PDA

View Full Version : JayBG needs help with malware removal



jaybg
2011-11-14, 18:12
Hi,

I'm new to the forum but have had a problem for a few months now. I believed it was just adware that would pop up a new IE window, which was annoying but not necessarily malicious. Recently, though my computer will crash whenever video is run (seems to crash all video except WMV files).

Some background:
- Computer is several years old running Windows XP Home with service pack updates
- we've been running AVAST! as our primary protection
- based on some other sites I've tried Malewarebytes' Anti-Malware and Advanced System Care for periodic scans and system optimization (including registry fixes, which I now see is not recommended by this site)

As directed by "before you post" thread, I have:
- run ERUNT and created a registry backup point for this morning
- run DDS with the DDS.txt file following and ATTACH.txt as an attachment

Please let me know what to do next .... THANKS !!!!!!!!!!!!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Run by ZZadmin at 10:41:03 on 2011-11-14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.393 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\IObit\Advanced SystemCare 4\ASCTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\xampp\mysql\bin\mysqld.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://file.net/process/_a.html
uInternet Connection Wizard,ShellNext = iexplore
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Advanced SystemCare 4] "c:\program files\iobit\advanced systemcare 4\ASCTray.exe"
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} - hxxps://mygmgw.gm.com/http://usabhma20.mail.gm.com/iNotes.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxps://mygmgw.gm.com/http://usabhembma10.mail.gm.com/iNotes6W.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/12838be1816f2a23e906/netzip/RdxIE601.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} - hxxp://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {983A9C21-8207-4B58-BBB8-0EBC3D7C5505} - hxxps://mygmgw.gm.com/http://usabhembma10.mail.gm.com/dwa8W.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-27-0.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{00D379ED-BD69-48C0-AC8D-9E38EFC56EEA} : NameServer = 192.168.1.1
Notify: Themes - c:\windows\system32\o6480ghue6480.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\zzadmin\application data\mozilla\firefox\profiles\u7mv6nbs.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-6-25 13496]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-13 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-6-25 320856]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-6-25 353168]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-25 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-10-24 44768]
R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2011-6-25 821080]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-10-14 86098]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]
S0 shzu;shzu;c:\windows\system32\drivers\mpfy.sys --> c:\windows\system32\drivers\mpfy.sys [?]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [2009-8-21 24636]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-24 136176]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2006-11-7 39424]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-24 136176]
S3 niemrkw;niemrkw;c:\windows\system32\drivers\niemrkw.sys --> c:\windows\system32\drivers\niemrkw.sys [?]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-9-2 50704]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [2005-9-29 131776]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2010-3-11 25088]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]
S3 usb6xxxkw;usb6xxxkw;c:\windows\system32\drivers\usb6xxxkw.sys --> c:\windows\system32\drivers\usb6xxxkw.sys [?]
S3 usb9162k;NI-USB 9162 Carrier Loader Driver;c:\windows\system32\drivers\usb9162k.sys --> c:\windows\system32\drivers\usb9162k.sys [?]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-10 47128]
S4 NiRioRpc;National Instruments RIO Server;c:\windows\system32\niriorpc.exe --> c:\windows\system32\NiRioRpc.exe [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-10 369688]
.
=============== Created Last 30 ================
.
2020-08-11 14:37:27 3991 ----a-w- c:\windows\system32\kbdcache.dll
.
==================== Find3M ====================
.
2011-11-06 19:03:58 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-06 20:45:29 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:38:05 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-08-31 22:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160021A rev.3.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86BEAEC5]<<
_asm { PUSH EBP; MOV EBP, ESP; SUB ESP, 0x1c; PUSH EBX; PUSH ESI; MOV DWORD [EBP-0x4], 0x85952872; SUB DWORD [EBP-0x4], 0x8595212e; PUSH EDI; CALL 0xffffffffffffdf33; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86FCCAB8]
3 CLASSPNP[0xF759005B] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000070[0x86EC59E8]
5 ACPI[0xF73CE620] -> nt!IofCallDriver[0x804E13B9] -> [0x86F25940]
[0x86DE6A78] -> IRP_MJ_CREATE -> 0x86BEAEC5
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskST3160021A______________________________3.04____#4a35325348354748202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86BEAAEA
\Driver\atapi -> 0x86fd71f8
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 10:48:28.20 ===============

Another symptom I forgot to mention was that Google searches get hijacked ... the search seems successful, but the links in the search results are all redirected to somewhere unintended by the user or Google.

Thanks once again and let me know the next steps, PLEASE!!

SpyBot S&D results:

CouponBar: [SBI $5E6E3641] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5BED3930-2E9E-76D8-BACC-80DF2188D455}

CouponBar: [SBI $5E6E3641] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5BED3930-2E9E-76D8-BACC-80DF2188D455}

CouponBar: [SBI $5E6E3641] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5BED3930-2E9E-76D8-BACC-80DF2188D455}

CouponBar: [SBI $5E6E3641] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1012\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5BED3930-2E9E-76D8-BACC-80DF2188D455}

CouponBar: [SBI $8222F1A1] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A}

CouponBar: [SBI $8222F1A1] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A}

CouponBar: [SBI $8222F1A1] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A}

CouponBar: [SBI $8222F1A1] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1012\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{62960D20-6D0D-1AB4-4BF1-95B0B5B8783A}

CouponBar: [SBI $0508B240] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1006\Software\TTB000001

CouponBar: [SBI $0508B240] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1011\Software\TTB000001

CouponBar: [SBI $0508B240] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1012\Software\TTB000001

SearchPixieBar: [SBI $B4D617E4] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1005\Software\BestToolbars\IEToolbar

Fraud.Sysguard: [SBI $3BC81493] Settings (Registry key, fixed)
HKEY_USERS\.DEFAULT\Software\wnxmal

Fraud.Sysguard: [SBI $3BC81493] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1005\Software\wnxmal

Fraud.Sysguard: [SBI $3BC81493] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-18\Software\wnxmal

Fraud.Sysguard: [SBI $1D5B98D0] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes

Fraud.Sysguard: [SBI $1D5B98D0] User settings (Registry value, fixing failed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes

SpyOnThis: [SBI $6CD506DA] Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{2A1E37A4-04F1-5535-0715-F2C7C83EB4EE}

SpyOnThis: [SBI $440C9E27] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses\{041B0275E8944912A}

