jnutsy

Members

View Profile See their activity

Posts
4
Joined
September 14, 2010
Last visited
September 19, 2010

Reputation

0 Neutral

hjt log - google redirects, possibly desktoplayer.exe the cause?

jnutsy replied to jnutsy's topic in Resolved Malware Removal Logs

Hi Gammo, I followed your instructions and the log file produced is below. In terms of performance, the google search result redirects seem to have ceased, and neither explorer.exe nor system seem to be using unusual levels of CPU. However upon startup some programs such as iexplore.exe and firefox.exe still seem to be running in the background without me actually starting them Thank you. ComboFix 10-09-16.03 - Nuts 18/09/2010 15:43:40.4.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.608 [GMT 1:00] Running from: c:\documents and settings\Nuts\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Nuts\Desktop\CFScript.txt AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} FILE :: "c:\documents and settings\Administrator\Start Menu\Programs\Startup\uvyze.exe" "c:\documents and settings\Administrator\Start Menu\Programs\Startup\uwyqse.exe" "c:\documents and settings\Administrator\Start Menu\Programs\Startup\zywa.exe" "c:\documents and settings\Default User\Start Menu\Programs\Startup\hyto.exe" "c:\documents and settings\Default User\Start Menu\Programs\Startup\uxniar.exe" "c:\documents and settings\Default User\Start Menu\Programs\Startup\yzzop.exe" "c:\documents and settings\Richard\Start Menu\Programs\Startup\esazu.exe" "c:\documents and settings\Richard\Start Menu\Programs\Startup\woage.exe" "c:\documents and settings\Richard\Start Menu\Programs\Startup\ymyp.exe" "c:\program files\intel\wireless\bin\wlkeepersrv.exe" "c:\windows\Hwequyufomo.bin" "c:\windows\inf\unregmp2Srv.exe" "c:\windows\system32\0C831E6059.sys" "c:\windows\system32\59601E830C.sys" "c:\windows\system32\drivers\oopuhnpkpjv.sys" "c:\windows\system32\drivers\owikrfa.sys" "c:\windows\system32\drivers\rxtdrj.sys" "c:\windows\system32\shmgrateSrv.exe" "c:\windows\system32\stu2.exe" "c:\windows\Tcakuvazi.dat" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Administrator\Start Menu\Programs\Startup\uvyze.exe c:\documents and settings\Administrator\Start Menu\Programs\Startup\uwyqse.exe c:\documents and settings\Administrator\Start Menu\Programs\Startup\zywa.exe c:\documents and settings\Default User\Start Menu\Programs\Startup\hyto.exe c:\documents and settings\Default User\Start Menu\Programs\Startup\uxniar.exe c:\documents and settings\Default User\Start Menu\Programs\Startup\yzzop.exe c:\documents and settings\Nuts\Application Data\Esekas\voley.exe c:\documents and settings\Nuts\Application Data\Tecuo c:\documents and settings\Nuts\Application Data\Tecuo\epoc.sue c:\documents and settings\Nuts\Application Data\Tecuo\epoc.tmp c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40} c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}\chrome.manifest c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}\chrome\content\_cfg.js c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}\chrome\content\overlay.xul c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40}\install.rdf c:\documents and settings\Richard\Start Menu\Programs\Startup\esazu.exe c:\documents and settings\Richard\Start Menu\Programs\Startup\woage.exe c:\documents and settings\Richard\Start Menu\Programs\Startup\ymyp.exe c:\program files\intel\wireless\bin\wlkeepersrv.exe c:\program files\Internet Explorer\complete.dat c:\program files\Internet Explorer\dmlconf.dat c:\program files\Microsoft\DesktopLayer.exe c:\windows\clprvro.dll c:\windows\ExplorerSrv.exe c:\windows\Hwequyufomo.bin c:\windows\inf\unregmp2Srv.exe c:\windows\system32\0C831E6059.sys c:\windows\system32\59601E830C.sys c:\windows\system32\drivers\oopuhnpkpjv.sys c:\windows\system32\shmgrateSrv.exe c:\windows\system32\stu2.exe c:\windows\Tcakuvazi.dat c:\program files\Microsoft\DesktopLayer.exe . . . . c:\windows\system32\drivers\oopuhnpkpjv.sys . . . is infected!! . . . Failed to find a valid replacement. . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_khqlmxop -------\Service_lahkdae -------\Service_yusvtjej ((((((((((((((((((((((((( Files Created from 2010-08-18 to 2010-09-18 ))))))))))))))))))))))))))))))) . 2010-09-17 22:54 . 2010-09-18 14:25 -------- d-----w- c:\program files\sys32 2010-09-17 22:54 . 2010-09-18 14:25 -------- d-----w- c:\program files\riv87 2010-09-17 10:38 . 2010-09-17 10:38 -------- d-----w- c:\windows\ie8updates 2010-09-17 07:42 . 2010-06-24 12:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2010-09-17 07:42 . 2010-06-24 12:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll 2010-09-17 07:42 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll 2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\scripting 2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\l2schemas 2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\en 2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\bits 2010-09-15 22:17 . 2010-09-15 22:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2010-09-15 11:34 . 2010-09-15 11:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2010-09-13 23:43 . 2010-09-13 23:50 -------- d-----w- c:\program files\Startup Inspector for Windows 2010-09-10 10:18 . 2010-09-15 10:17 -------- d-----w- c:\documents and settings\Nuts\Local Settings\Application Data\Temp 2010-09-09 17:00 . 2010-09-09 17:00 552 ----a-w- c:\windows\system32\d3d8caps.dat 2010-09-09 10:40 . 2010-09-09 10:40 -------- d-----w- c:\program files\Trend Micro 2010-09-07 21:19 . 2010-09-07 21:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2010-09-07 21:13 . 2010-09-07 21:13 -------- d-sh--w- c:\documents and settings\Nuts\IETldCache 2010-09-07 21:13 . 2010-09-07 21:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2010-09-07 20:15 . 2010-09-07 20:15 -------- d-----w- c:\documents and settings\Nuts\Application Data\Malwarebytes 2010-09-07 20:14 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-09-07 20:14 . 2010-09-07 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-09-07 20:14 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-09-07 20:14 . 2010-09-07 20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-09-07 17:01 . 2010-09-15 23:02 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-09-07 14:28 . 2010-09-07 14:37 -------- dc-h--w- c:\windows\ie8 2010-09-07 14:13 . 2010-09-07 14:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird 2010-09-07 14:13 . 2010-09-07 14:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird 2010-09-07 12:27 . 2010-09-07 12:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM 2010-09-07 12:25 . 2010-09-07 12:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-08-30 23:51 . 2010-08-30 23:51 -------- d-----w- c:\program files\iPod 2010-08-23 09:08 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-09-18 15:05 . 2007-02-06 11:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-09-18 15:03 . 