PDA

View Full Version : Click.GiftLoad Removal Help!



alison210
2011-03-18, 22:58
Hello :)

I know I'm new to the forum but please help! Recently i keep getting redirected when i search things on google, get fake virus reports, and my sound suddenly stops working. In general my computer is a lot slower and i have to remove the Click.GiftLoad on spybot everyday to get my computer to run normally (but it won't stop appearing!) In my task manager there are also multiple svchost.exe processes running. I have run system restore a couple of times but it hasn't done anything. Please help

Thanks,
Alison

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Alison at 16:33:34.20 on Fri 03/18/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.92 [GMT -4:00]
.
FW: McAfee Personal Firewall Plus *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\America Online 9.0\aoltray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Alison\My Documents\Downloads\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DS
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application

data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\alison\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\alison\applic~1\mozilla\firefox\profiles\qvtibfxe.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-

us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - youtube.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-

us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010&query=
FF - plugin: c:\documents and settings\alison\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\j2re1.4.2_03\bin\NPJPI142_03.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application

data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: AOL Messaging Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-8-16 83325]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2005-8-16 122880]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-12-13 1373480]
R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-8-16 225375]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-8-16 23296]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-8-16 249856]
.
=============== Created Last 30 ================
.
2011-03-18 20:26:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-18 20:26:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-18 20:26:53 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-18 20:17:35 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-03-18 20:17:34 -------- d-----w- c:\program files\SpywareBlaster
2011-03-18 20:00:10 -------- d-----w- c:\docume~1\alison\locals~1\applic~1\AIM Toolbar
2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD80 rev.09.0 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81C45439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x81c4b7d0]; MOV EAX, [0x81c4b84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX,

[ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF0BC] -> \Device\Harddisk0\DR0[0x82570AB8]
3 CLASSPNP[0xF86A805B] -> ntkrnlpa!IofCallDriver[0x804EF0BC] -> [0x81BC2030]
\Driver\iastor[0x81C623D0] -> IRP_MJ_CREATE -> 0x81C45439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c;

RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

device not found
detected hooks:
user != kernel MBR !!!
sectors 156249998 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 16:35:54.80 ===============

Blottedisk
2011-03-19, 02:35
Hi alison210,


Welcome to Safer Networking. My name is Blottedisk and I will be helping you with your malware issues.


Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Thread Tools box to the top right of your topic title and then choosing Suscribe to this Thread (then choose Instant Notification by email). If the button says Unsuscribe from this Thread, then you are already subscribed.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then the thread will be locked due to inactivity. However, if you will be away, let us know and we will be sure to keep the thread open.


Please follow these steps in order:


Step 1 | Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".
Click the Scan button to start scan.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

Step 2 | Please download GMER from one of the following locations and save it to your desktop:

Main Mirror (http://gmer.net/download.php ) - This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip ) - This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

--------------------------------------------------------------------


Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/index.php?showtopic=96260 ) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.


Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif


GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Make sure all options are checked except:

IAT/EAT
Drives/Partition other than Systemdrive, which is typically C:\
Show All (This is important, so do not miss it.)

http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_th.gif (http://i582.photobucket.com/albums/ss269/Cat_Byte/GMER/gmer_screen2-1.gif )
Click the image to enlarge it

Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode (http://www.computerhope.com/issues/chsafe.htm ).


Step 3 | Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe ) to your desktop.
Be sure to disable your security programs
Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
A window will open on your desktop
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
If nothing unusual is found just press Enter A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

alison210
2011-03-19, 03:37
Thank you for replying so quickly :D
Here is what you requested:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-18 20:38:49
-----------------------------
20:38:49.158 OS Version: Windows 5.1.2600 Service Pack 2
20:38:49.158 Number of processors: 2 586 0x407
20:38:49.174 ComputerName: D164L581 UserName: Alison
20:38:52.815 Initialize success
20:39:05.643 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
20:39:05.643 Disk 0 Vendor: WDC_WD80 09.0 Size: 76293MB BusType: 3
20:39:05.643 Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
20:39:05.674 Disk 0 MBR read successfully
20:39:05.674 Disk 0 MBR scan
20:39:05.674 Disk 0 TDL4@MBR code has been found
20:39:05.674 Disk 0 MBR hidden
20:39:05.690 Disk 0 MBR [TDL4] **ROOTKIT**
20:39:05.690 Disk 0 trace - called modules:
20:39:05.705 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81c49439]<<
20:39:05.705 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82587030]
20:39:05.705 3 CLASSPNP.SYS[f86a805b] -> nt!IofCallDriver -> [0x81bc3030]
20:39:05.721 \Driver\iastor[0x81c46f38] -> IRP_MJ_CREATE -> 0x81c49439
20:39:05.721 Scan finished successfully