SpyOnThis: [SBI $E281A2CC] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Licenses\{I41B0275E8944912A}

SpyOnThis: [SBI $2517715A] Program directory (Directory, fixed)
C:\Program Files\SpyOnThis\

Fraud.Codec.x3: [SBI $7DC4C6ED] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1005\Software\Microsoft\Internet Explorer\DOMStorage\grooveshark.com

Fraud.Codec.x3: [SBI $7DC4C6ED] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1006\Software\Microsoft\Internet Explorer\DOMStorage\grooveshark.com

Fraud.Codec.x3: [SBI $7DC4C6ED] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1012\Software\Microsoft\Internet Explorer\DOMStorage\grooveshark.com

Fraud.Codec.x3: [SBI $7DC4C6ED] User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1019\Software\Microsoft\Internet Explorer\DOMStorage\grooveshark.com

GameVance: [SBI $E776375B] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1007\Software\gvtl

GameVance: [SBI $E776375B] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1012\Software\gvtl

FastBrowserSearchToolbar: [SBI $0ECF0F00] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1005\Software\FBSearch

FastBrowserSearchToolbar: [SBI $0ECF0F00] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1006\Software\FBSearch

FastBrowserSearchToolbar: [SBI $0ECF0F00] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1007\Software\FBSearch

FastBrowserSearchToolbar: [SBI $0ECF0F00] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1011\Software\FBSearch

FastBrowserSearchToolbar: [SBI $0ECF0F00] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1012\Software\FBSearch

FastBrowserSearchToolbar: [SBI $278DF143] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1005\Software\TBSB07183

FastBrowserSearchToolbar: [SBI $278DF143] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1006\Software\TBSB07183

FastBrowserSearchToolbar: [SBI $278DF143] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1007\Software\TBSB07183

FastBrowserSearchToolbar: [SBI $278DF143] Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1011\Software\TBSB07183

Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, fixed)
HKEY_USERS\S-1-5-21-1094779051-1531272271-1340405700-1005\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe

DSSAgent: [SBI $BF58EA32] Global settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Broderbund software\dss

Smitfraud-C.MSVPS: [SBI $6FE8300C] Text file (File, fixed)
C:\WINDOWS\dat.txt
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E

Right Media: Tracking cookie (Internet Explorer: ZZadmin) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


BurstMedia: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: Guest (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


WebTrends live: Tracking cookie (Firefox: Kyle (default)) (Cookie, fixed)


Right Media: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Right Media: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Right Media: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Right Media: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Right Media: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Right Media: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


BlueStreak: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


BurstMedia: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


HitsLink: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


CoreMetrics: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


LinkSynergy: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


LinkSynergy: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


AdRevolver: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


WebTrends live: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


CoreMetrics: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Olivia (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: ZZadmin (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: ZZadmin (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: ZZadmin (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: ZZadmin (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: ZZadmin (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: ZZadmin (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: ZZadmin (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


MediaPlex: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Statcounter: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


Zedo: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


FastClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


BurstMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


CasaleMedia: Tracking cookie (Chrome: Chrome) (Cookie, fixed)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-11-14 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-08-29 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-10-04 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-09-27 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-10-31 Includes\Malware.sbi (*)
2011-11-08 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-10-11 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-10-18 Includes\Spyware.sbi (*)
2011-10-18 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-28 Includes\Trojans.sbi (*)
2011-11-09 Includes\TrojansC-02.sbi (*)
2011-11-09 Includes\TrojansC-03.sbi (*)
2011-10-28 Includes\TrojansC-04.sbi (*)
2011-11-03 Includes\TrojansC-05.sbi (*)
2011-11-09 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

ken545
2011-11-16, 02:04
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.


Your infected with a Rootkit



Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)







Then run DDS again and post a new log please

jaybg
2011-11-16, 08:05
FIRST, let me say THANKS a MILLION !! Your time and effort are greatly appreciated.

TDSSKiller.2.6.18.0_15.11.2011_23.42.07_log
----------------------------------------------