2009-10-29 20:25 -------- d-----w- c:\program files\Microsoft 2010-09-18 14:57 . 2009-03-10 04:43 -------- d-----w- c:\documents and settings\Nuts\Application Data\Esekas 2010-09-18 14:26 . 2006-10-11 06:48 -------- d-----w- c:\documents and settings\Nuts\Application Data\Ufaf 2010-09-17 16:30 . 2009-04-01 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-09-17 16:29 . 2006-09-08 13:53 -------- d-----w- c:\program files\Microsoft Works 2010-09-17 09:25 . 2009-03-28 13:57 -------- d-----w- c:\documents and settings\Nuts\Application Data\Spotify 2010-09-17 09:10 . 2010-05-10 12:17 712704 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll 2010-09-17 09:10 . 2010-05-10 12:17 339968 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll 2010-09-17 09:10 . 2010-05-10 12:17 266240 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_dsp.dll 2010-09-17 07:24 . 2009-10-29 20:28 -------- d-----w- c:\program files\Microsoft Silverlight 2010-09-16 18:35 . 2006-09-08 13:38 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS 2010-09-16 11:21 . 2007-12-18 14:09 -------- d-----w- c:\program files\Mozilla Thunderbird 2010-09-16 11:11 . 2005-08-16 03:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat 2010-09-13 23:14 . 2007-01-10 13:45 -------- d-----w- c:\program files\Windows Media Connect 2 2010-09-08 13:06 . 2006-09-08 13:54 -------- d-----w- c:\program files\Dell Support 2010-09-08 13:05 . 2006-09-08 13:47 -------- d-----w- c:\program files\QuickTime 2010-09-07 22:22 . 2009-03-09 11:35 167936 ----a-w- c:\documents and settings\Nuts\Application Data\U3\temp\cleanup.exe 2010-09-07 22:22 . 2009-10-27 22:23 207872 ----a-w- c:\documents and settings\Nuts\Application Data\Sun\Java\jre1.6.0_16\lzma.dll 2010-09-07 22:20 . 2006-09-08 13:54 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\HTML\fix\DellSupportLauncher.exe 2010-09-07 22:20 . 2006-09-08 13:54 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\DellSupportLauncher.exe 2010-09-07 22:20 . 2006-09-08 13:54 119808 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\RunGdp.exe 2010-09-07 22:20 . 2006-10-10 21:13 119808 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\item_templ\coach\RunGdp.exe 2010-09-07 22:20 . 2007-03-30 10:42 94208 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\DellSommelierFix.exe 2010-09-07 22:20 . 2006-10-10 21:13 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\fix\DellSupportLauncher.exe 2010-09-07 22:20 . 2009-12-28 20:07 199168 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE 2010-09-07 22:20 . 2009-12-28 20:07 168960 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE 2010-09-07 22:20 . 2006-09-12 15:41 128000 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\CIP\DellSupportODBK.exe 2010-08-30 23:54 . 2010-07-11 16:36 -------- d-----w- c:\program files\iTunes 2010-08-30 23:51 . 2007-07-01 23:09 -------- d-----w- c:\program files\Common Files\Apple 2010-08-30 23:33 . 2010-08-30 23:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe 2010-08-17 13:17 . 2005-08-16 03:18 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-07-22 15:49 . 2005-08-16 03:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2010-07-22 05:57 . 2009-04-16 20:39 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-06-30 12:31 . 2005-08-16 03:18 149504 ----a-w- c:\windows\system32\schannel.dll 2010-06-24 12:22 . 2005-08-16 03:18 916480 ----a-w- c:\windows\system32\wininet.dll 2010-06-23 13:44 . 2005-08-16 03:18 1851904 ----a-w- c:\windows\system32\win32k.sys 2010-06-21 15:27 . 2005-08-16 03:18 354304 ----a-w- c:\windows\system32\drivers\srv.sys 2007-05-26 23:57 . 2007-05-26 23:57 251 -c--a-w- c:\program files\wt3d.ini 2008-04-25 13:32 . 2008-04-25 13:32 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll 2009-09-16 11:17 . 2006-09-12 12:51 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2010-09-09 444416] "Bhilaho"="c:\windows\clprvro.dll" [bU] "{758A8262-B6B2-65FD-92F8-28F444205964}"="c:\documents and settings\Nuts\Application Data\Esekas\voley.exe" [bU] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182] "CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2010-09-09 114688] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2010-09-08 307200] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2010-09-08 139264] "MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144] "SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-01-17 36904] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Nuts\Start Menu\Programs\Startup\ Dell Network Assistant.lnk - c:\program files\Dell Network Assistant\ezi_hnm2.exe [2007-8-27 1082664] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-9-8 7168] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Nuts^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk] path=c:\documents and settings\Nuts\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier] 2010-07-13 14:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] 2005-05-31 04:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] 2005-12-09 19:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX110 Series] 2008-09-26 23:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFBE.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2010-06-04 00:07 136176 ----atw- c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe] 2007-08-03 22:33 582992 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] 2010-09-08 09:33 225280 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-09-07 23:41 479232 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"= "c:\\Program Files\\Spotify\\spotify.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol "10426:UDP"= 10426:UDP:SingleClick ICC S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 16:06 11520] . Contents of the 'Scheduled Tasks' folder 2010-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50] 2010-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4287233673-3878696775-4131652522-1005Core.job - c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 00:07] 2010-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4287233673-3878696775-4131652522-1005UA.job - c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 00:07] 2010-09-15 c:\windows\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 12:32] 2010-09-01 c:\windows\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 12:32] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://www.bbc.co.uk/football uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 Trusted Zone: internet Trusted Zone: mcafee.com DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab FF - ProfilePath - c:\documents and settings\Nuts\Application Data\Mozilla\Firefox\Profiles\j57dut8t.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?source=haiu FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll FF - plugin: c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-09-18 16:05 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\
- September 18, 2010
- 8 replies
hjt log - google redirects, possibly desktoplayer.exe the cause?