GMER 1.0.15.15565 - http://www.gmer.net
Rootkit scan 2011-03-18 21:11:53
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\iaStor0 WDC_WD80 rev.09.0
Running: zrh9kkod.exe; Driver: C:\DOCUME~1\Alison\LOCALS~1\Temp\pfdyapob.sys


---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\Alison\LOCALS~1\Temp\aswMBR.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\stsystra.exe[140] WS2_32.dll!connect 71AB406A 5 Bytes JMP 00FF5C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe[148] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01775C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\program files\real\realplayer\update\realsched.exe[164] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\program files\real\realplayer\update\realsched.exe[164] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\Program Files\Dell Support\DSAgnt.exe[240] ws2_32.dll!connect 71AB406A 5 Bytes JMP 011E5C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe[248] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\WINDOWS\system32\ctfmon.exe[304] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\Program Files\America Online 9.0\aoltray.exe[408] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1764] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BB000C
.text C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe[1976] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01205C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\WINDOWS\system32\Rundll32.exe[1984] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe[2000] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[2016] WS2_32.dll!connect 71AB406A 5 Bytes JMP 10005C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text C:\PROGRA~1\mcafee.com\agent\mcagent.exe[2032] WS2_32.dll!connect 71AB406A 5 Bytes JMP 01565C5B c:\progra~1\mcafee.com\vso\McVSSkt.dll (McAfee VirusScan Winsock Helper DLL/Networks Associates Technology, Inc)
.text ...
.text C:\WINDOWS\System32\svchost.exe[3624] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B8000A
.text C:\WINDOWS\System32\svchost.exe[3624] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B9000A
.text C:\WINDOWS\System32\svchost.exe[3624] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!GetForegroundWindow 77D4C4AE 5 Bytes JMP 015A000A
.text C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!GetCursorPos 77D4C566 5 Bytes JMP 0158000A
.text C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!WindowFromPoint 77D4C57E 5 Bytes JMP 0159000A
.text C:\WINDOWS\System32\svchost.exe[3624] ole32.dll!CoCreateInstance 77526009 5 Bytes JMP 00C9000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3756] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4028] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs NaiFiltr.sys
AttachedDevice \Driver\Tcpip \Device\Ip MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
AttachedDevice \Driver\Tcpip \Device\Ip ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
AttachedDevice \Driver\Tcpip \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
AttachedDevice \Driver\Tcpip \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp MpFirewall.sys (McAfee Personal Firewall Plus 5.0/McAfee Security)
AttachedDevice \Driver\Tcpip \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat NaiFiltr.sys

Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 113):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E2000 \WINDOWS\system32\hal.dll
0x81C08000 \WINDOWS\system32\KDCOM.DLL
0xF8A7B000 \WINDOWS\system32\BOOTVID.dll
0xF8538000 ACPI.sys
0xF8B67000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF8527000 pci.sys
0xF8667000 isapnp.sys
0xF8C2F000 pciide.sys
0xF88E7000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8677000 MountMgr.sys
0xF8508000 ftdisk.sys
0xF88EF000 PartMgr.sys
0xF8687000 VolSnap.sys
0xF84F0000 atapi.sys
0xF841B000 iastor.sys
0xF8697000 disk.sys
0xF86A7000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF83FC000 fltMgr.sys
0xF83EA000 sr.sys
0xF83D3000 KSecDD.sys
0xF8346000 Ntfs.sys
0xF8319000 NDIS.sys
0xF82FE000 Mup.sys
0xF8747000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF78F6000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF78E2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF78BC000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF8967000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7899000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF896F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7873000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF8757000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8767000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF7850000 \SystemRoot\system32\DRIVERS\ks.sys
0xF8977000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF8BA7000 \SystemRoot\system32\DRIVERS\wacomvhid.sys
0xF8777000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF897F000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF8BA9000 \SystemRoot\system32\DRIVERS\WacomVKHid.sys
0xF8CCA000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF8787000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7DF8000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7839000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF8797000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF87A7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF8987000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7828000 \SystemRoot\system32\DRIVERS\psched.sys
0xF87B7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF898F000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF8997000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF899F000 \SystemRoot\system32\DRIVERS\wanatw4.sys
0xF87C7000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF89A7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF89AF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8BAB000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF77F4000 \SystemRoot\system32\DRIVERS\update.sys
0xF7DEC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF89B7000 \SystemRoot\system32\DRIVERS\omci.sys
0xF7DE8000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF89BF000 \SystemRoot\system32\DRIVERS\wacommousefilter.sys
0xF7DE4000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF87D7000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEF239000 \SystemRoot\system32\drivers\sthda.sys
0xEF217000 \SystemRoot\system32\drivers\portcls.sys
0xF7A4B000 \SystemRoot\system32\drivers\drmk.sys
0xF7A3B000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8BB5000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF8C0B000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF8C0D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xEC532000 \SystemRoot\System32\Drivers\Null.SYS
0xF8C0F000 \SystemRoot\System32\Drivers\Beep.SYS
0xED120000 \SystemRoot\System32\drivers\vga.sys
0xF8C11000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8C13000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xED118000 \SystemRoot\System32\Drivers\Msfs.SYS
0xED110000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEEBF0000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xBA71D000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xBA6C5000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xBA6B1000 \SystemRoot\System32\Drivers\MpFirewall.sys
0xBA690000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xECE38000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA668000 \SystemRoot\system32\DRIVERS\netbt.sys
0xBA646000 \SystemRoot\System32\drivers\afd.sys
0xECE28000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA61B000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBA5AC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xECA9F000 \SystemRoot\System32\Drivers\Fips.SYS
0xF8B5F000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF88B7000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB889C000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xEC928000 \SystemRoot\System32\drivers\Dxapi.sys
0xF8A47000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8CDD000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF04E000 \SystemRoot\System32\ati2cqag.dll
0xBF080000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2E6000 \SystemRoot\System32\ativvaxx.dll
0xB777F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB4C05000 \SystemRoot\system32\drivers\wdmaud.sys
0xEBDFF000 \SystemRoot\system32\drivers\sysaudio.sys
0xB4A00000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB3C31000 \SystemRoot\system32\DRIVERS\srv.sys
0xB35D8000 \SystemRoot\System32\Drivers\HTTP.sys
0xB3709000 \SystemRoot\System32\DRIVERS\ipfltdrv.sys
0xF891F000 \SystemRoot\system32\DRIVERS\NaiFiltr.sys
0xB3480000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB3366000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 53):
0 System Idle Process
4 System
572 C:\WINDOWS\system32\smss.exe
620 csrss.exe
644 C:\WINDOWS\system32\winlogon.exe
692 C:\WINDOWS\system32\services.exe
704 C:\WINDOWS\system32\lsass.exe
868 C:\WINDOWS\system32\ati2evxx.exe
908 C:\WINDOWS\system32\svchost.exe
1000 svchost.exe
1116 C:\WINDOWS\system32\svchost.exe
1232 svchost.exe
1388 svchost.exe
1536 C:\WINDOWS\system32\spoolsv.exe
1760 C:\WINDOWS\explorer.exe
1868 svchost.exe
1924 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1956 C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
1972 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
1988 C:\WINDOWS\system32\rundll32.exe
2004 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
2032 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
140 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
160 C:\WINDOWS\stsystra.exe
176 C:\PROGRA~1\McAfee.com\VSO\mcvsshld.exe
196 C:\Program Files\real\realplayer\Update\realsched.exe
248 C:\Program Files\iTunes\iTunesHelper.exe
256 C:\Program Files\Dell Support\DSAgnt.exe
264 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
276 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
372 C:\WINDOWS\system32\ctfmon.exe
384 C:\Program Files\America Online 9.0\aoltray.exe
496 C:\PROGRA~1\McAfee.com\VSO\McVSEscn.exe
1604 C:\Program Files\Bonjour\mDNSResponder.exe
2000 C:\WINDOWS\system32\CTSVCCDA.EXE
2076 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
2148 C:\Program Files\Java\jre6\bin\jqs.exe
2264 C:\PROGRA~1\McAfee.com\VSO\mcvsrte.exe
2368 C:\WINDOWS\system32\HPZipm12.exe
2408 C:\WINDOWS\system32\svchost.exe
2524 C:\WINDOWS\system32\Pen_Tablet.exe
2556 wdfmgr.exe
2616 C:\WINDOWS\system32\MsPMSPSv.exe
2676 C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
2708 C:\WINDOWS\system32\Pen_Tablet.exe
2940 C:\WINDOWS\system32\wuauclt.exe
3256 C:\Program Files\iPod\bin\iPodService.exe
3496 C:\PROGRA~1\McAfee.com\VSO\McShield.exe
3544 C:\WINDOWS\system32\wscntfy.exe
3920 alg.exe
1216 C:\Program Files\Mozilla Firefox\firefox.exe
3756 C:\WINDOWS\system32\wuauclt.exe
1088 C:\Documents and Settings\Alison\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800JD-75LSA0, Rev: 09.01D09

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: E66C176942DF42CCFE7A0113EAFF39E82F8B0047


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

Blottedisk
2011-03-19, 20:03
Hi Alison,


Please follow these steps in order:


Step 1 | Please double click the aswMBR icon to run it.
Vista and Windows 7 users right click the icon and choose "Run as administrator".