23:42:07.0968 4084 TDSS rootkit removing tool 2.6.18.0 Nov 11 2011 15:47:15
23:42:08.0468 4084 ============================================================
23:42:08.0468 4084 Current date / time: 2011/11/15 23:42:08.0468
23:42:08.0468 4084 SystemInfo:
23:42:08.0468 4084
23:42:08.0468 4084 OS Version: 5.1.2600 ServicePack: 2.0
23:42:08.0468 4084 Product type: Workstation
23:42:08.0468 4084 ComputerName: CINDIE
23:42:08.0468 4084 UserName: ZZadmin
23:42:08.0468 4084 Windows directory: C:\WINDOWS
23:42:08.0468 4084 System windows directory: C:\WINDOWS
23:42:08.0468 4084 Processor architecture: Intel x86
23:42:08.0468 4084 Number of processors: 2
23:42:08.0468 4084 Page size: 0x1000
23:42:08.0468 4084 Boot type: Normal boot
23:42:08.0484 4084 ============================================================
23:42:08.0484 4084 SetPrivileges failed!
23:42:10.0625 4084 Initialize success
23:42:29.0453 0720 ============================================================
23:42:29.0453 0720 Scan started
23:42:29.0453 0720 Mode: Manual;
23:42:29.0453 0720 ============================================================
23:42:29.0734 0720 Aavmker4 (95d1de2a6613494e853a9738d5d9acd4) C:\WINDOWS\system32\drivers\Aavmker4.sys
23:42:29.0734 0720 Aavmker4 - ok
23:42:29.0812 0720 Abiosdsk - ok
23:42:29.0875 0720 abp480n5 - ok
23:42:29.0968 0720 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:42:29.0984 0720 ACPI - ok
23:42:30.0093 0720 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:42:30.0093 0720 ACPIEC - ok
23:42:30.0140 0720 adpu160m - ok
23:42:30.0234 0720 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
23:42:30.0234 0720 aeaudio - ok
23:42:30.0328 0720 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
23:42:30.0328 0720 aec - ok
23:42:30.0453 0720 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
23:42:30.0453 0720 AFD - ok
23:42:30.0625 0720 AgereSoftModem (f1a97570ea402493bcc22246e8141ae6) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
23:42:30.0718 0720 AgereSoftModem - ok
23:42:30.0843 0720 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
23:42:30.0843 0720 agp440 - ok
23:42:30.0890 0720 Aha154x - ok
23:42:30.0953 0720 aic78u2 - ok
23:42:31.0031 0720 aic78xx - ok
23:42:31.0078 0720 AliIde - ok
23:42:31.0125 0720 amsint - ok
23:42:31.0218 0720 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
23:42:31.0218 0720 Arp1394 - ok
23:42:31.0250 0720 asc - ok
23:42:31.0296 0720 asc3350p - ok
23:42:31.0328 0720 asc3550 - ok
23:42:31.0421 0720 aswFsBlk (c47623ffd181a1e7d63574dde2a0a711) C:\WINDOWS\system32\drivers\aswFsBlk.sys
23:42:31.0421 0720 aswFsBlk - ok
23:42:31.0468 0720 aswMon2 (fff2dbb17a3c89f87f78d5fa72ca47fd) C:\WINDOWS\system32\drivers\aswMon2.sys
23:42:31.0484 0720 aswMon2 - ok
23:42:31.0562 0720 aswRdr (36239e24470a3dd81fae37510953cc6c) C:\WINDOWS\system32\drivers\aswRdr.sys
23:42:31.0562 0720 aswRdr - ok
23:42:31.0656 0720 aswSnx (caa846e9c83836bdc3d2d700c678db65) C:\WINDOWS\system32\drivers\aswSnx.sys
23:42:31.0718 0720 aswSnx - ok
23:42:31.0875 0720 aswSP (748ae7f2d7da33adb063fe05704a9969) C:\WINDOWS\system32\drivers\aswSP.sys
23:42:31.0890 0720 aswSP - ok
23:42:32.0000 0720 aswTdi (ca9925ce1dbd07ffe1eb357752cf5577) C:\WINDOWS\system32\drivers\aswTdi.sys
23:42:32.0015 0720 aswTdi - ok
23:42:32.0078 0720 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:42:32.0078 0720 AsyncMac - ok
23:42:32.0125 0720 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:42:32.0140 0720 atapi - ok
23:42:32.0171 0720 Atdisk - ok
23:42:32.0265 0720 ati2mtag (8a4bb7291606fba4eaafd7b5604255a4) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
23:42:32.0296 0720 ati2mtag - ok
23:42:32.0421 0720 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:42:32.0437 0720 Atmarpc - ok
23:42:32.0562 0720 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:42:32.0562 0720 audstub - ok
23:42:32.0687 0720 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:42:32.0687 0720 Beep - ok
23:42:32.0828 0720 Bridge (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
23:42:32.0843 0720 Bridge - ok
23:42:32.0859 0720 BridgeMP (e4e6a0922e3d983728c9ad4e8d466954) C:\WINDOWS\system32\DRIVERS\bridge.sys
23:42:32.0859 0720 BridgeMP - ok
23:42:32.0968 0720 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:42:32.0968 0720 cbidf2k - ok
23:42:33.0046 0720 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
23:42:33.0046 0720 CCDECODE - ok
23:42:33.0078 0720 cd20xrnt - ok
23:42:33.0171 0720 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:42:33.0171 0720 Cdaudio - ok
23:42:33.0234 0720 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
23:42:33.0234 0720 Cdfs - ok
23:42:33.0281 0720 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:42:33.0296 0720 Cdrom - ok
23:42:33.0328 0720 Changer - ok
23:42:33.0390 0720 CmdIde - ok
23:42:33.0453 0720 Cpqarray - ok
23:42:33.0531 0720 dac2w2k - ok
23:42:33.0593 0720 dac960nt - ok
23:42:33.0718 0720 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
23:42:33.0718 0720 Disk - ok
23:42:33.0843 0720 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
23:42:33.0875 0720 dmboot - ok
23:42:34.0000 0720 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
23:42:34.0000 0720 DMICall - ok
23:42:34.0078 0720 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
23:42:34.0078 0720 dmio - ok
23:42:34.0171 0720 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:42:34.0171 0720 dmload - ok
23:42:34.0250 0720 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
23:42:34.0250 0720 DMusic - ok
23:42:34.0312 0720 dpti2o - ok
23:42:34.0375 0720 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
23:42:34.0375 0720 drmkaud - ok
23:42:34.0515 0720 E100B (afee15c5b16317ebf17f79cc1843465a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
23:42:34.0515 0720 E100B - ok
23:42:34.0640 0720 FANTOM (e3b0cd18146f9d51a34969e9bc2458d2) C:\WINDOWS\system32\DRIVERS\fantom.sys
23:42:34.0640 0720 FANTOM - ok
23:42:34.0718 0720 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
23:42:34.0718 0720 Fastfat - ok
23:42:34.0890 0720 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:42:34.0890 0720 Fdc - ok
23:42:35.0125 0720 FileMonitor (f1fc45d2712d0aafee45a728fbe16062) C:\Program Files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys
23:42:35.0125 0720 FileMonitor - ok
23:42:35.0250 0720 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
23:42:35.0250 0720 Fips - ok
23:42:35.0312 0720 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:42:35.0312 0720 Flpydisk - ok
23:42:35.0406 0720 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
23:42:35.0406 0720 FltMgr - ok
23:42:35.0484 0720 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:42:35.0500 0720 Fs_Rec - ok
23:42:35.0578 0720 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:42:35.0593 0720 Ftdisk - ok
23:42:35.0687 0720 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
23:42:35.0703 0720 GEARAspiWDM - ok
23:42:35.0828 0720 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:42:35.0828 0720 Gpc - ok
23:42:35.0968 0720 hcmon (ac6586971883c28c1d9e77f921b6105f) C:\WINDOWS\system32\drivers\hcmon.sys
23:42:35.0968 0720 hcmon - ok
23:42:36.0062 0720 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:42:36.0062 0720 HidUsb - ok
23:42:36.0125 0720 hpn - ok
23:42:36.0203 0720 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
23:42:36.0218 0720 HPZid412 - ok
23:42:36.0296 0720 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
23:42:36.0296 0720 HPZipr12 - ok
23:42:36.0375 0720 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
23:42:36.0375 0720 HPZius12 - ok
23:42:36.0500 0720 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
23:42:36.0515 0720 HTTP - ok
23:42:36.0593 0720 i2omgmt - ok
23:42:36.0656 0720 i2omp - ok
23:42:36.0781 0720 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:42:36.0781 0720 i8042prt - ok
23:42:36.0875 0720 ialm (1406d6ef4436aee970efe13193123965) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
23:42:36.0890 0720 ialm - ok
23:42:36.0968 0720 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:42:36.0968 0720 Imapi - ok