jnutsy replied to jnutsy's topic in Resolved Malware Removal Logs

Hi, Sorry I realised my firewall was still active. I disabled it and combofix worked. Below is the log. Thanks again for the support with this. ComboFix 10-09-16.03 - Nuts 17/09/2010 23:16:50.3.2 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.595 [GMT 1:00] Running from: c:\documents and settings\Nuts\Desktop\ComboFix.exe AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate c:\documents and settings\All Users\Application Data\Macromedia\SwUpdate\Flags.dtd c:\documents and settings\Nuts\Application Data\Fyruka c:\documents and settings\Nuts\Application Data\Fyruka\izys.osu c:\documents and settings\Nuts\Application Data\Fyruka\izys.tmp c:\documents and settings\Nuts\Application Data\Lixee c:\documents and settings\Nuts\Application Data\Lixee\xaxao.exe c:\documents and settings\Nuts\Local Settings\Application Data\Windows Server c:\documents and settings\Nuts\Local Settings\Application Data\Windows Server\flags.ini c:\documents and settings\Nuts\Local Settings\Application Data\Windows Server\server.dat c:\documents and settings\Nuts\Local Settings\Application Data\Windows Server\uses32.dat c:\program files\Internet Explorer\complete.dat c:\program files\Internet Explorer\dmlconf.dat c:\program files\Microsoft\DesktopLayer.exe c:\windows\acikilomi.dll c:\windows\clprvro.dll c:\windows\ExplorerSrv.exe c:\windows\kdcoms.dll c:\windows\system32\drivers\str.sys c:\windows\system32\qtplugin.exe c:\windows\system32\Thumbs.db D:\Autorun.inf c:\windows\system32\drivers\oopuhnpkpjv.sys . . . is infected!! . . . Failed to find a valid replacement. . ((((((((((((((((((((((((( Files Created from 2010-08-17 to 2010-09-17 ))))))))))))))))))))))))))))))) . 2010-09-17 10:38 . 2010-09-17 10:38 -------- d-----w- c:\windows\ie8updates 2010-09-17 07:42 . 2010-06-24 12:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll 2010-09-17 07:42 . 2010-06-24 12:21 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll 2010-09-17 07:42 . 2010-06-24 12:21 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll 2010-09-16 14:03 . 2010-09-16 19:55 73856 ----a-w- c:\windows\system32\drivers\oopuhnpkpjv.sys 2010-09-16 13:23 . 2010-09-16 13:23 -------- d-----w- c:\documents and settings\Nuts\Application Data\Tecuo 2010-09-16 12:21 . 2010-09-16 12:21 -------- d-----w- c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40} 2010-09-16 11:06 . 2010-09-16 11:06 53760 ----a-w- c:\windows\system32\shmgrateSrv.exe 2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\scripting 2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\l2schemas 2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\en 2010-09-16 11:04 . 2010-09-16 11:04 -------- d-----w- c:\windows\system32\bits 2010-09-15 22:17 . 2010-09-15 22:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2010-09-15 11:34 . 2010-09-15 11:34 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache 2010-09-13 23:43 . 2010-09-13 23:50 -------- d-----w- c:\program files\Startup Inspector for Windows 2010-09-10 10:18 . 2010-09-15 10:17 -------- d-----w- c:\documents and settings\Nuts\Local Settings\Application Data\Temp 2010-09-09 17:00 . 2010-09-09 17:00 552 ----a-w- c:\windows\system32\d3d8caps.dat 2010-09-09 10:40 . 2010-09-09 10:40 -------- d-----w- c:\program files\Trend Micro 2010-09-07 21:19 . 2010-09-07 21:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache 2010-09-07 21:13 . 2010-09-07 21:13 -------- d-sh--w- c:\documents and settings\Nuts\IETldCache 2010-09-07 21:13 . 2010-09-07 21:13 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache 2010-09-07 20:15 . 2010-09-07 20:15 -------- d-----w- c:\documents and settings\Nuts\Application Data\Malwarebytes 2010-09-07 20:14 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-09-07 20:14 . 2010-09-07 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2010-09-07 20:14 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-09-07 20:14 . 2010-09-07 20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-09-07 17:01 . 2010-09-15 23:02 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-09-07 14:28 . 2010-09-07 14:37 -------- dc-h--w- c:\windows\ie8 2010-09-07 14:13 . 2010-09-07 14:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Thunderbird 2010-09-07 14:13 . 2010-09-07 14:13 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Thunderbird 2010-09-07 12:27 . 2010-09-07 12:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM 2010-09-07 12:26 . 2004-08-10 04:00 24576 ----a-w- c:\windows\system32\stu2.exe 2010-09-07 12:25 . 2010-09-07 12:26 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe 2010-09-07 00:04 . 2010-09-17 10:04 120 ----a-w- c:\windows\Tcakuvazi.dat 2010-09-07 00:04 . 2010-09-17 07:26 0 ----a-w- c:\windows\Hwequyufomo.bin 2010-08-30 23:51 . 2010-08-30 23:51 -------- d-----w- c:\program files\iPod 2010-08-23 09:08 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-09-17 22:33 . 2007-02-06 11:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2010-09-17 22:32 . 2009-10-29 20:25 -------- d-----w- c:\program files\Microsoft 2010-09-17 16:30 . 2009-04-01 21:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2010-09-17 16:29 . 2006-09-08 13:53 -------- d-----w- c:\program files\Microsoft Works 2010-09-17 09:25 . 2009-03-28 13:57 -------- d-----w- c:\documents and settings\Nuts\Application Data\Spotify 2010-09-17 09:10 . 2010-05-10 12:17 712704 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_sdkmanager.dll 2010-09-17 09:10 . 2010-05-10 12:17 339968 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_musicid_file.dll 2010-09-17 09:10 . 2010-05-10 12:17 266240 ----a-w- c:\documents and settings\Nuts\Application Data\Spotify\Gracenote\gnsdk_dsp.dll 2010-09-17 07:24 . 2009-10-29 20:28 -------- d-----w- c:\program files\Microsoft Silverlight 2010-09-16 18:35 . 2006-09-08 13:38 16128 ----a-w- c:\windows\system32\drivers\APPDRV.SYS 2010-09-16 11:21 . 2007-12-18 14:09 -------- d-----w- c:\program files\Mozilla Thunderbird 2010-09-16 11:11 . 2005-08-16 03:41 88859 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat 2010-09-13 23:22 . 2010-09-13 23:16 53760 ----a-w- c:\windows\inf\unregmp2Srv.exe 2010-09-13 23:14 . 2007-01-10 13:45 -------- d-----w- c:\program files\Windows Media Connect 2 2010-09-08 13:06 . 2006-09-08 13:54 -------- d-----w- c:\program files\Dell Support 2010-09-08 13:05 . 2006-09-08 13:47 -------- d-----w- c:\program files\QuickTime 2010-09-07 22:22 . 2009-03-09 11:35 167936 ----a-w- c:\documents and settings\Nuts\Application Data\U3\temp\cleanup.exe 2010-09-07 22:22 . 2009-10-27 22:23 207872 ----a-w- c:\documents and settings\Nuts\Application Data\Sun\Java\jre1.6.0_16\lzma.dll 2010-09-07 22:20 . 2006-09-08 13:54 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\HTML\fix\DellSupportLauncher.exe 2010-09-07 22:20 . 2006-09-08 13:54 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\HTML\fix\DellSupportLauncher.exe 2010-09-07 22:20 . 2006-09-08 13:54 119808 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\item_templ\coach\RunGdp.exe 2010-09-07 22:20 . 2006-10-10 21:13 119808 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\item_templ\coach\RunGdp.exe 2010-09-07 22:20 . 2007-03-30 10:42 94208 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\DellSommelierFix.exe 2010-09-07 22:20 . 2006-10-10 21:13 123904 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\HTML\fix\DellSupportLauncher.exe 2010-09-07 22:20 . 2009-12-28 20:07 199168 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE 2010-09-07 22:20 . 2009-12-28 20:07 168960 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE 2010-09-07 22:20 . 