool\System Tool 2011.lnk
    c:\documents and settings\Walker\WINDOWS
    c:\program files\filesubmit
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-13 23:20 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-13 23:19 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-13 21:04 . 2011-05-13 21:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-07 01:56 . 2011-05-07 01:56 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-05-07 01:56 . 2011-05-07 01:56 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-05-07 01:56 . 2011-05-07 01:56 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-05-07 01:56 . 2011-05-07 01:56 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-05-07 01:56 . 2011-05-07 01:56 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-05-07 01:56 . 2011-05-07 01:56 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
    2011-05-07 01:56 . 2011-05-07 01:56 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-05-07 01:56 . 2011-05-07 01:56 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
    2011-05-05 13:42 . 2011-05-05 13:42 0 ----a-w- c:\documents and settings\Walker\ntuser.tmp
    2011-05-01 02:28 . 2011-05-03 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\fB31002DoMfE31002
    2011-04-30 18:02 . 2011-04-30 18:02 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-30 17:42 . 2011-04-30 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\lH31002MdBlM31002
    2011-04-28 13:34 . 2011-04-28 13:34 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-04-22 21:54 . 2011-04-22 21:54 -------- d-----w- c:\documents and settings\Walker\Local Settings\Application Data\Trusteer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-05 22:41 . 2011-03-31 23:27 3398 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2005-02-10 11:47 . 2004-11-10 14:30 0 -csh--r- c:\program files\q330994.exe
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2011-05-07 01:56 . 2011-05-07 01:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 1654784]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    c:\documents and settings\Walker\Start Menu\Programs\Startup\AutorunsDisabled
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
    2008-04-14 00:11 625664 ----a-w- c:\windows\system32\catsrvut.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Help.lnk]
    backup=c:\windows\pss\BT Broadband Help.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Connection Manager.lnk]
    backup=c:\windows\pss\PC Connection Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^H63N1KI6^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-11 22:16 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2007-08-24 06:00 33648 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-10-22 11:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2006-10-22 11:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-10-22 11:22 1622016 ----a-w- c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-07-27 17:01 68096 ----a-w- c:\windows\SOUNDMAN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkTalk]
    2007-10-12 07:33 202016 -c--a-w- c:\program files\TalkTalk\bin\sprtcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys [03/05/2011 02:19 57144]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [28/04/2011 14:34 66360]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [28/04/2011 14:34 158904]
    R2 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [01/04/2011 14:20 64000]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [28/04/2011 14:34 870200]
    R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]
    R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 13:42 148768]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/08/2010 20:49 136176]
    S3 Avdieaacwch;Avdieaacwch;c:\windows\system32\drivers\rdpdr.sys [27/01/2006 19:53 196224]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/08/2010 20:49 136176]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [29/08/2002 13:00 14336]
    S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [28/04/2011 14:34 53816]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
    .
    2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-12 19:48]
    .
    2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-12 19:48]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/firefox
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    mWindow Title =
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://g:\resources\IntraLaunch.CAB
    FF - ProfilePath - c:\documents and settings\H63N1KI6\Application Data\Mozilla\Firefox\Profiles\sw3vmvw9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - user.js: general.useragent.extra.zencast - );user_pref(general.useragent.extra.zencast,
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Notify-avgrsstarter - avgrsstx.dll
    MSConfigStartUp-ares ultra - c:\program files\Ares Ultra\Ares Ultra.exe
    MSConfigStartUp-MSSE - c:\program files\Microsoft Security Essentials\msseces.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-18 04:47
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-602162358-1532298954-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F71501F-0A8F-B548-77D8-A869FAD7956B}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "hacjlabliplkoada"=hex:6b,61,63,6d,66,6d,67,66,66,62,69,69,6d,6c,65,61,6b,6d,
    6a,6e,6e,62,00,00
    "jaiakdhnjhdicambgmhi"=hex:6b,61,63,6d,66,6d,67,66,66,62,69,69,6d,6c,65,61,6b,
    6d,6a,6e,6e,62,00,00
    "faiponchmedf"=hex:69,61,6f,6d,6a,6b,65,61,64,68,63,6c,64,6c,63,65,6b,63,00,00
    .
    Completion time: 2011-05-18 04:52:06
    ComboFix-quarantined-files.txt 2011-05-18 03:51
    ComboFix2.txt 2010-05-19 15:49
    .
    Pre-Run: 13,870,997,504 bytes free
    Post-Run: 13,913,698,304 bytes free
    .
    - - End Of File - - D0BA14A172EDC7EE61B407DD267AB73A
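    As an added example (not code from this thread, from ComboFix, or from its author), the Python below triages two of the line formats in the log above: the `R*/S*` service lines and the entries under the `msconfig\services` key. It assumes that key holds services msconfig has disabled together with their original start type, and the "display name equals service name but the binary is named differently" rule and the list of critical services are choices made for this example, not ComboFix checks.

```python
import re
from typing import Dict, List

# Excerpt in the ComboFix log format posted above (a few service lines plus the
# msconfig\services key); the lines are lifted from that log for illustration.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
.
R1 RapportEI;RapportEI;c:\\program files\\Trusteer\\Rapport\\bin\\RapportEI.sys [28/04/2011 14:34 66360]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\\program files\\TalkTalk\\bin\\sprtsvc.exe [12/10/2007 08:33 202016]
S2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe [12/08/2010 20:49 136176]
S3 Avdieaacwch;Avdieaacwch;c:\\windows\\system32\\drivers\\rdpdr.sys [27/01/2006 19:53 196224]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\\windows\\System32\\svchost.exe -k nosGetPlusHelper [29/08/2002 13:00 14336]
"""

# "<R|S><n> <service>;<display name>;<image path> [<dd/mm/yyyy> <hh:mm> <size>]"
# R = running, S = stopped; the digit is the Windows start type.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<size>\d+)\]$"
)
# Entries under the msconfig\services key look like '"wuauserv"=2 (0x2)'.
MSCONFIG_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<start>\d+)\s+\(0x[0-9a-f]+\)$', re.I)
MSCONFIG_KEY = r"[hkey_local_machine\software\microsoft\shared tools\msconfig\services]"

# Windows service start types (SERVICE_BOOT_START .. SERVICE_DISABLED).
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
# Services whose absence matches the symptoms in the thread (updates and the
# Security Center). Chosen for this example, not a ComboFix list.
CRITICAL_SERVICES = {"wuauserv": "Automatic Updates", "wscsvc": "Security Center"}
BINARY_RE = re.compile(r"([^\\]+?\.(?:exe|sys|dll))", re.I)


def parse_services(lines: List[str]) -> List[Dict[str, str]]:
    """Return one dict per R*/S* service line."""
    out = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def parse_msconfig_services(lines: List[str]) -> Dict[str, int]:
    """Map service name -> original start type for entries under the msconfig
    services key. Assumption: msconfig parks a service it has disabled under
    this key and stores the start type the service had beforehand."""
    found: Dict[str, int] = {}
    in_section = False
    for line in lines:
        s = line.strip()
        if s.lower() == MSCONFIG_KEY:
            in_section = True
            continue
        if in_section:
            if not s or s == "." or s.startswith("["):
                in_section = False
                continue
            m = MSCONFIG_RE.match(s)
            if m:
                found[m["name"]] = int(m["start"])
    return found


def binary_name(path: str) -> str:
    """Image file name from an image path, ignoring svchost-style arguments."""
    m = BINARY_RE.search(path)
    return m.group(1) if m else path


def looks_suspicious(svc: Dict[str, str]) -> bool:
    """Rule of thumb used by this example: a service whose display name is just
    its own name, and whose name is absent from the binary it loads, deserves a
    closer look (legitimate drivers are normally named after their file)."""
    name = svc["name"].lower()
    return svc["display"].lower() == name and name not in binary_name(svc["path"]).lower()


def triage(log: str) -> List[str]:
    """Produce human-readable findings for a ComboFix log excerpt."""
    lines = log.splitlines()
    findings: List[str] = []
    for name, start in parse_msconfig_services(lines).items():
        if name.lower() in CRITICAL_SERVICES:
            findings.append(
                f"{CRITICAL_SERVICES[name.lower()]} ({name}) is disabled via msconfig "
                f"(original start type: {START_TYPES.get(start, str(start))})"
            )
    for svc in parse_services(lines):
        if looks_suspicious(svc):
            findings.append(
                f"service {svc['name']} ({svc['start']}) has no descriptive display "
                f"name and loads {binary_name(svc['path'])}: verify that binary"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```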

  8. #8 Senior Member, Join Date Aug 2010, Location Near Atlanta, GA, Posts 189

    Greetings Lorelei,
    You should switch Anti-virus off when running the Combofix program; after it completes you should switch it back on again for normal PC use. We will now use Combofix again, so turn AV off until the log is complete and Combofix completes.

    Next
    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:


    File::
    c:\program files\q330994.exe

    Dirlook::
    c:\docume~1\alluse~1\applic~1\fB31002DoMfE31002
    c:\docume~1\alluse~1\applic~1\lH31002MdBlM31002

    Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
    Also let me know how your PC is behaving now.

  9. #9 Junior Member, Join Date May 2011, Posts 8

    I need a high-5 icon.....

    I'm so happy to say that my computer's problems appear to be fixed. No pop ups, changes or blue screens. So far so good.

    Combofix report below. I don't think it found anything; I wasn't asked to cure or restart, etc.

    * Created a new restore point
    .
    FILE ::
    "c:\program files\q330994.exe"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-05-18 18:16 . 2011-05-18 18:16 -------- d-----w- c:\documents and settings\Walker\Application Data\AVG10
    2011-05-18 04:28 . 2011-05-18 04:28 -------- d-----w- c:\documents and settings\H63N1KI6\Application Data\AVG10
    2011-05-18 04:07 . 2011-05-18 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2011-05-13 23:20 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-05-13 23:19 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-05-13 21:04 . 2011-05-13 21:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-07 01:56 . 2011-05-07 01:56 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-05-07 01:56 . 2011-05-07 01:56 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-05-07 01:56 . 2011-05-07 01:56 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-05-07 01:56 . 2011-05-07 01:56 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-05-07 01:56 . 2011-05-07 01:56 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-05-07 01:56 . 2011-05-07 01:56 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
    2011-05-07 01:56 . 2011-05-07 01:56 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-05-07 01:56 . 2011-05-07 01:56 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
    2011-05-05 13:42 . 2011-05-05 13:42 0 ----a-w- c:\documents and settings\ntuser.tmp
    2011-05-01 02:28 . 2011-05-03 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\fB31002DoMfE31002
    2011-04-30 18:02 . 2011-04-30 18:02 -------- d-----w- c:\windows\system32\wbem\Repository
    2011-04-30 17:42 . 2011-04-30 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\lH31002MdBlM31002
    2011-04-28 13:34 . 2011-04-28 13:34 53816 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2011-04-22 21:54 . 2011-04-22 21:54 -------- d-----w- c:\documents and settings\Local Settings\Application Data\Trusteer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-04-05 22:41 . 2011-03-31 23:27 3398 ----a-w- c:\windows\system32\PerfStringBackup.TMP
    2005-02-10 11:47 . 2004-11-10 14:30 0 -csh--r- c:\program files\q330994.exe
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2011-05-07 01:56 . 2011-05-07 01:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ---- Directory of c:\docume~1\alluse~1\applic~1\fB31002DoMfE31002 ----
    .
    2011-05-01 02:28 . 2011-05-02 01:21 192 ----a-w- c:\docume~1\alluse~1\applic~1\fB31002DoMfE31002\fB31002DoMfE31002
    .
    ---- Directory of c:\docume~1\alluse~1\applic~1\lH31002MdBlM31002 ----
    .
    2011-04-30 17:42 . 2011-04-30 17:53 192 ----a-w- c:\docume~1\alluse~1\applic~1\lH31002MdBlM31002\lH31002MdBlM31002
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-05-18_03.47.12 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-07-11 23:02 . 2009-07-11 23:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 59728 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90rus.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 42832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90kor.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 43344 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90jpn.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 61264 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90ita.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 62800 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90fra.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 61760 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esp.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 61776 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90esn.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 53568 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90enu.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 63296 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90deu.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 36688 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90cht.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 35648 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_15fc9313\mfc90chs.dll
    + 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90u.dll
    + 2009-07-11 23:05 . 2009-07-11 23:05 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfcm90.dll
    + 2011-05-20 03:00 . 2011-05-20 03:00 16384 c:\windows\TEMP\Perflib_Perfdata_600.dat
    + 2009-07-11 23:02 . 2009-07-11 23:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
    + 2009-07-11 23:05 . 2009-07-11 23:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 159032 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_353599c2\atl90.dll
    + 2002-08-29 12:00 . 2008-04-14 00:11 640000 c:\windows\system32\dllcache\dbghelp.dll
    + 2011-05-18 04:14 . 2011-05-18 04:14 219648 c:\windows\Installer\28dbdc.msi
    + 2009-07-11 23:02 . 2009-07-11 23:02 3780424 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90u.dll
    + 2009-07-11 23:02 . 2009-07-11 23:02 3765048 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_a57c1f53\mfc90.dll
    + 2005-07-05 21:20 . 2011-04-29 10:29 42829768 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IE Privacy Keeper"="c:\program files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" [2005-12-03 1015808]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
    "F5D7050v3"="c:\program files\Belkin\F5D7050v3\Belkinwcui.exe" [2007-10-30 1654784]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    c:\documents and settings\Start Menu\Programs\Startup\AutorunsDisabled
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ComPlusSetup]
    2008-04-14 00:11 625664 ----a-w- c:\windows\system32\catsrvut.dll
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Help.lnk]
    backup=c:\windows\pss\BT Broadband Help.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PC Connection Manager.lnk]
    backup=c:\windows\pss\PC Connection Manager.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^H63N1KI6^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-01-11 22:16 39792 -c--a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2007-08-24 06:00 33648 -c--a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2006-10-22 11:22 7700480 ----a-w- c:\windows\system32\nvcpl.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2006-10-22 11:22 86016 ----a-w- c:\windows\system32\nvmctray.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2006-10-22 11:22 1622016 ----a-w- c:\windows\system32\nwiz.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    2004-07-27 17:01 68096 ----a-w- c:\windows\SOUNDMAN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkTalk]
    2007-10-12 07:33 202016 -c--a-w- c:\program files\TalkTalk\bin\sprtcmd.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=2 (0x2)
    "wscsvc"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "AVG9_TRAY"=c:\progra~1\AVG\AVG9\avgtray.exe
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\WINDOWS\\system32\\dpnsvr.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\system32\\drivers\\svchost.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
    .
    R1 RapportCerberus_26169;RapportCerberus_26169;c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys [03/05/2011 02:19 57144]
    R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [28/04/2011 14:34 66360]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [28/04/2011 14:34 158904]
    R2 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [01/04/2011 14:20 64000]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [28/04/2011 14:34 870200]
    R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]
    R2 tgsrvc_TalkTalk;SupportSoft Repair Service (TalkTalk);c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe [02/08/2007 13:42 148768]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/08/2010 20:49 136176]
    S3 Avdieaacwch;Avdieaacwch;c:\windows\system32\drivers\rdpdr.sys [27/01/2006 19:53 196224]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/08/2010 20:49 136176]
    S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [29/08/2002 13:00 14336]
    S3 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [28/04/2011 14:34 53816]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-02-23 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
    .
    2011-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-12 19:48]
    .
    2011-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-12 19:48]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/firefox
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    mWindow Title =
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} - file://g:\resources\IntraLaunch.CAB
    FF - ProfilePath - c:\documents and settings\H63N1KI6\Application Data\Mozilla\Firefox\Profiles\sw3vmvw9.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_uk&p=
    FF - user.js: general.useragent.extra.zencast - );user_pref(general.useragent.extra.zencast,
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-05-20 04:20
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-602162358-1532298954-839522115-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F71501F-0A8F-B548-77D8-A869FAD7956B}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "hacjlabliplkoada"=hex:6b,61,63,6d,66,6d,67,66,66,62,69,69,6d,6c,65,61,6b,6d,
    6a,6e,6e,62,00,00
    "jaiakdhnjhdicambgmhi"=hex:6b,61,63,6d,66,6d,67,66,66,62,69,69,6d,6c,65,61,6b,
    6d,6a,6e,6e,62,00,00
    "faiponchmedf"=hex:69,61,6f,6d,6a,6b,65,61,64,68,63,6c,64,6c,63,65,6b,63,00,00
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3880)
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-05-20 04:24:46
    ComboFix-quarantined-files.txt 2011-05-20 03:24
    ComboFix2.txt 2011-05-18 03:52
    ComboFix3.txt 2010-05-19 15:49
    .
    Pre-Run: 13,882,036,224 bytes free
    Post-Run: 13,856,366,592 bytes free
    .
    - - End Of File - - 2C595597631D506E574BA5C71D9EB446
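    The service lines and the locked-key hex dumps in the ComboFix log above are easier to check once they are pulled apart into fields. What follows is an added example written for this page; it is not part of the original thread and not ComboFix's own code. Its sample input is a handful of lines copied from the log above, it runs offline and sends nothing anywhere, and two things in it are assumptions of the example rather than ComboFix documentation: the mapping of the digit after R/S to a Windows start type, and the "does the service name share a word with its binary (or svchost group)" heuristic, which only marks entries to look at by hand and gives no verdict.

```python
"""Offline triage helpers for a ComboFix log (added example).

Not part of the original thread and not ComboFix's own code.  The sample
below is copied from the log posted above; nothing is sent anywhere and no
verdict is given, the code only restructures what the log already shows so
each entry can be checked by hand.
"""
import re

# Constructed sample: four service lines and one locked-key value copied from
# the posted log.  The hex value wraps onto a second line, as it does in the log.
SAMPLE_LOG = r"""
R1 RapportEI;RapportEI;c:\program files\Trusteer\Rapport\bin\RapportEI.sys [28/04/2011 14:34 66360]
R2 sprtsvc_TalkTalk;SupportSoft Sprocket Service (TalkTalk);c:\program files\TalkTalk\bin\sprtsvc.exe [12/10/2007 08:33 202016]
S3 Avdieaacwch;Avdieaacwch;c:\windows\system32\drivers\rdpdr.sys [27/01/2006 19:53 196224]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [29/08/2002 13:00 14336]
"hacjlabliplkoada"=hex:6b,61,63,6d,66,6d,67,66,66,62,69,69,6d,6c,65,61,6b,6d,
6a,6e,6e,62,00,00
"""

# ComboFix service line: <R|S><digit> <name>;<display>;<path> [<date time> <size>]
# R/S = running/stopped.  Reading the digit as the Windows start type is an
# assumption of this example, not a documented ComboFix spec.
SERVICE_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4])\s+'
    r'(?P<name>[^;]+);(?P<display>[^;]*);'
    r'(?P<path>.+?)\s+\[(?P<stamp>[^\]]+)\s+(?P<size>\d+)\]$'
)
START_TYPES = {'0': 'boot', '1': 'system', '2': 'auto', '3': 'manual', '4': 'disabled'}
HEX_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<body>.*)$')
HEX_CONT_RE = re.compile(r'^(?:[0-9a-fA-F]{2},?)+$')


def parse_services(log_text):
    """Return one dict per service/driver line, splitting svchost host groups out."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        path = m['path']
        host = re.search(r'\s-k\s+(\S+)$', path)   # "svchost.exe -k <group>"
        services.append({
            'name': m['name'],
            'display': m['display'],
            'binary': path[:host.start()] if host else path,
            'group': host.group(1) if host else None,
            'state': 'running' if m['state'] == 'R' else 'stopped',
            'start_type': START_TYPES[m['start']],
            'stamp': m['stamp'],
            'size': int(m['size']),
        })
    return services


def _tokens(text):
    return {t for t in re.findall(r'[a-z0-9]+', text.lower()) if len(t) >= 3}


def names_match_binary(svc):
    """Heuristic of this example (not a ComboFix rule): does the service name or
    display name share a word with its binary's file name, or with the svchost
    group it runs in?  A 'no' is a prompt to look at the entry by hand, not a verdict."""
    target = svc['group'] or svc['binary'].rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    return bool(_tokens(target) & (_tokens(svc['name']) | _tokens(svc['display'])))


def decode_reg_binary(body):
    """Turn the comma-separated hex of a REG_BINARY value into bytes and, when the
    bytes are a NUL-terminated printable ASCII string, that string (else None)."""
    raw = bytes(int(h, 16) for h in re.findall(r'[0-9a-fA-F]{2}', body))
    try:
        text = raw.rstrip(b'\x00').decode('ascii')
    except UnicodeDecodeError:
        return raw, None
    return raw, text if text.isprintable() else None


def parse_hex_values(log_text):
    """Collect '"name"=hex:...' values, re-joining lines the log wrapped."""
    bodies, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        m = HEX_VALUE_RE.match(line)
        if m:
            current = m['name']
            bodies[current] = m['body']
        elif current and HEX_CONT_RE.match(line):
            bodies[current] += line          # wrapped continuation line
        else:
            current = None
    return {name: decode_reg_binary(body) for name, body in bodies.items()}


if __name__ == '__main__':
    for svc in parse_services(SAMPLE_LOG):
        flag = '' if names_match_binary(svc) else '  <- name does not match binary, check by hand'
        print(f"{svc['state']:8}{svc['start_type']:9}{svc['name']:20} {svc['binary']}{flag}")
    for name, (raw, text) in parse_hex_values(SAMPLE_LOG).items():
        print(f'{name}: {len(raw)} bytes -> {text!r}')
```

    Run against the full log, the decoder shows that the three values under LOCKED REGISTRY KEYS are plain NUL-terminated ASCII: the first two carry the identical string kacmfmgffbiimleakmjnnb and the third carries iaomjkeadhcldlcekc. The service heuristic singles out Avdieaacwch, whose name and display name share nothing with the rdpdr.sys file it points at; that is what the helper's later request to scan specific files is about, and the script only makes the entry easy to find, it does not decide anything.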


  10. #10
    Senior Member
    Join Date
    Aug 2010
    Location
    Near Atlanta, GA
    Posts
    189


    Greetings Lorelei,
    I am glad to hear that your PC is acting better. Before we finish up we need to do a couple more things.

    Please go to one of the sites below to scan the following files:
    jotti.org
    Virus Total

    Click on Browse, and upload the following files for analysis:

    c:\docume~1\alluse~1\applic~1\fB31002DoMfE31002\fB31002DoMfE31002
    c:\docume~1\alluse~1\applic~1\lH31002MdBlM31002\lH31002MdBlM31002

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.
    If it says already scanned, click "reanalyze now".
    Please post the results in your next reply.