23:42:37.0031 0720 ini910u - ok
23:42:37.0093 0720 IntelIde - ok
23:42:37.0171 0720 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:42:37.0171 0720 intelppm - ok
23:42:37.0250 0720 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
23:42:37.0250 0720 ip6fw - ok
23:42:37.0343 0720 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:42:37.0343 0720 IpFilterDriver - ok
23:42:37.0421 0720 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:42:37.0421 0720 IpInIp - ok
23:42:37.0468 0720 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:42:37.0484 0720 IpNat - ok
23:42:37.0609 0720 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:42:37.0609 0720 IPSec - ok
23:42:37.0656 0720 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:42:37.0656 0720 IRENUM - ok
23:42:37.0765 0720 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:42:37.0765 0720 isapnp - ok
23:42:37.0890 0720 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:42:37.0890 0720 Kbdclass - ok
23:42:37.0937 0720 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
23:42:37.0953 0720 kmixer - ok
23:42:38.0046 0720 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
23:42:38.0046 0720 KSecDD - ok
23:42:38.0109 0720 lbrtfdc - ok
23:42:38.0234 0720 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:42:38.0234 0720 mnmdd - ok
23:42:38.0328 0720 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
23:42:38.0328 0720 Modem - ok
23:42:38.0375 0720 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:42:38.0375 0720 Mouclass - ok
23:42:38.0453 0720 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:42:38.0468 0720 mouhid - ok
23:42:38.0578 0720 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
23:42:38.0578 0720 MountMgr - ok
23:42:38.0640 0720 mraid35x - ok
23:42:38.0734 0720 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:42:38.0734 0720 MRxDAV - ok
23:42:38.0890 0720 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:42:38.0921 0720 MRxSmb - ok
23:42:39.0046 0720 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
23:42:39.0062 0720 Msfs - ok
23:42:39.0109 0720 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:42:39.0109 0720 MSKSSRV - ok
23:42:39.0187 0720 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:42:39.0187 0720 MSPCLOCK - ok
23:42:39.0281 0720 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
23:42:39.0281 0720 MSPQM - ok
23:42:39.0359 0720 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:42:39.0359 0720 mssmbios - ok
23:42:39.0437 0720 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
23:42:39.0437 0720 MSTEE - ok
23:42:39.0500 0720 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
23:42:39.0500 0720 Mup - ok
23:42:39.0593 0720 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
23:42:39.0609 0720 NABTSFEC - ok
23:42:39.0718 0720 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
23:42:39.0718 0720 NDIS - ok
23:42:39.0843 0720 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
23:42:39.0843 0720 NdisIP - ok
23:42:39.0921 0720 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:42:39.0921 0720 NdisTapi - ok
23:42:40.0015 0720 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:42:40.0015 0720 Ndisuio - ok
23:42:40.0062 0720 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:42:40.0062 0720 NdisWan - ok
23:42:40.0156 0720 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
23:42:40.0156 0720 NDProxy - ok
23:42:40.0234 0720 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:42:40.0234 0720 NetBIOS - ok
23:42:40.0343 0720 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:42:40.0359 0720 NetBT - ok
23:42:40.0468 0720 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
23:42:40.0468 0720 NIC1394 - ok
23:42:40.0515 0720 niemrkw - ok
23:42:40.0656 0720 nm (60cf8c7192b3614f240838ddbaa4a245) C:\WINDOWS\system32\DRIVERS\NMnt.sys
23:42:40.0656 0720 nm - ok
23:42:40.0734 0720 NPF (b9730495e0cf674680121e34bd95a73b) C:\WINDOWS\system32\drivers\NPF.sys
23:42:40.0750 0720 NPF - ok
23:42:40.0859 0720 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
23:42:40.0859 0720 Npfs - ok
23:42:40.0921 0720 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
23:42:40.0937 0720 Ntfs - ok
23:42:41.0093 0720 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:42:41.0093 0720 Null - ok
23:42:41.0171 0720 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:42:41.0171 0720 NwlnkFlt - ok
23:42:41.0250 0720 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:42:41.0265 0720 NwlnkFwd - ok
23:42:41.0343 0720 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
23:42:41.0343 0720 ohci1394 - ok
23:42:41.0468 0720 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
23:42:41.0468 0720 Parport - ok
23:42:41.0609 0720 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
23:42:41.0609 0720 PartMgr - ok
23:42:41.0718 0720 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:42:41.0718 0720 ParVdm - ok
23:42:41.0796 0720 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
23:42:41.0812 0720 PCI - ok
23:42:41.0890 0720 PCIDump - ok
23:42:42.0015 0720 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:42:42.0015 0720 PCIIde - ok
23:42:42.0140 0720 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:42:42.0140 0720 Pcmcia - ok
23:42:42.0187 0720 PDCOMP - ok
23:42:42.0234 0720 PDFRAME - ok
23:42:42.0281 0720 PDRELI - ok
23:42:42.0312 0720 PDRFRAME - ok
23:42:42.0359 0720 perc2 - ok
23:42:42.0406 0720 perc2hib - ok
23:42:42.0562 0720 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:42:42.0578 0720 PptpMiniport - ok
23:42:42.0656 0720 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
23:42:42.0656 0720 Processor - ok
23:42:42.0734 0720 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
23:42:42.0750 0720 PSched - ok
23:42:42.0828 0720 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:42:42.0843 0720 Ptilink - ok
23:42:42.0921 0720 PxHelp20 (0c8da0a8b0d227319c285e0eae65defd) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:42:42.0937 0720 PxHelp20 - ok
23:42:42.0984 0720 ql1080 - ok
23:42:43.0031 0720 Ql10wnt - ok
23:42:43.0062 0720 ql12160 - ok
23:42:43.0109 0720 ql1240 - ok
23:42:43.0156 0720 ql1280 - ok
23:42:43.0234 0720 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:42:43.0234 0720 RasAcd - ok
23:42:43.0328 0720 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:42:43.0328 0720 Rasl2tp - ok
23:42:43.0406 0720 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:42:43.0406 0720 RasPppoe - ok
23:42:43.0500 0720 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:42:43.0515 0720 Raspti - ok
23:42:43.0640 0720 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:42:43.0640 0720 Rdbss - ok
23:42:43.0796 0720 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:42:43.0796 0720 RDPCDD - ok
23:42:43.0906 0720 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
23:42:43.0906 0720 RDPWD - ok
23:42:44.0031 0720 redbook (86d3afb02bef12949b26e0ba966bd252) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:42:44.0031 0720 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\redbook.sys. Real md5: 86d3afb02bef12949b26e0ba966bd252, Fake md5: b31b4588e4086d8d84adbf9845c2402b
23:42:44.0031 0720 redbook ( Rootkit.Win32.TDSS.tdl3 ) - infected
23:42:44.0031 0720 redbook - detected Rootkit.Win32.TDSS.tdl3 (0)
23:42:44.0234 0720 RegFilter (2ca761ce3abb7bbbb9c5519b2fb54f5e) C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys
23:42:44.0234 0720 RegFilter - ok
23:42:44.0343 0720 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
23:42:44.0359 0720 RimVSerPort - ok
23:42:44.0484 0720 RsFx0102 (fedd2710b75be3ecf078adace790c423) C:\WINDOWS\system32\DRIVERS\RsFx0102.sys
23:42:44.0500 0720 RsFx0102 - ok
23:42:44.0640 0720 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:42:44.0640 0720 Secdrv - ok
23:42:44.0750 0720 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
23:42:44.0750 0720 Serial - ok
23:42:44.0890 0720 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:42:44.0890 0720 Sfloppy - ok
23:42:44.0968 0720 shzu - ok
23:42:45.0031 0720 Simbad - ok
23:42:45.0125 0720 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