2006-09-12 15:41 128000 -c--a-w- c:\documents and settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\CIP\DellSupportODBK.exe 2010-08-30 23:54 . 2010-07-11 16:36 -------- d-----w- c:\program files\iTunes 2010-08-30 23:51 . 2007-07-01 23:09 -------- d-----w- c:\program files\Common Files\Apple 2010-08-30 23:33 . 2010-08-30 23:33 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe 2010-08-17 13:17 . 2005-08-16 03:18 58880 ----a-w- c:\windows\system32\spoolsv.exe 2010-07-22 15:49 . 2005-08-16 03:18 590848 ----a-w- c:\windows\system32\rpcrt4.dll 2010-07-22 05:57 . 2009-04-16 20:39 5120 ----a-w- c:\windows\system32\xpsp4res.dll 2010-06-30 12:31 . 2005-08-16 03:18 149504 ----a-w- c:\windows\system32\schannel.dll 2010-06-24 12:22 . 2005-08-16 03:18 916480 ----a-w- c:\windows\system32\wininet.dll 2010-06-23 13:44 . 2005-08-16 03:18 1851904 ----a-w- c:\windows\system32\win32k.sys 2010-06-21 15:27 . 2005-08-16 03:18 354304 ----a-w- c:\windows\system32\drivers\srv.sys 2007-05-26 23:57 . 2007-05-26 23:57 251 -c--a-w- c:\program files\wt3d.ini 2008-04-25 13:32 . 2008-04-25 13:32 5817064 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll 2009-09-16 11:17 . 2006-09-12 12:51 88 --sh--r- c:\windows\system32\0C831E6059.sys 2009-02-06 13:44 . 2006-09-12 20:57 56 --sh--r- c:\windows\system32\59601E830C.sys 2009-09-16 11:17 . 2006-09-12 12:51 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2010-09-09 444416] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-05-01 667718] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-05-01 602182] "CTSVolFE.exe"="c:\program files\Creative\Mixer\CTSVolFE.exe" [2010-09-09 114688] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2010-09-08 307200] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2010-09-08 139264] "MskAgentexe"="c:\program files\McAfee\MSK\MskAgent.exe" [2007-01-17 152144] "SiteAdvisor"="c:\program files\SiteAdvisor\6172\SiteAdv.exe" [2007-01-17 36904] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-27 149280] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] c:\documents and settings\Default User\Start Menu\Programs\Startup\ hyto.exe [2010-9-15 116224] uxniar.exe [2010-9-17 108032] yzzop.exe [2010-9-8 105984] c:\documents and settings\Administrator\Start Menu\Programs\Startup\ uvyze.exe [2010-9-17 108032] uwyqse.exe [2010-9-15 116224] zywa.exe [2010-9-8 105984] c:\documents and settings\Richard\Start Menu\Programs\Startup\ esazu.exe [2010-9-15 116224] woage.exe [2010-9-8 105984] ymyp.exe [2010-9-17 108032] c:\documents and settings\Nuts\Start Menu\Programs\Startup\ Dell Network Assistant.lnk - c:\program files\Dell Network Assistant\ezi_hnm2.exe [2007-8-27 1082664] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Dell Network Assistant.lnk - c:\windows\Installer\{0240BDFB-2995-4A3F-8C96-18D41282B716}\Icon0240BDFB3.exe [2006-9-8 7168] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\intel\wireless\bin\wlkeepersrv.exe" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup [HKLM\~\startupfolder\C:^Documents and Settings^Nuts^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk] path=c:\documents and settings\Nuts\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier] 2010-07-13 14:10 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla] 2005-05-31 04:33 122941 ----a-w- c:\windows\system32\dla\tfswctrl.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher] 2005-12-09 19:29 49152 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX110 Series] 2008-09-26 23:00 199680 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIFBE.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update] 2010-06-04 00:07 136176 ----atw- c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper] 2010-07-21 14:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcagent_exe] 2007-08-03 22:33 582992 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE] 2010-09-08 09:33 225280 ----a-w- c:\program files\PowerISO\PWRISOVM.EXE [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] 2010-09-07 23:41 479232 ----a-w- c:\program files\QuickTime\QTTask.exe [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 "FirewallOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableNotifications"= 1 (0x1) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"= "c:\\Program Files\\Spotify\\spotify.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "10421:UDP"= 10421:UDP:SingleClick Discovery Protocol "10426:UDP"= 10426:UDP:SingleClick ICC S0 khqlmxop;khqlmxop;c:\windows\system32\drivers\oopuhnpkpjv.sys [16/09/2010 15:03 73856] S0 lahkdae;lahkdae;c:\windows\system32\drivers\owikrfa.sys --> c:\windows\system32\drivers\owikrfa.sys [?] S0 yusvtjej;yusvtjej;c:\windows\system32\drivers\rxtdrj.sys --> c:\windows\system32\drivers\rxtdrj.sys [?] S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [06/05/2008 16:06 11520] . Contents of the 'Scheduled Tasks' folder 2010-09-15 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50] 2010-09-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4287233673-3878696775-4131652522-1005Core.job - c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 00:07] 2010-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4287233673-3878696775-4131652522-1005UA.job - c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-04 00:07] 2010-09-15 c:\windows\Tasks\McDefragTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 12:32] 2010-09-01 c:\windows\Tasks\McQcTask.job - c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 12:32] . . ------- Supplementary Scan ------- . uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://www.bbc.co.uk/football uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000 Trusted Zone: internet Trusted Zone: mcafee.com DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab FF - ProfilePath - c:\documents and settings\Nuts\Application Data\Mozilla\Firefox\Profiles\j57dut8t.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?source=haiu FF - component: c:\program files\SiteAdvisor\6253\FF\components\FFHook.dll FF - plugin: c:\documents and settings\Nuts\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ FF - HiddenExtension: XULRunner: {11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40} - c:\documents and settings\Nuts\Local Settings\Application Data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40} ---- FIREFOX POLICIES ---- FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); . - - - - ORPHANS REMOVED - - - - HKCU-Run-Bhilaho - c:\windows\clprvro.dll HKCU-Run-{758A8262-B6B2-65FD-92F8-28F444205964} - c:\documents and settings\Nuts\Application Data\Lixee\xaxao.exe HKLM-Run-Qfabowetureto - c:\windows\acikilomi.dll SafeBoot-klmdb.sys MSConfigStartUp-Bhilaho - c:\windows\clprvro.dll MSConfigStartUp-Qfabowetureto - c:\windows\acikilomi.dll ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-09-17 23:33 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}] @Denied: (A 2) (Everyone) @="FlashBroker" "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation] "Enabled"=dword:00000001 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32] @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe" [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}] @Denied: (A 2) (Everyone) @="IFlashBroker4" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32] @="{00020424-0000-0000-C000-000000000046}" [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib] @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}" "Version"="1.0" [HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\
- September 17, 2010
- 8 replies
hjt log - google redirects, possibly desktoplayer.exe the cause?