Click the Scan button to start scan.
When scan finishes, press the Fix Button. Once the Fix is done, press the Save Log button and save the log to your desktop. You need to reboot your computer when its done before you do anything else, then post the log that will be on your desktop.

http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix-1.png (http://i1190.photobucket.com/albums/z454/Blottedisk/aswMBRfix.png)
Click the image to enlarge it


Step 2 | Please run DDS and post a new log.

alison210
2011-03-20, 02:11
Hi blottedisk :D

Thanks again for being so speedy. I don't know if you need the attachment so I didn't attach it. Any how here are the logs:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-03-19 19:56:00
-----------------------------
19:56:00.202 OS Version: Windows 5.1.2600 Service Pack 2
19:56:00.202 Number of processors: 2 586 0x407
19:56:00.202 ComputerName: D164L581 UserName: Alison
19:56:03.015 Initialize success
19:56:20.936 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\iaStor0
19:56:20.952 Disk 0 Vendor: WDC_WD80 09.0 Size: 76293MB BusType: 3
19:56:20.952 Device \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskWDC_WD800JD-75LSA0______________________09.01D09#4&a820f75&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} not found
19:56:20.952 Disk 0 MBR read successfully
19:56:20.952 Disk 0 MBR scan
19:56:20.968 Disk 0 TDL4@MBR code has been found
19:56:20.968 Disk 0 MBR hidden
19:56:20.968 Disk 0 MBR [TDL4] **ROOTKIT**
19:56:20.983 Disk 0 trace - called modules:
19:56:20.983 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x81c51439]<<
19:56:20.999 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82575030]
19:56:20.999 3 CLASSPNP.SYS[f86a805b] -> nt!IofCallDriver -> [0x825d91d8]
19:56:20.999 \Driver\iastor[0x82574598] -> IRP_MJ_CREATE -> 0x81c51439
19:56:21.015 Scan finished successfully
19:56:31.858 Disk 0 fixing MBR
19:56:41.890 Disk 0 MBR restored successfully
19:56:41.890 Infection fixed successfully - please reboot ASAP

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Alison at 20:04:20.14 on Sat 03/19/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.118 [GMT -4:00]
.
FW: McAfee Personal Firewall Plus *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\program files\real\realplayer\update\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Alison\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uSearch Bar = hxxp://bfc.myway.com/search/de_srchlft.html?p=DS
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Google Update] "c:\documents and settings\alison\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CTSysVol] c:\program files\creative\sound blaster live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [VSOCheckTask] "c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\mcagent.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [VirusScan Online] c:\progra~1\mcafee.com\vso\mcvsshld.exe
mRun: [MPFExe] c:\progra~1\mcafee.com\person~1\MpfTray.exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\alison\applic~1\mozilla\firefox\profiles\qvtibfxe.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - youtube.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=20101222043212296&tb_oid=22-12-2010&tb_mrud=22-12-2010&query=
FF - component: c:\documents and settings\alison\application data\mozilla\firefox\profiles\qvtibfxe.default\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}\components\MailUtil.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\documents and settings\alison\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\Ext
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: AOL Messaging Toolbar: {c2f863cd-0429-48c7-bb54-db756a951760} - %profile%\extensions\{c2f863cd-0429-48c7-bb54-db756a951760}
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false
FF - user.js: browser.sessionstore.resume_from_crash - false
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
============= SERVICES / DRIVERS ===============
.
R1 MPFIREWL;MPFIREWL;c:\windows\system32\drivers\MpFirewall.sys [2005-8-16 83325]
R2 MCVSRte;McAfee.com VirusScan Online Realtime Engine;c:\progra~1\mcafee.com\vso\mcvsrte.exe [2005-8-16 122880]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-12-13 1373480]
R3 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2005-8-16 225375]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2005-8-16 23296]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-8-16 249856]
.
=============== Created Last 30 ================
.
2011-03-18 20:26:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-18 20:26:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-03-18 20:26:53 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-03-18 20:17:35 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2011-03-18 20:17:34 -------- d-----w- c:\program files\SpywareBlaster
2011-03-18 20:00:10 -------- d-----w- c:\docume~1\alison\locals~1\applic~1\AIM Toolbar
2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-03-18 19:26:23 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
.
============= FINISH: 20:05:28.53 ===============

Blottedisk
2011-03-20, 04:27
Hi Alice :)


Please visit the following and have a look how you can disable your security software (Spybot's S&D Teatimer and McAfee).

