cgrammie2

Is my computer clean?


Please go to www.virustotal.com and upload the following files:

c:\windows\Tasks\At101.job

C:\windows\system32\qfoneu71.dll

Please post the results in your next reply.

Hello - I am currently at what looks like the home page for www.virustotal.com - I am trying to type in the files you instructed me to upload in what appears to be a search box, but none of my typing appears in the box. What am I missing?

Thanks!

Hello again - I replied to this earlier this evening but I can't find it posted here, so here we go again: at the virustotal.com home page I was unable to even type in the file names to be uploaded as you instructed earlier. I repeatedly tried to type these file names in what appeared to be a "search" box with no success. What am I missing here?

Thanks for your help!


You should use the Choose... button to locate and upload the files one by one.

This is a copy of the wording on the screen at www.virustotal.com - there is no Choose button, and I can't type in anything. Sorry, this is not working for me.

-------------------------------------------

Srpski | Македонски | العربية | Suomi | ihMdI | | עברית | | Sloven


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

File::
c:\windows\Tasks\At101.job

RenV::
c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe
c:\program files\Adobe\Reader 8.0\Reader\reader_sl .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\Lexmark X1100 Series\lxbkbmgr .exe
c:\program files\McAfee.com\Agent\mcagent .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mimboot .exe
c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray .exe
c:\program files\Windows Defender\msascui .exe

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-1241913026-665132261-2367862541-1006\Software\Microsoft\SystemCertificates\AddressBook*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

Save the file to your desktop and name it CFScript.txt

Then drag CFScript.txt onto ComboFix.exe as shown in the screenshot below.

[Screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.
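A reader for the script format above, added here as an example; it is not part of the thread and not ComboFix's own code. It parses the section headers (KillAll::, File::, RenV::, RegLock::) and prints what each entry asks ComboFix to do, so a script can be read back before it is dragged onto ComboFix. What each section means, and that a RenV:: entry is renamed by dropping the stray space before its extension, are assumptions made here from the script's wording rather than a reading of ComboFix itself.

```python
"""Dry-run reader for a ComboFix CFScript.

Added example, not part of the forum thread or of ComboFix. It parses the
section layout used by the script above (a header such as ``File::`` followed
by one entry per line, sections separated by blank lines) and reports what
each section asks for. Section meanings are assumptions made here from the
script's wording.
"""
import re
from typing import Dict, List

# Constructed sample: a shortened copy of the script posted in the thread.
SAMPLE_SCRIPT = """\
KillAll::

File::
c:\\windows\\Tasks\\At101.job

RenV::
c:\\program files\\Adobe\\Reader 8.0\\Reader\\reader_sl .exe
c:\\program files\\Windows Defender\\msascui .exe

RegLock::
[HKEY_USERS\\.Default\\Software\\Microsoft\\Internet Explorer\\User Preferences]
[HKEY_LOCAL_MACHINE\\software\\Classes\\CLSID\\{A483C63A-CDBC-426E-BF93-872502E8144E}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
# A stray space before the extension, e.g. "reader_sl .exe". Assumed here:
# a RenV entry names the file as it currently exists on disk.
STRAY_SPACE_RE = re.compile(r" +(\.[A-Za-z0-9]+)$")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {section_name: [entries]} preserving entry order."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def renv_target(entry: str) -> str:
    """Rename target for a RenV entry: the same path with the space before
    the extension removed (assumed semantics)."""
    return STRAY_SPACE_RE.sub(r"\1", entry)


def plan(sections: Dict[str, List[str]]) -> List[str]:
    """Human-readable list of actions, one per entry, for review."""
    actions: List[str] = []
    if "KillAll" in sections:
        actions.append("KillAll: end running processes before the fix (assumed)")
    for path in sections.get("File", []):
        actions.append(f"File: delete {path}")
    for entry in sections.get("RenV", []):
        actions.append(f"RenV: rename {entry} -> {renv_target(entry)}")
    for key in sections.get("RegLock", []):
        actions.append(f"RegLock: restrict permissions on {key}")
    known = {"KillAll", "File", "RenV", "RegLock"}
    for name in sections:
        if name not in known:
            actions.append(f"{name}: unknown section, review manually")
    return actions


if __name__ == "__main__":
    for action in plan(parse_cfscript(SAMPLE_SCRIPT)):
        print(action)
```

Any section header the reader does not know is listed as "unknown section" rather than silently skipped, so a script that uses directives beyond these four still gets flagged for manual review.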

Here is the new combofix log - thanks for your help!

------------------------------------------------------------------

ComboFix 10-06-16.03 - Linda Cross 06/17/2010 6:22.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.618 [GMT -7:00]

Running from: c:\documents and settings\Linda Cross\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Linda Cross\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\windows\Tasks\At101.job"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\win.com

c:\windows\Tasks\At101.job

.

((((((((((((((((((((((((( Files Created from 2010-05-17 to 2010-06-17 )))))))))))))))))))))))))))))))

.

2010-06-15 03:09 . 2009-10-22 20:54 37392 ----a-w- c:\windows\system32\drivers\99274762.sys

2010-06-15 03:09 . 2009-10-10 06:31 315408 ----a-w- c:\windows\system32\drivers\9927476.sys

2010-06-15 03:09 . 2009-09-26 00:59 128016 ----a-w- c:\windows\system32\drivers\99274761.sys

2010-06-08 22:39 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

2010-06-02 23:04 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-02 23:04 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-01 07:14 . 2010-06-02 05:23 7168 ----a-w- c:\windows\system32\drivers\utqxodiy.sys

2010-05-28 07:35 . 2010-05-28 07:35 -------- d-----w- C:\ea

2010-05-24 22:27 . 2010-05-24 22:27 4224 ----a-w- c:\windows\system32\drivers\RDPCDD.SYS

2010-05-24 19:59 . 2010-05-24 22:30 -------- d-----w- c:\windows\system32\MpEngineStore

2010-05-22 12:50 . 2010-06-15 05:20 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-05-20 01:55 . 2010-05-20 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard

2010-05-20 01:55 . 2010-05-20 01:55 7000064 ---ha-w- C:\SZKGFS.dat

2010-05-20 01:53 . 2010-05-20 01:53 -------- d-----w- c:\program files\Common Files\iS3

2010-05-20 01:53 . 2010-05-20 13:39 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-17 13:22 . 2009-10-20 21:09 -------- d-----w- c:\program files\Windows Defender

2010-06-17 13:22 . 2004-03-25 01:45 -------- d-----w- c:\program files\Lexmark X1100 Series

2010-06-17 12:18 . 2009-10-06 03:46 -------- d-----w- c:\program files\McAfee

2010-06-17 00:50 . 2009-10-06 05:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore

2010-06-15 05:20 . 2007-12-09 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-12 13:09 . 2007-10-02 20:17 -------- d-----w- c:\program files\My Kazaa Gold

2010-06-02 23:04 . 2010-04-29 03:23 -------- d-----w- c:\documents and settings\Linda Cross\Application Data\Malwarebytes

2010-06-02 23:04 . 2010-04-30 22:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-02 23:04 . 2010-04-29 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-20 17:09 . 2010-05-15 19:13 -------- d-----w- c:\program files\RegWork

2010-05-20 13:28 . 2010-05-20 12:47 7304 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg

2010-05-19 18:36 . 2010-05-17 00:40 112 ----a-w- c:\documents and settings\All Users\Application Data\JOJr2m.dat

2010-05-13 12:57 . 2009-12-21 14:13 -------- d-----w- c:\program files\VoiceScribe

2010-05-12 18:21 . 2009-10-20 21:18 221568 ------w- c:\windows\system32\MpSigStub.exe

2010-05-12 17:15 . 2009-10-06 03:36 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-05-12 16:28 . 2010-05-12 16:28 -------- d-----w- c:\program files\Common Files\McAfee

2010-05-12 16:28 . 2003-04-30 15:31 -------- d-----w- c:\program files\McAfee.com

2010-05-12 13:40 . 2010-05-12 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2010-05-12 05:27 . 2003-05-12 01:18 105656 -c--a-w- c:\documents and settings\Linda Cross\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-05-11 06:01 . 2008-05-10 05:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2010-05-06 10:41 . 2004-08-24 03:32 916480 ----a-w- c:\windows\system32\wininet.dll

2010-05-02 05:22 . 2002-08-29 10:00 1851264 ----a-w- c:\windows\system32\win32k.sys

2010-04-30 22:18 . 2003-12-31 00:10 -------- d-----w- c:\program files\Watchtower

2010-04-29 13:00 . 2010-04-29 05:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Bomgar-SCC-4BD91594

2010-04-29 02:51 . 2010-04-29 02:51 10752 ----a-w- C:\exefix_xp.com

2010-04-27 23:47 . 2010-04-27 23:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avG

2010-04-25 23:39 . 2010-04-16 23:43 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-21 17:15 . 2010-04-21 17:15 75264 ----a-w- c:\windows\system32\bfbe.sys

2010-04-20 05:30 . 2002-08-29 10:00 285696 ----a-w- c:\windows\system32\atmfd.dll

2010-04-16 23:43 . 2010-04-16 23:43 552 ----a-w- c:\windows\system32\d3d8caps.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

c:\documents and settings\Linda Cross\Start Menu\Programs\Startup\

setup_9.0.0.722_12.06.2010_23-38[1].lnk - c:\documents and settings\Linda Cross\Desktop\Virus Removal Tool\setup_9.0.0.722_12.06.2010_23-38[1]\startup.exe [2010-6-14 72208]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"=

"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=

"c:\\WINDOWS\\SYSTEM32\\java.exe"=

"c:\\Program Files\\360Share\\Gui\\360Share.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R0 99274762;99274762 Boot Guard Driver;c:\windows\SYSTEM32\DRIVERS\99274762.sys [6/14/2010 8:09 PM 37392]

R1 99274761;99274761;c:\windows\SYSTEM32\DRIVERS\99274761.sys [6/14/2010 8:09 PM 128016]

R1 bfbe;bfbe;c:\windows\SYSTEM32\bfbe.sys [4/21/2010 10:15 AM 75264]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [5/12/2010 9:33 AM 203280]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]

S1 MpKsla3c22b50;MpKsla3c22b50;\??\c:\windows\system32\MpEngineStore\MpKsla3c22b50.sys --> c:\windows\system32\MpEngineStore\MpKsla3c22b50.sys [?]

S3 diskchk;diskchk;\??\c:\windows\system32\diskchk.sys --> c:\windows\system32\diskchk.sys [?]

S3 utqxodiy;AVZ Kernel Driver;c:\windows\SYSTEM32\DRIVERS\utqxodiy.sys [6/1/2010 12:14 AM 7168]

.

Contents of the 'Scheduled Tasks' folder

2010-06-12 c:\windows\Tasks\McDefragTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 19:22]

2010-06-01 c:\windows\Tasks\McQcTask.job

- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-05-12 19:22]

2010-06-17 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2010-06-17 c:\windows\Tasks\User_Feed_Synchronization-{0BF8426D-E159-4E88-8E75-FD433358A530}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://phoenix.cox.net/cci/home

uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = iexplore

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

Trusted Zone: alpineaccess.com

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: musicmatch.com\online

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

- - - - ORPHANS REMOVED - - - -

ActiveSetup-{33E00BF6-D344-4362-838B-2F9790234042} - qfoneu71.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-06-17 06:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\windows\TEMP\TMP0000000D12799D3B6FDF5B1A

scan completed successfully

hidden files: 1

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1241913026-665132261-2367862541-1006\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3016)

c:\windows\system32\WININET.dll

c:\program files\McAfee\SiteAdvisor\saHook.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\IME\SPGRMR.DLL

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\McAfee\MSK\MskSrver.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe

.

**************************************************************************

.

Completion time: 2010-06-17 06:57:49 - machine was rebooted

ComboFix-quarantined-files.txt 2010-06-17 13:57

ComboFix2.txt 2010-06-15 06:00

ComboFix3.txt 2010-04-29 05:12

Pre-Run: 41,340,379,136 bytes free

Post-Run: 41,395,646,464 bytes free

- - End Of File - - 382E4B91A7D91FC420F2A6BE66315549
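As an added example, not from the thread and not ComboFix's code, here is a small reader for the log layout above that turns the listing into review prompts: kernel drivers created inside the scan window, a service whose image file ComboFix could not find ([?]), a driver loaded from outside the drivers directory, Security Center monitoring or the firewall switched off, and the hidden-file count from the rootkit scan. The sample lines are copied from the log above; the selection rules are heuristics chosen here, so a hit is a prompt to look closer, not a verdict.

```python
"""Triage helper for a ComboFix log.

Added example, not part of the thread and not ComboFix's own code. It reads
the 'Files Created' entries, the service/driver lines and a few registry
values in the layout ComboFix prints, and lists what a reviewer would look
at first. The rules are heuristics chosen here.
"""
import re
from typing import Any, Dict, List

# Constructed sample: a handful of lines copied from the log posted above.
COMBOFIX_SAMPLE = """\
2010-06-15 03:09 . 2009-10-22 20:54 37392 ----a-w- c:\\windows\\system32\\drivers\\99274762.sys
2010-06-08 22:39 . 2010-05-06 10:41 743424 ------w- c:\\windows\\system32\\dllcache\\iedvtool.dll
2010-06-01 07:14 . 2010-06-02 05:23 7168 ----a-w- c:\\windows\\system32\\drivers\\utqxodiy.sys
2010-05-28 07:35 . 2010-05-28 07:35 -------- d-----w- C:\\ea
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 99274762;99274762 Boot Guard Driver;c:\\windows\\SYSTEM32\\DRIVERS\\99274762.sys [6/14/2010 8:09 PM 37392]
R1 bfbe;bfbe;c:\\windows\\SYSTEM32\\bfbe.sys [4/21/2010 10:15 AM 75264]
R2 WinDefend;Windows Defender;c:\\program files\\Windows Defender\\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 diskchk;diskchk;\\??\\c:\\windows\\system32\\diskchk.sys --> c:\\windows\\system32\\diskchk.sys [?]
S3 utqxodiy;AVZ Kernel Driver;c:\\windows\\SYSTEM32\\DRIVERS\\utqxodiy.sys [6/1/2010 12:14 AM 7168]
hidden files: 1
"""

# "created . modified size attrs path"; size is "--------" for directories.
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
# "R0 name;display;image [date size]" or "... --> resolved [?]" when missing.
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")


def parse_combofix(log: str) -> Dict[str, Any]:
    """Split the log into file entries, service entries and registry values."""
    files: List[Dict[str, Any]] = []
    services: List[Dict[str, Any]] = []
    settings: Dict[str, str] = {}
    last_key = ""
    for line in log.splitlines():
        m = FILE_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            files.append({"created": created, "modified": modified,
                          "size": None if size.startswith("-") else int(size),
                          "is_dir": attrs[0] == "d", "path": path})
            continue
        m = SERVICE_RE.match(line)
        if m:
            start, name, display, image, detail = m.groups()
            if "-->" in image:          # keep the resolved path only
                image = image.split("-->", 1)[1].strip()
            services.append({"start": start, "name": name, "display": display,
                             "image": image, "missing": detail.strip() == "?"})
            continue
        if line.startswith("["):
            last_key = line.strip("[]")
        elif line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            settings[last_key + "\\" + name.strip('"')] = value.strip()
        elif line.startswith("hidden files:"):
            settings["hidden files"] = line.split(":", 1)[1].strip()
    return {"files": files, "services": services, "settings": settings}


def triage(parsed: Dict[str, Any]) -> List[str]:
    """Review prompts derived from the parsed log (heuristics, not verdicts)."""
    hits: List[str] = []
    for f in parsed["files"]:
        if not f["is_dir"] and f["path"].lower().endswith(".sys"):
            hits.append(f"new kernel driver created {f['created']}: {f['path']}")
    for s in parsed["services"]:
        image = s["image"].lower()
        if s["missing"]:
            hits.append(f"service {s['name']} ({s['start']}): image not found: {s['image']}")
        elif image.endswith(".sys") and "\\drivers\\" not in image:
            hits.append(f"driver {s['name']} ({s['start']}) loads from outside the drivers directory: {s['image']}")
    st = parsed["settings"]
    for key, value in st.items():
        if key.endswith("\\DisableMonitoring") and value.endswith("00000001"):
            hits.append(f"Security Center monitoring disabled: {key}")
        if key.endswith("\\EnableFirewall") and value.startswith("0"):
            hits.append(f"Windows Firewall disabled for profile: {key}")
    if st.get("hidden files", "0") != "0":
        hits.append(f"rootkit scan reported hidden files: {st['hidden files']}")
    return hits


if __name__ == "__main__":
    for hit in triage(parse_combofix(COMBOFIX_SAMPLE)):
        print(hit)
```

To use it on a real Combofix.txt, read the whole file into parse_combofix; the regexes ignore every line they do not recognise, so the banner and report headers between sections do no harm.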

How are things running now?

Things are mostly running fine - I just seem to still be getting redirects when doing Google searches. Does this still indicate a virus problem?


Please read the following through carefully so that you understand what to do.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)
    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt"; please copy and paste the contents of that file here.

HELLO!

Just ran TDSSKiller - What's next? Here is the log:

------------------------------------------------------------------------------

19:14:00:890 2232 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48

19:14:00:890 2232 ================================================================================

19:14:00:890 2232 SystemInfo:

19:14:00:890 2232 OS Version: 5.1.2600 ServicePack: 3.0

19:14:00:890 2232 Product type: Workstation

19:14:00:890 2232 ComputerName: GRAMMIE

19:14:00:890 2232 UserName: Linda Cross

19:14:00:890 2232 Windows directory: C:\WINDOWS

19:14:00:890 2232 Processor architecture: Intel x86

19:14:00:890 2232 Number of processors: 1

19:14:00:890 2232 Page size: 0x1000

19:14:00:906 2232 Boot type: Normal boot

19:14:00:906 2232 ================================================================================

19:14:01:515 2232 Initialize success

19:14:01:515 2232

19:14:01:515 2232 Scanning Services ...

19:14:01:968 2232 Raw services enum returned 362 services

19:14:01:984 2232

19:14:01:984 2232 Scanning Drivers ...

19:14:03:812 2232 99274761 (7dd41b7ac1fbb1dbf20bb1f4e4fbe58c) C:\WINDOWS\system32\DRIVERS\99274761.sys

19:14:04:156 2232 99274762 (a305fad3719c5db0c13d1c2bfd08a04d) C:\WINDOWS\system32\DRIVERS\99274762.sys

19:14:04:562 2232 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\System32\DRIVERS\ABP480N5.SYS

19:14:04:828 2232 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

19:14:05:093 2232 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

19:14:05:343 2232 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\System32\DRIVERS\adpu160m.sys

19:14:05:578 2232 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys

19:14:05:890 2232 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

19:14:06:046 2232 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

19:14:06:171 2232 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\System32\DRIVERS\agp440.sys

19:14:06:578 2232 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\System32\DRIVERS\agpCPQ.sys

19:14:06:937 2232 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\System32\DRIVERS\aha154x.sys

19:14:07:281 2232 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\System32\DRIVERS\aic78u2.sys

19:14:07:484 2232 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\System32\DRIVERS\aic78xx.sys

19:14:07:781 2232 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\System32\DRIVERS\aliide.sys

19:14:07:968 2232 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\System32\DRIVERS\alim1541.sys

19:14:08:109 2232 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\System32\DRIVERS\amdagp.sys

19:14:08:250 2232 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\System32\DRIVERS\amsint.sys

19:14:08:578 2232 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\System32\DRIVERS\asc.sys

19:14:08:890 2232 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\System32\DRIVERS\asc3350p.sys

19:14:09:062 2232 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\System32\DRIVERS\asc3550.sys

19:14:09:281 2232 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

19:14:09:421 2232 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

19:14:09:578 2232 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

19:14:09:687 2232 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

19:14:09:781 2232 bcm4sbxp (f5c0d3c93235a455cdd13c954adf1a80) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

19:14:10:000 2232 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys

19:14:10:250 2232 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

19:14:10:343 2232 bfbe (84e3616024c57c8c49d5810c5e8df09d) C:\WINDOWS\system32\bfbe.sys

19:14:10:343 2232 Suspicious file (NoAccess): C:\WINDOWS\system32\bfbe.sys. md5: 84e3616024c57c8c49d5810c5e8df09d

19:14:10:500 2232 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\DRIVERS\cbidf2k.sys

19:14:10:625 2232 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

19:14:10:781 2232 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\System32\DRIVERS\cd20xrnt.sys

19:14:10:953 2232 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

19:14:11:093 2232 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

19:14:11:203 2232 Cdr4_xp (bf79e659c506674c0497cc9c61f1a165) C:\WINDOWS\system32\drivers\Cdr4_xp.sys

19:14:11:343 2232 Cdralw2k (2c41cd49d82d5fd85c72d57b6ca25471) C:\WINDOWS\system32\drivers\Cdralw2k.sys

19:14:11:468 2232 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

19:14:11:593 2232 cdudf_xp (cfd81f2140193fc7f1812e6d6eaf6795) C:\WINDOWS\system32\drivers\cdudf_xp.sys

19:14:11:796 2232 Changer (2a5815ca6fff24b688c01f828b96819c) C:\WINDOWS\system32\drivers\Changer.sys

19:14:11:968 2232 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\System32\DRIVERS\cmdide.sys

19:14:12:093 2232 CO_Mon (6be1d6403727bdd8a2b2568dbe6bfb8b) C:\WINDOWS\system32\Drivers\CO_Mon.sys

19:14:12:296 2232 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\System32\DRIVERS\cpqarray.sys

19:14:12:437 2232 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\System32\DRIVERS\dac2w2k.sys

19:14:12:562 2232 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\System32\DRIVERS\dac960nt.sys

19:14:12:750 2232 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

19:14:12:921 2232 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

19:14:13:093 2232 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

19:14:13:203 2232 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

19:14:13:312 2232 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

19:14:13:437 2232 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\System32\DRIVERS\dpti2o.sys

19:14:13:562 2232 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

19:14:13:734 2232 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys

19:14:13:937 2232 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys

19:14:14:078 2232 dvd_2K (677829f7010768eeeed8d0083e510dab) C:\WINDOWS\system32\drivers\dvd_2K.sys

19:14:14:312 2232 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys

19:14:14:468 2232 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

19:14:14:593 2232 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

19:14:14:718 2232 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

19:14:14:859 2232 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

19:14:14:984 2232 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

19:14:15:109 2232 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

19:14:15:234 2232 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

19:14:15:406 2232 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

19:14:15:546 2232 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

19:14:15:656 2232 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\System32\DRIVERS\hpn.sys

19:14:15:843 2232 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

19:14:16:125 2232 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

19:14:16:281 2232 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\System32\DRIVERS\i2omp.sys

19:14:16:546 2232 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

19:14:16:812 2232 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys

19:14:16:953 2232 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys

19:14:17:093 2232 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys

19:14:17:234 2232 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys

19:14:17:453 2232 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys

19:14:17:593 2232 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys

19:14:17:718 2232 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys

19:14:17:843 2232 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys

19:14:17:984 2232 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys

19:14:18:109 2232 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys

19:14:18:265 2232 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys

19:14:18:531 2232 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

19:14:18:671 2232 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\System32\DRIVERS\ini910u.sys

19:14:18:859 2232 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\System32\DRIVERS\intelide.sys

19:14:18:984 2232 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

19:14:19:109 2232 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

19:14:39:046 2232

19:14:39:046 2232 Completed

19:14:39:046 2232

19:14:39:046 2232 Results:

19:14:39:062 2232 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

19:14:39:062 2232 File objects infected / cured / cured on reboot: 0 / 0 / 0

19:14:39:062 2232

19:14:39:062 2232 KLMD(ARK) unloaded successfully


Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! It is possible that files in use will only be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new HijackThis log.

Think there is a problem - I never got past the 2nd bullet item in your instructions. I downloaded Dr.Web CureIt as instructed (it took 15-20 minutes to download). When download finished I disabled anti-virus and disconnected from the internet. Received a prompt to run Dr.Web - clicked on run - waited about 1/2 hour and received no other prompts - received no indication that any scan was happening or anything. Tried to uninstall or delete from my desktop - received this message: "Error deleting file or folder - Cannot delete Dr.Web-Cureit: Access denied. Make sure the disk is not full or write protected and that the file is not currently in use." I checked Task Manager which doesn't show ANY programs running. Please let me know what to do next.

I'm going to try to delete Dr. Web from my desktop and then download again while waiting for your comments.

Thank you!


I was able to figure out how to boot up in safe mode but now I can't find your comments previous to this one - I think it was a link to download something in safe mode - sorry - I'm having a LOT of difficulty bringing up your latest replies to my questions! Also have a lot of difficulty logging out of the forum - what next?

Hello!

Have completed the Dr Web scan - looks like the log downloaded into an MS-Excel file instead of notepad - copied it below and also attached file to this reply - there's something called setup_XP - Notepad file which I have also copied below. I also ran mbam scan very early this morning and have copied the log below as well.

-----------------------------------------------------------------------------------------

DrWeb.csv log (file also attached) - scan run 6/19/10

7da515163ba3b90.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da515163ba3b90.bup;Win32.HLLC.Asdas.7;;

7da515163ba3b90.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;

7da5156b76d0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5156b76d0.bup;Win32.HLLC.Asdas.7;;

7da5156b76d0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;

7da516132a3a5d0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da516132a3a5d0.bup;Trojan.Fakealert.15575;;

7da516132a3a5d0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;

7da5e1082800.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e1082800.bup;Trojan.DownLoad1.58684;;

7da5e1082800.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;

7da5e1082c2ce0.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e1082c2ce0.bup;Trojan.DownLoad1.58684;;

7da5e1082c2ce0.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;

7da5e14272c2e60.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e14272c2e60.bup;Trojan.DownLoad1.58684;;

7da5e14272c2e60.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;

7da5e152922980.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e152922980.bup;Trojan.DownLoad1.58684;;

7da5e152922980.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;

7da5e6162f1190.bup\stream000;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine\7da5e6162f1190.bup;Trojan.DownLoad1.58684;;

7da5e6162f1190.bup;C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Quarantine;Container contains infected objects;Moved.;

mcinst.exe;C:\Program Files\Common Files\McAfee\Installer;Probably BACKDOOR.Trojan;Incurable.Moved.;

A0297549.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2024;Probably BACKDOOR.Trojan;Incurable.Moved.;

A0298101.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2030;Probably BACKDOOR.Trojan;Incurable.Moved.;

A0298294.reg;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2030;Trojan.StartPage.1505;Deleted.;

---------------------------------------------------------------------------------------------------------

[Windows]

FilesTypes = EXE,COM,DLL,SYS,VXD,OV?,BAT,BIN,DRV,PRG,BOO,SCR,CMD,386,FON,DO?

FilesTypes = XL?,WIZ,RTF,CL*,HT*,VB*,JS*,INF,PP?,OBJ,LIB,PIF,HLP,MD?,INI,MBR

FilesTypes = IMG,CSC,CPL,MBP,SH,SHB,SHS,SHT*,CHM,REG,XML,PRC,ASP,LSP,MSO,OBD

FilesTypes = THE*,NWS,SWF,MPP,OCX,VS*,DVB,CPY,BMP,RPM,ISO,DEB,AR?,ZIP,R??,GZ

FilesTypes = Z,TGZ,TAR,TAZ,CAB,LHA,LZH,BZ2,MSG,EML,7Z,CPIO,TBB

UserMasks = "*.EXE","*.COM","*.DLL","*.SYS","*.VXD","*.OV?","*.BAT","*.BIN"

UserMasks = "*.DRV","*.PRG","*.BOO","*.SCR","*.CMD","*.386","*.FON","*.DO?"

UserMasks = "*.XL?","*.WIZ","*.RTF","*.CL*","*.HT*","*.VB*","*.JS*","*.INF"

UserMasks = "*.PP?","*.OBJ","*.LIB","*.PIF","*.HLP","*.MD?","*.INI","*.MBR"

UserMasks = "*.IMG","*.CSC","*.CPL","*.MBP","*.SH","*.SHB","*.SHS","*.SHT*"

UserMasks = "*.CHM","*.REG","*.XML","*.PRC","*.ASP","*.LSP","*.MSO","*.OBD"

UserMasks = "*.THE*","*.NWS","*.SWF","*.MPP","*.OCX","*.VS*","*.DVB","*.CPY"

UserMasks = "*.BMP","*.RPM","*.ISO","*.DEB","*.AR?","*.ZIP","*.R??","*.GZ"

UserMasks = "*.Z","*.TGZ","*.TAR","*.TAZ","*.CAB","*.LHA","*.LZH","*.BZ2"

UserMasks = "*.MSG","*.EML","*.7Z","*.CPIO","*.TBB"

ScanFiles = All

HeuristicAnalysis = Yes

CheckArchives = Yes

CheckEMailFiles = No

InfectedFiles = Cure

SuspiciousFiles = Report

IncurableFiles = Move

ActionAdware = Report

ActionDialers = Report

ActionJokes = Report

ActionRiskware = Report

ActionHacktools = Report

ActionInfectedArchive = Move

ActionInfectedMail = Report

ActionInfectedContainer = Move

RebootMode = Prompt

CheckHOSTSFile = Yes

RenameFilesTo = #??

MoveFilesTo = "%USERPROFILE%\DoctorWeb\Quarantine\"

ExcludePaths = "%USERPROFILE%\DoctorWeb\Quarantine"

ExcludeFiles = "*.7z","*.ar?","*.bz2","*.cab","*.img","*.iso","*.jar","*.lzh"

ExcludeFiles = "*.mdf","*.nrg","*.rar","*.tar","*.tgz","*.vmdk","*.zip"

VirusBase = "*."

LogToFile = Yes

OverwriteLog = No

LogScanned = No

LogPacked = Yes

LogArchived = No

LogFileName = "%USERPROFILE%\DoctorWeb\CureIt.log"

LogFormat = ANSI

LngFileName = ""

ShowProgressBar = Yes

ScanPriority = 50

EnginePath = "setup.dll"

TestMemory = Yes

TestStartup = Yes

AutoSaveSettings = Yes

ScanSubDirectories = Yes

PromptOnAction = Yes

PlaySounds = No

UseDiskForSwap = Yes

AlertWav = "alert.wav"

CuredWav = "cured.wav"

DeletedWav = "deleted.wav"

RenamedWav = "renamed.wav"

MovedWav = "moved.wav"

FinishWav = "finish.wav"

ErrorWav = "error.wav"

UpdateAllFiles = No

UpdateVirusBasesOnly = No

OnUpdateRun = ""

UpdateRebootMode = prompt

ScanFDD = No

ScanHDD = Yes

ScanCD = No

ScanNet = No

LimitLog = Yes

MaxLogSize = 2048

RestoreAccessDate = No

WaitAfterScan = Yes

LogStatistics = Yes

EnableDeleteArchiveAction = No

DisableHotReconfigure = No

-----------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4214

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/19/2010 5:53:07 AM

mbam-log-2010-06-19 (05-53-07).txt

Scan type: Full scan (C:\|)

Objects scanned: 220301

Time elapsed: 1 hour(s), 36 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\DRIVERS\76414411.sys (Rootkit.Agent.H) -> Quarantined and deleted successfully.


That's good! :P

How are things after... all?

Hi Borislav -

Things appear to be good so far but I'm still getting internet redirects when I do google searches. Why? This has been a nightmare - any more suggestions?

I really appreciate the help you've given during this time! Thank you!!!


ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You may, however, need to disable your currently installed Anti-Virus; how to do so can be read here.

  • Please go here, then click on: EOLS1.gif
  • Select the option YES, I accept the Terms of Use, then click on: EOLS2.gif
  • When prompted, allow the Add-On/ActiveX to install.
  • Now click on Advanced Settings and select the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: EOLS3.gif
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet connection.
  • When completed, the Online Scan will begin automatically.
  • Do not touch either the mouse or keyboard during the scan, otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on: EOLS4.gif
  • Use Notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!

Here is the ESET scan log - Could this be a false positive? I uninstalled Spybot days ago.

Thanks for your help!

----------------------------------------------------------------------------

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=80d996b05ef17b4aa891bb4f11c48b12

# end=finished

# remove_checked=true

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2010-06-20 04:30:53

# local_time=2010-06-20 09:30:53 (-0700, US Mountain Standard Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1024 16777215 100 0 0 0 0 0

# compatibility_mode=5121 16776613 100 96 3273987 29878357 0 0

# compatibility_mode=6143 16777215 0 0 0 0 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=83035

# found=1

# cleaned=1

# scan_time=6227

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FraudDataProtection18.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


Download RootRepeal Beta on your desktop.

  • Double-click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan
    Note: The scan can take some time. DO NOT run any other programs while the scan is running.
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

Tried to download RootRepeal - would not initialize - also received message that "Windows Virtual Memory Minimum Too Low" - my computer is also running a bit sluggish now as well.