jnutsy replied to jnutsy's topic in Resolved Malware Removal Logs

Hi Gammo, Thank you very much for your help. I followed your instructions, but halfway through scanning with combofix (after about 6 sections had been completed) the computer crashed and took me to a blue screen. The error message on this page said something along the lines of 'page file error' - although I can't remember exactly what the message was. Below is the log file from TDDSkiller: Thanks again, I really appreciate your time. 2010/09/16 19:23:21.0093 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44 2010/09/16 19:23:21.0093 ================================================================================ 2010/09/16 19:23:21.0093 SystemInfo: 2010/09/16 19:23:21.0093 2010/09/16 19:23:21.0093 OS Version: 5.1.2600 ServicePack: 3.0 2010/09/16 19:23:21.0093 Product type: Workstation 2010/09/16 19:23:21.0093 ComputerName: JAMES 2010/09/16 19:23:21.0093 UserName: Nuts 2010/09/16 19:23:21.0093 Windows directory: C:\WINDOWS 2010/09/16 19:23:21.0093 System windows directory: C:\WINDOWS 2010/09/16 19:23:21.0093 Processor architecture: Intel x86 2010/09/16 19:23:21.0093 Number of processors: 2 2010/09/16 19:23:21.0093 Page size: 0x1000 2010/09/16 19:23:21.0093 Boot type: Normal boot 2010/09/16 19:23:21.0093 ================================================================================ 2010/09/16 19:23:22.0000 Initialize success 2010/09/16 19:23:29.0390 ================================================================================ 2010/09/16 19:23:29.0390 Scan started 2010/09/16 19:23:29.0390 Mode: Manual; 2010/09/16 19:23:29.0390 ================================================================================ 2010/09/16 19:23:32.0796 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS 2010/09/16 19:23:33.0265 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys 2010/09/16 19:23:33.0890 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys 2010/09/16 19:23:34.0468 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys 2010/09/16 19:23:35.0046 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys 2010/09/16 19:23:35.0531 AegisP (91f3df93f40a74d222cd166fe95db633) C:\WINDOWS\system32\DRIVERS\AegisP.sys 2010/09/16 19:23:36.0234 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys 2010/09/16 19:23:36.0859 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys 2010/09/16 19:23:37.0593 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys 2010/09/16 19:23:38.0218 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys 2010/09/16 19:23:38.0718 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys 2010/09/16 19:23:39.0187 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys 2010/09/16 19:23:40.0500 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys 2010/09/16 19:23:41.0531 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys 2010/09/16 19:23:42.0234 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys 2010/09/16 19:23:42.0859 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys 2010/09/16 19:23:43.0609 APPDRV (983e5142be54f86ba81557f5d80ebcf0) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 2010/09/16 19:23:43.0609 Suspicious file (Forged): C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS. Real md5: 983e5142be54f86ba81557f5d80ebcf0, Fake md5: ec94e05b76d033b74394e7b2175103cf 2010/09/16 19:23:43.0609 APPDRV - detected Rootkit.Win32.TDSS.tdl3 (0) 2010/09/16 19:23:44.0234 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys 2010/09/16 19:23:44.0750 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys 2010/09/16 19:23:45.0328 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys 2010/09/16 19:23:45.0796 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys 2010/09/16 19:23:46.0203 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys 2010/09/16 19:23:46.0296 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys 2010/09/16 19:23:47.0312 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys 2010/09/16 19:23:47.0796 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys 2010/09/16 19:23:48.0484 bcm4sbxp (c768c8a463d32c219ce291645a0621a4) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 2010/09/16 19:23:49.0140 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys 2010/09/16 19:23:49.0468 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys 2010/09/16 19:23:49.0640 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys 2010/09/16 19:23:50.0093 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys 2010/09/16 19:23:50.0250 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys 2010/09/16 19:23:50.0359 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys 2010/09/16 19:23:50.0625 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys 2010/09/16 19:23:51.0125 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys 2010/09/16 19:23:51.0390 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys 2010/09/16 19:23:51.0843 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys 2010/09/16 19:23:52.0390 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys 2010/09/16 19:23:52.0687 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys 2010/09/16 19:23:53.0015 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys 2010/09/16 19:23:53.0281 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys 2010/09/16 19:23:53.0468 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys 2010/09/16 19:23:54.0250 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys 2010/09/16 19:23:54.0781 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys 2010/09/16 19:23:56.0281 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys 2010/09/16 19:23:57.0406 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys 2010/09/16 19:23:58.0046 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys 2010/09/16 19:23:58.0906 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys 2010/09/16 19:23:59.0609 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys 2010/09/16 19:24:00.0109 drvmcdb (96bc8f872f0270c10edc3931f1c03776) C:\WINDOWS\system32\drivers\drvmcdb.sys 2010/09/16 19:24:00.0718 drvnddm (5afbec7a6ac61b211633dfdb1d9e0c89) C:\WINDOWS\system32\drivers\drvnddm.sys 2010/09/16 19:24:00.0906 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys 2010/09/16 19:24:01.0656 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys 2010/09/16 19:24:02.0296 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys 2010/09/16 19:24:02.0859 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys 2010/09/16 19:24:03.0359 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys 2010/09/16 19:24:03.0937 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys 2010/09/16 19:24:04.0531 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys 2010/09/16 19:24:05.0062 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys 2010/09/16 19:24:06.0281 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys 2010/09/16 19:24:08.0218 GearAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 2010/09/16 19:24:09.0328 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys 2010/09/16 19:24:10.0765 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 2010/09/16 19:24:13.0250 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys 2010/09/16 19:24:14.0656 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys 2010/09/16 19:24:15.0656 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys 2010/09/16 19:24:16.0203 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys 2010/09/16 19:24:17.0453 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys 2010/09/16 19:24:19.0109 HSFHWAZL (1c8caa80e91fb71864e9426f9eed048d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 2010/09/16 19:24:19.0937 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 2010/09/16 19:24:20.0656 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys 2010/09/16 19:24:21.0671 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys 2010/09/16 19:24:23.0109 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys 2010/09/16 19:24:23.0562 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys 2010/09/16 19:24:24.0718 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 2010/09/16 19:24:25.0484 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys 2010/09/16 19:24:26.0750 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys 2010/09/16 19:24:28.0859 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys 2010/09/16 19:24:30.0234 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys 2010/09/16 19:24:31.0531 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys 2010/09/16 19:24:32.0500 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 2010/09/16 19:24:33.0171 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys 2010/09/16 19:24:34.0109 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys 2010/09/16 19:24:35.0140 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys 2010/09/16 19:24:35.0765 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys 2010/09/16 19:24:36.0265 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys 2010/09/16 19:24:37.0046 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys 2010/09/16 19:24:37.0203 Suspicious service (Hidden): khqlmxop 2010/09/16 19:24:38.0140 khqlmxop (413844bbab192fda33297827a82c02c4) C:\WINDOWS\system32\drivers\oopuhnpkpjv.sys 2010/09/16 19:24:38.0140 Suspicious file (Hidden): C:\WINDOWS\system32\drivers\oopuhnpkpjv.sys. md5: 413844bbab192fda33297827a82c02c4 2010/09/16 19:24:38.0140 khqlmxop - detected Hidden service (1) 2010/09/16 19:24:39.0203 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys 2010/09/16 19:24:39.0656 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys 2010/09/16 19:24:40.0781 mdmxsdk (3c318b9cd391371bed62126581ee9961) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 2010/09/16 19:24:41.0218 mfeavfk (f5250976c1334c1e4feceddcdf02353e) C:\WINDOWS\system32\drivers\mfeavfk.sys 2010/09/16 19:24:41.0359 mfebopk (787702627cc0770f45206f4034390580) C:\WINDOWS\system32\drivers\mfebopk.sys 2010/09/16 19:24:41.0750 mfehidk (241c09c7d8c589ea1d72a36e6578e42c) C:\WINDOWS\system32\drivers\mfehidk.sys 2010/09/16 19:24:41.0890 mferkdk (a321c17fadad2665c455c6d39e465fe0) C:\WINDOWS\system32\drivers\mferkdk.sys 2010/09/16 19:24:42.0765 mfesmfk (1fbdd2eb37ce910d6cee60140c400b6a) C:\WINDOWS\system32\drivers\mfesmfk.sys 2010/09/16 19:24:42.0921 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys 2010/09/16 19:24:43.0781 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys 2010/09/16 19:24:44.0437 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys 2010/09/16 19:24:45.0031 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys 2010/09/16 19:24:45.0984 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys 2010/09/16 19:24:47.0203 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys 2010/09/16 19:24:48.0250 MPFP (b53a1134237a49a10352d5dd54bb2a54) C:\WINDOWS\system32\Drivers\Mpfp.sys 2010/09/16 19:24:48.0875 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys 2010/09/16 19:24:49.0531 