23:42:45.0140 0720 SLIP - ok
23:42:45.0218 0720 SmartDefragDriver (972dea0d8149d73c5b7a2c97b2e749e3) C:\WINDOWS\system32\Drivers\SmartDefragDriver.sys
23:42:45.0218 0720 SmartDefragDriver - ok
23:42:45.0328 0720 smrt (72d7eb6c2baab40683b4c71920990f7d) C:\WINDOWS\system32\DRIVERS\smrt.sys
23:42:45.0390 0720 smrt - ok
23:42:45.0531 0720 smwdm (13739b36bd8d94d0fed7662aa7a4235d) C:\WINDOWS\system32\drivers\smwdm.sys
23:42:45.0593 0720 smwdm - ok
23:42:45.0687 0720 Sparrow - ok
23:42:45.0796 0720 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
23:42:45.0812 0720 splitter - ok
23:42:45.0953 0720 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
23:42:45.0968 0720 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
23:42:45.0968 0720 sptd ( LockedFile.Multi.Generic ) - warning
23:42:45.0968 0720 sptd - detected LockedFile.Multi.Generic (1)
23:42:46.0109 0720 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
23:42:46.0109 0720 sr - ok
23:42:46.0265 0720 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
23:42:46.0281 0720 Srv - ok
23:42:46.0421 0720 StarOpen (306521935042fc0a6988d528643619b3) C:\WINDOWS\system32\drivers\StarOpen.sys
23:42:46.0421 0720 StarOpen - ok
23:42:46.0546 0720 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
23:42:46.0546 0720 StillCam - ok
23:42:46.0734 0720 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
23:42:46.0734 0720 streamip - ok
23:42:46.0843 0720 STVqx3 (65ba7d9daca76f67bb5a62f3570c5fe5) C:\WINDOWS\system32\drivers\STVqx3.sys
23:42:46.0843 0720 STVqx3 - ok
23:42:47.0000 0720 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:42:47.0000 0720 swenum - ok
23:42:47.0078 0720 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
23:42:47.0093 0720 swmidi - ok
23:42:47.0171 0720 symc810 - ok
23:42:47.0250 0720 symc8xx - ok
23:42:47.0312 0720 sym_hi - ok
23:42:47.0375 0720 sym_u3 - ok
23:42:47.0484 0720 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
23:42:47.0484 0720 sysaudio - ok
23:42:47.0625 0720 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:42:47.0640 0720 Tcpip - ok
23:42:47.0765 0720 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:42:47.0765 0720 TDPIPE - ok
23:42:47.0875 0720 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
23:42:47.0875 0720 TDTCP - ok
23:42:48.0031 0720 teamviewervpn (9101fffcfccd1a30e870a5b8a9091b10) C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys
23:42:48.0031 0720 teamviewervpn - ok
23:42:48.0140 0720 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:42:48.0140 0720 TermDD - ok
23:42:48.0234 0720 TMPassthruMP - ok
23:42:48.0296 0720 TosIde - ok
23:42:48.0421 0720 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
23:42:48.0421 0720 Udfs - ok
23:42:48.0531 0720 ultra - ok
23:42:48.0656 0720 Update (a4815a4884898f355a3513e60843a4fd) C:\WINDOWS\system32\DRIVERS\update.sys
23:42:48.0671 0720 Update - ok
23:42:48.0906 0720 UrlFilter (62551ba687f1d0f582810cfa37384bb0) C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys
23:42:48.0906 0720 UrlFilter - ok
23:42:49.0000 0720 usb6xxxkw - ok
23:42:49.0078 0720 usb9162k - ok
23:42:49.0187 0720 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
23:42:49.0203 0720 USBAAPL - ok
23:42:49.0265 0720 usbbus - ok
23:42:49.0375 0720 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:42:49.0375 0720 usbccgp - ok
23:42:49.0468 0720 UsbDiag - ok
23:42:49.0578 0720 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:42:49.0578 0720 usbehci - ok
23:42:49.0687 0720 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:42:49.0687 0720 usbhub - ok
23:42:49.0765 0720 USBModem - ok
23:42:49.0875 0720 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:42:49.0875 0720 usbprint - ok
23:42:49.0968 0720 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:42:49.0968 0720 usbscan - ok
23:42:50.0062 0720 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:42:50.0062 0720 usbstor - ok
23:42:50.0140 0720 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:42:50.0140 0720 usbuhci - ok
23:42:50.0328 0720 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
23:42:50.0328 0720 VgaSave - ok
23:42:50.0359 0720 ViaIde - ok
23:42:50.0453 0720 vmci (eca058fdf9105001b113441f6d420fa4) C:\WINDOWS\system32\Drivers\vmci.sys
23:42:50.0468 0720 vmci - ok
23:42:50.0578 0720 vmkbd (c993e9325c68dd1f6ee4a8151b34f442) C:\WINDOWS\system32\drivers\VMkbd.sys
23:42:50.0593 0720 vmkbd - ok
23:42:50.0687 0720 VMnetAdapter (898706a05d20b706848a440961c52436) C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys
23:42:50.0687 0720 VMnetAdapter - ok
23:42:50.0765 0720 VMnetBridge (5692cbd2a25e04c62707bfc311884b65) C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys
23:42:50.0781 0720 VMnetBridge - ok
23:42:50.0843 0720 VMnetuserif (5f1ba57c5882cedf70b14de331f06ee0) C:\WINDOWS\system32\drivers\vmnetuserif.sys
23:42:50.0843 0720 VMnetuserif - ok
23:42:50.0921 0720 VMparport (c04e55f58d9871da1b153b48889f594f) C:\WINDOWS\system32\Drivers\VMparport.sys
23:42:50.0937 0720 VMparport - ok
23:42:51.0031 0720 vmusb (25017db6451b002158db425961a82b7b) C:\WINDOWS\system32\Drivers\vmusb.sys
23:42:51.0031 0720 vmusb - ok
23:42:51.0171 0720 vmx86 (72defa27db4a31e11740e12d745a70f3) C:\WINDOWS\system32\Drivers\vmx86.sys
23:42:51.0203 0720 vmx86 - ok
23:42:51.0328 0720 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
23:42:51.0328 0720 VolSnap - ok
23:42:51.0484 0720 vstor2-ws60 (e4fa7aff5046fc49de22e903b7e35add) C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
23:42:51.0484 0720 vstor2-ws60 - ok
23:42:51.0640 0720 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:42:51.0640 0720 Wanarp - ok
23:42:51.0750 0720 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
23:42:51.0750 0720 wanatw - ok
23:42:51.0796 0720 WDICA - ok
23:42:51.0875 0720 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
23:42:51.0890 0720 wdmaud - ok
23:42:52.0125 0720 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
23:42:52.0125 0720 WpdUsb - ok
23:42:52.0218 0720 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
23:42:52.0234 0720 WS2IFSL - ok
23:42:52.0328 0720 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
23:42:52.0328 0720 WSTCODEC - ok
23:42:52.0421 0720 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
23:42:52.0437 0720 WudfPf - ok
23:42:52.0500 0720 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
23:42:52.0500 0720 WudfRd - ok
23:42:52.0671 0720 {6080A529-897E-4629-A488-ABA0C29B635E} (fd1f4e9cf06c71c8d73a24acf18d8296) C:\WINDOWS\system32\drivers\ialmsbw.sys
23:42:52.0687 0720 {6080A529-897E-4629-A488-ABA0C29B635E} - ok
23:42:52.0843 0720 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (d4d7331d33d1fa73e588e5ce0d90a4c1) C:\WINDOWS\system32\drivers\ialmkchw.sys
23:42:52.0843 0720 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} - ok
23:42:52.0875 0720 MBR (0x1B8) (671b81004fdd1588fa9ed1331c9ceca9) \Device\Harddisk0\DR0
23:42:53.0109 0720 \Device\Harddisk0\DR0 - ok
23:42:53.0125 0720 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
23:42:53.0140 0720 \Device\Harddisk1\DR1 - ok
23:42:53.0156 0720 Boot (0x1200) (711c73626a2c51579528f2eb42a25390) \Device\Harddisk0\DR0\Partition0
23:42:53.0156 0720 \Device\Harddisk0\DR0\Partition0 - ok
23:42:53.0171 0720 Boot (0x1200) (44915dd5061ea9ca725b40cb52ee464b) \Device\Harddisk1\DR1\Partition0
23:42:53.0171 0720 \Device\Harddisk1\DR1\Partition0 - ok
23:42:53.0187 0720 ============================================================
23:42:53.0187 0720 Scan finished
23:42:53.0187 0720 ============================================================
23:42:53.0218 0396 Detected object count: 2
23:42:53.0218 0396 Actual detected object count: 2
23:44:42.0531 0396 Backup copy found, using it..
23:44:42.0562 0396 C:\WINDOWS\system32\DRIVERS\redbook.sys - will be cured on reboot
23:44:42.0562 0396 redbook ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
23:44:42.0562 0396 sptd ( LockedFile.Multi.Generic ) - skipped by user
23:44:42.0562 0396 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
23:45:20.0421 3264 Deinitialize success