How to disable your security programs (http://forums.whatthetech.com/index.php?showtopic=96260 )

After disabling your security programs, download Combofix from any of the links below and save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe )
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe )

--------------------------------------------------------------------

Double click on Combofix.exe & follow the prompts.
When finished, it will produce a report for you.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix )

alison210
2011-03-20, 08:16
Hello Blottedisk

I don't know if I did something wrong but ComboFix won't run properly for me. The first time I ran it:
1. Security Warning popped up and I clicked "Run"
2. The screen where is says "ComboFix is preparing to run" did not come up.
3. Instead it went directly to the Disclaimer where i clicked "Yes"
4. Afterwards the blue screen comes up but there is just an "_" dissapearing and reappearing.

I have tried leaving the screen there for over 30 minutes but nothing happens and I can't close the screen either. I have also tried downloading from the other link and running it but I had the same results. I don't know what to do!

Perplexed,
Alison

Blottedisk
2011-03-21, 16:56
Hi Alison,


Don't worry about Combofix for now. Before we continue with this, one word of caution. Unfortunately your computer appears to have been infected by a backdoor infection. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:


Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other
site you use.
Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
Consider what other private information could possibly have been taken from your computer and take appropriate steps


This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the
system partition and reinstalling Windows as this is the only 100% sure answer.You should not be following fixes in another threads as those fixes are specifically for those computers.

Please read these for more information:

How Do I Handle Possible
Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451 )

When Should I Format, How
Should I Reinstall? (http://www.dslreports.com/faq/10063 )


Should you have any questions, please feel free to ask. Please let me know what you have decided to do in your next post. If you decide you want to try and clean your PC then please continue with the following instructions:


Please download TDSSKiller from one of the following mirrors and save it in your desktop:

This is THE Mirror (http://support.kaspersky.com/downloads/utils/tdsskiller.zip )

Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png


If a suspicious file is detected, the default action will be Skip, click on Continue.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious-1.png


It may ask you to reboot the computer to complete the process. Click on Reboot Now.


http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png


If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "[TDSSKiller.Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

alison210
2011-03-21, 22:05
Hi blottedisk,

I didn't expect to have a backdoor infection :sad: but I'm not too worried about my information getting stolen (I don't use this computer for much besides gaming/watching videos/writing papers.) Unfortunately (!!!!) I used my mom's credit card yesterday to register for an SAT II and I'm not sure if I should get her to take action on securing her account because I didn't actually log into her bank account. (I typed in her card # though...) What do you suggest?

Thank you for the warning but I think I'll continue cleaning my PC.
Here's the log