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys 2010/09/16 19:24:50.0406 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 2010/09/16 19:24:51.0046 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys 2010/09/16 19:24:51.0828 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys 2010/09/16 19:24:52.0578 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys 2010/09/16 19:24:53.0343 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys 2010/09/16 19:24:54.0296 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys 2010/09/16 19:24:54.0828 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys 2010/09/16 19:24:55.0578 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys 2010/09/16 19:24:56.0156 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys 2010/09/16 19:24:56.0828 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys 2010/09/16 19:24:57.0484 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys 2010/09/16 19:24:58.0531 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys 2010/09/16 19:24:59.0281 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys 2010/09/16 19:25:00.0093 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys 2010/09/16 19:25:00.0843 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys 2010/09/16 19:25:01.0484 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys 2010/09/16 19:25:02.0890 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys 2010/09/16 19:25:03.0734 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys 2010/09/16 19:25:04.0437 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 2010/09/16 19:25:05.0218 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys 2010/09/16 19:25:05.0734 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys 2010/09/16 19:25:06.0281 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys 2010/09/16 19:25:06.0843 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys 2010/09/16 19:25:07.0562 Packet (8f856dae19383bd69db444004d5d4f50) C:\WINDOWS\system32\DRIVERS\packet.sys 2010/09/16 19:25:07.0968 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys 2010/09/16 19:25:08.0140 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys 2010/09/16 19:25:08.0546 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys 2010/09/16 19:25:09.0062 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys 2010/09/16 19:25:10.0671 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys 2010/09/16 19:25:11.0109 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys 2010/09/16 19:25:12.0500 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys 2010/09/16 19:25:12.0968 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys 2010/09/16 19:25:13.0906 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys 2010/09/16 19:25:14.0437 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys 2010/09/16 19:25:14.0875 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys 2010/09/16 19:25:15.0656 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys 2010/09/16 19:25:15.0937 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys 2010/09/16 19:25:16.0062 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys 2010/09/16 19:25:16.0718 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys 2010/09/16 19:25:17.0812 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys 2010/09/16 19:25:18.0031 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys 2010/09/16 19:25:18.0265 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys 2010/09/16 19:25:18.0796 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 2010/09/16 19:25:19.0015 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys 2010/09/16 19:25:19.0078 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys 2010/09/16 19:25:19.0218 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys 2010/09/16 19:25:19.0890 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys 2010/09/16 19:25:20.0343 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys 2010/09/16 19:25:20.0890 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys 2010/09/16 19:25:21.0109 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys 2010/09/16 19:25:21.0718 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 2010/09/16 19:25:22.0109 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 2010/09/16 19:25:22.0250 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 2010/09/16 19:25:22.0812 s24trans (2c0e9e777ab1849b43494626c1f308b5) C:\WINDOWS\system32\DRIVERS\s24trans.sys 2010/09/16 19:25:23.0156 SCDEmu (c23dbd9bfba8b1170706e0896b3cf7da) C:\WINDOWS\system32\drivers\SCDEmu.sys 2010/09/16 19:25:23.0281 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys 2010/09/16 19:25:23.0625 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys 2010/09/16 19:25:23.0781 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys 2010/09/16 19:25:24.0125 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys 2010/09/16 19:25:24.0250 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys 2010/09/16 19:25:24.0562 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys 2010/09/16 19:25:24.0687 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys 2010/09/16 19:25:25.0609 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys 2010/09/16 19:25:25.0734 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys 2010/09/16 19:25:26.0125 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys 2010/09/16 19:25:26.0546 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys 2010/09/16 19:25:26.0921 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys 2010/09/16 19:25:27.0312 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys 2010/09/16 19:25:27.0531 ssm_bus (df5c19f053eff7f8ba25d73aea899656) C:\WINDOWS\system32\DRIVERS\ssm_bus.sys 2010/09/16 19:25:27.0968 ssm_mdfl (5347169fa449eabc4d0728ae39fab926) C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys 2010/09/16 19:25:28.0093 ssm_mdm (7aae23dd105eed15c4f45fc269fa42a9) C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys 2010/09/16 19:25:28.0437 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys 2010/09/16 19:25:28.0609 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys 2010/09/16 19:25:29.0031 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys 2010/09/16 19:25:29.0187 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys 2010/09/16 19:25:29.0609 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys 2010/09/16 19:25:29.0890 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys 2010/09/16 19:25:30.0031 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys 2010/09/16 19:25:30.0468 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys 2010/09/16 19:25:30.0843 SynTP (fa2daa32bed908023272a0f77d625dae) C:\WINDOWS\system32\DRIVERS\SynTP.sys 2010/09/16 19:25:31.0531 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys 2010/09/16 19:25:32.0156 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys 2010/09/16 19:25:32.0531 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys 2010/09/16 19:25:32.0625 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys 2010/09/16 19:25:32.0984 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys 2010/09/16 19:25:33.0515 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys 2010/09/16 19:25:33.0843 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys 2010/09/16 19:25:33.0984 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys 2010/09/16 19:25:34.0078 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys 2010/09/16 19:25:34.0656 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys 2010/09/16 19:25:35.0125 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys 2010/09/16 19:25:35.0359 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys 2010/09/16 19:25:35.0796 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys 2010/09/16 19:25:35.0921 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys 2010/09/16 19:25:36.0140 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys 2010/09/16 19:25:36.0312 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys 2010/09/16 19:25:36.0750 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys 2010/09/16 19:25:37.0093 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys 2010/09/16 19:25:37.0593 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys 2010/09/16 19:25:38.0296 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys 2010/09/16 19:25:39.0171 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys 2010/09/16 19:25:39.0796 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys 2010/09/16 19:25:40.0296 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys 2010/09/16 19:25:40.0937 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys 2010/09/16 19:25:41.0046 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 2010/09/16 19:25:41.0390 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys 2010/09/16 19:25:41.0515 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys 2010/09/16 19:25:41.0875 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys 2010/09/16 19:25:42.0531 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys 2010/09/16 19:25:43.0093 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys 2010/09/16 19:25:44.0109 w39n51 (95c7421f8bafc85ba09d33364058937d) C:\WINDOWS\system32\DRIVERS\w39n51.sys 2010/09/16 19:25:44.0687 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys 2010/09/16 19:25:45.0187 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys 2010/09/16 19:25:47.0453 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys 2010/09/16 19:25:47.0984 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 2010/09/16 19:25:48.0609 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 2010/09/16 19:25:49.0125 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys 2010/09/16 19:25:49.0703 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys 2010/09/16 19:25:50.0421 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys 2010/09/16 19:25:50.0984 ================================================================================ 2010/09/16 19:25:50.0984 Scan finished 2010/09/16 19:25:50.0984 ================================================================================ 2010/09/16 19:25:51.0000 Detected object count: 2 2010/09/16 19:26:24.0687 APPDRV (983e5142be54f86ba81557f5d80ebcf0) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 2010/09/16 19:26:24.0687 Suspicious file (Forged): C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS. Real md5: 983e5142be54f86ba81557f5d80ebcf0, Fake md5: ec94e05b76d033b74394e7b2175103cf 2010/09/16 19:26:52.0375 Backup copy not found, trying to cure infected file.. 2010/09/16 19:26:52.0375 Cure success, using it.. 2010/09/16 19:26:52.0468 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS - will be cured after reboot 2010/09/16 19:26:52.0468 Rootkit.Win32.TDSS.tdl3(APPDRV) - User select action: Cure 2010/09/16 19:26:52.0468 Hidden service(khqlmxop) - User select action: Skip 2010/09/16 19:30:07.0812 Deinitialize success
- September 16, 2010
- 8 replies
hjt log - google redirects, possibly desktoplayer.exe the cause?