SSD results:
-------------------------------

DoubleClick: Tracking cookie (Firefox: Emily (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Chrome: Chrome) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2011-11-14 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-03-18 Includes\Adware.sbi (*)
2011-08-29 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2011-03-29 Includes\Hijackers.sbi (*)
2011-10-04 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-09-27 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-10-31 Includes\Malware.sbi (*)
2011-11-08 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-10-11 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2011-02-24 Includes\Security.sbi (*)
2011-05-03 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-10-18 Includes\Spyware.sbi (*)
2011-10-18 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2011-09-28 Includes\Trojans.sbi (*)
2011-11-09 Includes\TrojansC-02.sbi (*)
2011-11-09 Includes\TrojansC-03.sbi (*)
2011-10-28 Includes\TrojansC-04.sbi (*)
2011-11-03 Includes\TrojansC-05.sbi (*)
2011-11-09 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

ken545
2011-11-16, 10:58
:bigthumb:

Post a new DDS log not SSD please

With Rootkit type of infections there could be more lurking, lets do this


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

jaybg
2011-11-17, 21:28
Thanks for the help, but I have been unsuccessful at installing and runnning ComboFix.

The only software that I found and disabled were the AVAST free antivirus and IOBits Malware Fighter. After disabling those, I tried to download ComboFix, but on installation, it was extracting dozens of files and then just quit. The installation text box disappeared and no other window or dialogbox popped up. After verifying the disabled status of those two software packages, I tried ComboFix a second time with the same result.

My guess is that I am missing some other anti-spy antil-malware software that does not show up in the online list or in my quick link tray. Any suggestions?

ken545
2011-11-17, 23:49
Lets try running Combofix in Safemode


To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode with Networking
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)

jaybg
2011-11-19, 18:50
Hello again.

Thanks for the tips on running in Safe Mode.

It took me a while, as I had to get a VGA monitor hooked up, as my computer does not output DVI until later in the boot process, so I never saw the safemode menus with the DVI. Anyway ...