2011/03/21 16:00:50.0562 3120 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/21 16:00:52.0562 3120 ================================================================================
2011/03/21 16:00:52.0562 3120 SystemInfo:
2011/03/21 16:00:52.0562 3120
2011/03/21 16:00:52.0562 3120 OS Version: 5.1.2600 ServicePack: 2.0
2011/03/21 16:00:52.0562 3120 Product type: Workstation
2011/03/21 16:00:52.0562 3120 ComputerName: D164L581
2011/03/21 16:00:52.0562 3120 UserName: Alison
2011/03/21 16:00:52.0562 3120 Windows directory: C:\WINDOWS
2011/03/21 16:00:52.0562 3120 System windows directory: C:\WINDOWS
2011/03/21 16:00:52.0562 3120 Processor architecture: Intel x86
2011/03/21 16:00:52.0562 3120 Number of processors: 2
2011/03/21 16:00:52.0562 3120 Page size: 0x1000
2011/03/21 16:00:52.0562 3120 Boot type: Normal boot
2011/03/21 16:00:52.0562 3120 ================================================================================
2011/03/21 16:00:54.0234 3120 Initialize success
2011/03/21 16:01:09.0078 3204 ================================================================================
2011/03/21 16:01:09.0078 3204 Scan started
2011/03/21 16:01:09.0078 3204 Mode: Manual;
2011/03/21 16:01:09.0078 3204 ================================================================================
2011/03/21 16:01:10.0312 3204 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/03/21 16:01:10.0375 3204 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/21 16:01:10.0453 3204 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/21 16:01:10.0531 3204 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/03/21 16:01:10.0593 3204 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/03/21 16:01:10.0671 3204 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2011/03/21 16:01:10.0718 3204 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/03/21 16:01:10.0828 3204 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/03/21 16:01:10.0875 3204 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/03/21 16:01:10.0937 3204 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/03/21 16:01:11.0031 3204 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/03/21 16:01:11.0078 3204 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/03/21 16:01:11.0140 3204 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/03/21 16:01:11.0187 3204 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/03/21 16:01:11.0203 3204 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/03/21 16:01:11.0250 3204 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/03/21 16:01:11.0265 3204 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/03/21 16:01:11.0296 3204 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/03/21 16:01:11.0328 3204 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/21 16:01:11.0343 3204 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/21 16:01:11.0437 3204 ati2mtag (b8142104502f794689c1c0bcbfb53b98) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/03/21 16:01:11.0656 3204 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/21 16:01:11.0718 3204 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/21 16:01:11.0781 3204 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/21 16:01:11.0828 3204 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/03/21 16:01:11.0859 3204 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/21 16:01:11.0921 3204 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/03/21 16:01:12.0000 3204 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/21 16:01:12.0046 3204 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/21 16:01:12.0125 3204 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/21 16:01:12.0234 3204 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/03/21 16:01:12.0328 3204 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/03/21 16:01:12.0390 3204 ctsfm2k (b459ae4afca570088adddbe55eabbc92) C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
2011/03/21 16:01:12.0437 3204 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/03/21 16:01:12.0468 3204 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/03/21 16:01:12.0531 3204 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/21 16:01:12.0593 3204 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/21 16:01:12.0687 3204 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/21 16:01:12.0718 3204 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/21 16:01:12.0796 3204 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/21 16:01:12.0843 3204 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/03/21 16:01:12.0906 3204 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/21 16:01:12.0953 3204 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/03/21 16:01:13.0218 3204 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/21 16:01:13.0296 3204 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/21 16:01:13.0343 3204 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/21 16:01:13.0421 3204 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/21 16:01:13.0484 3204 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/03/21 16:01:13.0500 3204 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/21 16:01:13.0546 3204 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/21 16:01:13.0609 3204 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/03/21 16:01:13.0640 3204 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/21 16:01:13.0718 3204 HDAudBus (e31363d186b3e1d7c4e9117884a6aee5) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/21 16:01:13.0781 3204 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/21 16:01:13.0828 3204 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/03/21 16:01:13.0875 3204 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/03/21 16:01:13.0906 3204 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/03/21 16:01:14.0000 3204 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/03/21 16:01:14.0078 3204 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/21 16:01:14.0218 3204 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/03/21 16:01:14.0343 3204 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/03/21 16:01:14.0375 3204 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/21 16:01:14.0453 3204 iastor (d593517879e65167df35f6015814ac59) C:\WINDOWS\system32\drivers\iastor.sys
2011/03/21 16:01:14.0531 3204 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/21 16:01:14.0640 3204 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/03/21 16:01:14.0734 3204 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/21 16:01:14.0781 3204 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/21 16:01:14.0843 3204 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/03/21 16:01:14.0906 3204 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/21 16:01:14.0984 3204 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/21 16:01:15.0031 3204 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/21 16:01:15.0109 3204 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/21 16:01:15.0203 3204 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/21 16:01:15.0250 3204 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/21 16:01:15.0312 3204 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/21 16:01:15.0390 3204 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/21 16:01:15.0421 3204 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/21 16:01:15.0468 3204 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/21 16:01:15.0609 3204 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/21 16:01:15.0656 3204 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/21 16:01:15.0703 3204 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/21 16:01:15.0750 3204 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/21 16:01:15.0781 3204 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/21 16:01:15.0859 3204 MPFIREWL (8867e5937ecae0782bdba20c8a6ad586) C:\WINDOWS\system32\Drivers\MpFirewall.sys
