sp60

Whitesmoke virus blocks Malwarebytes, reinstalls


I'm not sure how this got onto my system - probably by simply visiting an infected website. It installed the WhiteSmoke program and then blocked Malwarebytes from running (I don't recall the exact error message that it produced, but it was MBAM_...<something>...(5, 0)). Then it started running some "antivirus" scan.

I was able to go into safe mode with networking and uninstall Malwarebytes, reinstall it, update it, and then remove all the things it found. I also deleted the WhiteSmoke program via the control panel. I also was able to update and run SuperAntivirus, which found a few more things I removed, but again the problem was not solved, as when I rebooted in normal mode, I got a message that the file leng2c.dll was not found, and then Malwarebytes again became disabled. However, it did give a different error message when I tried to run it: MBAM_ERROR_ENUMERATE_UNINSTALLLANGUAGES (2, 0). Once again, in safe mode, I managed to uninstall and then reinstall the latest version of Malwarebytes and remove the things it found as a result of the scan. I have attached a copy of the log Malwarebytes produced at the end of that session.

The virus made my Avast software expire, and so it was disabled; however, there was a short period of time during which I was able to reactivate Avast by typing in a name and email address. I think this virus also tried to reassign my default search engine to Bing.

In any case, I would appreciate any help from anyone who could help get rid of this thing. I am posting this now from safe mode with networking, so I am able to access the web and download and run things like DDS, and finally GMER. Here is DDS.txt. The GMER txt result and Attach files are zipped and attached to this message.

DDS (Ver_10-11-27.01) - NTFSx86 NETWORK

Run by Administrator at 13:19:28.60 on Wed 12/01/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.370 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Administrator.PANAMA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

TB: &Save Flash: {4064ea35-578d-4073-a834-c96d82cbcf40} - c:\program files\save flash\SaveFlash.dll

EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"

mRun: [WorksFUD] c:\program files\microsoft works\wkfud.exe

mRun: [Microsoft Works Portfolio] c:\program files\microsoft works\WksSb.exe /AllUsers

mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe

mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 5.0\apdproxy.exe"

mRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [<NO NAME>]

mRun: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

mRun: [WD Button Manager] WDBtnMgr.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"

mRun: [indexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"

mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini"

mRun: [brMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN

mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\common files\microsoft shared\works shared\wkcalrem.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

DPF: {00000014-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall14.cab

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - hxxp://www.vectorvest.com/install/vvonlineus/setup.exe

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab

DPF: {CAFEEFAC-0014-0002-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2_19-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

Handler: x-atng - {7e8717b0-d862-11d5-8c9e-00010304f989} - c:\program files\fidelity investments\fidelity active trader\system\atngprot.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [2006-5-15 15172]

S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-14 165584]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 67656]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-14 17744]

S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-25 40384]

S2 File Backup;File Backup Service;c:\program files\starfield\offSyncService.exe [2010-7-16 1310960]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-25 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-25 40384]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2004-12-25 2944]

S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [2004-12-25 3168]

S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2004-12-25 39552]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2004-12-25 60416]

S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\pavsrk.sys --> c:\windows\system32\PavSRK.sys [?]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-12-4 12872]

S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [2004-12-27 142336]

S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [2004-12-27 524288]

=============== Created Last 30 ================

2010-12-01 17:03:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-01 17:03:30 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-01 17:03:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-01 07:57:24 -------- d-----w- c:\windows\system32\wbem\repository\FS

2010-12-01 07:57:24 -------- d-----w- c:\windows\system32\wbem\Repository

2010-12-01 05:27:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)

2010-12-01 05:05:18 -------- d-sh--w- c:\documents and settings\administrator.panama\PrivacIE

2010-12-01 05:04:42 -------- d-----w- c:\docume~1\admini~1.pan\locals~1\applic~1\Adobe

2010-12-01 04:53:50 0 ----a-w- c:\windows\Jmoqanoj.bin

2010-12-01 04:51:27 -------- d-----w- c:\windows\system32\%APPDATA%

2010-12-01 04:28:21 -------- d-sh--w- c:\documents and settings\administrator.panama\IETldCache

2010-11-20 20:20:00 -------- d-----w- c:\windows\ie8updates

2010-11-20 20:15:10 -------- dc-h--w- c:\windows\ie8

2010-11-20 20:11:01 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-11-20 20:10:56 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-11-20 20:10:56 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-11-20 20:10:55 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-11-20 20:10:54 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-11-20 20:10:53 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-11-20 20:10:53 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-11-20 20:10:49 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-11-20 20:09:31 -------- d-----w- C:\8f1bc57f4eae3148477baeb92d48e899

2010-11-20 18:19:44 -------- d-----w- c:\program files\Starfield

2010-11-02 01:22:03 -------- d-----w- C:\abl

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53:25 974848 --sha-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 06:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl

2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr

2001-08-18 12:00:00 94784 --sh--w- c:\windows\twain.dll

2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll

2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12:02 84992 --sh--w- c:\windows\system32\olepro32.dll

2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: MAXTOR_6L080J4 rev.A93.0500 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F2E566]<<

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x82f34624]; MOV EAX, [0x82f346a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82FA0AB8]

3 CLASSPNP[0xF8606FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000059[0x82F823B8]

5 ACPI[0xF856D620] -> nt!IofCallDriver[0x804E37D5] -> [0x82FAAD98]

\Driver\atapi[0x82FA0818] -> IRP_MJ_CREATE -> 0x82F2E566

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [bP+0x0], CL; INC BP; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_6L080J4__________________________A93.0500#3636323431313133303535322020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x82F2E3B2

user != kernel MBR !!!

sectors 156355582 (+255): user != kernel

Warning: possible TDL4 rootkit infection !

TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 13:21:45.23 ===============

Attach.zip

mbam_log_2010_12_01__13_13_43_.txt

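The ROOTKIT section of the DDS log above is GMER comparing the MBR as read from user mode with the MBR read by the kernel, and noting the sectors left past the last partition. The following Python is an added example, not part of the original post and not GMER or DDS code: it parses a 512-byte MBR, performs the same cross-view comparison on two constructed MBR images, and computes the trailing sector gap. The disk size, partition layout and byte values are constructed for illustration and are not taken from the poster's machine.

```python
"""Cross-view MBR check modelled on the GMER "user != kernel MBR" section above.

Added example; the MBR images, disk size and byte values below are constructed
for illustration and are not taken from the poster's machine or from GMER/DDS.
"""
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFFSET = 0x1BE     # four 16-byte partition entries
SIGNATURE_OFFSET = 0x1FE      # 0x55 0xAA boot signature
ENTRY_FMT = "<B3xB3xII"       # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def build_mbr(bootstrap: bytes, entries) -> bytes:
    """Assemble a 512-byte MBR from bootstrap code and (status, type, lba_start, sectors) tuples."""
    code = bootstrap.ljust(BOOTSTRAP_SIZE, b"\x00")[:BOOTSTRAP_SIZE]
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return code + table + b"\x55\xaa"


def parse_partitions(mbr: bytes):
    """Return the non-empty entries of the partition table as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def compare_views(user_mbr: bytes, kernel_mbr: bytes):
    """Cross-view comparison: list of [start, end) byte ranges where the two reads disagree.

    A rootkit that filters disk reads hands user mode the original sector, while a
    kernel-level read returns what is really on disk; that mismatch is what GMER
    reports as "user != kernel MBR".
    """
    diffs, start = [], None
    for i, (a, b) in enumerate(zip(user_mbr, kernel_mbr)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            diffs.append((start, i))
            start = None
    if start is not None:
        diffs.append((start, MBR_SIZE))
    return diffs


def trailing_unallocated_sectors(parts, disk_sectors: int) -> int:
    """Sectors after the end of the last partition; MBR bootkits keep their payload there."""
    if not parts:
        return disk_sectors
    last_end = max(p["lba_start"] + p["sectors"] for p in parts)
    return max(disk_sectors - last_end, 0)


def assess(user_mbr: bytes, kernel_mbr: bytes, disk_sectors: int):
    """Combine the checks into a list of human-readable findings (empty list = nothing unusual)."""
    findings = []
    diffs = compare_views(user_mbr, kernel_mbr)
    if diffs:
        findings.append("user != kernel MBR: differing byte ranges %s" % diffs)
        if any(s < BOOTSTRAP_SIZE for s, _ in diffs):
            findings.append("bootstrap code differs between views (typical of an MBR bootkit)")
    tail = trailing_unallocated_sectors(parse_partitions(kernel_mbr), disk_sectors)
    if tail:
        # A few hundred sectors of slack is normal alignment; it matters when paired with a mismatch.
        findings.append("%d unallocated sectors after last partition" % tail)
    return findings


# Constructed sample: one NTFS partition starting at LBA 63 on a 1,000,000-sector disk,
# leaving 255 sectors of slack at the end (numbers chosen to echo the GMER "(+255)" line).
DISK_SECTORS = 1_000_000
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 63, 999_682)])

# The "infected" view keeps the partition table intact (so the machine still boots) but
# replaces the first 16 bytes of bootstrap code with a constructed stand-in for a loader stub.
_infected = bytearray(CLEAN_MBR)
_infected[0:16] = b"\xeb\x10" + b"\x90" * 14
INFECTED_MBR = bytes(_infected)

if __name__ == "__main__":
    # user-mode read is what the rootkit lets us see; kernel read is what is really on disk
    for line in assess(CLEAN_MBR, INFECTED_MBR, DISK_SECTORS):
        print(line)
```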

Hi and Welcome to the Malwarebytes' Help Forum,

You can download the programs I'd like you to run to a clean PC and then transfer them to the infected PC via USB flash drive or CD. If you are not able to do that, then try to download and run them in safe mode with networking!!

Some background information on what we're planning to do can be found HERE

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please run ComboFix by following the steps provided in exactly this sequence:

Here is a tutorial that describes how to download, install and run Combofix. Please thoroughly review it before proceeding:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! BEFORE downloading Combofix, temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Note: The above tutorial does not tell you to rename Combofix as I am about to instruct you to do in the following instructions, so make sure you complete the renaming step before launching Combofix.

Using ComboFix ->

Please download Combofix from one of these locations:

HERE or HERE

I want you to rename Combofix.exe as you download it to iexplore.exe

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK
  • For Internet Explorer:
    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it iexplore.exe

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers and programs.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • If you are running Windows XP and Combofix asks to install the Recovery Console, please allow it to do so or it WILL NOT perform its normal malware removal capabilities. This is for your safety!!

1. To Launch Combofix

Click Start --> Run, and Enter or Copy/Paste this command exactly as shown:

"%userprofile%\desktop\iexplore.exe" /killall

2. When finished, it will produce a logfile located at C:\ComboFix.txt

3. Post the contents of that log in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Please post C:\ComboFix.txt in your next reply.


You're Welcome, sp60!!

TDSSKiller identified and removed this MBR rootkit trojan - you can read about it here:

http://secure-computer-solutions.com/blog/...p_your_mbr.html

I'm posting your logs for the benefit of anyone reading this topic and myself as well so it is easier to follow. After I review them some more, I'll be back with additional recommendations!

TDSSKiller Log:

2010/12/01 23:01:00.0578 TDSS rootkit removing tool 2.4.10.0 Nov 28 2010 18:35:56

2010/12/01 23:01:00.0578 ================================================================================

2010/12/01 23:01:00.0578 SystemInfo:

2010/12/01 23:01:00.0578

2010/12/01 23:01:00.0578 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/01 23:01:00.0578 Product type: Workstation

2010/12/01 23:01:00.0578 ComputerName: PANAMA

2010/12/01 23:01:00.0593 UserName: Administrator

2010/12/01 23:01:00.0593 Windows directory: C:\WINDOWS

2010/12/01 23:01:00.0593 System windows directory: C:\WINDOWS

2010/12/01 23:01:00.0593 Processor architecture: Intel x86

2010/12/01 23:01:00.0593 Number of processors: 1

2010/12/01 23:01:00.0593 Page size: 0x1000

2010/12/01 23:01:00.0593 Boot type: Safe boot with network

2010/12/01 23:01:00.0593 ================================================================================

2010/12/01 23:01:01.0093 Initialize success

2010/12/01 23:01:21.0078 ================================================================================

2010/12/01 23:01:21.0078 Scan started

2010/12/01 23:01:21.0078 Mode: Manual;

2010/12/01 23:01:21.0078 ================================================================================


2010/12/01 23:02:48.0765 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/12/01 23:02:49.0703 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/12/01 23:02:50.0671 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/12/01 23:02:51.0296 USBAAPL (f340199e8cb097e1acd58a967c665919) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/12/01 23:02:51.0750 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/12/01 23:02:52.0218 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/12/01 23:02:52.0703 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/12/01 23:02:53.0187 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/12/01 23:02:53.0609 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/12/01 23:02:54.0062 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/12/01 23:02:54.0921 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/12/01 23:02:55.0453 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/12/01 23:02:56.0359 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/12/01 23:02:57.0031 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/12/01 23:02:57.0546 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/12/01 23:02:58.0031 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/12/01 23:02:58.0281 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/12/01 23:02:58.0296 ================================================================================

2010/12/01 23:02:58.0296 Scan finished

2010/12/01 23:02:58.0296 ================================================================================

2010/12/01 23:02:58.0343 Detected object count: 1

2010/12/01 23:03:06.0156 \HardDisk0 - will be cured after reboot

2010/12/01 23:03:06.0156 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure

2010/12/01 23:03:54.0234 Deinitialize success

================

Your Combofix Log:

ComboFix 10-12-01.01 - Administrator 12/01/2010 23:30:49.3.1 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.362 [GMT -5:00]

Running from: c:\documents and settings\Administrator.PANAMA\Desktop\ComboFix.exe

Command switches used :: /killall

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((( Files Created from 2010-11-02 to 2010-12-02 )))))))))))))))))))))))))))))))

.

2010-12-01 17:03 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-01 17:03 . 2010-12-01 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-01 17:03 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-01 07:57 . 2010-12-01 07:57 -------- d-----w- c:\windows\system32\wbem\Repository

2010-12-01 05:05 . 2010-12-01 05:05 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\PrivacIE

2010-12-01 05:04 . 2010-12-01 05:05 -------- d-----w- c:\documents and settings\Administrator.PANAMA\Local Settings\Application Data\Adobe

2010-12-01 04:53 . 2010-12-01 06:33 0 ----a-w- c:\windows\Jmoqanoj.bin

2010-12-01 04:53 . 2010-12-01 04:53 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE

2010-12-01 04:51 . 2010-12-01 04:51 -------- d-----w- c:\windows\system32\%APPDATA%

2010-12-01 04:28 . 2010-12-01 04:28 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\IETldCache

2010-12-01 03:05 . 2010-12-01 03:05 -------- d-----w- c:\documents and settings\LocalService\IETldCache

2010-12-01 02:38 . 2010-12-01 02:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-11-20 21:49 . 2010-11-20 21:49 -------- d-sh--w- c:\documents and settings\Bonnie\IECompatCache

2010-11-20 21:47 . 2010-11-20 21:47 -------- d-sh--w- c:\documents and settings\Bonnie\PrivacIE

2010-11-20 21:44 . 2010-11-20 21:44 -------- d-sh--w- c:\documents and settings\Bonnie\IETldCache

2010-11-20 20:15 . 2010-11-20 20:17 -------- dc-h--w- c:\windows\ie8

2010-11-20 20:11 . 2010-08-26 11:08 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-11-20 20:10 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-11-20 20:10 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-11-20 20:10 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-11-20 20:10 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-11-20 20:10 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-11-20 20:10 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-11-20 20:10 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-11-20 20:09 . 2010-11-20 20:09 -------- d-----w- C:\8f1bc57f4eae3148477baeb92d48e899

2010-11-20 18:19 . 2010-11-20 18:20 -------- d-----w- c:\program files\Starfield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 16:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2001-08-18 12:00 974848 --sha-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:50 . 2010-05-18 05:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 06:29 . 2010-05-18 05:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-10 05:58 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2001-08-18 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2001-08-18 12:00 94784 --sh--w- c:\windows\twain.dll

2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12 343040 --sha-w- c:\windows\system32\msvcrt.dll

2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12 84992 --sh--w- c:\windows\system32\olepro32.dll

2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]

"nwiz"="nwiz.exe" [2003-07-28 323584]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-03-29 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"WD Button Manager"="WDBtnMgr.exe" [2009-11-24 335872]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-11-29 963976]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-11-29 443728]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-4-28 25214]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-10-12 15:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Media Player Classic\\mplayerc.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [5/15/2006 9:51 AM 15172]

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 1:50 PM 12872]

S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 67656]

S2 File Backup;File Backup Service;c:\program files\Starfield\offSyncService.exe [7/16/2010 1:47 PM 1310960]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/25/2004 10:02 AM 2944]

S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/25/2004 10:02 AM 3168]

S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/25/2004 10:02 AM 39552]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/25/2004 10:02 AM 60416]

S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 12872]

S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/27/2004 11:01 PM 142336]

S3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/27/2004 11:01 PM 524288]

.

Contents of the 'Scheduled Tasks' folder

2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-01 23:45

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-1390067357-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,42,27,7b,d0,a3,95,4e,9d,27,7e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b9,42,27,7b,d0,a3,95,4e,9d,27,7e,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55,

c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55,

c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(428)

c:\program files\SUPERAntiSpyware\SASWINLO.DLL

c:\windows\system32\WININET.dll

c:\windows\system32\l3codeca.acm

c:\windows\system32\ac3filter.acm

- - - - - - - > 'explorer.exe'(804)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2010-12-01 23:51:53 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-02 04:51

ComboFix2.txt 2008-12-24 15:39

Pre-Run: 11,575,459,840 bytes free

Post-Run: 11,835,793,408 bytes free

- - End Of File - - ACBEA61F811A48E7A8782A15D8B71D5B


Hi sp60,

That looks a lot better. How are things running now??

Now we have to run Combofix again, but this time we'll use a script that's customized for you (not all of the items specified are malicious - they may only represent leftover remnants or items that require further investigation/tweaking):

1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt

3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

4. Close All Open Windows and Browsers.

(picture: CFScriptB-4.gif)

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will cause ComboFix to run again.

Please post back the log (C:\Combofix.txt) that opens when it finishes.

KillALL::

Driver::
PavSRK.sys

File::
c:\windows\Jmoqanoj.bin
c:\windows\system32\PavSRK.sys

DirLook::
C:\8f1bc57f4eae3148477baeb92d48e899
C:\abl
c:\windows\system32\%APPDATA%

Reglock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

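As an added example (my own code, not ComboFix's or negster22's), here is a Python triage pass over the kinds of ComboFix log lines posted above: it parses the "Files Created" and driver/service entries, flags the four patterns the CFScript above targets (a zero-byte file dropped straight into c:\windows, a directory literally named %APPDATA%, a 32-hex-character directory at the drive root, a service whose image file is reported missing with "[?]"), and renders the flags in the CFScript section syntax used in the post. The heuristics and the sample lines (excerpted from this thread's logs) are assumptions of the example, and its output is a list of leads for a helper to review, not automatic deletions.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines excerpted from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
2010-12-01 17:03 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-01 04:53 . 2010-12-01 06:33 0 ----a-w- c:\windows\Jmoqanoj.bin
2010-12-01 04:51 . 2010-12-01 04:51 -------- d-----w- c:\windows\system32\%APPDATA%
2010-11-20 20:09 . 2010-11-20 20:09 -------- d-----w- C:\8f1bc57f4eae3148477baeb92d48e899
2010-11-20 18:19 . 2010-11-20 18:20 -------- d-----w- c:\program files\Starfield
S3 PavSRK.sys;PavSRK.sys;\??\c:\windows\system32\PavSRK.sys --> c:\windows\system32\PavSRK.sys [?]
S3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/27/2004 11:01 PM 142336]
"""

# "Files Created" entry: created . modified size-or-dashes attributes path
FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(\d+|-+) ([a-z-]{8}) (.+)$"
)
# Service entry: start type, service name, display name, image path [details]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+)$")
HEX32_DIR_RE = re.compile(r"^[a-z]:\\[0-9a-f]{32}$", re.IGNORECASE)  # drive-root hex dir

@dataclass
class Finding:
    kind: str                         # "file", "dir" or "driver"
    target: str                       # path, or service name for a driver
    reason: str
    image_path: Optional[str] = None  # on-disk image of a flagged service

def parse_file_entry(line):
    """Parse one 'Files Created' line; None when the line has another shape."""
    m = FILE_RE.match(line)
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {"created": created, "modified": modified, "path": path,
            "size": None if size.startswith("-") else int(size),
            "is_dir": attrs.startswith("d")}

def parse_service_entry(line):
    """Parse one driver/service line; a trailing '[?]' means the image file is absent."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    start, name, display, image = m.groups()
    on_disk = re.search(r"--> (.+?) \[\?\]$", image)  # path ComboFix looked for
    return {"start": start, "name": name, "display": display,
            "missing": image.endswith("[?]"),
            "image_path": on_disk.group(1) if on_disk else image.split(" [")[0]}

def triage_line(line):
    """Apply this example's heuristics (assumptions, not ComboFix rules) to one line."""
    f = parse_file_entry(line)
    if f is not None:
        path = f["path"]
        if f["is_dir"]:
            if "%" in path:
                return Finding("dir", path, "literal environment-variable name as a directory")
            if HEX32_DIR_RE.match(path):
                return Finding("dir", path, "32-hex-character directory at drive root; inspect it")
            return None
        if f["size"] == 0 and ntpath.dirname(path).lower() == r"c:\windows":
            return Finding("file", path, "zero-byte file dropped directly under c:\\windows")
        return None
    s = parse_service_entry(line)
    if s is not None and s["missing"]:
        return Finding("driver", s["name"], "service registered but its image file is missing",
                       image_path=s["image_path"])
    return None

def triage_log(text):
    return [fd for fd in (triage_line(ln) for ln in text.strip().splitlines()) if fd]

def build_cfscript(findings):
    """Render findings in the CFScript section syntax used in the post above."""
    sections = {"Driver::": [], "File::": [], "DirLook::": []}
    for fd in findings:
        if fd.kind == "driver":
            sections["Driver::"].append(fd.target)
            if fd.image_path:
                sections["File::"].append(fd.image_path)
        elif fd.kind == "file":
            sections["File::"].append(fd.target)
        else:
            sections["DirLook::"].append(fd.target)
    out = ["KillALL::", ""]
    for header, items in sections.items():
        if items:
            out.extend([header, *items, ""])
    return "\n".join(out).rstrip()

if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    print("\n".join(f"[{fd.kind}] {fd.target}: {fd.reason}" for fd in hits), build_cfscript(hits), sep="\n\n")
```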

Hi negster22,

Thanks once again!! In the past couple of days, everything seems to be running fairly normally. I ran SuperAntivirus again and it found only one problem item in addition to the usual tracking cookies, called malware.trace, which I deleted. But in general, things seem to be running fairly ok.

I ran Combofix again as you instructed, and here is the log. I ran it originally in safe mode with networking, and then when it rebooted, I allowed it to come up in normal mode. Anyway, here is the latest ComboFix log. I see that it does mention WhiteSmoke in there, which probably means some traces of that thing perhaps still remain on my system:

ComboFix 10-12-01.01 - Administrator 12/03/2010 20:13:03.4.1 - x86 NETWORK

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.372 [GMT -5:00]

Running from: c:\documents and settings\Administrator.PANAMA\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Administrator.PANAMA\Desktop\CFScript.txt

FILE ::

"c:\windows\Jmoqanoj.bin"

"c:\windows\system32\PavSRK.sys"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Jmoqanoj.bin

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_PAVSRK.SYS

-------\Service_PavSRK.sys

((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))

.

2010-12-03 06:40 . 2010-12-03 06:40 -------- d-----w- c:\program files\IObit

2010-12-01 17:03 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-01 17:03 . 2010-12-01 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-01 17:03 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-01 07:57 . 2010-12-01 07:57 -------- d-----w- c:\windows\system32\wbem\Repository

2010-12-01 05:05 . 2010-12-01 05:05 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\PrivacIE

2010-12-01 05:04 . 2010-12-01 05:05 -------- d-----w- c:\documents and settings\Administrator.PANAMA\Local Settings\Application Data\Adobe

2010-12-01 04:53 . 2010-12-01 04:53 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE

2010-12-01 04:51 . 2010-12-01 04:51 -------- d-----w- c:\windows\system32\%APPDATA%

2010-12-01 04:28 . 2010-12-01 04:28 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\IETldCache

2010-12-01 03:05 . 2010-12-01 03:05 -------- d-----w- c:\documents and settings\LocalService\IETldCache

2010-12-01 02:38 . 2010-12-01 02:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-11-20 21:49 . 2010-11-20 21:49 -------- d-sh--w- c:\documents and settings\Bonnie\IECompatCache

2010-11-20 21:47 . 2010-11-20 21:47 -------- d-sh--w- c:\documents and settings\Bonnie\PrivacIE

2010-11-20 21:44 . 2010-11-20 21:44 -------- d-sh--w- c:\documents and settings\Bonnie\IETldCache

2010-11-20 20:15 . 2010-11-20 20:17 -------- dc-h--w- c:\windows\ie8

2010-11-20 20:11 . 2010-08-26 11:08 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-11-20 20:10 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-11-20 20:10 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-11-20 20:10 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-11-20 20:10 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-11-20 20:10 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-11-20 20:10 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-11-20 20:10 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-11-20 20:09 . 2010-11-20 20:09 -------- d-----w- C:\8f1bc57f4eae3148477baeb92d48e899

2010-11-20 18:19 . 2010-11-20 18:20 -------- d-----w- c:\program files\Starfield

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 16:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2001-08-18 12:00 974848 --sha-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:50 . 2010-05-18 05:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 06:29 . 2010-05-18 05:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-10 05:58 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2001-08-18 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2001-08-18 12:00 94784 --sh--w- c:\windows\twain.dll

2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

---- Directory of C:\8f1bc57f4eae3148477baeb92d48e899 ----

2009-03-08 19:22 . 2009-03-08 19:22 36864 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iedvtool.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 12288 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtml.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 1241088 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieframe.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 3584 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inseng.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 5120 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iernonce.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsdebuggeride.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 7168 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakeng.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 49152 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msrating.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iertutil.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 11264 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\vbscript.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsprofilercore.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 40960 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\webcheck.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 6144 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\winfxdocobj.exe.mui

2009-03-08 19:22 . 2009-03-08 19:22 3584 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieui.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshta.exe.mui

2009-03-08 19:22 . 2009-03-08 19:22 20480 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsdbgui.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 12288 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\hmmapi.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 77824 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iesetup.dll.mui

2009-03-08 19:22 . 2009-03-08 19:22 122880 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetcpl.cpl.mui

2009-03-08 19:22 . 2009-03-08 19:22 3584 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\admparse.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 53248 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\wininet.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 12288 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iexplore.exe.mui

2009-03-08 19:21 . 2009-03-08 19:21 20480 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\occache.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 57344 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtmler.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 4608 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iepeers.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 2771706 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetres.adm

2009-03-08 19:21 . 2009-03-08 19:21 40960 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\urlmon.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 13460 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetcorp.iem

2009-03-08 19:21 . 2009-03-08 19:21 40960 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieaksie.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 2560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeedsbs.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 4096 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\licmgr10.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 10240 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\advpack.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 4096 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ie4uinit.exe.mui

2009-03-08 19:21 . 2009-03-08 19:21 118784 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakui.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 13312 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jscript.dll.mui

2009-03-08 19:21 . 2009-03-08 19:21 37836 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetset.iem

2009-03-08 19:20 . 2009-03-08 19:20 8704 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\icardie.dll.mui

2009-03-08 19:20 . 2009-03-08 19:20 81920 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iedkcs32.dll.mui

2009-03-08 19:20 . 2009-03-08 19:20 16384 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsprofilerui.dll.mui

2009-03-08 19:20 . 2009-03-08 19:20 10752 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\html.iec.mui

2009-03-08 19:09 . 2009-03-08 19:09 391536 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iedkcs32.dll

2009-03-08 19:09 . 2009-03-08 19:09 638816 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iexplore.exe

2009-03-08 09:41 . 2009-03-08 09:41 5937152 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtml.dll

2009-03-08 09:39 . 2009-03-08 09:39 11063808 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieframe.dll

2009-03-08 09:35 . 2009-03-08 09:35 742912 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iedvtool.dll

2009-03-08 09:35 . 2009-03-08 09:35 233984 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsprofilerui.dll

2009-03-08 09:35 . 2009-03-08 09:35 385024 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\html.iec

2009-03-08 09:35 . 2009-03-08 09:35 144384 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\extexport.exe

2009-03-08 09:35 . 2009-03-08 09:35 2048 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iecompat.dll

2009-03-08 09:35 . 2009-03-08 09:35 118272 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsprofilercore.dll

2009-03-08 09:35 . 2009-03-08 09:35 521216 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsdbgui.dll

2009-03-08 09:35 . 2009-03-08 09:35 121344 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsdebuggeride.dll

2009-03-08 09:34 . 2009-03-08 09:34 914944 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\wininet.dll

2009-03-08 09:34 . 2009-03-08 09:34 1206784 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\urlmon.dll

2009-03-08 09:34 . 2009-03-08 09:34 1469440 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inetcpl.cpl

2009-03-08 09:34 . 2009-03-08 09:34 236544 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\webcheck.dll

2009-03-08 09:34 . 2009-03-08 09:34 208384 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\winfxdocobj.exe

2009-03-08 09:34 . 2009-03-08 09:34 43008 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\licmgr10.dll

2009-03-08 09:34 . 2009-03-08 09:34 105984 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\url.dll

2009-03-08 09:34 . 2009-03-08 09:34 193536 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msrating.dll

2009-03-08 09:34 . 2009-03-08 09:34 109568 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\occache.dll

2009-03-08 09:33 . 2009-03-08 09:33 246784 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieproxy.dll

2009-03-08 09:33 . 2009-03-08 09:33 759296 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\vgx.dll

2009-03-08 09:33 . 2009-03-08 09:33 18944 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\corpol.dll

2009-03-08 09:33 . 2009-03-08 09:33 25600 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jsproxy.dll

2009-03-08 09:33 . 2009-03-08 09:33 12288 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\xpshims.dll

2009-03-08 09:33 . 2009-03-08 09:33 726528 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\jscript.dll

2009-03-08 09:33 . 2009-03-08 09:33 229376 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieaksie.dll

2009-03-08 09:33 . 2009-03-08 09:33 420352 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\vbscript.dll

2009-03-08 09:33 . 2009-03-08 09:33 125952 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakeng.dll

2009-03-08 09:32 . 2009-03-08 09:32 72704 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\admparse.dll

2009-03-08 09:32 . 2009-03-08 09:32 173056 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ie4uinit.exe

2009-03-08 09:32 . 2009-03-08 09:32 163840 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakui.dll

2009-03-08 09:32 . 2009-03-08 09:32 36864 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieudinit.exe

2009-03-08 09:32 . 2009-03-08 09:32 55808 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iernonce.dll

2009-03-08 09:32 . 2009-03-08 09:32 71680 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iesetup.dll

2009-03-08 09:32 . 2009-03-08 09:32 3072 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieudinit.exe.mui

2009-03-08 09:32 . 2009-03-08 09:32 128512 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\advpack.dll

2009-03-08 09:32 . 2009-03-08 09:32 94720 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\inseng.dll

2009-03-08 09:32 . 2009-03-08 09:32 594432 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeeds.dll

2009-03-08 09:32 . 2009-03-08 09:32 1985024 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iertutil.dll

2009-03-08 09:32 . 2009-03-08 09:32 611840 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mstime.dll

2009-03-08 09:31 . 2009-03-08 09:31 183808 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iepeers.dll

2009-03-08 09:31 . 2009-03-08 09:31 13312 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeedssync.exe

2009-03-08 09:31 . 2009-03-08 09:31 59904 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\icardie.dll

2009-03-08 09:31 . 2009-03-08 09:31 55296 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeedsbs.dll

2009-03-08 09:31 . 2009-03-08 09:31 348160 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\dxtmsft.dll

2009-03-08 09:31 . 2009-03-08 09:31 216064 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\dxtrans.dll

2009-03-08 09:31 . 2009-03-08 09:31 34816 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\imgutil.dll

2009-03-08 09:31 . 2009-03-08 09:31 46592 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\pngfilt.dll

2009-03-08 09:31 . 2009-03-08 09:31 66560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtmled.dll

2009-03-08 09:31 . 2009-03-08 09:31 48128 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtmler.dll

2009-03-08 09:31 . 2009-03-08 09:31 45568 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshta.exe

2009-03-08 09:31 . 2009-03-08 09:31 1638912 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\mshtml.tlb

2009-03-08 09:30 . 2009-03-08 09:30 66560 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\tdc.ocx

2009-03-08 09:24 . 2009-03-08 09:24 68608 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\hmmapi.dll

2009-03-08 09:22 . 2009-03-08 09:22 164352 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieui.dll

2009-03-08 09:22 . 2009-03-08 09:22 156160 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msls31.dll

2009-03-08 09:15 . 2009-03-08 09:15 57667 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieuinit.inf

2009-03-08 09:11 . 2009-03-08 09:11 445952 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieapfltr.dll

2009-03-08 08:45 . 2009-03-08 08:45 460 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\install.ins

2009-02-21 06:21 . 2009-02-21 06:21 529818 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iexplore.chm

2009-02-07 02:07 . 2009-02-07 02:07 3698584 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieapfltr.dat

2009-01-12 02:05 . 2009-01-12 02:05 2649 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ie8props.propdesc

2009-01-12 02:05 . 2009-01-12 02:05 12593 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieeula.chm

2009-01-12 02:05 . 2009-01-12 02:05 13874 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\iesupp.chm

2009-01-07 23:21 . 2009-01-07 23:21 1876 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeeds.mof

2009-01-07 23:21 . 2009-01-07 23:21 1938 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msfeedsbs.mof

2009-01-07 23:21 . 2009-01-07 23:21 26144 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\spupdsvc.exe

2009-01-07 23:20 . 2009-01-07 23:20 16928 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\spmsg.dll

2009-01-07 23:20 . 2009-01-07 23:20 231456 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\spuninst.exe

2009-01-07 23:20 . 2009-01-07 23:20 134144 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\sqmapi.dll

2009-01-07 23:20 . 2009-01-07 23:20 1022976 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\browseui.dll

2009-01-07 23:20 . 2009-01-07 23:20 1497088 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\shdocvw.dll

2009-01-07 23:20 . 2009-01-07 23:20 474112 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\shlwapi.dll

2009-01-07 23:20 . 2009-01-07 23:20 19884 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\feeddisc.wav

2009-01-07 23:20 . 2009-01-07 23:20 23308 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\infobar.wav

2009-01-07 23:20 . 2009-01-07 23:20 11340 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\navstart.wav

2009-01-07 23:20 . 2009-01-07 23:20 85548 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\popupblk.wav

2009-01-07 23:20 . 2009-01-07 23:20 8798 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\icrav03.rat

2009-01-07 23:20 . 2009-01-07 23:20 65 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\occache.ini

2009-01-07 23:20 . 2009-01-07 23:20 1988 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ticrf.rat

2009-01-07 23:20 . 2009-01-07 23:20 65 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\webcheck.ini

2009-01-07 23:20 . 2009-01-07 23:20 54279 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\ieakmmc.chm

2009-01-07 23:20 . 2009-01-07 23:20 265720 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\msdbg2.dll

2009-01-07 23:20 . 2009-01-07 23:20 355832 ----a-w- c:\8f1bc57f4eae3148477baeb92d48e899\pdm.dll

---- Directory of C:\abl ----

---- Directory of c:\windows\system32\%APPDATA% ----

2010-12-01 04:51 . 2010-12-01 04:52 86 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log

2010-12-01 04:51 . 2010-07-07 09:44 234304 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx

2010-12-01 04:51 . 2010-07-07 09:45 31743 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr

2010-12-01 04:51 . 2010-06-14 15:32 152 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt

2010-12-01 04:51 . 2010-07-07 09:45 473 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin

2010-12-01 04:51 . 2010-07-07 09:45 3525401 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab

2010-12-01 04:51 . 2010-07-07 09:45 567840 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2010-02-01 42392]

"Starfield Updater"="c:\program files\Starfield\StarfieldUpdate.exe" [2010-11-20 32960]

"wben"="c:\program files\Starfield\wben.exe" [2010-11-08 1074384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]

"nwiz"="nwiz.exe" [2003-07-28 323584]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-03-29 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"WD Button Manager"="WDBtnMgr.exe" [2009-11-24 335872]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-4-28 25214]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Media Player Classic\\mplayerc.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [5/15/2006 9:51 AM 15172]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 1:50 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 67656]

R2 File Backup;File Backup Service;c:\program files\Starfield\offSyncService.exe [7/16/2010 1:47 PM 1310960]

R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/27/2004 11:01 PM 142336]

R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/27/2004 11:01 PM 524288]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/25/2004 10:02 AM 2944]

S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/25/2004 10:02 AM 3168]

S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/25/2004 10:02 AM 39552]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/25/2004 10:02 AM 60416]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 12872]

.

Contents of the 'Scheduled Tasks' folder

2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: news-antique.com\www

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-03 20:27

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55,

c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55,

c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3832)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\iPod Access for Windows\iPAHelper.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Dantz\Retrospect\retrorun.exe

c:\progra~1\Dantz\RETROS~1\wdsvc.exe

c:\windows\system32\WDBtnMgr.exe

c:\program files\Brother\ControlCenter3\brccMCtl.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Brother\Brmfcmon\BrMfcmon.exe

.

**************************************************************************

.

Completion time: 2010-12-03 20:35:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-04 01:35

ComboFix2.txt 2008-12-24 15:39

Pre-Run: 11,454,832,640 bytes free

Post-Run: 10,870,611,968 bytes free

- - End Of File - - 8B37A9629B17C20E90B9084353700916


You're welcome and I'm glad to hear your PC is running well again!!!

I can now see where Whitesmoke hid all of its installation components in the Combofix log.

We have to run Combofix again with a new CFScript to both delete and submit those Whitesmoke files for analysis- but please launch Combofix in NORMAL MODE (not safe mode)!!!

1. Open Notepad, and on the Notepad menu, choose "Format" and make sure that Word Wrap is UNchecked (disabled).

2. Copy/Paste the text in the code box below and save it to your desktop as CFScript.txt

3. Disable all anti-malware and antivirus active protection by referring to these directions HERE

4. Close all open windows and browsers.

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will cause ComboFix to run again.

If ComboFix prompts you to update to a newer version, make sure you allow it to update.

ComboFix should prompt you to upload files during the fix; when it does, please give it your permission to do so!!

Please post back the log (C:\Combofix.txt) that opens when it finishes.


KillAll::

Folder::
C:\abl

Collect::[4]
c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log
c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx
c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr
c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt
c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin
c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab
c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab

Have you scanned those 8 files at Virustotal yet?

I still need to see your Anti-rootkit (ARK) Full scan log - ARK.txt

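The indicators negster22 acts on in the reply above are all plain lines in the ComboFix log: the WhiteSmoke installer files under a directory literally named %APPDATA% inside system32 (an unexpanded variable written as a real directory name), an IE ProxyServer of http=127.0.0.1:5577 sitting next to ProxyOverride = <local>, and two Trusted Zone entries. The Python below is an added example, not part of the original thread and not ComboFix's own code: it runs those three checks over a constructed sample of lines copied from the log and drafts a CFScript in the shape the reply uses (KillAll:: followed by Collect::[4]). The rule names, the function names and the reading of the Collect::[4] directive are the editor's assumptions; the draft is meant to be reviewed by hand, not dragged onto ComboFix.exe unread.

```python
"""Triage a ComboFix log for the indicators seen in this thread and draft a CFScript.

Added example by the editor; not part of the original posts and not ComboFix's own
code. The sample lines are copied from the log above (constructed input); the
indicator rules and function names are the editor's assumptions.
"""
import re
from typing import List, Tuple

# Constructed sample: a handful of lines taken from the ComboFix log above.
SAMPLE_LOG = [
    r"---- Directory of C:\abl ----",
    r"---- Directory of c:\windows\system32\%APPDATA% ----",
    r"2010-12-01 04:51 . 2010-12-01 04:52 86 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log",
    r"2010-12-01 04:51 . 2010-07-07 09:45 3525401 ----a-w- c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab",
    r"uStart Page = hxxp://www.google.com/",
    r"uInternet Settings,ProxyOverride = <local>",
    r"uInternet Settings,ProxyServer = http=127.0.0.1:5577",
    r"Trusted Zone: news-antique.com\www",
    r"Trusted Zone: turbotax.com",
]

# ComboFix file line: "<created> . <modified> <size> <attrs> <path>"
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+|-+)\s+(\S{8})\s+(.+?)\s*$"
)
DIR_LINE = re.compile(r"^---- Directory of (.+?) ----$")
# An unexpanded environment-variable name used as a literal directory name,
# e.g. ...\system32\%APPDATA%\... . Such a directory appears when a program
# writes a path without expanding the variable (editor's reading of the log).
LITERAL_ENVVAR = re.compile(r"\\%[A-Za-z_][A-Za-z0-9_]*%(?:\\|$)")
# IE proxy pointed back at the local machine: a traffic-interception pattern.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer\s*=\s*(?:[a-z]+=)?(127\.\d+\.\d+\.\d+|localhost):(\d+)", re.I
)
# Sites in IE's Trusted zone run with relaxed security; each one deserves a look.
TRUSTED_ZONE = re.compile(r"^Trusted Zone:\s*(\S+)")

Finding = Tuple[str, str]  # (rule name, detail)


def triage(lines: List[str]) -> List[Finding]:
    """Return (rule, detail) for every line that trips one of the indicator rules."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        m = DIR_LINE.match(line)
        if m:
            if LITERAL_ENVVAR.search(m.group(1)):
                findings.append(("literal_envvar_dir", m.group(1)))
            continue
        m = FILE_LINE.match(line)
        if m:
            if LITERAL_ENVVAR.search(m.group(5)):
                findings.append(("literal_envvar_file", m.group(5)))
            continue
        m = LOOPBACK_PROXY.search(line)
        if m:
            findings.append(("loopback_proxy", f"{m.group(1)}:{m.group(2)}"))
            continue
        m = TRUSTED_ZONE.match(line)
        if m:
            findings.append(("trusted_zone", m.group(1)))
    return findings


def draft_cfscript(findings: List[Finding]) -> str:
    """Draft a CFScript in the shape negster22 used: KillAll:: then Collect::[4]
    listing the flagged files to zip up and submit. The directive names are copied
    from the thread, not from ComboFix documentation; review before use."""
    files = [detail for rule, detail in findings if rule == "literal_envvar_file"]
    out = ["KillAll::", ""]
    if files:
        out += ["Collect::[4]", *files, ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for rule, detail in found:
        print(f"{rule:20} {detail}")
    print()
    print(draft_cfscript(found))
```

Feed it a real log with `triage(open("ComboFix.txt", encoding="cp1252", errors="replace").read().splitlines())`; the ProxyServer and Trusted Zone rules are the ones worth keeping on every ComboFix log you read, while the literal-%APPDATA% rule is specific to how this installer hid its files.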

OK, negster22,

I did all you instructed, and the resulting ComboFix log is below. I did scan all 8 of those files through Virustotal, and none of them resulted in any virus flags appearing. The ark.txt file I got originally was included in the Attach.zip file of my original post, but I pasted it here again following the ComboFix log. If you want me to generate another one now, please let me know. Thanks again!

ComboFix 10-12-03.01 - Bonnie 12/03/2010 22:20:37.5.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.187 [GMT -5:00]

Running from: c:\documents and settings\Bonnie\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Bonnie\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt

file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab

file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr

file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab

file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin

file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx

file zipped: c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\abl

c:\windows\system32\%APPDATA%\WhiteSmokeSetup\config.txt

c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.cab

c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data1.hdr

c:\windows\system32\%APPDATA%\WhiteSmokeSetup\data2.cab

c:\windows\system32\%APPDATA%\WhiteSmokeSetup\layout.bin

c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.inx

c:\windows\system32\%APPDATA%\WhiteSmokeSetup\setup.log

.

((((((((((((((((((((((((( Files Created from 2010-11-04 to 2010-12-04 )))))))))))))))))))))))))))))))

.

2010-12-04 02:23 . 2010-09-07 15:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-12-04 02:23 . 2010-09-07 15:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-12-04 02:23 . 2010-09-07 15:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-12-04 02:23 . 2010-09-07 15:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-12-04 02:23 . 2010-09-07 15:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-12-04 02:23 . 2010-09-07 15:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-12-04 02:23 . 2010-09-07 15:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-12-04 02:23 . 2010-09-07 16:12 38848 ----a-w- c:\windows\avastSS.scr

2010-12-04 02:23 . 2010-09-07 16:11 167592 ----a-w- c:\windows\system32\aswBoot.exe

2010-12-03 06:40 . 2010-12-03 06:40 -------- d-----w- c:\program files\IObit

2010-12-03 06:40 . 2010-12-03 06:40 -------- d-----w- c:\documents and settings\Bonnie\Application Data\IObit

2010-12-01 17:03 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-12-01 17:03 . 2010-12-01 17:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-12-01 17:03 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-12-01 07:57 . 2010-12-01 07:57 -------- d-----w- c:\windows\system32\wbem\Repository

2010-12-01 05:05 . 2010-12-01 05:05 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\PrivacIE

2010-12-01 05:04 . 2010-12-01 05:05 -------- d-----w- c:\documents and settings\Administrator.PANAMA\Local Settings\Application Data\Adobe

2010-12-01 04:53 . 2010-12-01 07:56 -------- d-----w- c:\documents and settings\Bonnie\Local Settings\Application Data\{F0187684-22BB-4EB6-BC86-A62A71B058FB}

2010-12-01 04:53 . 2010-12-01 04:53 -------- d-----w- c:\documents and settings\NetworkService\PrivacIE

2010-12-01 04:51 . 2010-12-01 04:51 -------- d-----w- c:\windows\system32\%APPDATA%

2010-12-01 04:28 . 2010-12-01 04:28 -------- d-sh--w- c:\documents and settings\Administrator.PANAMA\IETldCache

2010-12-01 03:05 . 2010-12-01 03:05 -------- d-----w- c:\documents and settings\LocalService\IETldCache

2010-12-01 02:38 . 2010-12-01 02:38 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-11-20 21:49 . 2010-11-20 21:49 -------- d-sh--w- c:\documents and settings\Bonnie\IECompatCache

2010-11-20 21:47 . 2010-11-20 21:47 -------- d-sh--w- c:\documents and settings\Bonnie\PrivacIE

2010-11-20 21:44 . 2010-11-20 21:44 -------- d-sh--w- c:\documents and settings\Bonnie\IETldCache

2010-11-20 20:15 . 2010-11-20 20:17 -------- dc-h--w- c:\windows\ie8

2010-11-20 20:11 . 2010-08-26 11:08 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-11-20 20:10 . 2010-09-10 05:58 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-11-20 20:10 . 2010-09-10 05:58 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-11-20 20:10 . 2010-09-10 05:58 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2010-11-20 20:10 . 2010-09-10 05:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-11-20 20:10 . 2010-09-10 05:58 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-11-20 20:10 . 2010-09-10 05:58 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-11-20 20:10 . 2010-09-10 05:58 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-11-20 20:09 . 2010-11-20 20:09 -------- d-----w- C:\8f1bc57f4eae3148477baeb92d48e899

2010-11-20 18:23 . 2010-11-20 18:23 -------- d-----w- c:\documents and settings\Bonnie\Local Settings\Application Data\offsync

2010-11-20 18:19 . 2010-11-20 18:20 -------- d-----w- c:\program files\Starfield

2010-11-20 18:19 . 2010-11-20 18:19 -------- d-----w- c:\documents and settings\Bonnie\Local Settings\Application Data\Starfield

2010-11-20 06:26 . 2010-11-20 06:26 -------- d-----w- c:\documents and settings\Bonnie\Application Data\ScanSoft

2010-11-19 16:38 . 2010-11-19 16:38 -------- d-----w- c:\documents and settings\Bonnie\Local Settings\Application Data\MagicSoftware

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-18 16:23 . 2001-08-18 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll

2010-09-18 06:53 . 2001-08-18 12:00 974848 --sha-w- c:\windows\system32\mfc42.dll

2010-09-18 06:53 . 2001-08-18 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll

2010-09-18 06:53 . 2001-08-18 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll

2010-09-15 08:50 . 2010-05-18 05:25 472808 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-15 06:29 . 2010-05-18 05:25 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-09-10 05:58 . 2001-08-18 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-09-10 05:58 . 2001-08-18 12:00 43520 ------w- c:\windows\system32\licmgr10.dll

2010-09-10 05:58 . 2001-08-18 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl

2001-08-18 12:00 94784 --sh--w- c:\windows\twain.dll

2008-04-14 00:12 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 00:12 57344 --sh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12 551936 --sh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PxDotNetLoader"="c:\program files\Fidelity Investments\Fidelity Active Trader\System\ATPStartupAssistant.exe" [2010-02-01 42392]

"Starfield Updater"="c:\program files\Starfield\StarfieldUpdate.exe" [2010-11-20 32960]

"wben"="c:\program files\Starfield\wben.exe" [2010-11-08 1074384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-07-28 4841472]

"nwiz"="nwiz.exe" [2003-07-28 323584]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]

"WorksFUD"="c:\program files\Microsoft Works\wkfud.exe" [2001-10-06 24576]

"Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2001-08-23 331830]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2001-08-17 28738]

"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-12-22 67752]

"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2008-03-29 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]

"WD Button Manager"="WDBtnMgr.exe" [2009-11-24 335872]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]

"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-10-11 29984]

"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-10-11 46368]

"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]

"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-02-10 745472]

"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2007-10-30 77824]

"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Bonnie\Start Menu\Programs\Startup\

Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2005-4-28 25214]

Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Media Player Classic\\mplayerc.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [5/15/2006 9:51 AM 15172]

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/3/2010 9:23 PM 165584]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 1:50 PM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 1:50 PM 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/3/2010 9:23 PM 17744]

R2 File Backup;File Backup Service;c:\program files\Starfield\offSyncService.exe [7/16/2010 1:47 PM 1310960]

R3 tbcspud;Santa Cruz Driver;c:\windows\system32\drivers\tbcspud.sys [12/27/2004 11:01 PM 142336]

R3 tbcwdm;Santa Cruz WDM Driver;c:\windows\system32\drivers\tbcwdm.sys [12/27/2004 11:01 PM 524288]

S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [12/25/2004 10:02 AM 2944]

S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\drivers\BrParImg.sys [12/25/2004 10:02 AM 3168]

S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [12/25/2004 10:02 AM 39552]

S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [12/25/2004 10:02 AM 60416]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 1:50 PM 12872]

.

Contents of the 'Scheduled Tasks' folder

2010-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: news-antique.com\www

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-12-03 22:43

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]

"Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55,

c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

@Denied: (A 2) (Everyone)

@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

@DACL=(02 0000)

"Installed"="1"

"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

@DACL=(02 0000)

"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]

"Version"=hex:b0,e6,01,12,c3,e7,26,8a,6e,3c,bd,57,64,39,50,7a,31,e4,26,5f,55,

c9,a9,d5,6a,23,84,f3,9c,c9,27,25,bd,57,b1,e4,02,a7,0a,39,27,73,e9,c6,54,88,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3864)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\program files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

c:\windows\system32\WDBtnMgr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\iPod Access for Windows\iPAHelper.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Brother\ControlCenter3\brccMCtl.exe

c:\windows\system32\nvsvc32.exe

c:\program files\Brother\Brmfcmon\BrMfcmon.exe

c:\program files\Dantz\Retrospect\retrorun.exe

c:\progra~1\Dantz\RETROS~1\wdsvc.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2010-12-03 22:58:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-12-04 03:58

ComboFix2.txt 2010-12-04 01:35

ComboFix3.txt 2008-12-24 15:39

Pre-Run: 9,651,920,896 bytes free

Post-Run: 9,891,487,744 bytes free

- - End Of File - - 54D08A5AA538171B1AD0907B453670DB

GMER 1.0.15.15530 - http://www.gmer.net

Rootkit scan 2010-12-01 18:07:34

Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 MAXTOR_6L080J4 rev.A93.0500

Running: ztufz8jc.exe; Driver: C:\DOCUME~1\ADMINI~1.PAN\LOCALS~1\Temp\awtdapow.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\PzWDM.sys entry point in "init" section [0xF89CE30E]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[804] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CC000A

.text C:\WINDOWS\System32\svchost.exe[804] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CD000A

.text C:\WINDOWS\System32\svchost.exe[804] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CB000C

.text C:\WINDOWS\System32\svchost.exe[804] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00FA000A

.text C:\WINDOWS\Explorer.EXE[1316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE000A

.text C:\WINDOWS\Explorer.EXE[1316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00CF000A

.text C:\WINDOWS\Explorer.EXE[1316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CD000C

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 82F1F3B2

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82F1F3B2

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 82F1F3B2

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 82F1F3B2

Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMAXTOR_6L080J4__________________________A93.0500#3636323431313133303535322020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InprocHandler32@ ole32.dll

Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\LocalServer32@ C:\PROGRA~1\MICROS~2\OFFICE11\WINWORD.EXE /Automation

Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\LocalServer32@LocalServer32 ']gAVn-}f(ZXfeAR6.jiWORDFiles>P`os,1@SW=P7v6GPl]Xh /Automation?

Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\ProgID@ Word.Application.11

Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\VersionIndependentProgID@ Word.Application

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version

Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xB0 0xE6 0x01 0x12 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sectors 156355328 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


I need you to run TDSSKiller again and please post back that log:

http://support.kaspersky.com/viruses/solutions?qid=208280684

Then run mbr.exe as follows:

Open a command prompt (click Start -> Run, type cmd, and hit Enter)

Copy / Paste the following command at the command prompt, and hit Enter

mbr.exe -t -s > "%userprofile%\desktop\mbr.log"

The mbr results will be written to a log file on your desktop after a couple minutes.

Open the log it created by double-clicking mbr.log, and copy/paste the contents of mbr.log into your next reply.

I will be away until Wednesday, so if I don't reply to you later, I'll reply on Wednesday once I see the above two logs.


ok, negster22, I have done as you instructed and have included the two logs below. TDSS Killer found no threats (infection not found). The TDSS Killer log appears below, followed by the mbr log file.

However, I have noticed my system running more slowly. When I unzip or unrar a file, it takes a lot longer than usual, and I also noticed that copying backup files onto DVD takes longer because the write speed doesn't seem to want to go much more quickly than 2x or 3x. Not sure what got changed, but I did run the latest free version of Advanced System Care 3, and the changes it made (defrag, registry cleanup, etc.) didn't seem to make much difference.

2010/12/04 18:50:14.0187 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01

2010/12/04 18:50:14.0187 ================================================================================

2010/12/04 18:50:14.0187 SystemInfo:

2010/12/04 18:50:14.0187

2010/12/04 18:50:14.0187 OS Version: 5.1.2600 ServicePack: 3.0

2010/12/04 18:50:14.0187 Product type: Workstation

2010/12/04 18:50:14.0187 ComputerName: PANAMA

2010/12/04 18:50:14.0187 UserName: Bonnie

2010/12/04 18:50:14.0187 Windows directory: C:\WINDOWS

2010/12/04 18:50:14.0187 System windows directory: C:\WINDOWS

2010/12/04 18:50:14.0187 Processor architecture: Intel x86

2010/12/04 18:50:14.0187 Number of processors: 1

2010/12/04 18:50:14.0187 Page size: 0x1000

2010/12/04 18:50:14.0187 Boot type: Normal boot

2010/12/04 18:50:14.0187 ================================================================================

2010/12/04 18:50:14.0656 Initialize success

2010/12/04 18:50:37.0093 ================================================================================

2010/12/04 18:50:37.0093 Scan started

2010/12/04 18:50:37.0093 Mode: Manual;

2010/12/04 18:50:37.0093 ================================================================================

2010/12/04 18:50:39.0109 Aavmker4 (8d488938e2f7048906f1fbd3af394887) C:\WINDOWS\system32\drivers\Aavmker4.sys

2010/12/04 18:50:40.0000 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/12/04 18:50:40.0406 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/12/04 18:50:41.0000 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/12/04 18:50:41.0421 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/12/04 18:50:41.0750 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/12/04 18:50:44.0484 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\aspi32.sys

2010/12/04 18:50:44.0781 aswFsBlk (a0d86b8ac93ef95620420c7a24ac5344) C:\WINDOWS\system32\drivers\aswFsBlk.sys

2010/12/04 18:50:45.0093 aswMon2 (7d880c76a285a41284d862e2d798ec0d) C:\WINDOWS\system32\drivers\aswMon2.sys

2010/12/04 18:50:45.0453 aswRdr (69823954bbd461a73d69774928c9737e) C:\WINDOWS\system32\drivers\aswRdr.sys

2010/12/04 18:50:45.0781 aswSP (7ecc2776638b04553f9a85bd684c3abf) C:\WINDOWS\system32\drivers\aswSP.sys

2010/12/04 18:50:46.0125 aswTdi (095ed820a926aa8189180b305e1bcfc9) C:\WINDOWS\system32\drivers\aswTdi.sys

2010/12/04 18:50:46.0468 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/12/04 18:50:46.0796 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/12/04 18:50:47.0421 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/12/04 18:50:47.0765 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/12/04 18:50:48.0093 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/12/04 18:51:48.0828 ================================================================================

2010/12/04 18:51:48.0828 Scan finished

2010/12/04 18:51:48.0843 ================================================================================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: MAXTOR_6L080J4 rev.A93.0500 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully

user: MBR read successfully

Disk trace:

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys

1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x82FA1AB8]

3 CLASSPNP[0xF85F6FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000057[0x82F78F18]

5 ACPI[0xF856D620] -> nt!IofCallDriver[0x804E37D5] -> \Device\Ide\IdeDeviceP0T0L0-3[0x82F66940]

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

user & kernel MBR OK


OK, that's good. But since there are discrepancies between what the ARK is finding:

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

Disk \Device\Harddisk0\DR0 sectors 156355328 (+255): rootkit-like behavior;

---- EOF - GMER 1.0.15 ----

and what TDSSKiller and mbr.exe are reporting (no rootkit activity), I need you to run a full ARK scan again and post back the scan report. Make sure you:

1. Reboot prior to performing the scan

2. Save the scan results to another file this time like ARK2.txt.


GMER will not run (i.e., it hangs) in both safe mode and in normal mode. In safe mode, the place where it hangs is C:\WINDOWS\system32\drivers\intelide.sys

In normal mode, I think it was at HTTP.sys


Please also download MBRCheck to your desktop

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

  • Double click MBRCheck.exe to run (Vista and Win 7 users should right-click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread


Hi negster22,

Welcome back! The MBRCheck log file is below.

As I mentioned before, for some reason, various things are now running more slowly on my system. For example, WinRAR seems a lot slower in extracting or compacting files, and when using ImgBurn to back up files onto disk, my burner won't write any faster than about 2x, when it normally can write much faster than that. So I'd appreciate any guidance you might have on how to restore the speed of the system to what it was before the virus hit.

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000001d

Kernel Drivers (total 131):

Processes (total 44):

0 System Idle Process

4 System

492 C:\WINDOWS\system32\smss.exe

572 csrss.exe

596 C:\WINDOWS\system32\winlogon.exe

640 C:\WINDOWS\system32\services.exe

652 C:\WINDOWS\system32\lsass.exe

804 C:\WINDOWS\system32\svchost.exe

848 svchost.exe

916 C:\WINDOWS\system32\svchost.exe

980 svchost.exe

1056 svchost.exe

1208 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

1308 C:\WINDOWS\explorer.exe

1420 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

1428 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

1436 C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

1448 C:\Program Files\iTunes\iTunesHelper.exe

1456 C:\WINDOWS\system32\WDBtnMgr.exe

1476 C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe

1560 C:\Program Files\Alwil Software\Avast5\AvastUI.exe

1604 C:\Program Files\Common Files\Java\Java Update\jusched.exe

1648 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

1700 C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe

1716 C:\Program Files\Starfield\starfieldupdate.exe

1728 C:\Program Files\Starfield\wben.exe

1744 C:\WINDOWS\system32\ctfmon.exe

1812 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe

440 C:\WINDOWS\system32\spoolsv.exe

1896 svchost.exe

1808 C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

544 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

656 C:\Program Files\Starfield\offSyncService.exe

892 C:\Program Files\iPod Access for Windows\iPAHelper.exe

904 C:\Program Files\Java\jre6\bin\jqs.exe

1008 C:\WINDOWS\system32\nvsvc32.exe

1096 C:\Program Files\Dantz\Retrospect\retrorun.exe

1400 C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

1496 C:\WINDOWS\system32\svchost.exe

2180 C:\Program Files\iPod\bin\iPodService.exe

2540 alg.exe

2784 C:\Program Files\Internet Explorer\iexplore.exe

3964 C:\Program Files\Internet Explorer\iexplore.exe

3496 C:\Documents and Settings\Bonnie\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: MAXTOR6L080J4, Rev: A93.0500

Size Device Name MBR Status

--------------------------------------------

74 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

Done!


Thanks, sp60!!!

When I look at the processes running on your system I can see there is a lot of unnecessary activity.

For example, jqs.exe is Java Quick Starter and that is NOT essential:

To disable it:

1. Click Start.

2. Click Control Panel.

3. Double click on the Java Control Panel (Coffee cup icon).

4. Click the Advanced tab

5. Click the + sign next to "Miscellaneous" and Expand that entry.

6. Uncheck the check box for Java Quick Starter.

7. Click Ok and reboot your PC.

You can reduce your startups by downloading Malwarebyte's StartUp Lite and saving it to a convenient location.

Just double-click StartUpLite.exe. Then check the options you would like based on the descriptions provided, then select Continue.

This will free up system resources because nonessential background programs will no longer be running when you start up your computer.

As far as ImgBurn goes, perhaps there is a setting that is restricting burn speed. I would uninstall ImgBurn and reinstall it, but before reinstalling, if any ImgBurn files exist in the Application data folder, remove them first:

C:\Documents and Settings\<user>\Application Data\ImgBurn\ for all users

Do the same for WinRar:

Uninstall, delete all WinRAR references under Application Data, and then reinstall that program:

C:\Documents and Settings\<user>\Application Data\WinRar\ for all users

I don't know if you ever tried 7-Zip but I use that for unzipping and compacting and it is very efficient:

http://www.7-zip.org/

You can see what results you get with that vs. WinRar

You can read the suggestions in this topic to improve browser speed:

http://www.bleepingcomputer.com/forums/topic87058.html

In general if things are slow I recommend:

1. Removing unused programs using the Control Panel

2. Disabling unnecessary start-ups (use Start-up Lite) and setting services that are needed on a demand basis only to manual startup.

For help with customizing Services, follow the "Safe" column suggestions in Black Viper's "Windows XP x86 (32-bit) Service Pack Service Configuration":

http://www.blackviper.com/WinXP/servicecfg.htm

3. Clean temp files, browser cache, etc - using the Windows Disk Cleanup Utility or TFC.

To access the Windows Disk Cleanup Utility

Click Start -> Run. In the Open box, type cleanmgr, and then click OK.

http://support.microsoft.com/kb/310312

To use TFC (Temporary File Cleaner):

Download TFC to your desktop

http://oldtimer.geekstogo.com/TFC.exe

  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean

4. Do a Defrag and Automatically detect and fix common maintenance problems:

http://support.microsoft.com/kb/314848

5. Use a Process Viewer like Process Explorer to monitor CPU usage and zero in on any CPU Hogs:

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx


I also was bitten by whitesmoke. I would like to follow your instructions, but combofix is apparently not for use with windows 7 x64. Should I use it anyway or is there another tool?


Did you download a fresh copy and try to run it? I believe it now supports W7 X64. But you should start a new topic to get help, because the author of Combofix does not want Combofix used without guidance.

Another "tool" that works on W7 64 bit is OTL:

http://www.geekstogo.com/forum/topic/27739...ldtimer-listit/

When you create a new topic, you can post the log from OTL for reference.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