Was able to run ComboFix in safemode, but it insisted Avast! was still scanning, although I had disabled all 8 sheilds repeatedly. So that scared me (warning that it was running at my risk of machine damage) .. so the first two times I aborted by rebooting

Anyway, it finally fully executed and I followed that up with a DDS scan. All three files (log from ComboFix, DDS.txt and Attach.txt) are attachments to this message.

I am running SSD now, but it will be an hour or more .. will post results if you want me to.

Thanks again!!



ComboFix 11-11-19.03 - ZZadmin 11/19/2011 10:56:39.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.760 [GMT -5:00]
Running from: c:\documents and settings\ZZadmin\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\AMMYY
c:\documents and settings\All Users\Application Data\AMMYY\hr
c:\documents and settings\All Users\Application Data\AMMYY\settings.bin
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\20100709075325.log
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{E7269FD6-34EA-4617-8752-6739AA384080}\Setup.ico
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\BB960BFC.TMP
c:\documents and settings\Olivia\WINDOWS
c:\program files\Common Files\ofmf
c:\program files\Common Files\ofmf\ofmfa.lck
c:\program files\Common Files\ofmf\ofmfd\class-barrel
c:\program files\Common Files\ofmf\ofmfd\vocabulary
c:\program files\Common Files\ofmf\ofmfl.lck
c:\program files\Common Files\ofmf\ofmfm.lck
c:\windows\desktop
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\Downloaded Program Files\Temp
c:\windows\help\wmplayer.bak
c:\windows\iun6002.exe
c:\windows\search_res.txt
c:\windows\system32\components
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\res
c:\windows\system32\wnsapisv.exe
c:\windows\system32\wpcap.dll
c:\windows\system32\zlibwapi.dll
c:\windows\windowsmedia-kb828026-x86-enu.exe
c:\windows\windowsmedia9-kb819639-x86-enu.exe
c:\windows\windowsxp-kb817611-x86-enu.exe
c:\windows\windowsxp-kb820291-x86-enu.exe
c:\windows\windowsxp-kb822827-x86-enu.exe
c:\windows\windowsxp-kb823182-x86-enu.exe
c:\windows\windowsxp-kb824105-x86-enu.exe
c:\windows\windowsxp-kb824141-x86-enu.exe
c:\windows\windowsxp-kb824146-x86-enu.exe
c:\windows\windowsxp-kb825119-x86-enu.exe
c:\windows\windowsxp-kb825121-x86-enu.exe
c:\windows\windowsxp-kb826939-x86-enu.exe
c:\windows\windowsxp-kb826959-x86-enu.exe
c:\windows\windowsxp-kb828028-x86-enu.exe
c:\windows\windowsxp-kb828035-x86-enu.exe
c:\windows\wnsxs~1
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2011-10-19 to 2011-11-19 )))))))))))))))))))))))))))))))
.
.
2020-08-11 14:37 . 2020-08-11 15:26 3991 ----a-w- c:\windows\system32\kbdcache.dll
2011-11-17 00:33 . 2011-11-17 00:33 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\IObit
2011-11-17 00:29 . 2011-11-17 00:29 -------- d-----w- c:\documents and settings\ZZadmin\Local Settings\Application Data\Solid State Networks
2011-11-17 00:27 . 2011-11-17 00:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-16 23:50 . 2011-11-16 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2011-11-14 17:39 . 2011-11-14 18:53 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-11-14 15:34 . 2011-11-14 15:36 -------- d-----w- c:\program files\ERUNT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-16 04:46 . 2004-03-31 13:05 57472 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-11-06 19:03 . 2010-09-02 00:20 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-09-06 20:45 . 2010-10-24 14:07 41184 ----a-w- c:\windows\avastSS.scr
2011-09-06 20:45 . 2009-06-25 22:51 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-09-06 20:38 . 2011-05-13 20:17 442200 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-09-06 20:37 . 2009-06-25 22:51 320856 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-09-06 20:36 . 2009-06-25 22:51 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-09-06 20:36 . 2009-06-25 22:51 52568 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-09-06 20:36 . 2009-06-25 22:51 110552 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-09-06 20:36 . 2009-06-25 22:51 104536 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-09-06 20:36 . 2009-06-25 22:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-09-06 20:33 . 2009-06-25 22:51 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-08-31 22:00 . 2010-09-02 00:20 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Advanced SystemCare 5"="c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe" [2011-11-12 1647448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 335872]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-10-08 4441944]
.
c:\documents and settings\Guest\Start Menu\Programs\Startup\
V CAST Media Monitor.lnk - c:\program files\V CAST Media Manager\MEMonitor.exe [2010-3-21 2991464]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\empires2.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xampp\\MercuryMail\\mercury.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\mektek.net\\MTX\\mtx.exe"=
.
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/25/2011 12:04 PM 13496]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/27/2008 5:51 PM 717296]
S0 shzu;shzu;c:\windows\system32\drivers\mpfy.sys --> c:\windows\system32\drivers\mpfy.sys [?]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/13/2011 3:17 PM 442200]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/25/2009 5:51 PM 320856]
S2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [11/16/2011 6:49 PM 490840]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\httpd.exe [8/21/2009 11:17 AM 24636]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/25/2009 5:51 PM 20568]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/24/2010 9:08 AM 136176]
S2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [6/25/2011 12:04 PM 820568]
S2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [10/14/2004 5:30 PM 86098]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [3/26/2009 9:58 PM 54960]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [11/7/2006 5:02 PM 39424]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/24/2010 9:08 AM 136176]
S3 niemrkw;niemrkw;c:\windows\system32\DRIVERS\niemrkw.sys --> c:\windows\system32\DRIVERS\niemrkw.sys [?]
S3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [11/14/2011 12:24 PM 30368]
S3 STVqx3;Intel Play QX3 Microscope;c:\windows\system32\drivers\STVqx3.SYS [9/29/2005 3:52 PM 131776]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [3/11/2010 4:17 AM 25088]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys --> c:\windows\system32\DRIVERS\TMPassthru.sys [?]
S3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [11/14/2011 12:24 PM 16208]
S3 usb6xxxkw;usb6xxxkw;c:\windows\system32\DRIVERS\usb6xxxkw.sys --> c:\windows\system32\DRIVERS\usb6xxxkw.sys [?]
S3 usb9162k;NI-USB 9162 Carrier Loader Driver;c:\windows\system32\DRIVERS\usb9162k.sys --> c:\windows\system32\DRIVERS\usb9162k.sys [?]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM --> c:\program files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe -RunBySCM [?]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [11/14/2011 12:24 PM 239472]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 7:28 PM 47128]
S4 NiRioRpc;National Instruments RIO Server;c:\windows\system32\NiRioRpc.exe --> c:\windows\system32\NiRioRpc.exe [?]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 1:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 7:28 PM 369688]
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-24 14:07]
.
2011-11-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-24 14:07]
.
2011-11-19 c:\windows\Tasks\User_Feed_Synchronization-{056B7D34-B07B-4BFB-B256-0823BB5D667A}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2011-11-19 c:\windows\Tasks\User_Feed_Synchronization-{99A3DB5B-40AB-4547-8310-1B14D1112E9C}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2011-11-19 c:\windows\Tasks\User_Feed_Synchronization-{B53B5342-0B01-4984-9240-16FCDB1D2A7E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
2011-11-19 c:\windows\Tasks\User_Feed_Synchronization-{B9B78A04-42C7-480A-A6F4-D57AECFE97D5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://file.net/process/_a.html
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
TCP: Interfaces\{00D379ED-BD69-48C0-AC8D-9E38EFC56EEA}: NameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\ZZadmin\Application Data\Mozilla\Firefox\Profiles\u7mv6nbs.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&type=685749&p=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
Notify-Themes - c:\windows\system32\o6480ghue6480.dll
SafeBoot-93410293.sys
AddRemove-HijackThis - j:\portableapps\HiJackThis\HijackThis.exe
AddRemove-{E7269FD6-34EA-4617-8752-6739AA384080} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{E7269~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-19 11:09
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.EXE'(1392)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
.
Completion time: 2011-11-19 11:17:32 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-19 16:17
.
Pre-Run: 65,557,426,176 bytes free
Post-Run: 65,807,409,152 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 7238C42AB4BA39B990AE3C10594066E0