2011/03/21 16:01:15.0921 3204 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/03/21 16:01:16.0000 3204 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/21 16:01:16.0078 3204 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/21 16:01:16.0187 3204 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/21 16:01:16.0234 3204 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/21 16:01:16.0312 3204 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/21 16:01:16.0359 3204 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/21 16:01:16.0390 3204 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/21 16:01:16.0421 3204 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/21 16:01:16.0468 3204 NaiFiltr (102de6d24087fb53ad47ca059a32fb66) C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
2011/03/21 16:01:16.0515 3204 NAL (9121d8ffff773c66bbf4955e4f7aac23) C:\WINDOWS\system32\Drivers\iqvw32.sys
2011/03/21 16:01:16.0562 3204 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/21 16:01:16.0609 3204 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/21 16:01:16.0671 3204 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/21 16:01:16.0703 3204 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/21 16:01:16.0734 3204 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/21 16:01:16.0750 3204 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/21 16:01:16.0843 3204 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/21 16:01:16.0906 3204 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/21 16:01:17.0031 3204 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/21 16:01:17.0078 3204 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/21 16:01:17.0187 3204 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/03/21 16:01:17.0328 3204 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/21 16:01:17.0390 3204 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/21 16:01:17.0468 3204 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
2011/03/21 16:01:17.0546 3204 ossrv (c720c25b2d0c93dc425155f5b6a707f3) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
2011/03/21 16:01:17.0593 3204 P17 (3a7290f2c423b80ba95becae015b9b1b) C:\WINDOWS\system32\drivers\P17.sys
2011/03/21 16:01:17.0671 3204 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/21 16:01:17.0703 3204 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/21 16:01:17.0781 3204 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/21 16:01:17.0843 3204 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/21 16:01:17.0921 3204 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/21 16:01:18.0031 3204 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/21 16:01:18.0171 3204 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/03/21 16:01:18.0203 3204 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/03/21 16:01:18.0312 3204 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/21 16:01:18.0375 3204 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/21 16:01:18.0406 3204 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/21 16:01:18.0437 3204 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/03/21 16:01:18.0484 3204 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/03/21 16:01:18.0531 3204 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/03/21 16:01:18.0578 3204 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/03/21 16:01:18.0609 3204 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/03/21 16:01:18.0656 3204 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/21 16:01:18.0703 3204 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/21 16:01:18.0750 3204 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/21 16:01:18.0765 3204 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/21 16:01:18.0843 3204 Rdbss (809ca45caa9072b3176ad44579d7f688) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/21 16:01:18.0937 3204 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/21 16:01:19.0093 3204 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/03/21 16:01:19.0140 3204 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/21 16:01:19.0203 3204 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/21 16:01:19.0328 3204 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/21 16:01:19.0359 3204 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/21 16:01:19.0406 3204 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/21 16:01:19.0453 3204 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/21 16:01:19.0531 3204 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/03/21 16:01:19.0625 3204 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/03/21 16:01:19.0671 3204 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/21 16:01:19.0718 3204 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/21 16:01:19.0828 3204 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/21 16:01:19.0921 3204 STHDA (6b14c6e98f752ebbab24a4e0bd0f3a24) C:\WINDOWS\system32\drivers\sthda.sys
2011/03/21 16:01:20.0046 3204 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/21 16:01:20.0078 3204 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/21 16:01:20.0203 3204 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/03/21 16:01:20.0359 3204 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/03/21 16:01:20.0437 3204 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/03/21 16:01:20.0468 3204 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/03/21 16:01:20.0531 3204 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/21 16:01:20.0656 3204 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/21 16:01:20.0718 3204 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/21 16:01:20.0734 3204 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/21 16:01:20.0796 3204 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/21 16:01:20.0843 3204 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/03/21 16:01:20.0906 3204 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/21 16:01:21.0000 3204 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/03/21 16:01:21.0078 3204 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/21 16:01:21.0218 3204 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/03/21 16:01:21.0312 3204 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/21 16:01:21.0359 3204 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/21 16:01:21.0390 3204 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/21 16:01:21.0453 3204 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/21 16:01:21.0500 3204 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/21 16:01:21.0546 3204 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/21 16:01:21.0609 3204 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/21 16:01:21.0687 3204 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/03/21 16:01:21.0750 3204 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/03/21 16:01:21.0781 3204 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/03/21 16:01:21.0828 3204 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/21 16:01:21.0890 3204 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
2011/03/21 16:01:22.0015 3204 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
2011/03/21 16:01:22.0046 3204 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
2011/03/21 16:01:22.0078 3204 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/21 16:01:22.0171 3204 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/03/21 16:01:22.0265 3204 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/21 16:01:22.0453 3204 ================================================================================
2011/03/21 16:01:22.0453 3204 Scan finished
2011/03/21 16:01:22.0453 3204 ================================================================================

