TechSpot

Fake antivirus program (AV Guard Online) attacking Windows XP

Inactive
By matteoporcedda
Oct 5, 2011
  1. Hey, so I have a Windows XP desktop.

    This fake antivirus called AV Guard Online popped up on my computer today. I was looking at a website, did not download anything, and this program became installed on my computer.

    I looked at where the desktop icon directed to, which was C:\WINDOWS\system32\cKK88gRRZ9YX.exe. I deleted this file and the fake program has not popped up.

    I have McAfee Security Center installed on my computer, however as soon as this fake antivirus program popped up, it turned off real time scanning. Every time I turn it on, it turns back off a few seconds later. Any time I try to do a full scan it says "An unexpected problem occurred with your scan."

    I tried installing Malwarebytes' Anti-Malware but it wanted me to restart. I didn't want to restart the computer because I am afraid it will get more messed up.

    Instead, I tried to scan right away. It began to work, then it unexpectedly shut. Now, when I try to open it, it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

    I would greatly appreciate any help. I have not backed up this computer, and there's lots of personal stuff (family pics, etc.) that would really suck to lose. Thank you in advance.
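The DDS log pasted later in this thread contains exactly the kind of entries a helper looks at first: the AV line reporting itself disabled, an autorun entry pointing at the random-named file this post found in system32, a process running from an NTFS alternate data stream, and freshly created AppData folders with random names. As an added example that is not part of the thread or of any tool it mentions, the following Python script runs a few defensive triage heuristics over a constructed subset of those log lines; the name heuristic and its thresholds are assumptions of this example, not anything the thread states.

```python
"""Triage heuristics for a DDS log such as the one pasted in this thread.

Added example, not a tool used or recommended in the thread. It flags the entries
a reviewer would look at first: antivirus reporting itself disabled, autorun
(uRun/mRun) targets with random-looking names, a process path that lives in an
NTFS alternate data stream (a colon inside the file name), orphaned BHOs
("No File"), and recently created directories with random-looking names.
The name heuristic and its thresholds are assumptions of this example; they can
produce false positives and are a prioritisation aid, not a verdict.
"""
import re
from typing import List, Tuple

# Constructed subset of lines copied from the DDS log in this thread.
SAMPLE_LOG = r"""
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\514901506:4248391649.exe
C:\WINDOWS\system32\spoolsv.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [UMonit] c:\windows\system32\umonit.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [GUVVellOBtx0yS18234A] c:\windows\system32\cKK88gRRZ9YX.exe
2011-10-05 18:03:48 -------- d-----w- c:\documents and settings\lynn\application data\D9hhTTXwjUVeIB
2011-09-21 18:11:50 -------- d-----w- c:\program files\CA Business Start-Up Forms
"""

RUN_RE = re.compile(r"^[um]Run: \[(?P<key>[^\]]+)\] (?P<target>.+)$")
PROC_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+)")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} .* d-----w- (?P<path>.+)$")
BHO_NOFILE_RE = re.compile(r"^BHO: .* - No File$")


def looks_random(name: str) -> bool:
    """Heuristic: does a file or directory name look machine-generated?

    Legitimate names are usually lower-case or CamelCase words with vowels;
    dropper names mix digits, upper-case runs and consonants (cKK88gRRZ9YX).
    """
    stem = name.rsplit(".", 1)[0] if "." in name else name
    letters = [c for c in stem if c.isalpha()]
    digits = sum(c.isdigit() for c in stem)
    upper = sum(c.isupper() for c in letters)
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    # lower->upper switches also occur in CamelCase, so they only count together with digits
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() and b.isupper())
    if digits >= 2 and upper >= 3:
        return True
    if switches >= 3 and digits >= 1:
        return True
    return len(letters) >= 10 and vowels / len(letters) < 0.15


def _target_path(target: str) -> str:
    """Strip quoting and command-line arguments from a Run-key value."""
    target = target.strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return re.split(r" [-/]", target, maxsplit=1)[0]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (category, line) pairs for log entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("AV:") and "*Disabled" in line:
            findings.append(("av-disabled", line))
        elif BHO_NOFILE_RE.match(line):
            findings.append(("bho-orphaned", line))
        elif (m := RUN_RE.match(line)):
            target = _target_path(m.group("target"))
            if looks_random(m.group("key")) or looks_random(_basename(target)):
                findings.append(("autorun-random-name", line))
        elif (m := PROC_RE.match(line)):
            path = m.group("path")
            if ":" in path[2:]:  # a second colon means an alternate data stream
                findings.append(("process-in-ads", line))
            elif looks_random(_basename(path)):
                findings.append(("process-random-name", line))
        elif (m := CREATED_RE.match(line)):
            if looks_random(_basename(m.group("path"))):
                findings.append(("new-dir-random-name", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_LOG):
        print(f"{category:22} {line}")
```

Run on the full pasted log, the same heuristics would also surface the other random-named AppData directories in the "Created Last 30" section; anything flagged still needs a human to confirm before it is touched.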
     
  2. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    Sorry for the double post, it was an accident
     
  3. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Welcome aboard

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it across a couple of replies.
    Attached logs won't be reviewed.

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
     
  4. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    Hey, I can't get past step one. I have antivirus software, and it has disabled it. Should I try to install one of the free ones?

    I tried step two (installing Malwarebytes) and the scan started, then the program crashed. Now a system error message comes up when I try to open the program.

    Should I go to step three?
     
  5. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Yes, complete as many steps as you can.
     
  6. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    Update: Computer is nearly unresponsive. VERY slow. Even the mouse movement is slow. I tried opening up the ctrl alt delete panel and it only partially opened.

    What to do? Should I turn off the computer over night or leave it on?
     
  7. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Let's see if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note: If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  8. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    Update:

    I rebooted the computer a few times and it's running more smoothly, though the antivirus software still gets shut off. It appears that Malwarebytes was immediately uninstalled after I installed it as well. I was able to run GMER and DDS.

    View attachment attach.txt

    View attachment gmer.log

    For whatever reason I cannot attach the DDS txt file. I will attempt to do so again later. Does this help at all?

    Thank you guys so much for your help. It really means a lot. Money is really tight right now so taking it in to get it fixed isn't really an option.

    Me and my family thank you so much.
     
  9. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    All logs have to be pasted.
     
  10. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Run by Lynn at 19:13:20 on 2011-10-09
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.911 [GMT -7:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\514901506:4248391649.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.3.21.69\GoogleCrashHandler.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
    C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\ATT-SST\McciTrayApp.exe
    C:\WINDOWS\system32\umonit.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Pure Networks\Network Magic\nmapp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\BellSouthWCC\McciTrayApp.exe
    C:\program files\real\realplayer\update\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\Program Files\Windows Desktop Search\WindowsSearch.exe
    C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\mfevtps.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    c:\Program Files\Zune\ZuneBusEnum.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.att.net
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111007154119.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Simple Sticky Notes] c:\program files\simnet\simple sticky notes\ssn.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
    uRun: [UpdateFlow.ATT-SST] c:\program files\att-sst\mccibrowser.exe -appkey=att-sst -url=file://c:\program files\att-sst\offlineupdate\redirector.htm
    uRun: [Google Update] "c:\documents and settings\lynn\local settings\application data\google\update\GoogleUpdate.exe" /c
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [mmtask] c:\program files\musicmatch\musicmatch jukebox\mmtask.exe
    mRun: [MMTray] c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe
    mRun: [ATT-SST_McciTrayApp] "c:\program files\att-sst\McciTrayApp.exe"
    mRun: [UMonit] c:\windows\system32\umonit.exe
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
    mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [BellSouthWCC_McciTrayApp] c:\program files\bellsouthwcc\McciTrayApp.exe
    mRun: [ATT_WCC] c:\program files\bellsouthwcc\McciTrayApp.exe
    mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [GUVVellOBtx0yS18234A] c:\windows\system32\cKK88gRRZ9YX.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    LSP: mswsock.dll
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Trusted Zone: motive.com\pattta.att
    Trusted Zone: motive.com\patttbc.att
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232669641984
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234378947968
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{5BA6CD34-5C2F-4ACD-9115-73A18B338F48} : DhcpNameServer = 12.127.17.77 12.127.16.77 12.127.16.68
    TCP: Interfaces\{88335330-166B-4884-BD38-029171CECD9B} : DhcpNameServer = 192.168.1.254
    Filter: text/html - {992446a2-35fb-4a9c-a097-5ff5e1cb8548} -
    Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\lynn\application data\mozilla\firefox\profiles\ujxsiy3v.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
    FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
    FF - plugin: c:\documents and settings\lynn\application data\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\documents and settings\lynn\application data\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\documents and settings\lynn\application data\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - plugin: c:\documents and settings\lynn\local settings\application data\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\common files\motive\npMotive.dll
    FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 387480]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-5 84200]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-6-8 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-5 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-5 271480]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-5 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-5 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-5 141792]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-5 56064]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-25 153280]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-5 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-5 88736]
    S0 cerc6;cerc6; [x]
    S2 gupdate1c99383a758ac58;Google Update Service (gupdate1c99383a758ac58);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]
    S2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-5 171168]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2009-8-5 16512]
    S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [2009-7-17 6016]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-12-25 30192]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-2-20 133104]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-25 52320]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-5 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-5 84488]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-2-25 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-2-25 40552]
    S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [2008-12-23 517632]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\zune\WMZuneComm.exe [2010-11-11 268528]
    .
    =============== Created Last 30 ================
    .
    2011-10-05 18:03:48 -------- d-----w- c:\documents and settings\lynn\application data\D9hhTTXwjUVeIB
    2011-10-05 18:03:41 -------- d-----w- c:\documents and settings\lynn\application data\kCCCekkIVrOyx0u
    2011-10-05 18:03:41 -------- d-----w- c:\documents and settings\lynn\application data\d22oFF3pm5QJdE8
    2011-10-05 17:58:47 -------- d-----w- c:\documents and settings\lynn\application data\RIIIVrrzONtA0vS
    2011-10-05 17:58:47 -------- d-----w- c:\documents and settings\lynn\application data\KibbFF3pmG
    2011-10-05 17:58:21 -------- d-----w- c:\documents and settings\lynn\application data\J22oobF3pmG5QJd
    2011-09-30 06:15:12 -------- d-----w- c:\windows\SxsCaPendDel
    2011-09-21 18:11:50 -------- d-----w- c:\program files\CA Business Start-Up Forms
    .
    ==================== Find3M ====================
    .
    2011-10-07 22:35:48 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-01 00:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-02-08 06:18:08 140864 --sha-r- c:\windows\temp\~rnsetup\nppl3260.dll
    2010-02-08 06:18:04 79400 --sha-w- c:\windows\temp\~rnsetup\rpelevation.dll
    2010-02-08 06:18:03 77824 --sh--w- c:\windows\temp\~rnsetup\twebbrowse.dll
    2010-02-08 06:18:08 135168 --sha-r- c:\windows\temp\~rnsetup\audp\audplin.dll
    2010-02-08 06:18:12 329312 --sh--w- c:\windows\temp\~rnsetup\browserrecordplugin\rpbrowserrecordplugin.dll
    2010-02-08 06:18:06 110592 --sha-r- c:\windows\temp\~rnsetup\browserrecordplugin\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
    2010-02-08 06:18:07 118784 --sh-tr- c:\windows\temp\~rnsetup\browserrecordplugin\browserrecord\thinshims\rpnpshimswf.dll
    2010-02-08 06:18:15 548919 --sh-tw- c:\windows\temp\~rnsetup\ecodecs\colorcvt.dll
    2010-02-08 06:18:03 65602 --sh-tw- c:\windows\temp\~rnsetup\ecodecs\cook.dll
    2010-02-08 06:18:13 376832 --sha-r- c:\windows\temp\~rnsetup\ecodecs\erv2.dll
    2010-02-08 06:18:05 86100 --sh-tw- c:\windows\temp\~rnsetup\eproducertools\audiolimiter.dll
    2010-02-08 06:18:09 163914 --sh-tr- c:\windows\temp\~rnsetup\eproducertools\dsreader.dll
    2010-02-08 06:18:02 53328 --sh--w- c:\windows\temp\~rnsetup\eproducertools\packetsource.dll
    2010-02-08 06:18:09 184320 --sh--r- c:\windows\temp\~rnsetup\fftranscdir\fftr3210.dll
    2010-02-08 06:18:02 61440 --sha-w- c:\windows\temp\~rnsetup\flv\flvff.dll
    2010-02-08 06:18:05 98304 --sh--r- c:\windows\temp\~rnsetup\gemsetup\rnad3201.dll
    2010-02-08 06:18:20 222728 --shatw- c:\windows\temp\~rnsetup\player\realplay.exe
    2010-02-08 06:18:17 618496 --shatw- c:\windows\temp\~rnsetup\playerplugins\rjbc3260.dll
    2010-02-08 06:18:19 1261568 --sh-tr- c:\windows\temp\~rnsetup\playerplugins\rpap3260.dll
    2010-02-08 06:18:10 204800 --sh--r- c:\windows\temp\~rnsetup\plins\httpfsys.dll
    2010-02-08 06:18:13 409600 --sha-r- c:\windows\temp\~rnsetup\sonrecordengine\sonr3210.dll
    2010-02-08 06:18:17 719360 --shatr- c:\windows\temp\~rnsetup\symbols\dbghelp.dll
    2010-02-08 06:18:12 303104 --sh--w- c:\windows\temp\~rnsetup\update\rnqu3270.dll
    .
    ============= FINISH: 19:14:32.85 ===============



    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2011-10-09 19:12:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-75FRA0 rev.77.07W77
    Running: 6h9ib6i0.exe; Driver: C:\DOCUME~1\Lynn\LOCALS~1\Temp\kwlyapod.sys


    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF743E210]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF743E224]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF743E250]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF743E2A6]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF743E1FC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF743E1D4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF743E1E8]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF743E23A]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF743E27C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF743E266]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF743E2D0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF743E2BC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF743E290]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 01/22/2009 3:08:36 PM
    System Uptime: 10/09/2011 6:37:27 PM (1 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 0F4491
    Processor: Intel(R) Pentium(R) 4 CPU 3.06GHz | Microprocessor | 3059/533mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 74 GiB total, 22.1 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP899: 07/17/2011 9:14:18 AM - System Checkpoint
    RP900: 07/18/2011 9:37:45 AM - System Checkpoint
    RP901: 07/19/2011 10:56:04 AM - System Checkpoint
    RP902: 07/20/2011 10:04:12 PM - System Checkpoint
    RP903: 07/21/2011 10:58:03 PM - System Checkpoint
    RP904: 07/22/2011 11:09:51 PM - System Checkpoint
    RP905: 07/23/2011 11:33:00 PM - System Checkpoint
    RP906: 07/24/2011 11:37:14 PM - System Checkpoint
    RP907: 07/25/2011 11:57:51 PM - System Checkpoint
    RP908: 07/27/2011 1:50:11 AM - System Checkpoint
    RP909: 07/28/2011 1:57:50 AM - System Checkpoint
    RP910: 07/29/2011 2:33:51 AM - System Checkpoint
    RP911: 07/30/2011 3:21:50 AM - System Checkpoint
    RP912: 07/31/2011 3:57:57 AM - System Checkpoint
    RP913: 08/01/2011 4:57:51 AM - System Checkpoint
    RP914: 08/02/2011 5:58:50 AM - System Checkpoint
    RP915: 08/03/2011 6:57:50 AM - System Checkpoint
    RP916: 08/04/2011 7:47:52 AM - System Checkpoint
    RP917: 08/05/2011 2:45:11 PM - System Checkpoint
    RP918: 08/06/2011 4:03:53 PM - System Checkpoint
    RP919: 08/07/2011 4:43:43 PM - System Checkpoint
    RP920: 08/08/2011 6:45:33 PM - System Checkpoint
    RP921: 08/09/2011 7:21:53 PM - System Checkpoint
    RP922: 08/10/2011 7:56:43 PM - System Checkpoint
    RP923: 08/11/2011 3:01:16 AM - Software Distribution Service 3.0
    RP924: 08/12/2011 4:27:32 AM - System Checkpoint
    RP925: 08/13/2011 7:24:42 AM - System Checkpoint
    RP926: 08/14/2011 12:15:51 PM - System Checkpoint
    RP927: 08/15/2011 12:32:51 PM - System Checkpoint
    RP928: 08/16/2011 1:10:22 PM - System Checkpoint
    RP929: 08/17/2011 1:44:21 PM - System Checkpoint
    RP930: 08/18/2011 2:20:51 PM - System Checkpoint
    RP931: 08/19/2011 3:35:01 PM - System Checkpoint
    RP932: 08/22/2011 3:41:44 AM - System Checkpoint
    RP933: 08/23/2011 4:36:22 AM - System Checkpoint
    RP934: 08/24/2011 5:10:22 AM - System Checkpoint
    RP935: 08/25/2011 3:00:20 AM - Software Distribution Service 3.0
    RP936: 08/26/2011 5:55:16 AM - System Checkpoint
    RP937: 08/27/2011 8:16:46 AM - System Checkpoint
    RP938: 08/28/2011 9:04:35 AM - System Checkpoint
    RP939: 09/01/2011 7:07:45 PM - System Checkpoint
    RP940: 09/02/2011 7:27:18 PM - System Checkpoint
    RP941: 09/04/2011 12:58:23 AM - System Checkpoint
    RP942: 09/05/2011 1:55:20 AM - System Checkpoint
    RP943: 09/06/2011 2:15:19 AM - System Checkpoint
    RP944: 09/07/2011 3:15:48 AM - System Checkpoint
    RP945: 09/08/2011 3:00:20 AM - Software Distribution Service 3.0
    RP946: 09/09/2011 4:22:48 AM - System Checkpoint
    RP947: 09/10/2011 10:52:03 AM - System Checkpoint
    RP948: 09/11/2011 11:22:17 AM - System Checkpoint
    RP949: 09/12/2011 11:30:48 AM - System Checkpoint
    RP950: 09/13/2011 9:17:19 PM - System Checkpoint
    RP951: 09/14/2011 3:01:23 AM - Software Distribution Service 3.0
    RP952: 09/15/2011 3:14:14 AM - System Checkpoint
    RP953: 09/16/2011 4:31:33 AM - System Checkpoint
    RP954: 09/17/2011 8:38:42 AM - System Checkpoint
    RP955: 09/18/2011 10:19:46 AM - System Checkpoint
    RP956: 09/19/2011 1:14:36 PM - System Checkpoint
    RP957: 09/20/2011 1:38:04 PM - System Checkpoint
    RP958: 09/21/2011 8:13:56 PM - System Checkpoint
    RP959: 09/22/2011 9:29:21 PM - System Checkpoint
    RP960: 09/23/2011 9:54:04 PM - System Checkpoint
    RP961: 09/24/2011 10:13:41 PM - System Checkpoint
    RP962: 09/26/2011 5:16:16 AM - System Checkpoint
    RP963: 09/27/2011 6:02:39 AM - System Checkpoint
    RP964: 09/28/2011 3:00:20 AM - Software Distribution Service 3.0
    RP965: 09/29/2011 3:43:49 AM - System Checkpoint
    RP966: 09/29/2011 10:36:39 PM - Removed PC Camera
    RP967: 09/29/2011 11:08:37 PM - Removed DD Thought Tickler 5.4
    RP968: 09/29/2011 11:13:55 PM - Removed Microsoft Office Click-to-Run 2010
    RP969: 09/29/2011 11:25:44 PM - Removed OpenOffice.org 3.2
    RP970: 09/29/2011 11:41:40 PM - Software Distribution Service 3.0
    RP971: 10/01/2011 6:59:31 PM - System Checkpoint
    RP972: 10/02/2011 7:29:13 PM - System Checkpoint
    RP973: 10/03/2011 8:48:31 PM - System Checkpoint
    RP974: 10/04/2011 9:56:46 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    µTorrent
    101 Law Forms for Personal Use
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.6
    Adobe Shockwave Player 11.5
    AiO_Scan
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AT&T Self Support Tool
    AT&T Toolbar
    AT&T Yahoo! Internet Mail
    ATT-HSI
    Audacity 1.2.6
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    Business Contact Manager for Outlook 2003
    CA Business Start-Up Forms
    Cisco Network Magic
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    Critical Update for Windows Media Player 11 (KB959772)
    Debrief v2.3
    Dell Digital Jukebox Driver
    Dell ResourceCD
    Facebook Plug-In
    FileZilla Client 3.3.2
    GCalc 3
    getPlus(R) for Adobe
    GOM Player
    Google Apps
    Google Chrome
    Google Desktop
    Google Talk Plugin
    Google Update Helper
    Google Updater
    GraphCalc v4.0.1
    Guitar Pro 5.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Format 11 SDK (KB973442)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB932716-v2)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Driver Diagnostics
    HP Product Detection
    HP PSC & OfficeJet 5.3.B
    Intel(R) 537EP V9x DF PCI Modem
    Intel(R) PRO Network Connections Drivers
    iTunes
    Jasc Paint Shop Photo Album
    Jasc Paint Shop Pro 8 Dell Edition
    Java Auto Updater
    Java DB 10.4.1.3
    Java(TM) 6 Update 21
    Java(TM) 6 Update 3
    Java(TM) SE Development Kit 6 Update 11
    LAME v3.98.2 for Audacity
    Living Trust Forms
    Malwarebytes' Anti-Malware version 1.51.2.1300
    McAfee SecurityCenter
    McAfee Virtual Technician
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Small Business Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.9
    Microsoft WinUsb 1.0
    Mozilla Firefox 7.0.1 (x86 en-US)
    MSXML 6.0 Parser (KB925673)
    MUSICMATCH® Jukebox
    Network Magic
    Nolo's Encyclopedia of Everyday Law
    Nolo's Will Forms
    Nolo’s Guide to California Law
    OGA Notifier 2.0.0048.0
    Picasa 3
    PowerDVD
    Pure Networks Platform
    QFolder
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    SanDisk ImageMate Reader/Writer
    Scan
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SoundMAX
    TI Connect 1.6
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB969497)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VLC media player 1.0.1
    WebEx Support Manager for Internet Explorer
    WebFldrs XP
    Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer Clean Up
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Mobile Device Updater Component
    Windows Presentation Foundation
    Windows Search 4.0
    WinRAR archiver
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! Install Manager
    Zune
    Zune Language Pack (DEU)
    Zune Language Pack (ESP)
    Zune Language Pack (FRA)
    Zune Language Pack (ITA)
    Zune Language Pack (NLD)
    Zune Language Pack (PTB)
    Zune Language Pack (PTG)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    10/09/2011 6:45:22 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).
    10/07/2011 3:40:46 PM, error: Service Control Manager [7000] - The McShield service failed to start due to the following error: Access is denied.
    10/07/2011 3:34:11 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Search service, but this action failed with the following error: An instance of the service is already running.
    10/07/2011 3:33:41 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    10/07/2011 3:28:52 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
    10/07/2011 3:26:46 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    10/07/2011 3:26:46 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    10/07/2011 3:26:41 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
    10/05/2011 10:53:39 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
    .
    ==== End Of File ===========================
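Two things in the logs of this thread are what a responder reads them for: the Event Viewer section above shows the McAfee real-time engine (McShield) failing to start with "Access is denied" and the McAfee Scanner service dying, which matches the rogue's behaviour described in the first post, and the TDSSKiller output posted further down flags cdrom.sys as a ForgedFile (the driver hashes differently depending on how it is read, the usual sign of a rootkit-patched driver). The Python below is an added example, not code from TechSpot, Broni, DDS or TDSSKiller: it parses lines in those two formats and pulls out exactly those tamper indicators. The service list and the regular expressions are my assumptions about the line formats as they appear in this thread; the sample lines are copied from the logs posted here.

```python
"""Triage helpers for two log formats seen in this thread: the 'Event Viewer
Messages' block of a DDS log and TDSSKiller scan output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Security services whose failure to start or unexpected termination is a
# tamper indicator while a rogue AV is active. Assumption: illustrative list.
SECURITY_SERVICES = ("McShield", "McAfee Scanner", "McAfee Firewall")

# SCM event IDs: 7000 = failed to start, 7031/7034 = terminated unexpectedly
SCM_FAILURE_IDS = (7000, 7031, 7034)

# "MM/DD/YYYY h:mm:ss AM, level: Source [id] - message" (DDS format, assumed)
EVENT_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)

# TDSSKiller ForgedFile line: path, then the two differing MD5 values
FORGED_RE = re.compile(
    r"Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})"
)


@dataclass
class Event:
    date: str
    time: str
    level: str
    source: str
    event_id: int
    message: str


def parse_event(line: str) -> Optional[Event]:
    """Parse one DDS Event Viewer line; None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return Event(m["date"], m["time"], m["level"], m["source"].strip(),
                 int(m["event_id"]), m["msg"])


def tamper_indicators(lines: List[str]) -> List[Tuple[str, int, str]]:
    """(service, event id, reason) for SCM failures that hit a security service."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.source != "Service Control Manager":
            continue
        if ev.event_id not in SCM_FAILURE_IDS:
            continue
        for svc in SECURITY_SERVICES:
            if f"The {svc} service" in ev.message:
                if "Access is denied" in ev.message:
                    reason = "failed to start (access denied)"
                else:
                    reason = "terminated unexpectedly"
                hits.append((svc, ev.event_id, reason))
    return hits


def forged_files(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(path, real md5, fake md5) for every TDSSKiller ForgedFile warning."""
    out = []
    for line in lines:
        m = FORGED_RE.search(line)
        if m:
            out.append((m["path"], m["real"], m["fake"]))
    return out


# Sample input, copied from the logs posted in this thread.
SAMPLE_EVENTS = [
    "10/09/2011 6:45:22 PM, error: Service Control Manager [7034] - The McAfee Scanner service terminated unexpectedly. It has done this 1 time(s).",
    "10/07/2011 3:40:46 PM, error: Service Control Manager [7000] - The McShield service failed to start due to the following error: Access is denied.",
    "10/07/2011 3:33:41 PM, error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.",
    "10/05/2011 10:53:39 AM, error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.",
]
SAMPLE_TDSS = [
    r"21:23:36.0653 0932 Cdrom (940dffedca6a4a9e659fcd8cc6e8e796) C:\WINDOWS\system32\DRIVERS\cdrom.sys",
    r"21:23:36.0653 0932 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 940dffedca6a4a9e659fcd8cc6e8e796, Fake md5: 4b0a100eaf5c49ef3cca8c641431eacc",
    r"21:23:36.0653 0932 Cdrom ( ForgedFile.Multi.Generic ) - warning",
]

if __name__ == "__main__":
    for svc, eid, why in tamper_indicators(SAMPLE_EVENTS):
        print(f"security service {svc}: event {eid}, {why}")
    for path, real, fake in forged_files(SAMPLE_TDSS):
        print(f"forged driver {path}: on-disk {real} vs presented {fake}")
```

The Windows Search termination is deliberately not reported: only services on the security list count, so the output is the three McAfee events plus the one forged driver, which is the evidence Broni acts on with the TDSSKiller run that follows.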
     
  11. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Please download DummyCreator.zip and unzip it.

    • Run the tool.
    • Copy and paste the following into the edit box:
    C:\WINDOWS\514901506
    • Press Create button and post the content of the Result.txt.
    Important: Restart the computer.

    ================================================================

    Download TDSSKiller and save it to your desktop.
    • Doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
     
  12. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    DummyCreator by Farbar
    Ran by Lynn (administrator) on 09-10-2011 at 21:15:44
    **************************************************************

    C:\WINDOWS\514901506 [09-10-2011 21:15:44]

    == End of log ==
     
  13. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    21:23:23.0061 3844 TDSS rootkit removing tool 2.6.6.0 Oct 7 2011 12:45:24
    21:23:25.0061 3844 ============================================================
    21:23:25.0061 3844 Current date / time: 2011/10/09 21:23:25.0061
    21:23:25.0061 3844 SystemInfo:
    21:23:25.0061 3844
    21:23:25.0061 3844 OS Version: 5.1.2600 ServicePack: 3.0
    21:23:25.0061 3844 Product type: Workstation
    21:23:25.0061 3844 ComputerName: DELL4600
    21:23:25.0061 3844 UserName: Lynn
    21:23:25.0061 3844 Windows directory: C:\WINDOWS
    21:23:25.0061 3844 System windows directory: C:\WINDOWS
    21:23:25.0061 3844 Processor architecture: Intel x86
    21:23:25.0061 3844 Number of processors: 2
    21:23:25.0061 3844 Page size: 0x1000
    21:23:25.0061 3844 Boot type: Normal boot
    21:23:25.0061 3844 ============================================================
    21:23:26.0936 3844 Initialize success
    21:23:32.0685 0932 ============================================================
    21:23:32.0685 0932 Scan started
    21:23:32.0685 0932 Mode: Manual;
    21:23:32.0685 0932 ============================================================
    21:23:33.0966 0932 2c6b01e - ok
    21:23:34.0029 0932 Abiosdsk - ok
    21:23:34.0060 0932 abp480n5 - ok
    21:23:34.0154 0932 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    21:23:34.0154 0932 ACPI - ok
    21:23:34.0232 0932 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    21:23:34.0232 0932 ACPIEC - ok
    21:23:34.0326 0932 adpu160m - ok
    21:23:34.0419 0932 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    21:23:34.0419 0932 aec - ok
    21:23:34.0497 0932 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
    21:23:34.0497 0932 AFD - ok
    21:23:34.0654 0932 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    21:23:34.0654 0932 agp440 - ok
    21:23:34.0685 0932 Aha154x - ok
    21:23:34.0716 0932 aic78u2 - ok
    21:23:34.0747 0932 aic78xx - ok
    21:23:34.0794 0932 AliIde - ok
    21:23:34.0825 0932 amsint - ok
    21:23:34.0919 0932 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
    21:23:34.0919 0932 Arp1394 - ok
    21:23:34.0966 0932 asc - ok
    21:23:34.0997 0932 asc3350p - ok
    21:23:35.0029 0932 asc3550 - ok
    21:23:35.0091 0932 ASPI (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\System32\DRIVERS\ASPI32.sys
    21:23:35.0091 0932 ASPI - ok
    21:23:35.0216 0932 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    21:23:35.0216 0932 AsyncMac - ok
    21:23:35.0357 0932 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    21:23:35.0357 0932 atapi - ok
    21:23:35.0404 0932 Atdisk - ok
    21:23:35.0482 0932 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    21:23:35.0482 0932 Atmarpc - ok
    21:23:35.0763 0932 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    21:23:35.0778 0932 audstub - ok
    21:23:35.0997 0932 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    21:23:35.0997 0932 Beep - ok
    21:23:36.0091 0932 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    21:23:36.0091 0932 cbidf2k - ok
    21:23:36.0200 0932 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    21:23:36.0200 0932 CCDECODE - ok
    21:23:36.0278 0932 cd20xrnt - ok
    21:23:36.0403 0932 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    21:23:36.0403 0932 Cdaudio - ok
    21:23:36.0513 0932 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    21:23:36.0513 0932 Cdfs - ok
    21:23:36.0653 0932 Cdrom (940dffedca6a4a9e659fcd8cc6e8e796) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    21:23:36.0653 0932 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\cdrom.sys. Real md5: 940dffedca6a4a9e659fcd8cc6e8e796, Fake md5: 4b0a100eaf5c49ef3cca8c641431eacc
    21:23:36.0653 0932 Cdrom ( ForgedFile.Multi.Generic ) - warning
    21:23:36.0653 0932 Cdrom - detected ForgedFile.Multi.Generic (1)
    21:23:36.0700 0932 cerc6 - ok
    21:23:36.0778 0932 cfwids (7fd604cd7a7a0ff8975af61bdf64c577) C:\WINDOWS\system32\drivers\cfwids.sys
    21:23:36.0794 0932 cfwids - ok
    21:23:36.0856 0932 Changer - ok
    21:23:36.0919 0932 CmdIde - ok
    21:23:36.0966 0932 Cpqarray - ok
    21:23:37.0028 0932 dac2w2k - ok
    21:23:37.0060 0932 dac960nt - ok
    21:23:37.0153 0932 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    21:23:37.0169 0932 Disk - ok
    21:23:37.0278 0932 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    21:23:37.0356 0932 dmboot - ok
    21:23:37.0700 0932 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    21:23:37.0716 0932 dmio - ok
    21:23:37.0934 0932 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    21:23:37.0934 0932 dmload - ok
    21:23:38.0028 0932 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    21:23:38.0044 0932 DMusic - ok
    21:23:38.0106 0932 dpti2o - ok
    21:23:38.0200 0932 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    21:23:38.0200 0932 drmkaud - ok
    21:23:38.0309 0932 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    21:23:38.0309 0932 E100B - ok
    21:23:38.0466 0932 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    21:23:38.0466 0932 Fastfat - ok
    21:23:38.0591 0932 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    21:23:38.0606 0932 Fdc - ok
    21:23:38.0731 0932 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    21:23:38.0731 0932 Fips - ok
    21:23:38.0825 0932 fixustor (cdb568db5e8985dcc623da808ac61042) C:\WINDOWS\system32\drivers\fixustor.sys
    21:23:38.0841 0932 fixustor - ok
    21:23:38.0950 0932 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    21:23:38.0950 0932 Flpydisk - ok
    21:23:39.0059 0932 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    21:23:39.0059 0932 FltMgr - ok
    21:23:39.0216 0932 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    21:23:39.0216 0932 Fs_Rec - ok
    21:23:39.0325 0932 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    21:23:39.0325 0932 Ftdisk - ok
    21:23:39.0403 0932 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    21:23:39.0403 0932 GEARAspiWDM - ok
    21:23:39.0591 0932 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    21:23:39.0591 0932 Gpc - ok
    21:23:39.0716 0932 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    21:23:39.0716 0932 hidusb - ok
    21:23:39.0778 0932 hpn - ok
    21:23:39.0872 0932 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    21:23:39.0872 0932 HPZid412 - ok
    21:23:39.0950 0932 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    21:23:39.0950 0932 HPZipr12 - ok
    21:23:40.0044 0932 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    21:23:40.0044 0932 HPZius12 - ok
    21:23:40.0153 0932 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    21:23:40.0169 0932 HTTP - ok
    21:23:40.0231 0932 i2omgmt - ok
    21:23:40.0325 0932 i2omp - ok
    21:23:40.0419 0932 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
    21:23:40.0419 0932 i8042prt - ok
    21:23:40.0528 0932 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    21:23:40.0544 0932 Imapi - ok
    21:23:40.0606 0932 ini910u - ok
    21:23:40.0762 0932 IntelC51 (fcab28ffd3a8964581e16455efaf81c8) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
    21:23:40.0809 0932 IntelC51 - ok
    21:23:40.0965 0932 IntelC52 (a288e7e3a6255255b9066686d860fbc5) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
    21:23:40.0997 0932 IntelC52 - ok
    21:23:41.0137 0932 IntelC53 (d5e5a1abf6bdba7ca49941a044f04598) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
    21:23:41.0137 0932 IntelC53 - ok
    21:23:41.0231 0932 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    21:23:41.0231 0932 IntelIde - ok
    21:23:41.0372 0932 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    21:23:41.0372 0932 intelppm - ok
    21:23:41.0465 0932 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    21:23:41.0465 0932 Ip6Fw - ok
    21:23:41.0590 0932 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    21:23:41.0590 0932 IpFilterDriver - ok
    21:23:41.0700 0932 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    21:23:41.0700 0932 IpInIp - ok
    21:23:41.0809 0932 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    21:23:41.0809 0932 IpNat - ok
    21:23:41.0903 0932 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    21:23:41.0918 0932 IPSec - ok
    21:23:41.0981 0932 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    21:23:41.0996 0932 IRENUM - ok
    21:23:42.0090 0932 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    21:23:42.0106 0932 isapnp - ok
    21:23:42.0200 0932 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    21:23:42.0200 0932 Kbdclass - ok
    21:23:42.0293 0932 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    21:23:42.0293 0932 kbdhid - ok
    21:23:42.0387 0932 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    21:23:42.0387 0932 kmixer - ok
    21:23:42.0465 0932 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    21:23:42.0481 0932 KSecDD - ok
    21:23:42.0543 0932 lbrtfdc - ok
    21:23:42.0746 0932 mfeapfk (688b626fca708ee9eb161cad1f7363a9) C:\WINDOWS\system32\drivers\mfeapfk.sys
    21:23:42.0746 0932 mfeapfk - ok
    21:23:42.0856 0932 mfeavfk (dbf6e1b388d5c070d438c61adb990c30) C:\WINDOWS\system32\drivers\mfeavfk.sys
    21:23:42.0856 0932 mfeavfk - ok
    21:23:42.0950 0932 mfebopk (a528b15e330edb83ea649be318d841d5) C:\WINDOWS\system32\drivers\mfebopk.sys
    21:23:42.0950 0932 mfebopk - ok
    21:23:43.0090 0932 mfefirek (c7da1b8003c89acedaa13768f7a1c622) C:\WINDOWS\system32\drivers\mfefirek.sys
    21:23:43.0090 0932 mfefirek - ok
    21:23:43.0231 0932 mfehidk (44184f32392fa2e94d08d056ce750d56) C:\WINDOWS\system32\drivers\mfehidk.sys
    21:23:43.0262 0932 mfehidk - ok
    21:23:43.0387 0932 mfendisk (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
    21:23:43.0387 0932 mfendisk - ok
    21:23:43.0387 0932 mfendiskmp (b1728195877b18ce63cf0cd00b2871eb) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
    21:23:43.0387 0932 mfendiskmp - ok
    21:23:43.0496 0932 mferkdet (ce1711f7c3f72f6762abd241dcfd5ee1) C:\WINDOWS\system32\drivers\mferkdet.sys
    21:23:43.0496 0932 mferkdet - ok
    21:23:43.0637 0932 mferkdk (41fe2f288e05a6c8ab85dd56770ffbad) C:\WINDOWS\system32\drivers\mferkdk.sys
    21:23:43.0637 0932 mferkdk - ok
    21:23:43.0762 0932 mfesmfk (096b52ea918aa909ba5903d79e129005) C:\WINDOWS\system32\drivers\mfesmfk.sys
    21:23:43.0762 0932 mfesmfk - ok
    21:23:43.0824 0932 mfetdi2k - ok
    21:23:43.0918 0932 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    21:23:43.0918 0932 mnmdd - ok
    21:23:44.0027 0932 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    21:23:44.0027 0932 Modem - ok
    21:23:44.0121 0932 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    21:23:44.0137 0932 MODEMCSA - ok
    21:23:44.0231 0932 mohfilt (c6a08c4f34b3048a73bbb2951150f98d) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
    21:23:44.0231 0932 mohfilt - ok
    21:23:44.0324 0932 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    21:23:44.0340 0932 Mouclass - ok
    21:23:44.0434 0932 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    21:23:44.0434 0932 mouhid - ok
    21:23:44.0527 0932 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    21:23:44.0527 0932 MountMgr - ok
    21:23:44.0606 0932 mraid35x - ok
    21:23:44.0715 0932 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    21:23:44.0731 0932 MREMP50 - ok
    21:23:44.0731 0932 MREMP50a64 - ok
    21:23:44.0746 0932 MREMPR5 - ok
    21:23:44.0746 0932 MRENDIS5 - ok
    21:23:44.0777 0932 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    21:23:44.0777 0932 MRESP50 - ok
    21:23:44.0793 0932 MRESP50a64 - ok
    21:23:44.0934 0932 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    21:23:44.0949 0932 MRxDAV - ok
    21:23:45.0043 0932 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    21:23:45.0074 0932 MRxSmb - ok
    21:23:45.0215 0932 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    21:23:45.0215 0932 Msfs - ok
    21:23:45.0324 0932 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    21:23:45.0324 0932 MSKSSRV - ok
    21:23:45.0418 0932 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    21:23:45.0418 0932 MSPCLOCK - ok
    21:23:45.0527 0932 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    21:23:45.0527 0932 MSPQM - ok
    21:23:45.0746 0932 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    21:23:45.0746 0932 mssmbios - ok
    21:23:45.0840 0932 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    21:23:45.0840 0932 MSTEE - ok
    21:23:45.0965 0932 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    21:23:45.0980 0932 Mup - ok
    21:23:46.0105 0932 MxlW2k (a1520761f42dbb06db7929d6fa9753ea) C:\WINDOWS\system32\drivers\MxlW2k.sys
    21:23:46.0105 0932 MxlW2k - ok
    21:23:46.0215 0932 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    21:23:46.0215 0932 NABTSFEC - ok
    21:23:46.0355 0932 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    21:23:46.0355 0932 NDIS - ok
    21:23:46.0480 0932 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    21:23:46.0480 0932 NdisIP - ok
    21:23:46.0637 0932 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    21:23:46.0637 0932 NdisTapi - ok
    21:23:46.0746 0932 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    21:23:46.0746 0932 Ndisuio - ok
    21:23:46.0840 0932 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    21:23:46.0840 0932 NdisWan - ok
    21:23:46.0918 0932 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    21:23:46.0918 0932 NDProxy - ok
    21:23:47.0027 0932 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    21:23:47.0027 0932 NetBIOS - ok
    21:23:47.0121 0932 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    21:23:47.0121 0932 NetBT - ok
    21:23:47.0230 0932 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
    21:23:47.0230 0932 NIC1394 - ok
    21:23:47.0402 0932 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    21:23:47.0402 0932 Npfs - ok
    21:23:47.0511 0932 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    21:23:47.0558 0932 Ntfs - ok
    21:23:47.0730 0932 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    21:23:47.0730 0932 Null - ok
    21:23:47.0980 0932 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    21:23:48.0058 0932 nv - ok
    21:23:48.0199 0932 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    21:23:48.0199 0932 NwlnkFlt - ok
    21:23:48.0308 0932 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    21:23:48.0308 0932 NwlnkFwd - ok
    21:23:48.0449 0932 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
    21:23:48.0449 0932 ohci1394 - ok
    21:23:48.0574 0932 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
    21:23:48.0574 0932 OMCI - ok
    21:23:48.0699 0932 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    21:23:48.0699 0932 Parport - ok
    21:23:48.0793 0932 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    21:23:48.0793 0932 PartMgr - ok
    21:23:48.0902 0932 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    21:23:48.0902 0932 ParVdm - ok
    21:23:48.0996 0932 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    21:23:48.0996 0932 PCI - ok
    21:23:49.0027 0932 PCIDump - ok
    21:23:49.0121 0932 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
    21:23:49.0121 0932 PCIIde - ok
    21:23:49.0199 0932 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    21:23:49.0199 0932 Pcmcia - ok
    21:23:49.0261 0932 PDCOMP - ok
    21:23:49.0324 0932 PDFRAME - ok
    21:23:49.0355 0932 PDRELI - ok
    21:23:49.0386 0932 PDRFRAME - ok
    21:23:49.0417 0932 perc2 - ok
    21:23:49.0480 0932 perc2hib - ok
    21:23:49.0589 0932 pnarp (36fcac4fa28b462ca867742dea59b0d0) C:\WINDOWS\system32\DRIVERS\pnarp.sys
    21:23:49.0589 0932 pnarp - ok
    21:23:49.0699 0932 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    21:23:49.0699 0932 PptpMiniport - ok
    21:23:49.0792 0932 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    21:23:49.0792 0932 PSched - ok
    21:23:49.0902 0932 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    21:23:49.0902 0932 Ptilink - ok
    21:23:49.0964 0932 purendis (d8ac00388262b1a4878a7ee12f31d376) C:\WINDOWS\system32\DRIVERS\purendis.sys
    21:23:49.0964 0932 purendis - ok
    21:23:50.0058 0932 PxHelp20 (03e0fe281823ba64b3782f5b38950e73) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    21:23:50.0058 0932 PxHelp20 - ok
    21:23:50.0121 0932 ql1080 - ok
    21:23:50.0152 0932 Ql10wnt - ok
    21:23:50.0183 0932 ql12160 - ok
    21:23:50.0214 0932 ql1240 - ok
    21:23:50.0292 0932 ql1280 - ok
    21:23:50.0386 0932 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    21:23:50.0386 0932 RasAcd - ok
    21:23:50.0480 0932 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    21:23:50.0480 0932 Rasl2tp - ok
    21:23:50.0605 0932 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    21:23:50.0605 0932 RasPppoe - ok
    21:23:50.0714 0932 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    21:23:50.0714 0932 Raspti - ok
    21:23:50.0808 0932 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    21:23:50.0808 0932 Rdbss - ok
    21:23:50.0917 0932 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    21:23:50.0917 0932 RDPCDD - ok
    21:23:51.0011 0932 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    21:23:51.0027 0932 rdpdr - ok
    21:23:51.0120 0932 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    21:23:51.0136 0932 RDPWD - ok
    21:23:51.0245 0932 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    21:23:51.0245 0932 redbook - ok
    21:23:51.0433 0932 rt2870 (c2a6f7f35e617744a65dbfb0c0a64adc) C:\WINDOWS\system32\DRIVERS\rt2870.sys
    21:23:51.0464 0932 rt2870 - ok
    21:23:51.0636 0932 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    21:23:51.0636 0932 Secdrv - ok
    21:23:51.0777 0932 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    21:23:51.0808 0932 senfilt - ok
    21:23:51.0948 0932 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    21:23:51.0948 0932 serenum - ok
    21:23:52.0027 0932 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    21:23:52.0042 0932 Serial - ok
    21:23:52.0136 0932 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    21:23:52.0152 0932 Sfloppy - ok
    21:23:52.0198 0932 Simbad - ok
    21:23:52.0370 0932 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    21:23:52.0370 0932 SLIP - ok
    21:23:52.0480 0932 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
    21:23:52.0480 0932 smwdm - ok
    21:23:52.0526 0932 Sparrow - ok
    21:23:52.0714 0932 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    21:23:52.0714 0932 splitter - ok
    21:23:52.0870 0932 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    21:23:52.0870 0932 sr - ok
    21:23:52.0964 0932 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    21:23:52.0980 0932 Srv - ok
    21:23:53.0089 0932 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    21:23:53.0089 0932 streamip - ok
    21:23:53.0183 0932 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    21:23:53.0183 0932 swenum - ok
    21:23:53.0292 0932 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    21:23:53.0292 0932 swmidi - ok
    21:23:53.0589 0932 symc810 - ok
    21:23:53.0745 0932 symc8xx - ok
    21:23:53.0776 0932 sym_hi - ok
    21:23:53.0870 0932 sym_u3 - ok
    21:23:54.0120 0932 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    21:23:54.0151 0932 sysaudio - ok
    21:23:54.0417 0932 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    21:23:54.0886 0932 Tcpip - ok
    21:23:55.0401 0932 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    21:23:55.0432 0932 TDPIPE - ok
    21:23:55.0682 0932 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    21:23:55.0682 0932 TDTCP - ok
    21:23:55.0807 0932 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    21:23:55.0823 0932 TermDD - ok
    21:23:56.0057 0932 TIEHDUSB (a1124ebc672aa3ae1b327096c1dcc346) C:\WINDOWS\system32\drivers\tiehdusb.sys
    21:23:56.0057 0932 TIEHDUSB - ok
    21:23:56.0354 0932 TosIde - ok
    21:23:56.0542 0932 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    21:23:56.0542 0932 Udfs - ok
    21:23:56.0667 0932 ultra - ok
    21:23:56.0823 0932 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    21:23:56.0870 0932 Update - ok
    21:23:57.0104 0932 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
    21:23:57.0135 0932 USBAAPL - ok
    21:23:57.0338 0932 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    21:23:57.0354 0932 usbaudio - ok
    21:23:57.0541 0932 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    21:23:57.0541 0932 usbccgp - ok
    21:23:57.0682 0932 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    21:23:57.0682 0932 usbehci - ok
    21:23:57.0791 0932 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    21:23:57.0854 0932 usbhub - ok
    21:23:58.0120 0932 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    21:23:58.0135 0932 usbprint - ok
    21:23:58.0557 0932 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    21:23:58.0557 0932 usbscan - ok
    21:23:58.0729 0932 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    21:23:58.0744 0932 USBSTOR - ok
    21:23:59.0026 0932 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    21:23:59.0026 0932 usbuhci - ok
    21:23:59.0416 0932 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    21:23:59.0447 0932 usbvideo - ok
    21:23:59.0901 0932 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    21:23:59.0994 0932 VgaSave - ok
    21:24:00.0401 0932 ViaIde - ok
    21:24:00.0916 0932 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    21:24:00.0947 0932 VolSnap - ok
    21:24:01.0400 0932 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    21:24:01.0416 0932 Wanarp - ok
    21:24:02.0010 0932 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
    21:24:02.0010 0932 Wdf01000 - ok
    21:24:02.0447 0932 WDICA - ok
    21:24:03.0103 0932 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    21:24:03.0166 0932 wdmaud - ok
    21:24:04.0009 0932 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
    21:24:04.0041 0932 WinUSB - ok
    21:24:04.0587 0932 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
    21:24:04.0650 0932 WpdUsb - ok
    21:24:05.0384 0932 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    21:24:05.0431 0932 WSTCODEC - ok
    21:24:06.0119 0932 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    21:24:06.0197 0932 WudfPf - ok
    21:24:07.0134 0932 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    21:24:07.0243 0932 WudfRd - ok
    21:24:07.0915 0932 zumbus (337b9607f041b77824411750069aff2d) C:\WINDOWS\system32\DRIVERS\zumbus.sys
    21:24:07.0915 0932 zumbus - ok
    21:24:07.0978 0932 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    21:24:09.0103 0932 \Device\Harddisk0\DR0 - ok
    21:24:09.0118 0932 Boot (0x1200) (23c13e77fc033df478d574c4452f0b78) \Device\Harddisk0\DR0\Partition0
    21:24:09.0196 0932 \Device\Harddisk0\DR0\Partition0 - ok
    21:24:09.0196 0932 ============================================================
    21:24:09.0196 0932 Scan finished
    21:24:09.0196 0932 ============================================================
    21:24:09.0212 1772 Detected object count: 1
    21:24:09.0212 1772 Actual detected object count: 1
    21:24:50.0551 1772 Cdrom ( ForgedFile.Multi.Generic ) - skipped by user
    21:24:50.0551 1772 Cdrom ( ForgedFile.Multi.Generic ) - User select action: Skip
     
  14. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  15. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    So Combofix is running, but hasn't had any progress/changes for about 30 minutes. Is this normal?
     
  16. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    What's the situation with Combofix?
     
  17. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    I woke up in the morning today after leaving combofix running all night and there wasn't any progress. I will retry tomorrow morning (in 8 hours).
     
  18. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan:

    On completion of the scan click "Save log", save it to your desktop and post in your next reply:

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===================================================================

    Let's run the following tool. This will help determine which files need permissions restored.

    Please download and save Junction.zip

    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste the log in your next reply.
     
  19. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    So I ran aswMBR, then while scanning it suddenly quit. When I tried to reopen it, it says "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

    I downloaded it again and ran it again. This time, before it got shut down, I managed to save a log while it was going, which contains one infected file. Here it is:

    aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
    Run date: 2011-10-12 20:00:33
    -----------------------------
    20:00:33.203 OS Version: Windows 5.1.2600 Service Pack 3
    20:00:33.203 Number of processors: 2 586 0x209
    20:00:33.218 ComputerName: DELL4600 UserName: Lynn
    20:00:33.718 Initialize success
    20:00:41.859 AVAST engine defs: 11101201
    20:00:53.265 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    20:00:53.265 Disk 0 Vendor: WDC_WD800BB-75FRA0 77.07W77 Size: 76293MB BusType: 3
    20:00:55.265 Disk 0 MBR read successfully
    20:00:55.265 Disk 0 MBR scan
    20:00:55.296 Disk 0 Windows XP default MBR code
    20:00:55.296 Disk 0 scanning sectors +156232125
    20:00:55.390 Disk 0 scanning C:\WINDOWS\system32\drivers
    20:00:56.937 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Crypt-KMR [Trj]
    20:01:04.359 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Lynn\Desktop\MBR.dat"
    20:01:04.359 The log file has been saved successfully to "C:\Documents and Settings\Lynn\Desktop\aswMBR.txt"






    Junction Log

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com

    Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
    Failed to open \\?\c:\\System Volume Information: Access is denied.
    Failed to open \\?\c:\\Documents and Settings\Lynn\Desktop\aswMBR.exe: Access is denied.
    Failed to open \\?\c:\\Documents and Settings\Lynn\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db: Access is denied.
    Failed to open \\?\c:\\Documents and Settings\Lynn\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow: Access is denied.
    Failed to open \\?\c:\\Documents and Settings\Lynn\Local Settings\Temp\McInstallTemp (4)\Install.exe: Access is denied.
    Failed to open \\?\c:\\Documents and Settings\Lynn\Local Settings\Temp\McInstallTemp (4)\Riskscan.exe: Access is denied.
    Failed to open \\?\c:\\Documents and Settings\Lynn\Local Settings\Temp\McTemp (2)\6255\Download_Files\mmips\stinger.exe: Access is denied.
    Failed to open \\?\c:\\Documents and Settings\Lynn\Local Settings\Temporary Internet Files\Content.IE5\WLXV2RMS\aswMBR[1].exe: Access is denied.
    Failed to open \\?\c:\\Program Files\Common Files\McAfee\SystemCore\mcshield.exe: Access is denied.
    Failed to open \\?\c:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE: Access is denied.
    Failed to open \\?\c:\\Program Files\McAfee\MPF\MpfAlert.exe: Access is denied.
    Failed to open \\?\c:\\WINDOWS\$NtUninstallKB19751$: Access is denied.

    \\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
    Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
    Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

    \\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
    Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
    Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
     
  20. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Please download GrantPerms.zip and save it to your desktop.
    Unzip the file and, depending on the system, run GrantPerms.exe (32-bit system) or GrantPerms64.exe (64-bit system).
    Copy and paste the following in the edit box:

    Code:
    c:\\WINDOWS\$NtUninstallKB19751$
    c:\\Program Files\McAfee\MPF\MpfAlert.exe
    c:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\\Documents and Settings\Lynn\Local Settings\Temporary Internet Files\Content.IE5\WLXV2RMS\aswMBR[1].exe
    c:\\Documents and Settings\Lynn\Local Settings\Temp\McTemp (2)\6255\Download_Files\mmips\stinger.exe
    c:\\Documents and Settings\Lynn\Local Settings\Temp\McInstallTemp (4)\Riskscan.exe
    c:\\Documents and Settings\Lynn\Local Settings\Temp\McInstallTemp (4)\Install.exe
    c:\\Documents and Settings\Lynn\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow
    c:\\Documents and Settings\Lynn\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db
    c:\\Documents and Settings\Lynn\Desktop\aswMBR.exe
    c:\\System Volume Information
    
    Click Unlock. When it is done click "OK".
    Click List Permissions and post the result of Perms.txt file that pops up.
    A copy of Perms.txt will be saved in the same directory the tool is run.
     
  21. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    GrantPerms by Farbar
    Ran by Lynn at 2011-10-13 14:43:45

    ===============================================
    \\?\c:\\WINDOWS\$NtUninstallKB19751$

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\Program Files\McAfee\MPF\MpfAlert.exe

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Documents and Settings\Lynn\Local Settings\Temporary Internet Files\Content.IE5\WLXV2RMS\aswMBR[1].exe

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Documents and Settings\Lynn\Local Settings\Temp\McTemp (2)\6255\Download_Files\mmips\stinger.exe

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Documents and Settings\Lynn\Local Settings\Temp\McInstallTemp (4)\Riskscan.exe

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Documents and Settings\Lynn\Local Settings\Temp\McInstallTemp (4)\Install.exe

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Documents and Settings\Lynn\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Documents and Settings\Lynn\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\Documents and Settings\Lynn\Desktop\aswMBR.exe

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (NI)
    NT AUTHORITY\SYSTEM FULL ALLOW (NI)
    BUILTIN\Users READ/EXECUTE ALLOW (NI)


    \\?\c:\\System Volume Information

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)
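
The Junction output earlier in the thread is the list of objects the infection had made unreadable (which is why aswMBR and Malwarebytes died with "You may not have the appropriate permissions"), the paths Broni pasted into GrantPerms are exactly its "Access is denied" entries, and the Perms.txt above is GrantPerms' report after the unlock. The Python below is an added example, not a tool from this thread and not part of Junction or GrantPerms: it extracts that path list from a Junction log and then checks against Perms.txt that every path is executable again by the least-privileged group (BUILTIN\Users) with no DENY ACE. The sample logs are excerpts of the ones posted here, with one constructed `example_tool.exe` entry standing in for a path that would still be reported as locked.

```python
"""Check the Junction -> GrantPerms -> Perms.txt round trip used in this thread (added example)."""
import re

LONG_PATH_PREFIX = "\\\\?\\"   # both tools print paths behind the Win32 long-path marker \\?\

# Junction: "Failed to open \\?\c:\\<path>: <reason>". Only "Access is denied" points at an ACL
# problem; hiberfil.sys and pagefile.sys fail merely because they are in use.
JUNCTION_FAIL = re.compile(r"^Failed to open (?:\\\\\?\\)?(?P<path>.+?): (?P<reason>.+)$")

# GrantPerms ACE line: "<trustee> <rights> ALLOW|DENY <inheritance flags>". Rights names are the
# ones GrantPerms printed in this thread; any other wording is kept as "OTHER".
ACE_LINE = re.compile(r"^(?P<head>.+?) (?P<type>ALLOW|DENY)(?: (?P<flags>\(.*\)))?$")
KNOWN_RIGHTS = ("READ/EXECUTE", "ADD SUBDIRECTORY", "ADD FILE", "FULL", "MODIFY", "READ", "WRITE")
EXECUTE_RIGHTS = {"FULL", "MODIFY", "READ/EXECUTE"}
LOW_PRIV_GROUPS = {"BUILTIN\\Users", "Everyone"}

# Excerpt of the Junction log posted in this thread, plus one CONSTRUCTED line (example_tool.exe).
SAMPLE_JUNCTION_LOG = r"""
Junction v1.06 - Windows junction creator and reparse point viewer
Failed to open \\?\c:\\hiberfil.sys: The process cannot access the file because it is being used by another process.
Failed to open \\?\c:\\Documents and Settings\Lynn\Desktop\aswMBR.exe: Access is denied.
Failed to open \\?\c:\\Documents and Settings\Lynn\Desktop\example_tool.exe: Access is denied.
Failed to open \\?\c:\\WINDOWS\$NtUninstallKB19751$: Access is denied.
.\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
"""

# Excerpt of the Perms.txt posted in this thread; the example_tool.exe entry is CONSTRUCTED (DENY ACE).
SAMPLE_PERMS_TXT = r"""
GrantPerms by Farbar
\\?\c:\\WINDOWS\$NtUninstallKB19751$
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (CI)(OI)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)

\\?\c:\\Documents and Settings\Lynn\Desktop\aswMBR.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
NT AUTHORITY\SYSTEM FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE ALLOW (NI)

\\?\c:\\Documents and Settings\Lynn\Desktop\example_tool.exe
Owner: BUILTIN\Administrators
DACL(P)(AI):
BUILTIN\Administrators FULL ALLOW (NI)
BUILTIN\Users READ/EXECUTE DENY (NI)
"""


def denied_paths(junction_log):
    """Paths Junction could not open for lack of permission, in log order, without duplicates."""
    out = []
    for line in junction_log.splitlines():
        m = JUNCTION_FAIL.match(line.strip())
        if m and m.group("reason").startswith("Access is denied") and m.group("path") not in out:
            out.append(m.group("path"))
    return out


def split_ace_head(head):
    """Split "<trustee> <rights>" at the rights name (trustees such as CREATOR OWNER contain spaces)."""
    for rights in KNOWN_RIGHTS:
        if head.endswith(" " + rights):
            return head[: -len(rights) - 1], rights
    return head, "OTHER"


def parse_perms(perms_text):
    """Map each object in Perms.txt to {"owner": ..., "aces": [(trustee, rights, type, flags)]}."""
    entries, current = {}, None
    for raw in perms_text.splitlines():
        line = raw.strip()
        if line.startswith(LONG_PATH_PREFIX):            # a new object begins
            current = {"owner": None, "aces": []}
            entries[line[len(LONG_PATH_PREFIX):]] = current
        elif current is None or not line or line.startswith("DACL"):
            continue                                     # report header, blank, or "DACL(P)(AI):"
        elif line.startswith("Owner:"):
            current["owner"] = line.split(":", 1)[1].strip()
        else:
            m = ACE_LINE.match(line)
            if m:
                trustee, rights = split_ace_head(m.group("head"))
                current["aces"].append((trustee, rights, m.group("type"), m.group("flags") or ""))
    return entries


def users_can_execute(entry):
    """True when the least-privileged interactive groups are allowed execute and nothing denies them."""
    aces = entry["aces"]
    allowed = any(t in LOW_PRIV_GROUPS and ty == "ALLOW" and r in EXECUTE_RIGHTS for t, r, ty, _ in aces)
    denied = any(t in LOW_PRIV_GROUPS and ty == "DENY" for t, r, ty, _ in aces)
    return allowed and not denied


def still_locked(junction_log, perms_text):
    """Denied paths that Perms.txt does not show as executable by Users (or does not list at all)."""
    entries = parse_perms(perms_text)
    return [p for p in denied_paths(junction_log)
            if p not in entries or not users_can_execute(entries[p])]
```

Running `still_locked` over the real logs from this thread returns an empty list, which is the condition under which a fresh ComboFix download can be expected to start.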
     
  22. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Delete your Combofix file, download a fresh one and see if it'll run now.
     
  23. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    It ran!!!!! woooo



    ComboFix 11-10-13.05 - Lynn 10/13/2011 15:09:07.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.965 [GMT -7:00]
    Running from: c:\documents and settings\Lynn\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Lynn\Application Data\d22oFF3pm5QJdE8AV Guard Online.ico
    c:\documents and settings\Lynn\Application Data\KibbFF3pmGAV Guard Online.ico
    c:\documents and settings\Lynn\EhSvc.dll
    c:\documents and settings\Lynn\Launcher.exe
    c:\documents and settings\Lynn\My Documents\~WRL1721.tmp
    c:\program files\Common
    c:\windows\$NtUninstallKB19751$
    c:\windows\$NtUninstallKB19751$\1042333577
    c:\windows\$NtUninstallKB19751$\46575646\@
    c:\windows\$NtUninstallKB19751$\46575646\bckfg.tmp
    c:\windows\$NtUninstallKB19751$\46575646\cfg.ini
    c:\windows\$NtUninstallKB19751$\46575646\Desktop.ini
    c:\windows\$NtUninstallKB19751$\46575646\keywords
    c:\windows\$NtUninstallKB19751$\46575646\kwrd.dll
    c:\windows\$NtUninstallKB19751$\46575646\L\dofmoesx
    c:\windows\$NtUninstallKB19751$\46575646\lsflt7.ver
    c:\windows\$NtUninstallKB19751$\46575646\U\00000001.@
    c:\windows\$NtUninstallKB19751$\46575646\U\00000002.@
    c:\windows\$NtUninstallKB19751$\46575646\U\80000000.@
    c:\windows\$NtUninstallKB19751$\46575646\U\80000032.@
    c:\windows\514901506
    .
    Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
    Restored copy from - c:\windows\system32\dllcache\cdrom.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Service_2c6b01e
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-13 to 2011-10-13 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-13 03:04 . 2010-09-07 22:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-10 03:39 . 2011-04-14 21:01 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
    2011-10-10 03:39 . 2011-04-14 21:01 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-10 03:39 . 2011-04-14 21:01 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-10-10 03:39 . 2011-04-14 21:01 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-10 03:39 . 2011-04-14 21:01 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-10-10 03:39 . 2011-04-14 21:01 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-10 03:39 . 2011-04-14 21:01 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-10 03:39 . 2011-04-14 21:01 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-10 03:39 . 2011-04-14 21:01 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-10 03:39 . 2011-10-10 03:39 -------- d-----w- c:\program files\McAfee.com
    2011-10-10 03:14 . 2011-03-13 18:45 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-05 18:32 . 2011-10-05 18:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-10-05 18:03 . 2011-10-05 18:03 -------- d-----w- c:\documents and settings\Lynn\Application Data\D9hhTTXwjUVeIB
    2011-10-05 18:03 . 2011-10-05 18:03 -------- d-----w- c:\documents and settings\Lynn\Application Data\kCCCekkIVrOyx0u
    2011-10-05 18:03 . 2011-10-05 18:03 -------- d-----w- c:\documents and settings\Lynn\Application Data\d22oFF3pm5QJdE8
    2011-10-05 17:58 . 2011-10-05 17:58 -------- d-----w- c:\documents and settings\Lynn\Application Data\RIIIVrrzONtA0vS
    2011-10-05 17:58 . 2011-10-05 17:58 -------- d-----w- c:\documents and settings\Lynn\Application Data\KibbFF3pmG
    2011-10-05 17:58 . 2011-10-05 17:58 -------- d-----w- c:\documents and settings\Lynn\Application Data\J22oobF3pmG5QJd
    2011-09-30 06:40 . 2011-09-30 06:40 -------- d-----w- c:\program files\Common Files\Adobe
    2011-09-30 06:15 . 2011-09-30 06:58 -------- d-----w- c:\windows\SxsCaPendDel
    2011-09-26 01:25 . 2011-09-26 01:25 -------- d-----w- c:\program files\Apple Software Update
    2011-09-21 18:11 . 2011-09-21 18:11 -------- d-----w- c:\program files\CA Business Start-Up Forms
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-29 06:53 . 2011-10-01 06:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2010-08-27 04:04 . 2009-12-25 20:42 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2011-04-14 21:01 . 2011-10-10 03:39 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-25 39408]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-02-27 319280]
    "UpdateFlow.ATT-SST"="c:\program files\ATT-SST\McciBrowser.exe" [2010-06-30 1057792]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
    "MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-20 131072]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-06-30 1573888]
    "UMonit"="c:\windows\system32\umonit.exe" [2004-10-28 53248]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-27 30192]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
    "nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2010-11-13 472112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
    "BellSouthWCC_McciTrayApp"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2009-11-18 1577984]
    "ATT_WCC"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2009-11-18 1577984]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-07-04 273544]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-24 1195408]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Documents and Settings\\Lynn\\My Documents\\Downloads\\SRO_L4_Full_Client_Downloader.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Lynn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    "c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:pure Networks Platform Service
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "25928:TCP"= 25928:TCP:BitComet 25928 TCP
    "25928:UDP"= 25928:UDP:BitComet 25928 UDP
    "67:UDP"= 67:UDP:DHCP Discovery Service
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/09/2011 8:39 PM 84200]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/09/2011 8:39 PM 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/09/2011 8:39 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [10/09/2011 8:39 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [10/09/2011 8:39 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/09/2011 8:14 PM 148520]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/09/2011 8:39 PM 56064]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/09/2011 8:39 PM 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/09/2011 8:39 PM 88736]
    S0 cerc6;cerc6; [x]
    S2 gupdate1c99383a758ac58;Google Update Service (gupdate1c99383a758ac58);c:\program files\Google\Update\GoogleUpdate.exe [02/20/2009 10:49 AM 133104]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [08/05/2009 9:44 AM 16512]
    S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [07/17/2009 10:11 AM 6016]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/25/2009 1:42 PM 30192]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/20/2009 10:49 AM 133104]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/09/2011 8:39 PM 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/09/2011 8:39 PM 84488]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    2011-10-13 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-25 01:41]
    .
    2011-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 17:49]
    .
    2011-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 17:49]
    .
    2011-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1500820517-1644491937-1003Core.job
    - c:\documents and settings\Lynn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 15:59]
    .
    2011-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1500820517-1644491937-1003UA.job
    - c:\documents and settings\Lynn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 15:59]
    .
    2011-10-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1645522239-1500820517-1644491937-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
    .
    2011-10-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1645522239-1500820517-1644491937-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Trusted Zone: motive.com\pattta.att
    Trusted Zone: motive.com\patttbc.att
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Lynn\Application Data\Mozilla\Firefox\Profiles\ujxsiy3v.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKCU-Run-Simple Sticky Notes - c:\program files\Simnet\Simple Sticky Notes\ssn.exe
    HKLM-Run-GUVVellOBtx0yS18234A - c:\windows\system32\cKK88gRRZ9YX.exe
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    AddRemove-Coupon Printer for Windows4.0 - c:\program files\Coupons\uninstall.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-13 15:37
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    UMonit = c:\windows\system32\umonit.exe?WZSE0.TMP\imagemate-6.30\WinXP\fixustor.sys????????????????????????????A~0:??????????tq[?l??? ??|`??|????]??|??D~????????0:??F$?|??B~??B~*?,?0:????????????????????????????????B~????????????tq[?????T?????[?????tq[???????a????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3676)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\program files\Microsoft Office\OFFICE11\msohev.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Google\Update\1.3.21.69\GoogleCrashHandler.exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Motive\McciCMService.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    c:\windows\system32\HPZipm12.exe
    c:\program files\Zune\ZuneBusEnum.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    c:\windows\system32\SearchIndexer.exe
    c:\program files\Windows Desktop Search\WindowsSearch.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-13 15:51:11 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-13 22:50
    .
    Pre-Run: 23,054,061,568 bytes free
    Post-Run: 24,268,345,344 bytes free
    .
    - - End Of File - - C0C2744FF2D754F4800CC5A52C5A9C66
     
  24. Broni

    Broni Malware Annihilator Posts: 47,986   +271

    Very good :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    c:\documents and settings\Lynn\Application Data\J22oobF3pmG5QJd
    c:\documents and settings\Lynn\Application Data\KibbFF3pmG
    c:\documents and settings\Lynn\Application Data\RIIIVrrzONtA0vS
    c:\documents and settings\Lynn\Application Data\d22oFF3pm5QJdE8
    c:\documents and settings\Lynn\Application Data\kCCCekkIVrOyx0u
    c:\documents and settings\Lynn\Application Data\D9hhTTXwjUVeIB
    
    
    DDS::
    Trusted Zone: internet
    Trusted Zone: mcafee.com
    Trusted Zone: motive.com\pattta.att
    Trusted Zone: motive.com\patttbc.att
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
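The CFScript above is built from three things the ComboFix log shows: the six random-named folders created under Application Data within a few minutes of the infection, the orphaned HKLM Run entry pointing at the random-named executable in system32, and the two Security Center `Monitoring` keys set to `DisableMonitoring=1`, which silence the "antivirus is off" warnings while the rogue kills real-time scanning. As an added example (not ComboFix's own code and not posted by anyone in this thread), the Python script below applies that triage to a constructed excerpt written in ComboFix's log layout and drafts the matching `File::`, `Folder::` and `Registry::` sections. The sample log, the size field on the rogue Run entry and the `looks_random()` threshold are assumptions; the threshold is a rule of thumb, not a signature.

```python
"""Triage a ComboFix log for the fake-AV indicators discussed in this thread
and draft the matching CFScript sections.

Added example: not ComboFix's code and not posted by anyone in the thread.
SAMPLE_LOG is a constructed excerpt modelled on the log above, and the
looks_random() threshold is an assumption (a rule of thumb, not a signature).
"""
import re

# Constructed sample in ComboFix's log layout.  The size field on the rogue Run
# entry is a placeholder; the real log only lists that entry under ORPHANS REMOVED.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2011-09-13 to 2011-10-13 )))))))))))))))))))))))))))))))
.
2011-10-05 18:03 . 2011-10-05 18:03 -------- d-----w- c:\documents and settings\Lynn\Application Data\D9hhTTXwjUVeIB
2011-10-05 18:03 . 2011-10-05 18:03 -------- d-----w- c:\documents and settings\Lynn\Application Data\kCCCekkIVrOyx0u
2011-09-30 06:40 . 2011-09-30 06:40 -------- d-----w- c:\program files\Common Files\Adobe
2011-09-26 01:25 . 2011-09-26 01:25 -------- d-----w- c:\program files\Apple Software Update
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"GUVVellOBtx0yS18234A"="c:\windows\system32\cKK88gRRZ9YX.exe" [2011-10-05 0]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
"""

SECTION_RE = re.compile(r"^\(+\s*(?P<name>.*?)\s*\)+$")
# "date time . date time -------- d-----w- path": only directory entries have
# eight dashes where a file entry would carry its size.
CREATED_DIR_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d -{8} d\S+ (?P<path>.+)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
IMAGE_RE = re.compile(r'^"(?P<path>[^"]+)"')


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def looks_random(name):
    """Heuristic (assumption) for dropper-generated names such as D9hhTTXwjUVeIB:
    at least 10 characters, at least one digit, and at least 3 case flips between
    consecutive letters.  Legitimate names like gupdate1c99383a758ac58 or
    GoogleToolbarNotifier.exe fail one of those tests."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", name)          # drop a file extension
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 10 or not any(c.isdigit() for c in stem) or len(letters) < 2:
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.islower() != b.islower())
    return flips >= 3


def triage(log_text):
    """Walk the log section by section and collect the three indicator classes."""
    findings = {"folders": [], "run_entries": [], "security_center": []}
    section = key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group("name"), None
            continue
        if section is None:
            continue
        if section.startswith("Files Created"):
            m = CREATED_DIR_RE.match(line)
            if m and looks_random(basename(m.group("path"))):
                findings["folders"].append(m.group("path"))
        elif section.startswith("Reg Loading Points"):
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]                            # current registry key
                continue
            m = VALUE_RE.match(line)
            if not m or key is None:
                continue
            name, value = m.group("name"), m.group("value")
            lkey = key.lower()
            if lkey.endswith("\\currentversion\\run"):
                img = IMAGE_RE.match(value)
                path = img.group("path") if img else value
                if looks_random(name) or looks_random(basename(path)):
                    findings["run_entries"].append((key, name, path))
            elif ("security center\\monitoring" in lkey and name == "DisableMonitoring"
                  and value.lower() == "dword:00000001"):
                findings["security_center"].append(key)
    return findings


def draft_cfscript(findings):
    """Render File::/Folder::/Registry:: sections in the layout used in this thread."""
    out = ["File::"] + [path for _, _, path in findings["run_entries"]]
    out += ["", "Folder::"] + findings["folders"]
    out += ["", "Registry::"]
    for key in findings["security_center"]:
        out += [f"[{key}]", '"DisableMonitoring"=dword:00000000']
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, items in found.items():
        print(kind, items)
    print(draft_cfscript(found))
```

To use it on a real log, read ComboFix.txt into `triage()` instead of `SAMPLE_LOG`, then review every hit before pasting the output into CFScript.txt: the name heuristic will flag any long mixed-case name containing a digit, and ComboFix deletes whatever the `Folder::` section lists.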
     
  25. matteoporcedda

    matteoporcedda TS Rookie Topic Starter Posts: 20

    ComboFix 11-10-13.05 - Lynn 10/13/2011 16:48:59.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.860 [GMT -7:00]
    Running from: c:\documents and settings\Lynn\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Lynn\Desktop\CFScript.txt
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Lynn\Application Data\d22oFF3pm5QJdE8
    c:\documents and settings\Lynn\Application Data\D9hhTTXwjUVeIB
    c:\documents and settings\Lynn\Application Data\J22oobF3pmG5QJd
    c:\documents and settings\Lynn\Application Data\kCCCekkIVrOyx0u
    c:\documents and settings\Lynn\Application Data\KibbFF3pmG
    c:\documents and settings\Lynn\Application Data\ldr.ini
    c:\documents and settings\Lynn\Application Data\RIIIVrrzONtA0vS
    c:\program files\version.txt
    c:\windows\dasetup.log
    c:\windows\system32\d3d9caps.dat
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-14 to 2011-10-14 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-13 22:45 . 2011-10-13 22:45 -------- d-----w- c:\windows\LastGood
    2011-10-13 03:04 . 2010-09-07 22:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-10 03:39 . 2011-04-14 21:01 24376 ----a-w- c:\program files\Mozilla Firefox\components\Scriptff.dll
    2011-10-10 03:39 . 2011-04-14 21:01 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-10-10 03:39 . 2011-04-14 21:01 88736 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-10-10 03:39 . 2011-04-14 21:01 84488 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-10-10 03:39 . 2011-04-14 21:01 84200 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-10-10 03:39 . 2011-04-14 21:01 56064 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-10-10 03:39 . 2011-04-14 21:01 52320 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-10-10 03:39 . 2011-04-14 21:01 314088 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-10-10 03:39 . 2011-04-14 21:01 153280 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-10-10 03:39 . 2011-10-10 03:39 -------- d-----w- c:\program files\McAfee.com
    2011-10-10 03:14 . 2011-03-13 18:45 148520 ----a-w- c:\windows\system32\mfevtps.exe
    2011-10-05 18:32 . 2011-10-05 18:32 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-09-30 06:40 . 2011-09-30 06:40 -------- d-----w- c:\program files\Common Files\Adobe
    2011-09-30 06:15 . 2011-09-30 06:58 -------- d-----w- c:\windows\SxsCaPendDel
    2011-09-26 01:25 . 2011-09-26 01:25 -------- d-----w- c:\program files\Apple Software Update
    2011-09-21 18:11 . 2011-09-21 18:11 -------- d-----w- c:\program files\CA Business Start-Up Forms
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-09-09 09:12 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-29 06:53 . 2011-10-01 06:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2010-08-27 04:04 . 2009-12-25 20:42 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2011-04-14 21:01 . 2011-10-10 03:39 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-10-13_22.34.44 )))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-25 39408]
    "uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2010-02-27 319280]
    "UpdateFlow.ATT-SST"="c:\program files\ATT-SST\McciBrowser.exe" [2010-06-30 1057792]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-20 53248]
    "MMTray"="c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe" [2004-04-20 131072]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-06-30 1573888]
    "UMonit"="c:\windows\system32\umonit.exe" [2004-10-28 53248]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-27 30192]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
    "nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2010-11-13 472112]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-11-11 159472]
    "BellSouthWCC_McciTrayApp"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2009-11-18 1577984]
    "ATT_WCC"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2009-11-18 1577984]
    "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-07-04 273544]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-24 1195408]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Documents and Settings\\Lynn\\My Documents\\Downloads\\SRO_L4_Full_Client_Downloader.exe"=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Lynn\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    "c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:pure Networks Platform Service
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "25928:TCP"= 25928:TCP:BitComet 25928 TCP
    "25928:UDP"= 25928:UDP:BitComet 25928 UDP
    "67:UDP"= 67:UDP:DHCP Discovery Service
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [10/09/2011 8:39 PM 84200]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/09/2011 8:39 PM 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [10/09/2011 8:39 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [10/09/2011 8:39 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [10/09/2011 8:39 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/09/2011 8:14 PM 148520]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [10/09/2011 8:39 PM 56064]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [10/09/2011 8:39 PM 314088]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [10/09/2011 8:39 PM 88736]
    S0 cerc6;cerc6; [x]
    S2 gupdate1c99383a758ac58;Google Update Service (gupdate1c99383a758ac58);c:\program files\Google\Update\GoogleUpdate.exe [02/20/2009 10:49 AM 133104]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [08/05/2009 9:44 AM 16512]
    S3 fixustor;fixustor;c:\windows\system32\drivers\fixustor.sys [07/17/2009 10:11 AM 6016]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/25/2009 1:42 PM 30192]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [02/20/2009 10:49 AM 133104]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [10/09/2011 8:39 PM 88736]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/09/2011 8:39 PM 84488]
    S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\Zune\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
    .
    2011-10-13 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-25 01:41]
    .
    2011-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 17:49]
    .
    2011-10-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-02-20 17:49]
    .
    2011-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1500820517-1644491937-1003Core.job
    - c:\documents and settings\Lynn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 15:59]
    .
    2011-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-1500820517-1644491937-1003UA.job
    - c:\documents and settings\Lynn\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 15:59]
    .
    2011-10-13 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1645522239-1500820517-1644491937-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
    .
    2011-10-13 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1645522239-1500820517-1644491937-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 17:47]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.att.net
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.254
    FF - ProfilePath - c:\documents and settings\Lynn\Application Data\Mozilla\Firefox\Profiles\ujxsiy3v.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
    FF - prefs.js: network.proxy.type - 0
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-13 17:01
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    UMonit = c:\windows\system32\umonit.exe?WZSE0.TMP\imagemate-6.30\WinXP\fixustor.sys????????????????????????????A~0:??????????tq[?l??? ??|`??|????]??|??D~????????0:??F$?|??B~??B~*?,?0:????????????????????????????????B~????????????tq[?????T?????[?????tq[???????a????
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-10-13 17:12:24
    ComboFix-quarantined-files.txt 2011-10-14 00:12
    ComboFix2.txt 2011-10-13 22:51
    .
    Pre-Run: 24,270,839,808 bytes free
    Post-Run: 24,262,479,872 bytes free
    .
    - - End Of File - - 0F19467B3C301401DE92857AD8DCFD7A
     
Topic Status:
Not open for further replies.