jnutsy posted a topic in Resolved Malware Removal Logs

Hi, I've been having problems with my laptop recently, google results keep redirecting me to suspicious websites or other search engines, and some strange .exe processes seem to be running on startup. Sometimes new tabs open in firefox taking me to suspicious websites. Also system.exe and explorer.exe appear to be using a huge amount of CPU compared to before these problems. Other programs such as firefox and internet explorer also seem to be running in the background, according to task manager, even if I haven't started them up myself. Below is the most recent Malwarebytes Anti - Malware log, along with dds.txt log. Attached is the attach.txt file as requested. I did try to run GMER Rootkit Scanner, but it kept shutting my laptop down after about 5 minutes of scanning and giving me a blue screen telling me there was something like a 'hard problem'. Rebooting the laptop using the power button allowed me to restart windows though. Thank you very much in advance, I would really appreciate any help! p.s please let me know if you want me to post a hijackthis log, I wasn't sure if I was supposed to do this. Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Database version: 4564 Windows 5.1.2600 Service Pack 2 Internet Explorer 8.0.6001.18702 14/09/2010 14:11:13 mbam-log-2010-09-14 (14-11-13).txt Scan type: Quick scan Objects scanned: 160428 Time elapsed: 37 minute(s), 38 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 3 Registry Data Items Infected: 6 Folders Infected: 0 Files Infected: 7 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{758a8262-b6b2-65fd-92f8-28f444205964} (Spyware.Passwords.XGen) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{d00515b6-c4de-5dd7-a492-e1c9a711015f} (Trojan.ZbotR.Gen) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{db174a6f-bf20-d79f-eae3-29bc55731634} (Trojan.ZbotR.Gen) -> Delete on reboot. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer.Gen) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer.Gen) -> Data: system32\userinit.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Passwords.XGen) -> Data: c:\windows\explorersrv.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.PWS) -> Data: c:\program files\java\jre6\bin\jqsnotifysrv.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\intel\wireless\bin\s24evmonsrv.exe,c:\program files\microsoft\desktoplayer.exe,c:\program files\java\jre6\bin\jqsnotifysrv.exe,c:\windows\explorersrv.exe) Good: (userinit.exe) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Nuts\Application Data\Noulmi\pivia.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully. C:\WINDOWS\ExplorerSrv.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully. C:\Program Files\Java\jre6\bin\jqsnotifySrv.exe (Trojan.PWS) -> Quarantined and deleted successfully. C:\Program Files\Microsoft\desktoplayer.exe (Trojan.Agent) -> Delete on reboot. C:\Documents and Settings\Nuts\Local Settings\Temp\0.011684359799158717.exe (Trojan.Dropper) -> Quarantined and deleted successfully. C:\Documents and Settings\Nuts\Application Data\Vaucb\yvav.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully. C:\Documents and Settings\Nuts\Application Data\Igli\upac.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully. DDS (Ver_10-03-17.01) - NTFSx86 Run by Nuts at 14:38:48.93 on 14/09/2010 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.332 [GMT 1:00] AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83} FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe svchost.exe svchost.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Dell Network Assistant\hnm_svc.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\program files\common files\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\McAfee\MPF\MPFSrv.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\Program Files\McAfee\MSK\MskSrver.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe svchost.exe C:\WINDOWS\system32\svchost.exe -k imgsvc C:\WINDOWS\system32\wuauclt.exe C:\Program Files\McAfee\MPS\mpsevh.exe "C:\WINDOWS\system32\svchost.exe" C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\Explorer.EXE c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe C:\Program Files\Creative\Mixer\CTSVolFE.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\McAfee\MSK\MskAgent.exe C:\Program Files\SiteAdvisor\6172\SiteAdv.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Dell Support\DSAgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Dell Network Assistant\ezi_hnm2.exe C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe C:\Program Files\Mozilla Firefox\firefox.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\Documents and Settings\Nuts\Desktop\dds.scr ============== Pseudo HJT Report =============== uSearch Bar = hxxp://www.google.com/ie uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uStart Page = hxxp://www.bbc.co.uk/football uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyOverride = *.local uSearchURL,(Default) = hxxp://www.google.com/search?q=%s mWinlogon: Userinit=c:\windows\system32\userinit.exe,,c:\program files\intel\wireless\bin\s24evmonsrv.exe,c:\program files\microsoft\desktoplayer.exe TB: {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - No File TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6253\SiteAdv.dll uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [bhilaho] rundll32.exe "c:\windows\clprvro.dll",Startup mRun: [ehTray] c:\windows\ehome\ehtray.exe mRun: [igfxtray] c:\windows\system32\igfxtray.exe mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe mRun: [igfxpers] c:\windows\system32\igfxpers.exe mRun: [sigmatelSysTrayApp] stsystra.exe mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe" mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless mRun: [CTSVolFE.exe] "c:\program files\creative\mixer\CTSVolFE.exe" /r mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [<NO NAME>] mRun: [dla] c:\windows\system32\dla\tfswctrl.exe mRun: [MskAgentexe] c:\program files\mcafee\msk\MskAgent.exe mRun: [siteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto mRun: [nonep] c:\program files\riv87\oops.exe dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE StartupFolder: c:\docume~1\nuts\startm~1\programs\startup\dellne~1.lnk - c:\program files\dell network assistant\ezi_hnm2.exe StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellne~1.lnk - c:\windows\installer\{0240bdfb-2995-4a3f-8c96-18d41282b716}\Icon0240BDFB3.exe IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll Trusted Zone: internet Trusted Zone: mcafee.com DPF: 55963676-2F5E-4BAF-AC28-CF26AA587566 - vpnweb.cab DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6253\SiteAdv.dll Notify: igfxcui - igfxdev.dll SSODL: considerateness - {4d993022-0899-4599-b4b6-0f887d0802e6} - No File SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll STS: {4d993022-0899-4599-b4b6-0f887d0802e6} - No File ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\nuts\applic~1\mozilla\firefox\profiles\j57dut8t.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?source=haiu FF - component: c:\program files\siteadvisor\6253\ff\components\FFHook.dll FF - plugin: c:\documents and settings\nuts\local settings\application data\google\update\1.2.183.29\npGoogleOneClick8.dll FF - plugin: c:\program files\microsoft\office live\npOLW.dll FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: XULRunner: {11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40} - c:\documents and settings\nuts\local settings\application data\{11CB0CE1-D3FB-4F32-A560-1CFDCF0F7C40} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true); c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32); c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true); c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false); c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24); c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45); c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false); c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5); c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr ef", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", ""); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20); ============= SERVICES / DRIVERS =============== R2 McAfee HackerWatch Service;McAfee HackerWatch Service;c:\program files\common files\mcafee\hackerwatch\HWAPI.exe [2007-2-10 540776] R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-2-10 353368] R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328] R2 McRedirector;McAfee Redirector Service;c:\progra~1\common~1\mcafee\redirsvc\redirsvc.exe [2007-2-10 256096] R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-2-10 144960] R2 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-2-10 643664] R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2007-2-10 71496] R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2007-2-10 34184] R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2007-2-10 170408] R3 mferkdk;McAfee Inc.;c:\windows\system32\drivers\mferkdk.sys [2007-2-10 32008] R3 mfesmfk;McAfee Inc.;c:\windows\system32\drivers\mfesmfk.sys [2007-2-10 37480] S0 lahkdae;lahkdae;c:\windows\system32\drivers\owikrfa.sys --> c:\windows\system32\drivers\owikrfa.sys [?] S0 yusvtjej;yusvtjej;c:\windows\system32\drivers\rxtdrj.sys --> c:\windows\system32\drivers\rxtdrj.sys [?] S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?] S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520] =============== Created Last 30 ================ 2010-09-14 13:25:53 53760 ----a-w- c:\windows\ExplorerSrv.exe 2010-09-14 13:23:57 0 ----a-w- c:\documents and settings\nuts\defogger_reenable 2010-09-13 23:52:25 0 d-----w- c:\docume~1\nuts\applic~1\wsInspector 2010-09-13 23:43:25 0 d-----w- c:\program files\Startup Inspector for Windows 2010-09-13 16:58:16 0 d-----w- c:\program files\sys32 2010-09-10 10:14:29 0 d-----w- c:\program files\riv87 2010-09-09 17:00:51 552 ----a-w- c:\windows\system32\d3d8caps.dat 2010-09-09 10:40:08 0 d-----w- c:\program files\Trend Micro 2010-09-08 09:09:57 1598 ----a-w- c:\documents and settings\nuts\.recently-used.xbel 2010-09-07 23:51:59 0 d-sh--w- c:\documents and settings\nuts\IECompatCache 2010-09-07 21:13:46 0 d-sh--w- c:\documents and settings\nuts\IETldCache 2010-09-07 20:15:03 0 d-----w- c:\docume~1\nuts\applic~1\Malwarebytes 2010-09-07 20:14:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-09-07 20:14:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes 2010-09-07 20:14:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys 2010-09-07 20:14:41 0 d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-09-07 17:01:26 664 ----a-w- c:\windows\system32\d3d9caps.dat 2010-09-07 14:28:55 0 dc-h--w- c:\windows\ie8 2010-09-07 12:26:06 24576 ----a-w- c:\windows\system32\stu2.exe 2010-09-07 00:04:04 120 ----a-w- c:\windows\Tcakuvazi.dat 2010-09-07 00:04:04 0 ----a-w- c:\windows\Hwequyufomo.bin 2010-08-30 23:51:53 0 d-----w- c:\program files\iPod 2010-08-27 10:15:54 44 ----a-w- c:\windows\kdcoms.dll 2010-08-23 09:08:51 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe ==================== Find3M ==================== 2010-09-13 23:22:35 53760 ----a-w- c:\windows\inf\unregmp2Srv.exe 2010-09-07 12:26:04 31744 ----a-w- c:\windows\system32\userinit.exe 2007-05-26 23:57:46 251 -c--a-w- c:\program files\wt3d.ini 2009-09-16 11:17:18 88 --sh--r- c:\windows\system32\0C831E6059.sys 2009-02-06 13:44:08 56 --sh--r- c:\windows\system32\59601E830C.sys 2009-09-16 11:17:19 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 14:40:53.70 =============== Attach.zip
- September 14, 2010
- 8 replies

Sign In

jnutsy

Posts

Joined

Last visited

Reputation

hjt log - google redirects, possibly desktoplayer.exe the cause?

hjt log - google redirects, possibly desktoplayer.exe the cause?

hjt log - google redirects, possibly desktoplayer.exe the cause?

hjt log - google redirects, possibly desktoplayer.exe the cause?

Browse

Activity

Personal

Business

Business Modules

Partners

Learn

Start here

Type of malware/attacks

How does it get on my computer?

Scams and grifts

Support

Important Information