Blottedisk
2011-03-21, 23:41
Hi Alison,


Hopefully we took care of the backdoor infection with aswMBR the day before yesterday. However, when dealing with these types of infections we can't be 100% sure that the machine is clean; I would suggest you to have a look at the following thread and take the necessary actions:

http://www.dslreports.com/faq/10451


Ok, we continue with this steps:


Step 1 | Please download CCleaner (freeware) (http://www.majorgeeks.com/download4191.html )

Run the installer.
Once installed, run CCleaner click the Windows [tab]
The following should be selected by default, if not, please select:


http://i210.photobucket.com/albums/bb164/jedi_030/CCleanerA.png

Next: click Options (in the left panel) and click the Advanced button.
Uncheck: "Only delete files in Windows Temp folders older than 24 hours."
Go back to Cleaner (in the left panel) and click the Run Cleaner button (bottom right). Then exit CCleaner.

Step 2 | Please download Malwarebytes' Anti-Malware (http://www.malwarebytes.org/mbam.php ) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

Step 3 | Let's perform an ESET Online Scan

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here (http://www.bleepingcomputer.com/forums/topic114351.html ).


Please go here (http://www.eset.com/onlinescan/ ) then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS1.gif
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
Select the option YES, I accept the Terms of Use then click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS2.gif
When prompted allow the Add-On/Active X to install.
Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
Now click on Advanced Settings and select the following:

Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS3.gif
The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
When completed the Online Scan will begin automatically.
Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
When completed make sure you first copy the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.
Now click on: http://i280.photobucket.com/albums/kk173/Dakeyras_album2/EOLS4.gif (Selecting Uninstall application on close if you so wish)

alison210
2011-03-22, 02:52
Hello~ here are the logs~~

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6122

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

3/21/2011 6:14:03 PM
mbam-log-2011-03-21 (18-14-03).txt

Scan type: Quick scan
Objects scanned: 155477
Time elapsed: 19 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6425
# api_version=3.0.2
# EOSSerial=6c5afcf07857e84388d5b0bfe7404ad5
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-03-22 12:45:33
# local_time=2011-03-21 08:45:33 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=79408
# found=0
# cleaned=0
# scan_time=7299

Blottedisk
2011-03-22, 15:19
Congratulations Alison, the logs are clean. We have finished :)


Please follow this last set of instructions:


Step 1 | Delete ComboFix and Clean Up

The following will implement some cleanup procedures as well as reset System Restore points. Click Start > Run and copy/paste the following underlined text into the Run box and click OK:

ComboFix /Uninstall

Please advise if this step is missed for any reason as it performs some important actions.


Step 2 | Please download OTC by OldTimer (http://oldtimer.geekstogo.com/OTC.exe ) to your desktop and run it
Click Yes to beginning the Cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.


Step 3 | Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:


Download the latest version of Adobe Reader Version X (http://get.adobe.com/reader/?promoid=BUIGO). and save it to your desktop.
Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered.
Click the download button at the bottom.
If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
If you are unsure of how to use Add or Remove Programs, the please see this tutorial: How To Remove An Installed Program From Your Computer (http://www.bleepingcomputer.com/forums/topic42133.html)
Then from your desktop double-click on Adobe Reader to install the newest version.
If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the "Adobe Setup - Welcome" window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
Once the installation is finished, open Adobe Reader and accept the warranty if prompted.
Click on Help and select Check for Updates.
A window will open and Adobe will check for Updates. If any updates are found to be available click on Download.
Once the update is downloaded you will get a system notification telling you so. Click on the popup to restore the window.
In the window that opens click Install.
Once the update is done click Close.
Your Adobe Reader is updated now.


Last Step | Now, in order to avoid future infections, please take time to read the following articles:


Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html )
Preventing Malware - Tools and Practices for Safe Computing (http://forums.whatthetech.com/Preventing_Malware_Tools_Practices_Safe_Computing_t98700.html )
So how did I get infected in the first place? (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fwww.forums.security-central.us%2Fshowthread.php%3Ft%3D321 )
How to prevent malware (http://forums.whatthetech.com/redirect.php?url=http%3A%2F%2Fmiekiemoes.blogspot.com%2F2008%2F02%2Fhow-to-prevent-malware.html )
Read those articles and your potential for being infected again will reduce dramatically.

Thank you for your patience, and performing all of the procedures requested. I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed. http://forums.whatthetech.com/style_emoticons/default/thumbup.gif

alison210
2011-03-22, 22:27
Hi blottedisk!

:thanks: Thank you for everthing you've done! :thanks:
You've been such a great help and I don't know what I would have done without you. I will make sure to read all the articles and try not to be back too soon :)

Extremely Thankful,
Alison

Blottedisk
2011-03-22, 22:38
You are welcome :)


Best Regards,
Blottedisk.