ken545
2011-11-19, 19:19
You did just fine, things are looking better. I dont need the SSD report

How are things running now, any better ???


Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

jaybg
2011-11-20, 06:05
MBAM found 8 related items and required a reboot. The log file is attached.

To verify the reboot deletion was successful, I re-ran MBAM ... that file is attached as well.

-------------

Regarding how things are running, I believe most symptoms are gone.
The only remaining symptom that I seem to have is a system crash (reboot) whenever we try to run videos like youtube or news feeds. The exception seems to be WMV files, which apparently run fine.

I'm thinking that something was deleted incorrectly by some earlier attempt to clean up the system.

THANKS AGAIN for all the help .. any further tips would also be appreciated

ken545
2011-11-20, 11:10
Good Morning,

Do me a favor and just copy and paste the logs we ask for into this thread in lew of attaching them, its easier on these old eyes to analyze.


As far as running videos, when where done I will link you to another forum that can help you with that as we just do malware removal on this one.



ESET Online Scanner
I'd like us to scan your machine with ESET OnlineScan

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan (http://eset.com/onlinescan)
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetOnline.png button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
Double click on the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetSmartInstallDesktopIcon.png icon on your desktop.

Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetAcceptTerms.png
Click the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetStart.png button.
Accept any security warnings from your browser.
Check http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetScanArchives.png
Make sure that the option "Remove found threats" is Unchecked
Push the Start button.
ESET will then download updates for itself, install itself, and begin
scanning your computer. Please be patient as this can take some time.
When the scan completes, push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetListThreats.png
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetExport.png, and save the file to your desktop using a unique name, such as
ESETScan. Include the contents of this report in your next reply.
Push the http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetBack.png button.
Push http://billy-oneal.com/Canned%20Speeches/speechimages/eset/esetFinish.png
Please make sure you include the following items in your next post:
The log that was produced after running ESET Online Scanner.

jaybg
2011-11-20, 19:59
This was the second time I ran it .. the first time I came back to my computer and it was on a post-test ad to purchase software ...

ESET Online Scan results:
---------------------------
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\16\7de60ad0-12a1005a a variant of OSX/Exploit.Smid.D trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\29\218affdd-5c45f67c a variant of Java/Rowindal.A trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\48\2121b370-6e48e8a0 multiple threats

ken545
2011-11-20, 20:07
Great, the only thing we need to do is empty your Java Cache

Please download ATF Cleaner (http://majorgeeks.com/ATF_Cleaner_d4949.html) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized password and other personal information as removing cookies will temporarily disable the auto-login facility. If you want to keep your log on info, just click on Select All and then uncheck cookies



Outside of your video, everything else ok ?

jaybg
2011-11-21, 02:48
Yes, I believe all symptoms have been eliminated, except for the video issues. As some symptoms were sporatic, only time will tell if they pop up, but I'm confident that (almost) all is well.

Thank you very much, Ken, for all your thorough and persistant aid in fixing these issues.

My one last question for you before you refer me for the video help:
Other than running Avast free antivirus, what other guards should I have in place running in active or resident mode 24/7 to keep this from happening again? An ounce of prevention .....

ken545
2011-11-21, 03:30
Lets do this, post here for your Video problems, all us forums work together so you can link them to this thread if you wish so they can see what we have done.
http://forums.whatthetech.com/index.php?showforum=119


Avast is a nice AV, you should have a firewall as well, here are three free ones, just install one. Or you can upgrade Avast to the complete package that includes a firewall and some anti spyware

http://www.avast.com/free-antivirus-download


Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp)
Sygate Personal Firewall Free Edition (http://www.filehippo.com/download_sygate_personal_firewall/[/url])
Outpost Firewall Free (http://www.agnitum.com/products/outpostfree/index.php)





All I have on my systems is Norton Internet Security that includes AV, a firewall and some Anti Spyware. Your call but you can upgrade Malwarebytes to the Pro Version, the cost is minimal and you own the key code, no yearly fee. This version has a protection module that will block any bad sites that you may wander into with a page not found and a pop up from Malwarebytes telling you they blocked it, I have this on all my systems. Just use one AV and one Firewall and a nice program like malwarebytes and you should be ok, just dont to crazy installing to many programs or they will bog down your system



Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png




Open OTL and click on Clean Up and it will remove programs we used to clean your system along with there backups

Malwarebytes is the free version and yours to keep and will not be removed

Keeping your Java updated is very important to the security of your system, info here on how to update
http://forums.spybot.info/showpost.php?p=12880&postcount=2



How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Safe Surfn
Ken

ken545
2011-11-28, 02:08
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.