redirecting problem, please help (Resolved)

Still having redirects when I click on links from Google search.

I get this in a window when I try to run Kaspersky:

Launch of the Java application is interupted! Please establish an uninterrupted Internet connection for work with this program.

My internet connection is always on. The java icon appears in the system tray after I click on accept, but then it gives the error.

Not sure what to do.
 
Let's just have a look at something...

You must first verify that you can logon to the Windows Recovery Console.

How to use the Windows XP Recovery Console


Next, please download maxlook, saving the file to your desktop.
Double click maxlook.exe to run it. Note - you must run it only once!
As instructed when the tool runs, restart the computer and logon to the Recovery Console.
Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):

batch look.bat


(screenshot: lookXP.gif)


You will see "1 file copied" many times, then you will be returned to the x:\windows> prompt.
Type Exit to restart your computer then logon in normal mode.
Please run maxlook.exe again now. Note - you must run it only once!
It will produce looklog.txt on the desktop and open it.
Please post the results here.
 
maxlook:
Run from C:\Documents and Settings\Mom\Desktop\maxlook.exe on Sat 02/27/2010 at 9:23:20.93

No infected file found


Not sure if this matters, but:
While the system was rebooting, McAfee popped a window up and said it repaired something. I checked the log and attached is a screen shot of what it said.
 
McAfee popped a window up and said it repaired something
That file was part of the tool I asked you to download, nothing to worry about.

A couple of questions for you ...

Do you have a Router ?
Which browser are you using for the web ?
Do you get redirected to the same site, or different ones ?
Do you know anything about Zynga Toolbar ?

Active Scan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Please go to this site: ActiveScan
  • Click the Scan Now button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small export to notepad button and save the report to your desktop.
  • Please post the report in your reply.
 
answers:
Yes, I have a wireless router. The infected PC is hard wired to the router.
Browser is IE7
I get redirected to random sites.
Zynga toolbar was downloaded for a game I play in facebook. I don't need it.

Active scan said I was infected. Report is here:
;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-02-28 07:42:53
PROTECTIONS: 1
MALWARE: 24
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
McAfee VirusScan Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@trafficmp[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@atdmt[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@247realmedia[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@mediaplex[2].txt
00147806 Cookie/7search TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@7search[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@com[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@bs.serving-sys[1].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@www.burstbeacon[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@server.iad.liveperson[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@advertising[1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@ads.pointroll[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@overture[2].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@realmedia[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@go[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@searchportal.information[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@target[1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No c:\documents and settings\mom\cookies\mom@did-it[1].txt
00966839 Spyware/Virtumonde Spyware No 1 Yes No c:\program files\viewpoint\viewpoint experience technology\newcomponents\swfview.dll
01260840 Trj/Downloader.PME Virus/Trojan No 1 Yes No c:\documents and settings\mom\local settings\application data\wildtangent\cdacache\00\00\73.dat
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
 
Well, that didn't shed much light on the situation :(
The files that Panda found were mainly cookies, and it didn't flag anything that would cause redirects.

Yes, I have a wireless router. The infected PC is hard wired to the router.
Do you have more than one computer ?
If so, is that one having the same problems ?
 
Looking around the web there appear to be many cases of redirects with Zynga installed, and when it is removed the problem stops.

I think we should try uninstalling it and see if that helps.


----------------------------------------------------------------------------------------
Step 1

Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start -> Control Panel. Double click Add or Remove Programs.
If any of the following programs are still listed there, click on the program to highlight it, and click on remove.
  • Zynga Toolbar
Now close the Control Panel.


----------------------------------------------------------------------------------------
Step 2

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
    [-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{7B13EC3E-999A-4B70-B9CB-2617B8323822}"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "Symantec PIF AlertEng"=-
    Folder::
    c:\program files\Zynga
    c:\program files\viewpoint\viewpoint experience technology\newcomponents
    c:\documents and settings\mom\local settings\application data\wildtangent
    ADS::
  • Save this as CFScript.txt and place it on your desktop.


    (screenshot: CFScriptb.gif)


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper



----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • Combofix Log
  • A fresh HJT log
  • How are things running now ?
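As an added example (not part of the thread, and not ComboFix's own code), a dry-run parser for the CFScript format used in Step 2 above: it reads the Registry::, Folder:: and ADS:: sections and lists what each line would delete, so a script can be reviewed before it is handed to the tool, and it groups the registry actions by CLSID to show every Internet Explorer load point a single component is being removed from. It assumes regedit-style semantics for the Registry:: lines ([-key] deletes a key, "name"=- deletes a value, "name"="data" sets one) and passes ComboFix's ~ path shorthand through unexpanded.

```python
"""Dry-run reader for a ComboFix CFScript. Nothing here touches the registry
or the filesystem; it only reports what each line of the script asks for."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the CFScript posted in Step 2 of the thread, embedded verbatim.
SAMPLE_CFSCRIPT = r"""Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
[-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Symantec PIF AlertEng"=-
Folder::
c:\program files\Zynga
c:\program files\viewpoint\viewpoint experience technology\newcomponents
c:\documents and settings\mom\local settings\application data\wildtangent
ADS::
"""


@dataclass(frozen=True)
class Action:
    kind: str                  # delete_key | delete_value | set_value | delete_folder | delete_ads
    target: str                # registry key path or filesystem path (the ~ shorthand is kept as-is)
    name: Optional[str] = None # value name for registry value actions ("@" = default value)
    data: Optional[str] = None # new data for set_value


SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")            # [key] selects, [-key] deletes
VALUE_RE = re.compile(r'^(?:"([^"]*)"|(@))=(.*)$')    # "name"=data, "name"=- deletes
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_cfscript(text: str) -> List[Action]:
    """Turn the script into a flat list of actions. Only the sections used in the
    thread (Registry::, Folder::, ADS::) are understood; anything else is an error."""
    actions: List[Action] = []
    section: Optional[str] = None
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "registry":
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:
                    actions.append(Action("delete_key", key))
                    current_key = None
                else:
                    current_key = key   # following value lines apply to this key
                continue
            m = VALUE_RE.match(line)
            if m:
                if current_key is None:
                    raise ValueError(f"value line outside a [key] block: {line}")
                name = m.group(1) if m.group(1) is not None else "@"
                data = m.group(3)
                if data == "-":
                    actions.append(Action("delete_value", current_key, name))
                else:
                    actions.append(Action("set_value", current_key, name, data))
                continue
            raise ValueError(f"unrecognised Registry:: line: {line}")
        if section == "folder":
            actions.append(Action("delete_folder", line))
        elif section == "ads":
            actions.append(Action("delete_ads", line))
        elif section is None:
            raise ValueError(f"line before any section header: {line}")
        else:
            raise ValueError(f"unsupported section {section}::")
    return actions


def clsids_referenced(actions: List[Action]) -> Dict[str, List[str]]:
    """Group registry actions by the CLSID they mention (case-insensitively), so a
    reviewer can see every load point (URLSearchHooks, BHO, Toolbar, ...) touched."""
    found: Dict[str, List[str]] = {}
    for a in actions:
        if not a.kind.endswith(("_key", "_value")):
            continue
        location = a.target if a.name is None else a.target + "\\" + a.name
        for g in GUID_RE.findall(location):
            found.setdefault(g.lower(), []).append(location)
    return found


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for a in plan:
        print(a.kind, a.target, a.name or "")
    for clsid, places in clsids_referenced(plan).items():
        print(f"{clsid}: removed from {len(places)} registry locations")
```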
 
combofix part 1:

ComboFix 10-02-27.04 - Mom 02/28/2010 12:43:16.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2445 [GMT -6:00]
Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Mom\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\mom\local settings\application data\wildtangent
c:\program files\viewpoint\viewpoint experience technology\newcomponents
c:\program files\viewpoint\viewpoint experience technology\newcomponents\JpegReader.dll
c:\program files\viewpoint\viewpoint experience technology\newcomponents\MTS3Reader.dll
c:\program files\viewpoint\viewpoint experience technology\newcomponents\SWFView.dll
c:\program files\viewpoint\viewpoint experience technology\newcomponents\WaveletReader.dll

.
((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-28 03:19 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-28 03:19 . 2010-02-28 03:19 -------- d-----w- c:\program files\Panda Security
2010-02-27 15:17 . 2010-02-27 15:23 -------- d-----w- c:\windows\maxdriver
2010-02-22 03:30 . 2010-02-22 03:30 -------- d-----w- C:\Rooter$
2010-02-21 03:01 . 2010-02-21 03:00 38784 ----a-w- c:\documents and settings\Mom\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-21 03:01 . 2010-02-21 03:01 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-21 02:59 . 2010-02-21 02:59 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-21 02:59 . 2010-02-21 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-21 01:09 . 2010-02-21 01:09 -------- d-----w- c:\documents and settings\Mom\Application Data\Malwarebytes
2010-02-21 01:09 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-21 01:09 . 2010-02-21 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-21 01:09 . 2010-02-21 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 01:09 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 22:20 . 2010-02-18 22:21 -------- d-----w- C:\rsit
2010-02-15 01:51 . 2010-02-15 01:51 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\Yahoo!
2010-02-13 03:13 . 2010-02-27 15:44 -------- d-----w- c:\program files\SpywareBlaster
2010-02-12 23:00 . 2010-02-12 23:00 50354 ----a-w- c:\documents and settings\Mom\Application Data\Facebook\uninstall.exe
2010-02-12 23:00 . 2010-02-12 23:00 -------- d-----w- c:\documents and settings\Mom\Application Data\Facebook
2010-02-12 01:18 . 2010-02-12 01:18 -------- d-----w- c:\program files\ERUNT
2010-02-11 23:17 . 2010-02-11 23:17 -------- d-----w- c:\program files\Flip Video
2010-02-11 23:17 . 2010-02-11 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Mom\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Mom\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-30 19:53 . 2010-01-30 19:53 -------- d--h--w- c:\windows\system32\GroupPolicy
 
combofix part 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 18:26 . 2008-07-30 01:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-24 15:16 . 2009-10-02 20:40 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 02:33 . 2006-03-26 05:45 -------- d-----w- c:\program files\quicken
2010-02-21 03:03 . 2006-03-23 04:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-20 13:57 . 2006-03-17 01:33 90112 ----a-w- c:\windows\DUMP6021.tmp
2010-02-19 03:57 . 2006-03-17 02:01 -------- d-----w- c:\program files\McAfee
2010-02-11 23:16 . 2008-12-26 03:12 -------- d-----w- c:\program files\Pure Digital Technologies
2010-02-07 16:55 . 2007-09-29 02:45 -------- d-----w- c:\program files\Google
2010-02-02 06:55 . 2008-12-17 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-30 22:14 . 2006-03-17 01:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-27 02:15 . 2009-09-20 00:34 696320 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-24 19:42 . 2010-01-24 19:42 -------- d-----w- c:\program files\Common Files\eSellerate
2010-01-24 19:40 . 2010-01-24 19:40 8854 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2010-01-24 19:40 . 2010-01-24 19:40 40960 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2010-01-24 19:40 . 2010-01-24 19:40 10134 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2010-01-24 19:40 . 2010-01-24 19:40 -------- d-----w- c:\program files\Western Digital Technologies
2010-01-24 19:39 . 2008-08-13 22:02 -------- d-----w- c:\program files\Western Digital
2010-01-12 00:54 . 2010-01-12 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\RosettaStoneLtdServices
2010-01-12 00:52 . 2010-01-12 00:52 -------- d-----w- c:\program files\RosettaStoneLtdServices
2010-01-05 10:00 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-04-08 23:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-03 21:23 . 2010-01-03 21:01 -------- d-----w- c:\program files\Family Tree Maker 2010
2010-01-03 21:04 . 2010-01-03 21:04 -------- d-----w- c:\program files\Windows Media Components
2010-01-03 21:04 . 2010-01-03 21:04 -------- d-----w- c:\program files\Microsoft.NET
2010-01-03 21:04 . 2010-01-03 21:04 1078 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{EDEA8AB7-7683-4ED2-AA19-E6C078064C0D}\DocumentationShortcu_EDEA8AB776834ED2AA19E6C078064C0D.exe
2010-01-03 21:04 . 2010-01-03 21:04 10134 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{EDEA8AB7-7683-4ED2-AA19-E6C078064C0D}\ARPPRODUCTICON.exe
2010-01-03 21:04 . 2010-01-03 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-03 21:04 . 2010-01-03 21:04 -------- d-----w- c:\program files\Microsoft WSE
2010-01-03 21:03 . 2010-01-03 21:01 -------- d-----w- c:\program files\BCL Technologies
2009-12-31 16:50 . 2006-03-17 01:27 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2005-08-16 10:37 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2005-08-16 10:18 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2005-08-16 10:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-03-17 01:27 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-03-31 01:17 . 2006-03-23 04:05 104 --sh--r- c:\windows\system32\59C154333E.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-02-26_22.37.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-28 18:07 . 2010-02-28 18:07 16384 c:\windows\Temp\Perflib_Perfdata_700.dat
+ 2010-02-27 02:41 . 2010-02-28 17:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-03-23 02:42 . 2010-02-28 17:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-23 02:42 . 2010-02-26 22:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-03-23 02:42 . 2010-02-26 22:28 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-02-27 02:41 . 2010-02-28 17:59 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2001-07-14 23:32 . 2001-07-14 23:32 69632 c:\windows\setupupd\temp\wsdueng.dll
+ 2006-09-29 00:00 . 2006-09-29 00:00 82944 c:\windows\maxdriver\WudfRd.sys
+ 2006-09-28 23:55 . 2006-09-28 23:55 77568 c:\windows\maxdriver\WudfPf.sys
+ 2006-03-25 14:43 . 2008-04-13 18:46 19200 c:\windows\maxdriver\wstcodec.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 12032 c:\windows\maxdriver\ws2ifsl.sys
+ 2005-08-16 10:18 . 2006-10-19 01:00 38528 c:\windows\maxdriver\wpdusb.sys
+ 2006-03-17 01:48 . 2008-04-13 19:17 83072 c:\windows\maxdriver\wdmaud.sys
+ 2010-01-24 19:39 . 2007-10-01 21:17 11520 c:\windows\maxdriver\wdcsam.sys
+ 2008-09-17 23:33 . 2004-08-04 03:29 25471 c:\windows\maxdriver\watv10nt.sys
+ 2008-09-17 23:33 . 2004-08-04 03:29 22271 c:\windows\maxdriver\watv06nt.sys
+ 2005-08-16 10:18 . 2008-04-13 18:57 34560 c:\windows\maxdriver\wanarp.sys
+ 2008-09-17 23:33 . 2004-08-04 03:29 11935 c:\windows\maxdriver\wadv11nt.sys
+ 2008-09-17 23:33 . 2004-08-04 03:29 11871 c:\windows\maxdriver\wadv09nt.sys
+ 2008-09-17 23:33 . 2004-08-04 03:29 11295 c:\windows\maxdriver\wadv08nt.sys
+ 2008-09-17 23:33 . 2004-08-04 03:29 11807 c:\windows\maxdriver\wadv07nt.sys
+ 2008-09-17 23:33 . 2008-04-13 18:43 14208 c:\windows\maxdriver\wacompen.sys
+ 2007-03-30 17:17 . 2006-02-20 23:59 83344 c:\windows\maxdriver\w810obex.sys
+ 2007-03-30 17:17 . 2006-02-20 23:59 85408 c:\windows\maxdriver\w810mgmt.sys
+ 2007-03-30 17:17 . 2006-02-20 23:59 94064 c:\windows\maxdriver\w810mdm.sys
+ 2007-03-30 17:17 . 2006-02-20 23:59 58288 c:\windows\maxdriver\w810bus.sys
+ 2005-08-16 10:18 . 2008-04-13 18:41 52352 c:\windows\maxdriver\volsnap.sys
+ 2005-08-16 10:18 . 2008-04-13 18:44 81664 c:\windows\maxdriver\videoprt.sys
+ 2005-08-17 03:21 . 2008-04-13 18:36 42240 c:\windows\maxdriver\viaagp.sys
+ 2005-08-16 10:18 . 2008-04-13 18:44 20992 c:\windows\maxdriver\vga.sys
+ 2001-08-17 20:02 . 2004-08-10 11:00 58112 c:\windows\maxdriver\vdmindvd.sys
+ 2004-08-04 05:08 . 2008-04-13 18:45 20608 c:\windows\maxdriver\usbuhci.sys
+ 2006-03-17 01:34 . 2008-04-13 18:45 26368 c:\windows\maxdriver\usbstor.sys
+ 2007-07-20 00:19 . 2008-04-13 18:45 15104 c:\windows\maxdriver\usbscan.sys
+ 2006-04-05 00:36 . 2008-04-13 18:47 25856 c:\windows\maxdriver\usbprint.sys
+ 2004-08-04 05:08 . 2008-04-13 18:45 15872 c:\windows\maxdriver\usbintel.sys
+ 2004-08-04 05:08 . 2008-04-13 18:45 59520 c:\windows\maxdriver\usbhub.sys
+ 2004-08-04 05:08 . 2008-04-13 18:45 30208 c:\windows\maxdriver\usbehci.sys
+ 2006-03-23 02:41 . 2008-04-13 18:45 32128 c:\windows\maxdriver\usbccgp.sys
+ 2001-08-17 20:03 . 2008-04-13 18:45 25728 c:\windows\maxdriver\usbcamd2.sys
+ 2001-08-17 20:03 . 2008-04-13 18:45 25600 c:\windows\maxdriver\usbcamd.sys
+ 2010-01-12 00:49 . 2008-04-13 18:45 60032 c:\windows\maxdriver\USBAUDIO.sys
+ 2008-10-14 02:52 . 2009-08-29 00:42 40448 c:\windows\maxdriver\usbaapl.sys
+ 2008-08-24 20:31 . 2008-04-13 18:56 12800 c:\windows\maxdriver\usb8023x.sys
+ 2005-08-16 10:18 . 2008-04-13 18:56 12800 c:\windows\maxdriver\usb8023.sys
+ 2005-08-17 03:29 . 2001-08-17 19:52 36736 c:\windows\maxdriver\ultra.sys
+ 2005-08-16 10:18 . 2008-04-13 18:32 66048 c:\windows\maxdriver\udfs.sys
+ 2008-09-17 23:33 . 2008-04-13 18:36 44672 c:\windows\maxdriver\uagp35.sys
+ 2004-08-04 05:03 . 2008-04-13 18:56 12288 c:\windows\maxdriver\tunmp.sys
+ 2001-08-17 20:06 . 2004-08-10 11:00 21376 c:\windows\maxdriver\tsbvcap.sys
+ 2001-08-17 20:01 . 2004-08-10 11:00 51712 c:\windows\maxdriver\tosdvd.sys
+ 2005-08-16 10:37 . 2008-04-14 00:13 40840 c:\windows\maxdriver\termdd.sys
+ 2005-08-16 10:37 . 2008-04-14 00:13 21896 c:\windows\maxdriver\tdtcp.sys
+ 2005-08-16 10:37 . 2008-04-14 00:13 12040 c:\windows\maxdriver\tdpipe.sys
+ 2005-08-16 10:18 . 2008-04-13 19:00 19072 c:\windows\maxdriver\tdi.sys
+ 2005-08-16 10:18 . 2008-04-13 18:40 14976 c:\windows\maxdriver\tape.sys
+ 2006-03-17 01:48 . 2008-04-13 19:15 60800 c:\windows\maxdriver\sysaudio.sys
+ 2005-08-17 03:25 . 2001-08-17 20:07 32640 c:\windows\maxdriver\symc8xx.sys
+ 2005-08-17 03:26 . 2001-08-17 20:07 16256 c:\windows\maxdriver\symc810.sys
+ 2005-08-17 03:26 . 2001-08-17 20:07 30688 c:\windows\maxdriver\sym_u3.sys
+ 2005-08-17 03:24 . 2001-08-17 20:07 28384 c:\windows\maxdriver\sym_hi.sys
+ 2006-03-17 01:48 . 2008-04-13 18:45 56576 c:\windows\maxdriver\swmidi.sys
+ 2006-03-25 14:45 . 2008-04-13 18:46 15232 c:\windows\maxdriver\streamip.sys
+ 2004-08-04 05:08 . 2008-04-13 18:45 49408 c:\windows\maxdriver\stream.sys
+ 2005-08-16 10:40 . 2008-04-13 18:36 73472 c:\windows\maxdriver\sr.sys
+ 2005-08-17 03:22 . 2001-08-17 20:07 19072 c:\windows\maxdriver\sparrow.sys
+ 2004-08-04 05:09 . 2008-04-13 18:46 25344 c:\windows\maxdriver\sonydcam.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 14592 c:\windows\maxdriver\smclib.sys
+ 2008-09-17 23:33 . 2004-08-04 03:41 13240 c:\windows\maxdriver\slwdmsup.sys
+ 2008-09-17 23:33 . 2004-08-04 03:41 95424 c:\windows\maxdriver\slnthal.sys
+ 2006-03-25 14:45 . 2008-04-13 18:46 11136 c:\windows\maxdriver\slip.sys
+ 2005-08-17 03:20 . 2008-04-13 18:36 40960 c:\windows\maxdriver\sisagp.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 11392 c:\windows\maxdriver\sfloppy.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 11008 c:\windows\maxdriver\sffp_sd.sys
+ 2008-09-17 23:33 . 2008-04-13 18:40 10240 c:\windows\maxdriver\sffp_mmc.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 11904 c:\windows\maxdriver\sffdisk.sys
+ 2004-08-04 05:15 . 2008-04-13 19:15 64512 c:\windows\maxdriver\serial.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 15744 c:\windows\maxdriver\serenum.sys
+ 2010-02-27 15:22 . 2002-09-18 12:38 82944 c:\windows\maxdriver\sed.exe
+ 2005-08-16 10:18 . 2007-11-13 10:25 20480 c:\windows\maxdriver\secdrv.sys
+ 2004-08-04 05:07 . 2008-04-13 18:36 79232 c:\windows\maxdriver\sdbus.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 96384 c:\windows\maxdriver\scsiport.sys
+ 2010-01-24 19:36 . 2008-04-13 18:40 43904 c:\windows\maxdriver\sbp2port.sys
+ 2008-08-24 20:31 . 2008-04-13 18:56 30592 c:\windows\maxdriver\rndismpx.sys
+ 2005-08-16 10:18 . 2008-04-13 18:56 30592 c:\windows\maxdriver\rndismp.sys
+ 2001-08-17 19:24 . 2004-08-10 11:00 12032 c:\windows\maxdriver\riodrv.sys
+ 2001-08-17 19:24 . 2004-08-10 11:00 12032 c:\windows\maxdriver\rio8drv.sys
+ 2008-09-17 23:33 . 2008-04-13 18:46 59136 c:\windows\maxdriver\rfcomm.sys
+ 2005-08-16 10:35 . 2008-04-13 18:40 57600 c:\windows\maxdriver\redbook.sys
+ 2008-09-17 23:33 . 2004-08-04 03:41 13776 c:\windows\maxdriver\recagent.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 34432 c:\windows\maxdriver\rawwan.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 16512 c:\windows\maxdriver\raspti.sys
+ 2005-08-16 10:18 . 2008-04-13 19:19 48384 c:\windows\maxdriver\raspptp.sys
+ 2005-08-16 10:18 . 2008-04-13 18:57 41472 c:\windows\maxdriver\raspppoe.sys
+ 2005-08-16 10:18 . 2008-04-13 19:19 51328 c:\windows\maxdriver\rasl2tp.sys
+ 2005-08-17 03:26 . 2001-08-17 19:52 49024 c:\windows\maxdriver\ql1280.sys
+ 2005-08-17 03:26 . 2001-08-17 19:52 40448 c:\windows\maxdriver\ql1240.sys
+ 2005-08-17 03:27 . 2001-08-17 19:52 45312 c:\windows\maxdriver\ql12160.sys
+ 2005-08-17 03:26 . 2001-08-17 19:52 33152 c:\windows\maxdriver\ql10wnt.sys
+ 2005-08-17 03:26 . 2001-08-17 19:52 40320 c:\windows\maxdriver\ql1080.sys
+ 2008-11-20 19:19 . 2008-11-20 19:19 43872 c:\windows\maxdriver\pxhelp20.sys
+ 2009-09-19 15:19 . 2008-12-12 23:05 25264 c:\windows\maxdriver\purendis.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 17792 c:\windows\maxdriver\ptilink.sys
+ 2005-08-16 10:18 . 2008-04-13 18:56 69120 c:\windows\maxdriver\psched.sys
+ 2004-08-04 04:59 . 2008-04-13 18:31 35840 c:\windows\maxdriver\processr.sys
+ 2009-09-19 15:19 . 2008-12-12 23:05 23984 c:\windows\maxdriver\pnarp.sys
+ 2006-04-02 03:52 . 2003-12-05 23:46 10368 c:\windows\maxdriver\pfc.sys
+ 2005-08-17 03:24 . 2001-08-17 20:07 27296 c:\windows\maxdriver\perc2.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 24960 c:\windows\maxdriver\pciidex.sys
+ 2004-08-04 05:07 . 2008-04-13 18:36 68224 c:\windows\maxdriver\pci.sys
+ 2005-08-16 10:18 . 2008-04-13 18:40 19712 c:\windows\maxdriver\partmgr.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 80128 c:\windows\maxdriver\parport.sys
+ 2004-08-04 04:59 . 2008-04-13 18:31 42752 c:\windows\maxdriver\p3.sys
+ 2006-03-17 01:33 . 2008-04-13 18:46 61696 c:\windows\maxdriver\ohci1394.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 55936 c:\windows\maxdriver\nwlnkspx.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 63232 c:\windows\maxdriver\nwlnknb.sys
+ 2005-08-16 10:18 . 2008-04-13 18:56 88320 c:\windows\maxdriver\nwlnkipx.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 32512 c:\windows\maxdriver\nwlnkfwd.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 12416 c:\windows\maxdriver\nwlnkflt.sys
+ 2005-08-16 10:18 . 2008-04-13 18:32 30848 c:\windows\maxdriver\npfs.sys
+ 2005-08-16 10:18 . 2008-04-13 18:53 40320 c:\windows\maxdriver\nmnt.sys
+ 2001-08-17 19:24 . 2004-08-10 11:00 12032 c:\windows\maxdriver\nikedrv.sys
+ 2004-08-04 04:58 . 2008-04-13 18:51 61824 c:\windows\maxdriver\nic1394.sys
+ 2005-08-16 10:18 . 2008-04-13 18:56 34688 c:\windows\maxdriver\netbios.sys
+ 2005-08-16 10:18 . 2008-04-13 18:57 40576 c:\windows\maxdriver\ndproxy.sys
+ 2005-08-16 10:18 . 2008-04-13 19:20 91520 c:\windows\maxdriver\ndiswan.sys
+ 2004-08-04 05:03 . 2008-04-13 18:55 14592 c:\windows\maxdriver\ndisuio.sys
+ 2005-08-16 10:18 . 2008-04-13 18:57 10112 c:\windows\maxdriver\ndistapi.sys
+ 2006-03-25 14:45 . 2008-04-13 18:46 10880 c:\windows\maxdriver\ndisip.sys
+ 2006-03-25 14:43 . 2008-04-13 18:46 85248 c:\windows\maxdriver\nabtsfec.sys
+ 2008-09-17 23:32 . 2008-04-13 18:43 12672 c:\windows\maxdriver\mutohpen.sys
+ 2004-08-04 05:07 . 2008-04-13 18:36 15488 c:\windows\maxdriver\mssmbios.sys
+ 2005-08-16 10:18 . 2008-04-13 18:56 35072 c:\windows\maxdriver\msgpc.sys
+ 2005-08-16 10:18 . 2008-04-13 18:32 19072 c:\windows\maxdriver\msfs.sys
+ 2007-04-14 17:13 . 2008-04-13 18:46 51200 c:\windows\maxdriver\msdv.sys
+ 2005-08-17 03:24 . 2001-08-17 19:52 17280 c:\windows\maxdriver\mraid35x.sys
+ 2005-08-16 10:18 . 2008-04-13 18:39 92544 c:\windows\maxdriver\mqac.sys
+ 2005-08-16 10:18 . 2008-04-13 18:39 42368 c:\windows\maxdriver\mountmgr.sys
+ 2006-03-23 02:42 . 2001-08-17 19:48 12160 c:\windows\maxdriver\mouhid.sys
+ 2004-08-04 04:58 . 2008-04-13 18:39 23040 c:\windows\maxdriver\mouclass.sys
+ 2004-08-04 05:08 . 2008-04-13 19:00 30080 c:\windows\maxdriver\modem.sys
+ 2005-08-16 10:37 . 2004-08-10 09:45 11008 c:\windows\maxdriver\mhndrv.sys
+ 2007-04-06 03:20 . 2009-09-16 15:22 40552 c:\windows\maxdriver\mfesmfk.sys
+ 2007-04-06 03:20 . 2009-09-16 15:22 34248 c:\windows\maxdriver\mferkdk.sys
+ 2007-04-06 03:20 . 2009-09-16 15:22 35272 c:\windows\maxdriver\mfebopk.sys
+ 2007-04-06 03:19 . 2009-09-16 15:22 79816 c:\windows\maxdriver\mfeavfk.sys
+ 2004-08-04 05:07 . 2008-04-13 18:36 63744 c:\windows\maxdriver\mf.sys
+ 2008-09-17 23:32 . 2004-08-04 03:41 11868 c:\windows\maxdriver\mdmxsdk.sys
+ 2009-11-17 17:15 . 2009-11-17 17:15 63080 c:\windows\maxdriver\McPvDrv.sys
+ 2010-02-21 01:09 . 2010-01-07 22:07 38224 c:\windows\maxdriver\mbamswissarmy.sys
+ 2010-02-21 01:09 . 2010-01-07 22:07 19160 c:\windows\maxdriver\mbam.sys
+ 2006-10-29 17:39 . 2006-10-29 17:39 69824 c:\windows\maxdriver\LxrJD31d.sys
+ 2005-08-16 10:18 . 2009-06-24 11:18 92928 c:\windows\maxdriver\ksecdd.sys
+ 2006-03-23 02:41 . 2008-04-13 18:39 14592 c:\windows\maxdriver\kbdhid.sys
+ 2004-08-04 04:58 . 2008-04-13 18:39 24576 c:\windows\maxdriver\kbdclass.sys
+ 2001-08-17 19:58 . 2008-04-13 18:36 37248 c:\windows\maxdriver\isapnp.sys
+ 2005-08-16 10:33 . 2008-04-13 18:54 11264 c:\windows\maxdriver\irenum.sys
+ 2005-08-17 03:06 . 2008-04-13 18:45 46592 c:\windows\maxdriver\irbus.sys
+ 2004-11-02 21:12 . 2004-11-02 21:12 19456 c:\windows\maxdriver\iqvw32.sys
+ 2005-08-16 10:18 . 2008-04-13 19:19 75264 c:\windows\maxdriver\ipsec.sys
+ 2005-08-16 10:18 . 2008-04-13 18:57 20864 c:\windows\maxdriver\ipinip.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 32896 c:\windows\maxdriver\ipfltdrv.sys
+ 2005-08-16 10:18 . 2008-04-13 18:53 36608 c:\windows\maxdriver\ip6fw.sys
+ 2004-08-04 04:59 . 2008-04-13 18:31 36352 c:\windows\maxdriver\intelppm.sys
+ 2005-08-17 03:29 . 2001-08-17 19:52 16000 c:\windows\maxdriver\ini910u.sys
+ 2004-08-04 05:00 . 2008-04-13 18:40 42112 c:\windows\maxdriver\imapi.sys
+ 2004-08-04 05:14 . 2008-04-13 19:18 52480 c:\windows\maxdriver\i8042prt.sys
+ 2005-08-17 03:27 . 2008-04-13 18:41 18560 c:\windows\maxdriver\i2omp.sys
+ 2006-04-05 00:38 . 2007-03-08 04:20 21568 c:\windows\maxdriver\HPZius12.sys
+ 2006-04-05 00:42 . 2007-03-08 04:20 16496 c:\windows\maxdriver\HPZipr12.sys
+ 2006-04-05 00:42 . 2007-03-08 04:20 49920 c:\windows\maxdriver\HPZid412.sys
+ 2005-08-17 03:25 . 2001-08-17 20:07 25952 c:\windows\maxdriver\hpn.sys
+ 2006-03-23 02:41 . 2008-04-13 18:45 10368 c:\windows\maxdriver\hidusb.sys
+ 2004-08-04 05:08 . 2008-04-13 18:45 24960 c:\windows\maxdriver\hidparse.sys
+ 2005-08-17 03:06 . 2008-04-13 18:45 19200 c:\windows\maxdriver\hidir.sys
+ 2004-08-04 05:08 . 2008-04-13 18:45 36864 c:\windows\maxdriver\hidclass.sys
+ 2008-09-17 23:31 . 2008-04-13 18:46 25600 c:\windows\maxdriver\hidbth.sys
+ 2006-09-19 19:44 . 2009-05-18 19:17 26600 c:\windows\maxdriver\GEARAspiWDM.sys
+ 2008-09-17 23:31 . 2008-04-13 18:36 46464 c:\windows\maxdriver\gagp30kx.sys
+ 2001-08-17 19:57 . 2004-08-10 11:00 12160 c:\windows\maxdriver\fsvga.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 20480 c:\windows\maxdriver\flpydisk.sys
+ 2005-08-16 10:18 . 2008-04-13 18:33 44544 c:\windows\maxdriver\fips.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 27392 c:\windows\maxdriver\fdc.sys
+ 2004-08-04 05:00 . 2008-04-13 18:38 71168 c:\windows\maxdriver\dxg.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 10496 c:\windows\maxdriver\dxapi.sys
+ 2006-03-17 02:01 . 2005-08-12 11:20 40544 c:\windows\maxdriver\DRVNDDM.SYS
+ 2006-03-17 02:01 . 2005-09-12 09:30 89264 c:\windows\maxdriver\DRVMCDB.SYS
+ 2006-03-17 01:48 . 2008-04-13 18:45 60160 c:\windows\maxdriver\drmk.sys
+ 2005-08-17 03:23 . 2001-08-17 20:07 20192 c:\windows\maxdriver\dpti2o.sys
+ 2006-03-17 01:48 . 2008-04-13 18:45 52864 c:\windows\maxdriver\dmusic.sys
+ 2006-03-17 02:01 . 2005-08-25 18:16 22684 c:\windows\maxdriver\DLARTL_N.SYS
+ 2005-08-16 10:18 . 2008-04-13 18:40 14208 c:\windows\maxdriver\diskdump.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 36352 c:\windows\maxdriver\disk.sys
+ 2005-08-17 03:28 . 2001-08-17 19:52 14720 c:\windows\maxdriver\dac960nt.sys
+ 2004-08-04 04:59 . 2008-04-13 18:31 36736 c:\windows\maxdriver\crusoe.sys
+ 2001-08-17 19:24 . 2004-08-10 11:00 11776 c:\windows\maxdriver\cpqdap01.sys
+ 2005-08-17 03:24 . 2001-08-17 19:52 14976 c:\windows\maxdriver\cpqarray.sys
+ 2005-08-16 10:18 . 2008-04-13 19:16 49536 c:\windows\maxdriver\classpnp.sys
+ 2004-08-04 04:59 . 2008-04-13 18:40 62976 c:\windows\maxdriver\cdrom.sys
+ 2005-08-16 10:18 . 2008-04-13 19:14 63744 c:\windows\maxdriver\cdfs.sys
+ 2001-08-17 19:52 . 2004-08-10 11:00 18688 c:\windows\maxdriver\cdaudio.sys
+ 2006-03-25 14:43 . 2008-04-13 18:46 17024 c:\windows\maxdriver\ccdecode.sys
+ 2001-08-17 19:52 . 2001-08-17 19:52 13952 c:\windows\maxdriver\cbidf2k.sys
+ 2008-09-17 23:30 . 2008-04-13 18:46 18944 c:\windows\maxdriver\bthusb.sys
+ 2008-09-17 23:30 . 2008-04-13 18:46 36480 c:\windows\maxdriver\bthprint.sys
+ 2008-09-17 23:30 . 2008-04-13 18:46 37888 c:\windows\maxdriver\bthmodem.sys
+ 2008-09-17 23:30 . 2008-04-13 18:46 17024 c:\windows\maxdriver\bthenum.sys
+ 2005-08-16 10:18 . 2008-04-13 18:53 71552 c:\windows\maxdriver\bridge.sys
+ 2007-04-14 17:13 . 2008-04-13 18:46 38912 c:\windows\maxdriver\avc.sys
+ 2005-08-16 10:18 . 2008-04-13 18:51 55808 c:\windows\maxdriver\atmlane.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 31360 c:\windows\maxdriver\atmepvc.sys
+ 2005-08-16 10:18 . 2008-04-13 18:51 59904 c:\windows\maxdriver\atmarpc.sys
+ 2006-03-25 14:40 . 2002-11-05 05:00 28416 c:\windows\maxdriver\ativxstw.sys
+ 2006-03-25 14:37 . 2002-11-05 05:00 17664 c:\windows\maxdriver\ativtutw.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 63488 c:\windows\maxdriver\atinxsxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 31744 c:\windows\maxdriver\atinxbxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 73216 c:\windows\maxdriver\atintuxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 13824 c:\windows\maxdriver\atinttxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 28672 c:\windows\maxdriver\atinsnxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 52224 c:\windows\maxdriver\atinraxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 14336 c:\windows\maxdriver\atinpdxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 13824 c:\windows\maxdriver\atinmdxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 57856 c:\windows\maxdriver\atinbtxx.sys
+ 2006-03-25 14:36 . 2002-11-05 05:00 58240 c:\windows\maxdriver\atibtcap.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 34735 c:\windows\maxdriver\ati1xsxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 29455 c:\windows\maxdriver\ati1xbxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 36463 c:\windows\maxdriver\ati1tuxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 21343 c:\windows\maxdriver\ati1ttxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 26367 c:\windows\maxdriver\ati1snxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 63663 c:\windows\maxdriver\ati1rvxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 30671 c:\windows\maxdriver\ati1raxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 12047 c:\windows\maxdriver\ati1pdxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 11615 c:\windows\maxdriver\ati1mdxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 56623 c:\windows\maxdriver\ati1btxx.sys
+ 2004-08-04 04:59 . 2010-02-27 15:22 96512 c:\windows\maxdriver\atapi.sys
+ 2005-08-16 10:18 . 2008-04-13 18:57 14336 c:\windows\maxdriver\asyncmac.sys
+ 2005-08-17 03:28 . 2001-08-17 19:51 14848 c:\windows\maxdriver\asc3550.sys
+ 2005-08-17 03:29 . 2001-08-17 19:52 22400 c:\windows\maxdriver\asc3350p.sys
+ 2005-08-17 03:28 . 2001-08-17 19:52 26496 c:\windows\maxdriver\asc.sys
+ 2004-08-04 04:58 . 2008-04-13 18:51 60800 c:\windows\maxdriver\arp1394.sys
+ 2005-08-17 03:29 . 2001-08-17 19:52 12032 c:\windows\maxdriver\amsint.sys
+ 2004-08-04 04:59 . 2008-04-13 18:31 37760 c:\windows\maxdriver\amdk7.sys
+ 2004-08-04 04:59 . 2008-04-13 18:31 37376 c:\windows\maxdriver\amdk6.sys
+ 2005-08-17 03:15 . 2008-04-13 18:36 43008 c:\windows\maxdriver\amdagp.sys
+ 2005-08-17 03:15 . 2008-04-13 18:36 42752 c:\windows\maxdriver\alim1541.sys
+ 2005-08-17 03:23 . 2001-08-17 20:07 56960 c:\windows\maxdriver\aic78xx.sys
+ 2005-08-17 03:23 . 2001-08-17 20:07 55168 c:\windows\maxdriver\aic78u2.sys
+ 2005-08-17 03:22 . 2001-08-17 19:52 12800 c:\windows\maxdriver\aha154x.sys
+ 2005-08-17 03:20 . 2008-04-13 18:36 44928 c:\windows\maxdriver\agpcpq.sys
+ 2005-08-16 10:34 . 2008-04-13 18:36 42368 c:\windows\maxdriver\agp440.sys
+ 2001-08-17 19:57 . 2004-08-10 11:00 11648 c:\windows\maxdriver\acpiec.sys
+ 2005-08-17 03:29 . 2001-08-17 19:52 23552 c:\windows\maxdriver\ABP480N5.SYS
+ 2007-04-14 17:13 . 2008-04-13 18:46 48128 c:\windows\maxdriver\61883.sys
+ 2006-03-17 01:33 . 2008-04-13 18:46 53376 c:\windows\maxdriver\1394bus.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 4352 c:\windows\maxdriver\wmilib.sys
+ 2007-03-30 17:17 . 2006-02-20 23:59 5808 c:\windows\maxdriver\w810whnt.sys
+ 2007-03-30 17:17 . 2006-02-20 23:59 5808 c:\windows\maxdriver\w810wh.sys
+ 2007-03-30 17:17 . 2006-02-20 23:59 8336 c:\windows\maxdriver\w810mdfl.sys
+ 2007-03-30 17:17 . 2006-02-20 23:59 6176 c:\windows\maxdriver\w810cmnt.sys
+ 2007-03-30 17:17 . 2006-02-20 23:59 6176 c:\windows\maxdriver\w810cm.sys
+ 2005-08-17 03:31 . 2008-04-13 18:40 5376 c:\windows\maxdriver\viaide.sys
+ 2001-08-17 20:03 . 2004-08-10 11:00 4736 c:\windows\maxdriver\usbd.sys
+ 2005-08-17 03:32 . 2001-08-17 19:51 4992 c:\windows\maxdriver\toside.sys
+ 2004-08-04 04:58 . 2008-04-13 18:39 4352 c:\windows\maxdriver\swenum.sys
+ 2006-03-17 01:48 . 2008-04-13 18:45 6272 c:\windows\maxdriver\splitter.sys
+ 2008-09-17 23:33 . 2008-04-13 18:36 5888 c:\windows\maxdriver\smbali.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 5888 c:\windows\maxdriver\rootmdm.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 4224 c:\windows\maxdriver\rdpcdd.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 8832 c:\windows\maxdriver\rasacd.sys
+ 2006-03-17 01:28 . 2004-12-23 07:58 8704 c:\windows\maxdriver\PFModNT.sys
+ 2005-08-17 03:25 . 2001-08-17 20:07 5504 c:\windows\maxdriver\perc2hib.sys
+ 2001-08-17 19:51 . 2001-08-17 19:51 3328 c:\windows\maxdriver\pciide.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 6784 c:\windows\maxdriver\parvdm.sys
+ 2001-08-17 19:57 . 2004-08-10 11:00 3456 c:\windows\maxdriver\oprghdlr.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 2944 c:\windows\maxdriver\null.sys
+ 2006-03-25 14:46 . 2008-04-13 18:39 5504 c:\windows\maxdriver\mstee.sys
+ 2006-03-17 01:48 . 2008-04-13 18:39 4992 c:\windows\maxdriver\mspqm.sys
+ 2006-03-17 01:48 . 2008-04-13 18:39 5376 c:\windows\maxdriver\mspclock.sys
+ 2006-03-17 01:48 . 2008-04-13 18:39 7552 c:\windows\maxdriver\mskssrv.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 4224 c:\windows\maxdriver\mnmdd.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 7680 c:\windows\maxdriver\mcd.sys
+ 2005-08-16 10:34 . 2008-04-13 18:40 5504 c:\windows\maxdriver\intelide.sys
+ 2005-08-17 03:27 . 2008-04-13 18:41 8576 c:\windows\maxdriver\i2omgmt.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 7936 c:\windows\maxdriver\fs_rec.sys
+ 2006-03-17 01:33 . 2001-08-17 19:46 6400 c:\windows\maxdriver\enum1394.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 3328 c:\windows\maxdriver\dxgthk.sys
+ 2006-03-17 01:48 . 2008-04-13 18:45 2944 c:\windows\maxdriver\drmkaud.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 5888 c:\windows\maxdriver\dmload.sys
+ 2006-03-17 02:01 . 2005-08-25 18:16 5628 c:\windows\maxdriver\DLACDBHM.SYS
+ 2006-04-02 01:42 . 2004-05-17 06:00 9216 c:\windows\maxdriver\cx88xbar.sys
+ 2005-08-17 03:30 . 2001-08-17 19:51 6656 c:\windows\maxdriver\cmdide.sys
+ 2007-02-02 08:00 . 2007-02-02 08:00 9464 c:\windows\maxdriver\cdralw2k.sys
+ 2007-02-02 08:00 . 2007-02-02 08:00 9336 c:\windows\maxdriver\cdr4_xp.sys
+ 2005-08-17 03:28 . 2001-08-17 19:52 7680 c:\windows\maxdriver\cd20xrnt.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 4224 c:\windows\maxdriver\beep.sys
+ 2005-08-16 10:35 . 2001-08-17 19:59 3072 c:\windows\maxdriver\audstub.sys
+ 2006-03-25 14:40 . 2002-11-05 05:00 6912 c:\windows\maxdriver\atibtxbr.sys
+ 2006-03-17 01:54 . 2006-03-17 01:54 8552 c:\windows\maxdriver\asctrm.sys
+ 2006-03-25 14:58 . 2003-08-01 14:00 5056 c:\windows\maxdriver\AloPar.sys
+ 2005-08-17 03:30 . 2001-08-17 19:51 5248 c:\windows\maxdriver\aliide.sys
+ 2008-09-17 23:33 . 2008-04-13 18:46 121984 c:\windows\maxdriver\usbvideo.sys
+ 2004-08-04 05:08 . 2008-04-13 18:45 143872 c:\windows\maxdriver\usbport.sys
+ 2005-08-16 10:18 . 2008-04-13 18:39 384768 c:\windows\maxdriver\update.sys
+ 2005-08-16 10:18 . 2008-06-20 11:08 225856 c:\windows\maxdriver\tcpip6.sys
+ 2005-08-16 10:18 . 2008-06-20 11:51 361600 c:\windows\maxdriver\tcpip.sys
+ 2006-03-17 01:28 . 2005-06-07 03:40 180736 c:\windows\maxdriver\sthda.sys
+ 2006-03-17 01:27 . 2009-12-31 16:50 353792 c:\windows\maxdriver\srv.sys
+ 2008-09-17 23:33 . 2004-08-04 03:41 404990 c:\windows\maxdriver\slntamr.sys
+ 2008-09-17 23:33 . 2004-08-04 03:41 129535 c:\windows\maxdriver\slnt7554.sys
+ 2008-09-17 23:33 . 2004-08-04 03:29 166912 c:\windows\maxdriver\s3gnbm.sys
+ 2005-08-16 10:18 . 2008-05-08 14:02 203136 c:\windows\maxdriver\rmcast.sys
+ 2005-08-16 10:37 . 2008-04-14 00:13 139656 c:\windows\maxdriver\rdpwd.sys
+ 2005-08-16 10:37 . 2008-04-13 18:32 196224 c:\windows\maxdriver\rdpdr.sys
+ 2005-08-16 10:18 . 2008-04-13 19:28 175744 c:\windows\maxdriver\rdbss.sys
+ 2004-03-16 17:58 . 2008-04-13 19:19 146048 c:\windows\maxdriver\portcls.sys
+ 2004-08-04 05:07 . 2008-04-13 18:36 120192 c:\windows\maxdriver\pcmcia.sys
+ 2005-08-16 10:18 . 2008-04-13 18:34 163584 c:\windows\maxdriver\nwrdr.sys
+ 2008-09-17 23:32 . 2004-08-04 03:41 180360 c:\windows\maxdriver\ntmtlfax.sys
+ 2005-08-16 10:18 . 2008-04-13 19:15 574976 c:\windows\maxdriver\ntfs.sys
+ 2005-08-16 10:18 . 2008-04-13 19:21 162816 c:\windows\maxdriver\netbt.sys
+ 2005-08-16 10:18 . 2008-04-13 19:20 182656 c:\windows\maxdriver\ndis.sys
+ 2005-08-16 10:18 . 2008-04-13 19:17 105344 c:\windows\maxdriver\mup.sys
+ 2008-09-17 23:32 . 2004-08-04 03:29 452736 c:\windows\maxdriver\mtxparhm.sys
+ 2008-09-17 23:32 . 2004-08-04 03:41 126686 c:\windows\maxdriver\mtlmnt5.sys
+ 2006-03-17 01:27 . 2009-12-04 18:22 455424 c:\windows\maxdriver\mrxsmb.sys
+ 2005-08-16 10:18 . 2008-04-13 18:32 180608 c:\windows\maxdriver\mrxdav.sys
+ 2007-04-06 03:19 . 2009-07-16 17:32 120136 c:\windows\maxdriver\Mpfp.sys
+ 2007-04-06 03:19 . 2009-09-16 15:22 214664 c:\windows\maxdriver\mfehidk.sys
+ 2004-08-04 05:15 . 2008-04-13 19:16 141056 c:\windows\maxdriver\ks.sys
+ 2006-03-17 01:48 . 2008-04-13 18:45 172416 c:\windows\maxdriver\kmixer.sys
+ 2005-08-16 10:18 . 2008-04-13 18:57 152832 c:\windows\maxdriver\ipnat.sys
+ 2004-08-04 05:00 . 2009-10-20 16:20 265728 c:\windows\maxdriver\http.sys
+ 2008-09-17 23:31 . 2004-08-04 03:41 685056 c:\windows\maxdriver\hsfcxts2.sys
+ 2008-09-17 23:31 . 2004-08-04 03:41 220032 c:\windows\maxdriver\hsfbs2s2.sys
+ 2004-08-12 23:45 . 2004-08-12 23:45 113664 c:\windows\maxdriver\Hdaudio.sys
+ 2004-08-12 23:45 . 2008-04-13 16:36 144384 c:\windows\maxdriver\hdaudbus.sys
+ 2001-08-17 19:52 . 2001-08-17 19:52 125056 c:\windows\maxdriver\ftdisk.sys
+ 2005-08-16 10:40 . 2008-04-13 18:32 129792 c:\windows\maxdriver\fltmgr.sys
+ 2005-08-16 10:18 . 2008-04-13 19:14 143744 c:\windows\maxdriver\fastfat.sys
+ 2005-08-16 10:35 . 2004-10-15 03:30 155648 c:\windows\maxdriver\e100b325.sys
+ 2005-08-16 10:18 . 2008-04-13 18:44 153344 c:\windows\maxdriver\dmio.sys
+ 2005-08-16 10:18 . 2008-04-13 18:44 799744 c:\windows\maxdriver\dmboot.sys
+ 2005-08-17 03:28 . 2001-08-17 19:52 179584 c:\windows\maxdriver\dac2w2k.sys
+ 2006-04-02 01:42 . 2004-05-17 06:00 185216 c:\windows\maxdriver\cx88vid.sys
+ 2006-03-17 01:28 . 2005-05-26 04:34 158464 c:\windows\maxdriver\CTUSFSYN.SYS
+ 2006-03-17 01:28 . 2005-01-11 06:15 138752 c:\windows\maxdriver\CTSFM2K.SYS
+ 2006-03-17 01:28 . 2005-01-11 06:15 106496 c:\windows\maxdriver\CTOSS2K.SYS
+ 2001-08-17 20:02 . 2004-08-10 11:00 262528 c:\windows\maxdriver\cinemst2.sys
+ 2008-06-11 09:34 . 2008-06-13 11:05 272128 c:\windows\maxdriver\bthport.sys
+ 2008-09-17 23:30 . 2008-04-13 18:51 101120 c:\windows\maxdriver\bthpan.sys
+ 2005-08-16 10:18 . 2004-08-10 11:00 352256 c:\windows\maxdriver\atmuni.sys
+ 2006-03-25 14:39 . 2004-08-04 04:29 104960 c:\windows\maxdriver\atinrvxx.sys
+ 2008-09-17 23:30 . 2004-08-04 03:29 327040 c:\windows\maxdriver\ati2mtaa.sys
+ 2005-08-16 10:18 . 2008-08-14 10:04 138496 c:\windows\maxdriver\afd.sys
+ 2006-03-17 01:48 . 2008-04-13 16:39 142592 c:\windows\maxdriver\aec.sys
+ 2005-08-17 03:23 . 2001-08-17 20:07 101888 c:\windows\maxdriver\adpu160m.sys
+ 2004-08-04 05:07 . 2008-04-13 18:36 187776 c:\windows\maxdriver\acpi.sys
+ 2009-08-04 20:06 . 2009-08-04 20:06 132352 c:\windows\Downloaded Program Files\as2stubie.dll
+ 2006-03-17 01:28 . 2005-03-25 22:11 1350272 c:\windows\maxdriver\sigfilt.sys
+ 2010-02-27 15:22 . 2009-12-12 03:48 1041920 c:\windows\maxdriver\pevFind.exe
+ 2005-08-16 10:35 . 2004-08-04 04:29 1897408 c:\windows\maxdriver\nv4_mini.sys
+ 2008-09-17 23:32 . 2004-08-04 03:41 1309184 c:\windows\maxdriver\mtlstrm.sys
+ 2008-09-17 23:31 . 2004-08-04 03:41 1041536 c:\windows\maxdriver\hsfdpsp2.sys
+ 2006-03-17 01:28 . 2005-08-04 10:10 1273344 c:\windows\maxdriver\ati2mtag.sys
.
-- Snapshot reset to current date --
 
ComboFix part 3:

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtstur]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^WD Anywhere Backup Launcher.lnk]
path=c:\documents and settings\Mom\Start Menu\Programs\Startup\WD Anywhere Backup Launcher.lnk
backup=c:\windows\pss\WD Anywhere Backup Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 06:55 160752 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 21:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McPvTray]
2009-11-17 17:15 670312 ----a-w- c:\program files\McAfee\Anti-Theft\McPvTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2008-12-12 18:46 9555968 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-05-01 01:24 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 10:19 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 10:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-05-01 01:24 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
2008-01-30 10:50 438272 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 23:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/17/2009 11:15 AM 63080]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/27/2010 9:19 PM 28552]
R2 CX88XBAR;Video Advantage PCI Crossbar;c:\windows\system32\drivers\cx88xbar.sys [4/1/2006 7:42 PM 9216]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/25/2008 8:55 PM 93320]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [9/3/2009 3:44 PM 444224]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 4:52 AM 106496]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 w810mdmm;w810mdmm;c:\windows\system32\drivers\w810mdmm.sys --> c:\windows\system32\drivers\w810mdmm.sys [?]
S2 gupdate1c95ff64fbe87d0;Google Update Service (gupdate1c95ff64fbe87d0);c:\program files\Google\Update\GoogleUpdate.exe [12/16/2008 9:19 PM 133104]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 1:43 PM 204800]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/24/2010 1:39 PM 11520]
S4 AutoSyncService;Memeo AutoSync ;c:\program files\Memeo\AutoSync\MemeoService.exe [7/6/2007 4:28 PM 31768]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-02-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-20 06:55]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-17 15:49]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-17 15:49]

2010-02-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-06 17:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-06 17:22]

2010-02-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://batonrouge.cox.net/cci/home
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: att.net\my
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: nascar.com\www
Trusted Zone: windowsupdate.com\download
Trusted Zone: yahoo.com\us.f519.mail
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.10/uploader2.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{17599003-a66e-4467-8891-1d57c3e43fcd} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 12:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x8B07C8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28
\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8
\Driver\atapi -> atapi.sys @ 0xb9f14b3a
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3930530056-1653841120-937661522-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-02-28 12:55:58
ComboFix-quarantined-files.txt 2010-02-28 18:55
ComboFix2.txt 2010-02-26 22:40
ComboFix3.txt 2008-03-16 17:45

Pre-Run: 432,194,105,344 bytes free
Post-Run: 432,197,906,432 bytes free

- - End Of File - - 9E99B61DEB440503F2D62A53D34D67FC
 
I checked the google links, and it still redirects. I googled redirect virus and it sent me to "apartmentfinder.com" and knows the town I live in.

hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:20 PM, on 2/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Java\jre6\bin\jusched.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
C:\WINDOWS\system32\SAgent4.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://batonrouge.cox.net/cci/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: (no name) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [EEventManager] C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\Hewlett-Packard\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://my.att.net
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://www.nascar.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} (UploadListView Class) - http://picasaweb.google.com/s/v/59.10/uploader2.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/52.09/uploader2.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1205631147421
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_games/sony/davinci/DVCDownloadControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5488/mcfscan.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: awtstur - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - Unknown owner - C:\Program Files\Common Files\EPSON\eEBAPI\SAgent2.exe (file missing)
O23 - Service: EPSON V5 Service4(01) (EPSON_EB_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
O23 - Service: Google Update Service (gupdate1c95ff64fbe87d0) (gupdate1c95ff64fbe87d0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: RosettaStoneDaemon - Rosetta Stone Ltd. - C:\Program Files\RosettaStoneLtdServices\RosettaStoneDaemon.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
O23 - Service: WD Drive Manager Service (WDBtnMgrSvc.exe) - WDC - C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe

--
End of file - 15345 bytes
 
Let's just try something before you upgrade.

Please try running a vanilla IE as follows:
  • Start > All Programs > Accessories > System Tools - IE (No Add-Ons)

See if you are still getting the redirects.

If you are still getting them, please do the following

Download TDSSKiller.zip and extract TDSSKiller.exe to your Desktop.

Double-click TDSSKiller.exe and follow the prompts to run it.

When finished, it will prompt you to press any key.

It will produce a log here > C:\TDSSKiller.2.2.7_date_time_log.txt

Please navigate to the file, double-click to open it, and copy/paste the contents in your next reply.
 
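A small log-triage helper, added here as an example and not code from the thread or from HijackThis itself: it reads HijackThis lines like the ones posted above and flags the entry classes a helper looks at first when chasing redirects (orphaned BHOs, bare-name autoruns, Trusted Zone sites, DPF entries with no URL, DNS overrides, Winlogon Notify packages with no DLL). The sample lines are constructed from the log above plus one hypothetical O17 NameServer line, and the severity labels are my own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in HijackThis format: most lines are copied from the log
# posted in this thread; the O17 NameServer line is hypothetical (TEST-NET
# addresses, placeholder GUID) so the DNS check has something to fire on.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 203.0.113.5,203.0.113.6
O20 - Winlogon Notify: awtstur - C:\WINDOWS\
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - Unknown owner - C:\Program Files\Common Files\EPSON\eEBAPI\SAgent2.exe (file missing)
"""

# HijackThis prefixes each entry with a section tag such as O2, O4, O20 or R1.
SECTION_RE = re.compile(r"^([ORFN]\d+)\s+-\s+(.*)$")


def _check(section: str, body: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for entries worth a second look, else None."""
    if section in ("O2", "O3", "O9") and body.endswith("(no file)"):
        return "low", "orphaned registration: CLSID still present but its file is gone"
    if section == "O4":
        # The command follows the [name] tag; a quoted path keeps its spaces.
        cmd = body.split("] ", 1)[-1].strip()
        exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
        if "\\" not in exe:
            return "review", "autorun by bare file name, resolved through the search path"
    if section == "O15":
        return "review", "Trusted Zone site runs with relaxed IE security settings"
    if section == "O16" and body.rstrip().endswith("-"):
        return "review", "ActiveX (DPF) entry with no source URL"
    if section == "O17":
        return "high", "DNS NameServer override; confirm the addresses belong to the ISP or router"
    if section == "O20":
        target = body.rsplit(" - ", 1)[-1].strip()
        if target.endswith("\\") or target.endswith("(no file)"):
            return "high", "Winlogon Notify package without a DLL file name"
        return "review", "Winlogon Notify DLL loads at every logon; confirm the vendor"
    if section == "O23" and ("(file missing)" in body or "Unknown owner" in body):
        return "low", "service with a missing binary or no vendor information"
    return None


def triage_hjt(log_text: str) -> List[Dict[str, str]]:
    """Walk a HijackThis log and collect the entries a helper would examine first."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if not match:
            continue  # headers, running-process paths and blank lines
        section, body = match.groups()
        verdict = _check(section, body)
        if verdict:
            severity, reason = verdict
            findings.append({"section": section, "severity": severity,
                             "reason": reason, "line": line})
    return findings


def severity_counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Tally findings by severity so a long log can be summarised at a glance."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{f['severity']:6}] {f['section']:4} {f['reason']}\n         {f['line']}")
```

Feed it a saved hijackthis.log instead of the sample to get the same summary for a real machine; the flagged entries still need a human to confirm the vendor or the file on disk.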
IE was NOT HAPPY when trying to run with no add ons...
Ran the TDSS

15:29:58:671 5084 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
15:29:58:671 5084 ================================================================================
15:29:58:671 5084 SystemInfo:

15:29:58:671 5084 OS Version: 5.1.2600 ServicePack: 3.0
15:29:58:671 5084 Product type: Workstation
15:29:58:671 5084 ComputerName: KATHY
15:29:58:671 5084 UserName: Mom
15:29:58:671 5084 Windows directory: C:\WINDOWS
15:29:58:671 5084 Processor architecture: Intel x86
15:29:58:671 5084 Number of processors: 2
15:29:58:671 5084 Page size: 0x1000
15:29:58:687 5084 Boot type: Normal boot
15:29:58:687 5084 ================================================================================
15:29:58:687 5084 UnloadDriverW: NtUnloadDriver error 2
15:29:58:687 5084 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
15:29:58:859 5084 Initialize success
15:29:58:859 5084
15:29:58:859 5084 Scanning Services ...
15:29:58:859 5084 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
15:29:58:859 5084 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:29:58:859 5084 wfopen_ex: Trying to KLMD file open
15:29:58:859 5084 wfopen_ex: File opened ok (Flags 2)
15:29:58:859 5084 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
15:29:58:859 5084 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
15:29:58:859 5084 wfopen_ex: Trying to KLMD file open
15:29:58:859 5084 wfopen_ex: File opened ok (Flags 2)
15:29:59:296 5084 GetAdvancedServicesInfo: Raw services enum returned 433 services
15:29:59:328 5084 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
15:29:59:328 5084 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
15:29:59:328 5084
15:29:59:328 5084 Scanning Kernel memory ...
15:29:59:328 5084 Devices to scan: 12
15:29:59:328 5084
15:29:59:328 5084 Driver Name: Disk
15:29:59:328 5084 IRP_MJ_CREATE : BA0EEBB0
15:29:59:328 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:328 5084 IRP_MJ_CLOSE : BA0EEBB0
15:29:59:328 5084 IRP_MJ_READ : BA0E8D1F
15:29:59:328 5084 IRP_MJ_WRITE : BA0E8D1F
15:29:59:328 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:328 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:328 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:328 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:328 5084 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
15:29:59:328 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:328 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:328 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:328 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:328 5084 IRP_MJ_DEVICE_CONTROL : BA0E93BB
15:29:59:328 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
15:29:59:328 5084 IRP_MJ_SHUTDOWN : BA0E92E2
15:29:59:328 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:328 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:328 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:328 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:328 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:328 5084 IRP_MJ_POWER : BA0EAC82
15:29:59:328 5084 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
15:29:59:328 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:328 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:328 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:328 5084 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:59:328 5084 sion
15:29:59:328 5084 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:59:328 5084
15:29:59:328 5084 Driver Name: Disk
15:29:59:328 5084 IRP_MJ_CREATE : BA0EEBB0
15:29:59:328 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:328 5084 IRP_MJ_CLOSE : BA0EEBB0
15:29:59:328 5084 IRP_MJ_READ : BA0E8D1F
15:29:59:328 5084 IRP_MJ_WRITE : BA0E8D1F
15:29:59:328 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:328 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:328 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:328 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:328 5084 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
15:29:59:328 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:328 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:328 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:328 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:328 5084 IRP_MJ_DEVICE_CONTROL : BA0E93BB
15:29:59:328 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
15:29:59:328 5084 IRP_MJ_SHUTDOWN : BA0E92E2
15:29:59:328 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:328 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:328 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:328 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:328 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:328 5084 IRP_MJ_POWER : BA0EAC82
15:29:59:328 5084 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
15:29:59:328 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:328 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:328 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:328 5084 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:59:328 5084 sion
15:29:59:343 5084 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:59:343 5084
15:29:59:343 5084 Driver Name: Disk
15:29:59:343 5084 IRP_MJ_CREATE : BA0EEBB0
15:29:59:343 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:343 5084 IRP_MJ_CLOSE : BA0EEBB0
15:29:59:343 5084 IRP_MJ_READ : BA0E8D1F
15:29:59:343 5084 IRP_MJ_WRITE : BA0E8D1F
15:29:59:343 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:343 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:343 5084 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
15:29:59:343 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:343 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:343 5084 IRP_MJ_DEVICE_CONTROL : BA0E93BB
15:29:59:343 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
15:29:59:343 5084 IRP_MJ_SHUTDOWN : BA0E92E2
15:29:59:343 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:343 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:343 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:343 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:343 5084 IRP_MJ_POWER : BA0EAC82
15:29:59:343 5084 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
15:29:59:343 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:343 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:343 5084 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:59:343 5084 sion
15:29:59:343 5084 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:59:343 5084
15:29:59:343 5084 Driver Name: Disk
15:29:59:343 5084 IRP_MJ_CREATE : BA0EEBB0
15:29:59:343 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:343 5084 IRP_MJ_CLOSE : BA0EEBB0
15:29:59:343 5084 IRP_MJ_READ : BA0E8D1F
15:29:59:343 5084 IRP_MJ_WRITE : BA0E8D1F
15:29:59:343 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:343 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:343 5084 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
15:29:59:343 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:343 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:343 5084 IRP_MJ_DEVICE_CONTROL : BA0E93BB
15:29:59:343 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
15:29:59:343 5084 IRP_MJ_SHUTDOWN : BA0E92E2
15:29:59:343 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:343 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:343 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:343 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:343 5084 IRP_MJ_POWER : BA0EAC82
15:29:59:343 5084 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
15:29:59:343 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:343 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:343 5084 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:59:343 5084 sion
15:29:59:343 5084 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:59:343 5084
15:29:59:343 5084 Driver Name: USBSTOR
15:29:59:343 5084 IRP_MJ_CREATE : BA3FD218
15:29:59:343 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:343 5084 IRP_MJ_CLOSE : BA3FD218
15:29:59:343 5084 IRP_MJ_READ : BA3FD23C
15:29:59:343 5084 IRP_MJ_WRITE : BA3FD23C
15:29:59:343 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:343 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:343 5084 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:343 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:343 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:343 5084 IRP_MJ_DEVICE_CONTROL : BA3FD180
15:29:59:343 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA3F89E6
15:29:59:343 5084 IRP_MJ_SHUTDOWN : 804F4562
15:29:59:343 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:343 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:343 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:343 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:343 5084 IRP_MJ_POWER : BA3FC5F0
15:29:59:343 5084 IRP_MJ_SYSTEM_CONTROL : BA3FAA6E
15:29:59:343 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:343 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:343 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:359 5084 siohd: 0
15:29:59:359 5084 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
15:29:59:359 5084
15:29:59:359 5084 Driver Name: USBSTOR
15:29:59:359 5084 IRP_MJ_CREATE : BA3FD218
15:29:59:359 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:359 5084 IRP_MJ_CLOSE : BA3FD218
15:29:59:359 5084 IRP_MJ_READ : BA3FD23C
15:29:59:359 5084 IRP_MJ_WRITE : BA3FD23C
15:29:59:359 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:359 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:359 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:375 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:375 5084 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:375 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:375 5084 IRP_MJ_DEVICE_CONTROL : BA3FD180
15:29:59:375 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA3F89E6
15:29:59:375 5084 IRP_MJ_SHUTDOWN : 804F4562
15:29:59:375 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:375 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:375 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:375 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:375 5084 IRP_MJ_POWER : BA3FC5F0
15:29:59:375 5084 IRP_MJ_SYSTEM_CONTROL : BA3FAA6E
15:29:59:375 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:375 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:375 5084 siohd: 0
15:29:59:375 5084 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
15:29:59:375 5084
15:29:59:375 5084 Driver Name: USBSTOR
15:29:59:375 5084 IRP_MJ_CREATE : BA3FD218
15:29:59:375 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:375 5084 IRP_MJ_CLOSE : BA3FD218
15:29:59:375 5084 IRP_MJ_READ : BA3FD23C
15:29:59:375 5084 IRP_MJ_WRITE : BA3FD23C
15:29:59:375 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:375 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:375 5084 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:375 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:375 5084 IRP_MJ_DEVICE_CONTROL : BA3FD180
15:29:59:375 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA3F89E6
15:29:59:375 5084 IRP_MJ_SHUTDOWN : 804F4562
15:29:59:375 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:375 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:375 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:375 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:375 5084 IRP_MJ_POWER : BA3FC5F0
15:29:59:375 5084 IRP_MJ_SYSTEM_CONTROL : BA3FAA6E
15:29:59:375 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:375 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:375 5084 siohd: 0
15:29:59:375 5084 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
15:29:59:375 5084
15:29:59:375 5084 Driver Name: USBSTOR
15:29:59:375 5084 IRP_MJ_CREATE : BA3FD218
15:29:59:375 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:375 5084 IRP_MJ_CLOSE : BA3FD218
15:29:59:375 5084 IRP_MJ_READ : BA3FD23C
15:29:59:375 5084 IRP_MJ_WRITE : BA3FD23C
15:29:59:375 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:375 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:375 5084 IRP_MJ_FLUSH_BUFFERS : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:375 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:375 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:375 5084 IRP_MJ_DEVICE_CONTROL : BA3FD180
15:29:59:375 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA3F89E6
15:29:59:375 5084 IRP_MJ_SHUTDOWN : 804F4562
15:29:59:375 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:375 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:375 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:375 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:375 5084 IRP_MJ_POWER : BA3FC5F0
15:29:59:375 5084 IRP_MJ_SYSTEM_CONTROL : BA3FAA6E
15:29:59:375 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:375 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:375 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:375 5084 siohd: 0
15:29:59:390 5084 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: Clean
15:29:59:390 5084
15:29:59:390 5084 Driver Name: Disk
15:29:59:390 5084 IRP_MJ_CREATE : BA0EEBB0
15:29:59:390 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:390 5084 IRP_MJ_CLOSE : BA0EEBB0
15:29:59:390 5084 IRP_MJ_READ : BA0E8D1F
15:29:59:390 5084 IRP_MJ_WRITE : BA0E8D1F
15:29:59:390 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:390 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:390 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:390 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:390 5084 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
15:29:59:390 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:390 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:390 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:390 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:390 5084 IRP_MJ_DEVICE_CONTROL : BA0E93BB
15:29:59:390 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
15:29:59:390 5084 IRP_MJ_SHUTDOWN : BA0E92E2
15:29:59:390 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:390 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:390 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:390 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:390 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:390 5084 IRP_MJ_POWER : BA0EAC82
15:29:59:390 5084 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
15:29:59:390 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:390 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:390 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:390 5084 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:59:390 5084 sion
15:29:59:390 5084 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:59:390 5084
15:29:59:390 5084 Driver Name: Disk
15:29:59:390 5084 IRP_MJ_CREATE : BA0EEBB0
15:29:59:390 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:390 5084 IRP_MJ_CLOSE : BA0EEBB0
15:29:59:390 5084 IRP_MJ_READ : BA0E8D1F
15:29:59:390 5084 IRP_MJ_WRITE : BA0E8D1F
15:29:59:390 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:390 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:390 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:390 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:390 5084 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
15:29:59:390 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:390 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:390 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:390 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:390 5084 IRP_MJ_DEVICE_CONTROL : BA0E93BB
15:29:59:390 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
15:29:59:390 5084 IRP_MJ_SHUTDOWN : BA0E92E2
15:29:59:390 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:390 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:390 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:390 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:390 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:390 5084 IRP_MJ_POWER : BA0EAC82
15:29:59:390 5084 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
15:29:59:390 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:390 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:390 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:390 5084 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:59:406 5084 sion
15:29:59:406 5084 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:59:406 5084
15:29:59:406 5084 Driver Name: Disk
15:29:59:406 5084 IRP_MJ_CREATE : BA0EEBB0
15:29:59:406 5084 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:29:59:406 5084 IRP_MJ_CLOSE : BA0EEBB0
15:29:59:406 5084 IRP_MJ_READ : BA0E8D1F
15:29:59:406 5084 IRP_MJ_WRITE : BA0E8D1F
15:29:59:406 5084 IRP_MJ_QUERY_INFORMATION : 804F4562
15:29:59:406 5084 IRP_MJ_SET_INFORMATION : 804F4562
15:29:59:406 5084 IRP_MJ_QUERY_EA : 804F4562
15:29:59:406 5084 IRP_MJ_SET_EA : 804F4562
15:29:59:406 5084 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
15:29:59:406 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
15:29:59:406 5084 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
15:29:59:406 5084 IRP_MJ_DIRECTORY_CONTROL : 804F4562
15:29:59:406 5084 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
15:29:59:406 5084 IRP_MJ_DEVICE_CONTROL : BA0E93BB
15:29:59:406 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
15:29:59:406 5084 IRP_MJ_SHUTDOWN : BA0E92E2
15:29:59:406 5084 IRP_MJ_LOCK_CONTROL : 804F4562
15:29:59:406 5084 IRP_MJ_CLEANUP : 804F4562
15:29:59:406 5084 IRP_MJ_CREATE_MAILSLOT : 804F4562
15:29:59:406 5084 IRP_MJ_QUERY_SECURITY : 804F4562
15:29:59:406 5084 IRP_MJ_SET_SECURITY : 804F4562
15:29:59:406 5084 IRP_MJ_POWER : BA0EAC82
15:29:59:406 5084 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
15:29:59:406 5084 IRP_MJ_DEVICE_CHANGE : 804F4562
15:29:59:406 5084 IRP_MJ_QUERY_QUOTA : 804F4562
15:29:59:406 5084 IRP_MJ_SET_QUOTA : 804F4562
15:29:59:406 5084 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
15:29:59:406 5084 sion
15:29:59:406 5084 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
15:29:59:406 5084
15:29:59:406 5084 Driver Name: atapi
15:29:59:406 5084 IRP_MJ_CREATE : B9F14B3A
15:29:59:406 5084 IRP_MJ_CREATE_NAMED_PIPE : B9F14B3A
15:29:59:406 5084 IRP_MJ_CLOSE : B9F14B3A
15:29:59:406 5084 IRP_MJ_READ : B9F14B3A
15:29:59:406 5084 IRP_MJ_WRITE : B9F14B3A
15:29:59:406 5084 IRP_MJ_QUERY_INFORMATION : B9F14B3A
15:29:59:406 5084 IRP_MJ_SET_INFORMATION : B9F14B3A
15:29:59:406 5084 IRP_MJ_QUERY_EA : B9F14B3A
15:29:59:406 5084 IRP_MJ_SET_EA : B9F14B3A
15:29:59:406 5084 IRP_MJ_FLUSH_BUFFERS : B9F14B3A
15:29:59:406 5084 IRP_MJ_QUERY_VOLUME_INFORMATION : B9F14B3A
15:29:59:406 5084 IRP_MJ_SET_VOLUME_INFORMATION : B9F14B3A
15:29:59:406 5084 IRP_MJ_DIRECTORY_CONTROL : B9F14B3A
15:29:59:406 5084 IRP_MJ_FILE_SYSTEM_CONTROL : B9F14B3A
15:29:59:406 5084 IRP_MJ_DEVICE_CONTROL : B9F14B3A
15:29:59:406 5084 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9F14B3A
15:29:59:406 5084 IRP_MJ_SHUTDOWN : B9F14B3A
15:29:59:406 5084 IRP_MJ_LOCK_CONTROL : B9F14B3A
15:29:59:406 5084 IRP_MJ_CLEANUP : B9F14B3A
15:29:59:406 5084 IRP_MJ_CREATE_MAILSLOT : B9F14B3A
15:29:59:406 5084 IRP_MJ_QUERY_SECURITY : B9F14B3A
15:29:59:406 5084 IRP_MJ_SET_SECURITY : B9F14B3A
15:29:59:406 5084 IRP_MJ_POWER : B9F14B3A
15:29:59:406 5084 IRP_MJ_SYSTEM_CONTROL : B9F14B3A
15:29:59:406 5084 IRP_MJ_DEVICE_CHANGE : B9F14B3A
15:29:59:406 5084 IRP_MJ_QUERY_QUOTA : B9F14B3A
15:29:59:406 5084 IRP_MJ_SET_QUOTA : B9F14B3A
15:29:59:406 5084 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
15:29:59:406 5084 TDL3_IrpHookDetect: New IrpHandler addr: 8B07C8C8
15:29:59:406 5084 ihd: 10, FFDF0308, 510, 134, 3, 120, 0
15:29:59:406 5084 Driver "atapi" Irp handler infected by TDSS rootkit ... 15:29:59:406 5084 cured
15:29:59:406 5084 siohd: 0
15:29:59:421 5084 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
15:29:59:421 5084 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 15:29:59:421 5084 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
15:29:59:421 5084 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
15:29:59:562 5084 vfvi6
15:29:59:671 5084 !dsvbh1
15:30:00:671 5084 dsvbh2
15:30:00:671 5084 fdfb2
15:30:00:671 5084 Backup copy found, using it..
15:30:00:703 5084 will be cured on next reboot
15:30:00:703 5084 Reboot required for cure complete..
15:30:00:828 5084 Cure on reboot scheduled successfully
15:30:00:828 5084
15:30:00:828 5084 Completed
15:30:00:828 5084
15:30:00:828 5084 Results:
15:30:00:828 5084 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
15:30:00:843 5084 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
15:30:00:843 5084 File objects infected / cured / cured on reboot: 1 / 0 / 1
15:30:00:843 5084
15:30:00:843 5084 UnloadDriverW: NtUnloadDriver error 1
15:30:00:843 5084 KLMD_Unload: UnloadDriverW(klmd21) error 1
15:30:00:843 5084 KLMD(ARK) unloaded successfully
 
HA !!

It looks like we have tracked it down.

Please run ComboFix again, and let me know if the redirects continue after.
 
YES!!! All is working now. Thank you so much for being so patient and diligent.
Any words of wisdom on how to prevent this from happening again?

combofix log:

ComboFix 10-02-27.04 - Mom 02/28/2010 15:56:35.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2445 [GMT -6:00]
Running from: c:\documents and settings\Mom\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-01-28 to 2010-02-28 )))))))))))))))))))))))))))))))
.

2010-02-28 03:19 . 2009-06-30 15:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-28 03:19 . 2010-02-28 03:19 -------- d-----w- c:\program files\Panda Security
2010-02-27 15:17 . 2010-02-27 15:23 -------- d-----w- c:\windows\maxdriver
2010-02-22 03:30 . 2010-02-22 03:30 -------- d-----w- C:\Rooter$
2010-02-21 03:01 . 2010-02-21 03:00 38784 ----a-w- c:\documents and settings\Mom\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-21 03:01 . 2010-02-21 03:01 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-21 02:59 . 2010-02-21 02:59 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-02-21 02:59 . 2010-02-21 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-02-21 01:09 . 2010-02-21 01:09 -------- d-----w- c:\documents and settings\Mom\Application Data\Malwarebytes
2010-02-21 01:09 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-21 01:09 . 2010-02-21 01:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-21 01:09 . 2010-02-21 01:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-21 01:09 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 22:20 . 2010-02-18 22:21 -------- d-----w- C:\rsit
2010-02-15 01:51 . 2010-02-15 01:51 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\Yahoo!
2010-02-13 03:13 . 2010-02-27 15:44 -------- d-----w- c:\program files\SpywareBlaster
2010-02-12 23:00 . 2010-02-12 23:00 50354 ----a-w- c:\documents and settings\Mom\Application Data\Facebook\uninstall.exe
2010-02-12 23:00 . 2010-02-12 23:00 -------- d-----w- c:\documents and settings\Mom\Application Data\Facebook
2010-02-12 01:18 . 2010-02-12 01:18 -------- d-----w- c:\program files\ERUNT
2010-02-11 23:17 . 2010-02-11 23:17 -------- d-----w- c:\program files\Flip Video
2010-02-11 23:17 . 2010-02-11 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Flip Video
2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Mom\Application Data\Facebook\axfbootloader.dll
2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Mom\Application Data\Facebook\npfbplugin_1_0_1.dll
2010-01-30 19:53 . 2010-01-30 19:53 -------- d--h--w- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 21:55 . 2008-07-30 01:15 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-28 21:31 . 2004-08-04 04:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-24 15:16 . 2009-10-02 20:40 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-22 02:33 . 2006-03-26 05:45 -------- d-----w- c:\program files\quicken
2010-02-21 03:03 . 2006-03-23 04:03 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-20 13:57 . 2006-03-17 01:33 90112 ----a-w- c:\windows\DUMP6021.tmp
2010-02-19 03:57 . 2006-03-17 02:01 -------- d-----w- c:\program files\McAfee
2010-02-11 23:16 . 2008-12-26 03:12 -------- d-----w- c:\program files\Pure Digital Technologies
2010-02-07 16:55 . 2007-09-29 02:45 -------- d-----w- c:\program files\Google
2010-02-02 06:55 . 2008-12-17 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-30 22:14 . 2006-03-17 01:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-27 02:15 . 2009-09-20 00:34 696320 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-01-24 19:42 . 2010-01-24 19:42 -------- d-----w- c:\program files\Common Files\eSellerate
2010-01-24 19:40 . 2010-01-24 19:40 8854 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
2010-01-24 19:40 . 2010-01-24 19:40 40960 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
2010-01-24 19:40 . 2010-01-24 19:40 10134 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
2010-01-24 19:40 . 2010-01-24 19:40 -------- d-----w- c:\program files\Western Digital Technologies
2010-01-24 19:39 . 2008-08-13 22:02 -------- d-----w- c:\program files\Western Digital
2010-01-12 00:54 . 2010-01-12 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\RosettaStoneLtdServices
2010-01-12 00:52 . 2010-01-12 00:52 -------- d-----w- c:\program files\RosettaStoneLtdServices
2010-01-05 10:00 . 2005-08-16 10:18 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2009-04-08 23:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-16 10:18 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-03 21:23 . 2010-01-03 21:01 -------- d-----w- c:\program files\Family Tree Maker 2010
2010-01-03 21:04 . 2010-01-03 21:04 -------- d-----w- c:\program files\Windows Media Components
2010-01-03 21:04 . 2010-01-03 21:04 -------- d-----w- c:\program files\Microsoft.NET
2010-01-03 21:04 . 2010-01-03 21:04 1078 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{EDEA8AB7-7683-4ED2-AA19-E6C078064C0D}\DocumentationShortcu_EDEA8AB776834ED2AA19E6C078064C0D.exe
2010-01-03 21:04 . 2010-01-03 21:04 10134 ----a-r- c:\documents and settings\Mom\Application Data\Microsoft\Installer\{EDEA8AB7-7683-4ED2-AA19-E6C078064C0D}\ARPPRODUCTICON.exe
2010-01-03 21:04 . 2010-01-03 21:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-03 21:04 . 2010-01-03 21:04 -------- d-----w- c:\program files\Microsoft WSE
2010-01-03 21:03 . 2010-01-03 21:01 -------- d-----w- c:\program files\BCL Technologies
2009-12-31 16:50 . 2006-03-17 01:27 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2005-08-16 10:37 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 07:08 . 2005-08-16 10:18 33280 ------w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2005-08-16 10:18 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 04:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2006-03-17 01:27 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2008-03-31 01:17 . 2006-03-23 04:05 104 --sh--r- c:\windows\system32\59C154333E.sys
.

((((((((((((((((((((((((((((( SnapShot_2010-02-28_18.53.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-28 21:32 . 2010-02-28 21:32 16384 c:\windows\Temp\Perflib_Perfdata_2b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2009-01-12 669520]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtstur]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Driver]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Personal Coach.lnk
backup=c:\windows\pss\Personal Coach.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=c:\windows\pss\ymetray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Mom^Start Menu^Programs^Startup^WD Anywhere Backup Launcher.lnk]
path=c:\documents and settings\Mom\Start Menu\Programs\Startup\WD Anywhere Backup Launcher.lnk
backup=c:\windows\pss\WD Anywhere Backup Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Updater]
2010-02-02 06:55 160752 ----a-w- c:\program files\Google\Google Updater\GoogleUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-03-12 03:34 49152 ----a-w- c:\program files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-21 21:36 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McPvTray]
2009-11-17 17:15 670312 ----a-w- c:\program files\McAfee\Anti-Theft\McPvTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
2008-12-12 18:46 9555968 ----a-w- c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 06:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2009-05-01 01:24 214536 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 10:19 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-11 10:17 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-05-01 01:24 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Drive Manager]
2008-01-30 10:50 438272 ----a-w- c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-08-30 23:43 4670704 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneLtdServices.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Ltd Services
"c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe"= c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe:127.0.0.1/255.255.255.255:Enabled:Rosetta Stone Daemon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/17/2009 11:15 AM 63080]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2/27/2010 9:19 PM 28552]
R2 CX88XBAR;Video Advantage PCI Crossbar;c:\windows\system32\drivers\cx88xbar.sys [4/1/2006 7:42 PM 9216]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/25/2008 8:55 PM 93320]
R2 RosettaStoneDaemon;RosettaStoneDaemon;c:\program files\RosettaStoneLtdServices\RosettaStoneDaemon.exe [9/3/2009 3:44 PM 444224]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [1/30/2008 4:52 AM 106496]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S1 w810mdmm;w810mdmm;c:\windows\system32\drivers\w810mdmm.sys --> c:\windows\system32\drivers\w810mdmm.sys [?]
S2 gupdate1c95ff64fbe87d0;Google Update Service (gupdate1c95ff64fbe87d0);c:\program files\Google\Update\GoogleUpdate.exe [12/16/2008 9:19 PM 133104]
S2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 1:43 PM 204800]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [1/24/2010 1:39 PM 11520]
S4 AutoSyncService;Memeo AutoSync ;c:\program files\Memeo\AutoSync\MemeoService.exe [7/6/2007 4:28 PM 31768]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMDB
*Deregistered* - klmdb

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-02-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-11-20 06:55]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-17 15:49]

2010-02-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-17 15:49]

2010-02-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-06 17:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-06 17:22]

2010-02-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://batonrouge.cox.net/cci/home
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-inc&channel=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
Trusted Zone: att.net\my
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.update
Trusted Zone: microsoft.com\update
Trusted Zone: nascar.com\www
Trusted Zone: windowsupdate.com\download
Trusted Zone: yahoo.com\us.f519.mail
DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} - hxxp://picasaweb.google.com/s/v/59.10/uploader2.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{17599003-a66e-4467-8891-1d57c3e43fcd} - (no file)
SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-28 16:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3930530056-1653841120-937661522-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1452)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-02-28 16:05:51
ComboFix-quarantined-files.txt 2010-02-28 22:05
ComboFix2.txt 2010-02-28 18:56
ComboFix3.txt 2010-02-26 22:40
ComboFix4.txt 2008-03-16 17:45

Pre-Run: 432,207,953,920 bytes free
Post-Run: 432,197,853,184 bytes free

- - End Of File - - 2EDC8113C6A3998094C4D01167A2D450
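As an added, defender-side illustration of the kind of review a helper does on a ComboFix log like the one above (example code written for this page, not part of the original post or of ComboFix): it parses the service/driver lines and the Security Center `Monitoring` keys from a constructed sample in the same format and flags entries worth a second look. The sample paths, the `tmpsvc` entry and the "expected directories" rule are assumptions for the demo, not findings about the poster's machine.

```python
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's log format, modelled on the entries in the
# log above but not copied from it; the tmpsvc line is invented so that a
# location-based finding appears. Nothing here is a verdict on the real PC.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
R0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys [11/17/2009 11:15 AM 63080]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 tmpsvc;tmpsvc;c:\documents and settings\user\local settings\temp\tmpsvc.exe [1/1/2010 1:00 AM 4096]
"""

# "R0 name;display;image [date size]" -- a trailing "[?]" means the file was not found
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);[^;]*;(.+?) \[([^\]]*)\]$")
MONITOR_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\security center\\Monitoring\\([^\]]+)\]$", re.I)
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files")  # assumed-normal locations

@dataclass
class Finding:
    item: str
    reason: str

def triage(log_text):
    """Return the review points a helper would pull out of a ComboFix log."""
    findings, product = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MONITOR_RE.match(line)
        if m:
            product = m.group(1)  # the next value line belongs to this product key
            continue
        if product and line.lower() == '"disablemonitoring"=dword:00000001':
            findings.append(Finding(product, "Security Center monitoring disabled"))
            product = None
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue
        name, image, meta = m.group(2), m.group(3), m.group(4)
        path = image.split(" --> ")[-1].lower()  # take the resolved path after "-->"
        if meta == "?":
            findings.append(Finding(name, f"image not found on disk: {path}"))
        elif not path.startswith(EXPECTED_DIRS):
            findings.append(Finding(name, f"binary outside expected dirs: {path}"))
    return findings

FINDINGS = triage(SAMPLE_LOG)  # three findings for the constructed sample
```

A `[?]` entry is a review point rather than a verdict: it is often the leftover registration of an uninstalled security tool, and a disabled Security Center monitor is normal when a third-party suite has taken over that role, so each finding still needs a human to confirm.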
 
1) Thank you so much for being so patient and diligent.
2) Any words of wisdom on how to prevent this from happening again?
1) Not a problem, I'm just sorry I didn't spot it sooner.
2) Since you mention it :D: .... have a look below, I have given a few tips for staying clean and clear.


Congratulations your logs look clean :)

Let's see if I can help you keep it that way

First let's tidy up

Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U; it needs to be there.


You can also delete any logs we have produced and any other tools we have downloaded.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for Home Users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE.7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
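As an added example (not from the original post), the Custom Level steps above expressed as the registry values Internet Explorer stores for the Internet zone, so the result can be audited or applied without clicking through the dialog. The value names and the Enable/Prompt/Disable encoding are Microsoft's documented ones (KB 182569); the weak sample zone is constructed, and `read_zone` only returns live values on Windows.

```python
import sys

ENABLE, PROMPT, DISABLE = 0, 1, 3   # how IE stores a Custom Level choice (REG_DWORD)
ZONE3 = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Registry value names IE uses under Zones\3 (Internet zone) for the settings
# the post lists, paired with the choice the post recommends.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

def audit_zone(current):
    """Return (value name, setting, found, wanted) for each value that deviates."""
    drift = []
    for name, (setting, wanted) in RECOMMENDED.items():
        found = current.get(name)        # None: value absent, reported as drift too
        if found != wanted:
            drift.append((name, setting, LABEL.get(found, "missing"), LABEL[wanted]))
    return drift

def render_reg(settings=RECOMMENDED):
    """Render a .reg file that applies the recommended Internet-zone values."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[HKEY_CURRENT_USER\\{ZONE3}]"]
    lines += [f'"{name}"=dword:{value:08x}' for name, (_, value) in settings.items()]
    return "\n".join(lines) + "\n"

def read_zone():
    """Read the live values on Windows; returns {} elsewhere so the audit runs offline."""
    if sys.platform != "win32":
        return {}
    import winreg  # stdlib, Windows only; QueryValueEx raises if a value is absent
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3) as key:
        return {name: winreg.QueryValueEx(key, name)[0] for name in RECOMMENDED}

# Constructed "weak" zone: ActiveX download and IFRAME settings left at Enable.
WEAK_ZONE = {"1001": ENABLE, "1004": ENABLE, "1201": DISABLE,
             "1800": PROMPT, "1804": ENABLE, "1607": ENABLE}
```

Running `audit_zone(read_zone())` on the machine lists exactly which of the six settings still differ from the post's recommendation, and `render_reg()` gives the corrected configuration as an importable .reg file.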
 
All is well, thanks.
I have followed many recommendations you posted, and have adjusted security settings some.

Again, thank you so much.
Hope you have a wonderful week.
 