
Google redirect, AV & IE damage

Discussion in 'Virus and Malware Removal' started by tatterjack, Oct 13, 2011.

  1. Broni Malware Annihilator Posts: 39,313   +175

    You can OK that message.
  2. tatterjack Newcomer, in training Posts: 75

    ComboFix log

    ComboFix 11-10-18.04 - Russell Dobash 10/19/2011 4:04.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1679 [GMT 1:00]
    Running from: C:\ComboFix.exe
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\LocalService\Local Settings\Application Data\bvdbobao.log
    c:\documents and settings\LocalService\Local Settings\Application Data\fkvqtkwm.log
    c:\documents and settings\LocalService\Local Settings\Application Data\nesqejrr.log
    c:\documents and settings\LocalService\Local Settings\Application Data\obigcqqa.log
    c:\documents and settings\LocalService\Local Settings\Application Data\rwgxkfbp.log
    c:\documents and settings\LocalService\Local Settings\Application Data\ydmeccsi.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\bvdbobao.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\fkvqtkwm.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\mnldimku.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\nesqejrr.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\obigcqqa.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\rwgxkfbp.log
    c:\documents and settings\Russell Dobash\Local Settings\Application Data\ydmeccsi.log
    c:\documents and settings\Russell Dobash\WINDOWS
    c:\program files\Common Files\Uninstall
    c:\program files\PAV
    c:\windows\system32\d3d9caps.dat
    c:\windows\system32\lsprst7.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Service_Micorsoft Windows Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-19 to 2011-10-19 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-18 20:59 . 2011-10-19 03:14 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
    2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
    2011-09-28 12:41 . 2011-09-28 12:41 -------- d-----w- c:\windows\system32\MpEngineStore
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
    .
    c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
    Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
    R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    2011-10-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.2.1
    .
    - - - - ORPHANS REMOVED - - - -
    .
    HKU-Default-Run-LmlLhkfv - c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe
    AddRemove-EndNote - c:\progra~1\ENDNOT~2\UNWISE.EXE
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-19 04:15
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    detected NTDLL code modification:
    ZwQueryDirectoryFile
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(2520)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-19 04:27:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-19 03:26
    .
    Pre-Run: 121,508,352,000 bytes free
    Post-Run: 121,815,048,192 bytes free
    .
    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    .
    - - End Of File - - 8D47F9A2204DF8A2D05E4C26F5FF0D93
  3. Broni Malware Annihilator Posts: 39,313   +175

    Good job :)

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box
    • Click OK
    Windows Vista/7 users: click Start, in "Start search" type notepad and press Enter.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000000
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  4. tatterjack Newcomer, in training Posts: 75

    Left combofix.exe on C:\ and dragged cfscript.txt to it from USB drive.
    Windows message: "Windows cannot access the specified device, path, file"

    Tried putting cfscript.txt on C:\ and dragging to combofix. Same result.

    I still have no access to McAfee. If it is this that is causing the problem I am very happy to get rid of it and use one of the free ones.
  5. Broni Malware Annihilator Posts: 39,313   +175

    Let's run the following tool. This will help determine which files need permissions restored.

    Please download and save Junction.zip

    Unzip it and place Junction.exe in the Windows directory (C:\Windows).
    Go to Start>Run (Vista and Windows 7 users use "Start search" box).
    Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system.
    Wait until a log file opens.
    Copy and paste the log in your next reply.
  6. tatterjack Newcomer, in training Posts: 75

    Junction Output

    Junction v1.06 - Windows junction creator and reparse point viewer
    Copyright (C) 2000-2010 Mark Russinovich
    Sysinternals - www.sysinternals.com


    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.
    Failed to open \\?\c:\\Qoobox\BackEnv\AppData.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Cache.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Cookies.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Desktop.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Favorites.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\History.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\LocalAppData.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\LocalSettings.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Music.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\NetHood.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Personal.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Pictures.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\PrintHood.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Profiles.Folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Programs.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Recent.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\SendTo.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\SetPath.bat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\StartMenu.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\StartUp.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\SysPath.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\Templates.folder.dat: Access is denied.



    Failed to open \\?\c:\\Qoobox\BackEnv\VikPev00: Access is denied.



    Failed to open \\?\c:\\System Volume Information\1590912drv.isw: Access is denied.



    Failed to open \\?\c:\\System Volume Information\7234949drv.isw: Access is denied.



    Failed to open \\?\c:\\System Volume Information\mdllog.dat: Access is denied.

    No reparse points found.
     
  7. Broni Malware Annihilator Posts: 39,313   +175

    Please download GrantPerms.zip and save it to your desktop.
    Unzip the file and depending on the system run GrantPerms.exe (32-bit system) or GrantPerms64.exe (64-bit system)
    Copy and paste the following in the edit box:

    Code:
    c:\\System Volume Information\mdllog.dat
    c:\\System Volume Information\7234949drv.isw
    c:\\System Volume Information\1590912drv.isw
    c:\\Qoobox\BackEnv\VikPev00
    c:\\Qoobox\BackEnv\Templates.folder.dat
    c:\\Qoobox\BackEnv\SysPath.dat
    c:\\Qoobox\BackEnv\StartUp.folder.dat
    c:\\Qoobox\BackEnv\StartMenu.folder.dat
    c:\\Qoobox\BackEnv\SetPath.bat
    c:\\Qoobox\BackEnv\SendTo.folder.dat
    c:\\Qoobox\BackEnv\Recent.folder.dat
    c:\\Qoobox\BackEnv\Programs.folder.dat
    c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat
    c:\\Qoobox\BackEnv\Profiles.Folder.dat
    c:\\Qoobox\BackEnv\PrintHood.folder.dat
    c:\\Qoobox\BackEnv\Pictures.folder.dat
    c:\\Qoobox\BackEnv\Personal.folder.dat
    c:\\Qoobox\BackEnv\NetHood.folder.dat
    c:\\Qoobox\BackEnv\Music.folder.dat
    c:\\Qoobox\BackEnv\LocalSettings.folder.dat
    c:\\Qoobox\BackEnv\LocalAppData.folder.dat
    c:\\Qoobox\BackEnv\History.folder.dat
    c:\\Qoobox\BackEnv\Favorites.folder.dat
    c:\\Qoobox\BackEnv\Desktop.folder.dat
    c:\\Qoobox\BackEnv\Cookies.folder.dat
    c:\\Qoobox\BackEnv\Cache.folder.dat
    c:\\Qoobox\BackEnv\AppData.folder.dat
    
    Click Unlock. When it is done click "OK".
    Click List Permissions and post the result of Perms.txt file that pops up.
    A copy of Perms.txt will be saved in the same directory the tool is run.

    You should be able to run Combofix fix now.
  8. tatterjack Newcomer, in training Posts: 75

    GrantPerms Output

    GrantPerms by Farbar
    Ran by Russell Dobash at 2011-10-20 02:58:00

    ===============================================
    \\?\c:\\System Volume Information\mdllog.dat

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\System Volume Information\7234949drv.isw

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\System Volume Information\1590912drv.isw

    Owner: BUILTIN\Administrators

    DACL(P)(AI):
    BUILTIN\Administrators FULL ALLOW (CI)(OI)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)


    \\?\c:\\Qoobox\BackEnv\VikPev00

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Templates.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\SysPath.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\StartUp.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\StartMenu.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\SetPath.bat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\SendTo.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Recent.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Programs.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Profiles.Folder.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Profiles.Folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\PrintHood.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Pictures.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Personal.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\NetHood.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Music.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\LocalSettings.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\LocalAppData.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\History.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Favorites.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Desktop.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Cookies.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\Cache.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)


    \\?\c:\\Qoobox\BackEnv\AppData.folder.dat

    Owner: BUILTIN\Administrators

    DACL(NP)(AI):
    Everyone FULL DENY (CI)(OI)(I)
    BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
    NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
    CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
    BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)(I)
    BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
    BUILTIN\Users ADD FILE ALLOW (CI)(I)
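    The two findings the helper acts on in this thread are the extra executable appended to the Winlogon Userinit value (first ComboFix log) and the Everyone DENY ACEs on the Qoobox\BackEnv files (GrantPerms output above). The Python below is an added example, not code from the thread, from ComboFix or from GrantPerms: it parses constructed samples of both outputs and flags exactly those two conditions; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# The only value Windows itself puts in Winlogon\Userinit (a trailing comma is normal).
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the Winlogon line as ComboFix printed it in the first log above.
SAMPLE_USERINIT_LINE = (
    r'"Userinit"="c:\windows\system32\userinit.exe,,'
    r'c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"'
)

# Constructed sample of GrantPerms "List Permissions" output: one untouched file and one
# carrying the Everyone DENY ACE that every Qoobox\BackEnv file above shows.
SAMPLE_PERMS = r"""
\\?\c:\\System Volume Information\mdllog.dat
Owner: BUILTIN\Administrators
DACL(P)(AI):
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)
BUILTIN\Users READ/EXECUTE ALLOW (CI)(OI)

\\?\c:\\Qoobox\BackEnv\SetPath.bat
Owner: BUILTIN\Administrators
DACL(NP)(AI):
Everyone FULL DENY (CI)(OI)(I)
BUILTIN\Administrators FULL ALLOW (CI)(OI)(I)
NT AUTHORITY\SYSTEM FULL ALLOW (CI)(OI)(I)
CREATOR OWNER FULL ALLOW (CI)(OI)(IO)(I)
BUILTIN\Users ADD SUBDIRECTORY ALLOW (CI)(I)
"""


def userinit_extras(line):
    """Entries of a Winlogon Userinit value other than the genuine userinit.exe.
    Winlogon launches every comma-separated entry at logon, so any extra path
    (here lmllhkfv.exe under the LocalService profile) is a persistence entry."""
    m = re.match(r'\s*"Userinit"="(.*)"\s*$', line)
    if not m:
        raise ValueError("not a ComboFix Userinit line")
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e for e in entries if e and e.lower() != LEGIT_USERINIT]


@dataclass
class Ace:
    trustee: str
    rights: str
    kind: str   # "ALLOW" or "DENY"
    flags: str  # inheritance flags as printed, e.g. "(CI)(OI)(I)"


@dataclass
class Entry:
    owner: str = ""
    protected: bool = False  # DACL(P): inheritance from the parent folder is blocked
    aces: list = field(default_factory=list)


ACE_RE = re.compile(r"^(?P<body>.+?)\s+(?P<kind>ALLOW|DENY)\s*(?P<flags>(?:\([A-Z]+\))*)$")
# Longest keywords first, so "ADD SUBDIRECTORY" is not split into "...ADD" / "SUBDIRECTORY".
RIGHTS = ("READ/EXECUTE", "ADD SUBDIRECTORY", "ADD FILE", "FULL", "MODIFY", "WRITE", "READ")


def parse_ace(line):
    """Split one GrantPerms ACE line into trustee / rights / ALLOW-or-DENY / flags."""
    m = ACE_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    for r in RIGHTS:                # trustees such as "NT AUTHORITY\SYSTEM" contain spaces,
        if body.endswith(" " + r):  # so the rights keyword is matched from the right-hand end
            return Ace(body[: -len(r) - 1], r, m.group("kind"), m.group("flags"))
    trustee, _, rights = body.rpartition(" ")
    return Ace(trustee, rights, m.group("kind"), m.group("flags"))


def parse_grantperms(text):
    """Parse GrantPerms output into {path: Entry}; each block opens with an extended-length path."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("\\\\?\\"):
            current = entries[line] = Entry()
        elif current is None or not line:
            continue
        elif line.startswith("Owner:"):
            current.owner = line.split(":", 1)[1].strip()
        elif line.startswith("DACL"):
            current.protected = line.startswith("DACL(P)")
        else:
            ace = parse_ace(line)
            if ace:
                current.aces.append(ace)
    return entries


def locked_out_paths(entries):
    """Paths carrying an explicit DENY for Everyone. Deny ACEs are checked before allows and
    Everyone covers Administrators and SYSTEM too, which is why ComboFix could not touch
    these files until GrantPerms' Unlock removed the ACE."""
    return sorted(p for p, e in entries.items()
                  if any(a.kind == "DENY" and a.trustee == "Everyone" for a in e.aces))
```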
  9. Broni Malware Annihilator Posts: 39,313   +175

    See if Combofix fix will run now.
  10. tatterjack Newcomer, in training Posts: 75

    ComboFix

    This time I could drag ComboFix to the desktop and when I dragged cfscript.txt onto it, it ran. It's now showing the blue command window and coming up with the Nirkmd messages, to which I'm replying OK. There were about 50 of them last time.
  11. tatterjack Newcomer, in training Posts: 75

    Curiously, I got a message saying Windows Update needed to restart the computer despite not being connected to the Internet. I clicked Restart Later.
  12. Broni Malware Annihilator Posts: 39,313   +175

    Update me on Combofix situation in a while.
  13. tatterjack Newcomer, in training Posts: 75

    Combofix Output

    ComboFix 11-10-18.04 - Russell Dobash 10/20/2011 3:08.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1384 [GMT 1:00]
    Running from: c:\documents and settings\Russell Dobash\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Russell Dobash\Desktop\cfscript.txt
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    * Resident AV is active
    .
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\LocalService\Local Settings\Application Data\bvdbobao.log
    c:\documents and settings\LocalService\Local Settings\Application Data\fkvqtkwm.log
    c:\documents and settings\LocalService\Local Settings\Application Data\mnldimku.log
    c:\documents and settings\LocalService\Local Settings\Application Data\nesqejrr.log
    c:\documents and settings\LocalService\Local Settings\Application Data\obigcqqa.log
    c:\documents and settings\LocalService\Local Settings\Application Data\rwgxkfbp.log
    c:\documents and settings\LocalService\Local Settings\Application Data\ydmeccsi.log
    c:\windows\system32\_000005_.tmp.dll
    c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi . . . . Failed to delete
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MICORSOFT_WINDOWS_SERVICE
    -------\Service_Micorsoft Windows Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-09-20 to 2011-10-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-10-18 20:59 . 2011-10-20 02:22 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi
    2011-10-15 15:50 . 2010-09-07 14:39 150392 ----a-w- c:\windows\junction.exe
    2011-10-14 20:44 . 2011-10-14 20:44 -------- d-----w- C:\_OTL
    2011-10-13 17:11 . 2011-10-13 17:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-10-13 17:11 . 2011-08-31 16:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-10-08 15:26 . 2011-10-08 15:26 -------- d-----w- c:\documents and settings\Russell Dobash\Local Settings\Application Data\PCHealth
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-10-14 09:51 . 2004-08-04 12:00 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
    2011-10-07 14:24 . 2011-08-25 08:51 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-09-09 09:12 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-06 13:20 . 2004-08-04 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-08-22 23:48 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-08-22 23:48 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-08-22 23:48 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-08-22 11:56 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-08-17 13:49 . 2004-08-04 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-10-19_03.15.21 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-10-20 02:24 . 2011-10-20 02:24 56200 c:\windows\Temp\offreg.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\mshtmled.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\mshtmled.dll
    - 2006-11-07 21:03 . 2011-06-23 18:36 55296 c:\windows\system32\msfeedsbs.dll
    + 2006-11-07 21:03 . 2011-08-22 23:48 55296 c:\windows\system32\msfeedsbs.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\jsproxy.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\jsproxy.dll
    - 2009-07-17 08:48 . 2011-06-23 18:36 12800 c:\windows\system32\dllcache\xpshims.dll
    + 2009-07-17 08:48 . 2011-08-22 23:48 12800 c:\windows\system32\dllcache\xpshims.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 66560 c:\windows\system32\dllcache\mshtmled.dll
    + 2007-05-09 07:50 . 2011-08-22 23:48 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    - 2007-05-09 07:50 . 2011-06-23 18:36 55296 c:\windows\system32\dllcache\msfeedsbs.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 43520 c:\windows\system32\dllcache\licmgr10.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 43520 c:\windows\system32\dllcache\licmgr10.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 25600 c:\windows\system32\dllcache\jsproxy.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 25600 c:\windows\system32\dllcache\jsproxy.dll
    - 2010-09-23 14:55 . 2010-09-23 14:55 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    + 2011-07-08 13:00 . 2011-07-08 13:00 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Security.dll
    + 2011-07-07 11:04 . 2011-07-07 11:04 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
    - 2010-09-23 01:26 . 2010-09-23 01:26 77824 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
    + 2011-07-07 11:04 . 2011-07-07 11:04 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
    - 2010-09-23 01:26 . 2010-09-23 01:26 86016 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
    + 2011-07-07 11:03 . 2011-07-07 11:03 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    - 2010-09-23 01:26 . 2010-09-23 01:26 81920 c:\windows\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
    - 2010-09-23 02:17 . 2010-09-23 02:17 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    + 2011-07-07 12:09 . 2011-07-07 12:09 32768 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
    - 2010-09-23 02:17 . 2010-09-23 02:17 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
    + 2011-07-07 12:09 . 2011-07-07 12:09 24576 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_filter.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 66560 c:\windows\ie8updates\KB2586448-IE8\mshtmled.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 55296 c:\windows\ie8updates\KB2586448-IE8\msfeedsbs.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 43520 c:\windows\ie8updates\KB2586448-IE8\licmgr10.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 25600 c:\windows\ie8updates\KB2586448-IE8\jsproxy.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 90112 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_a11d3fd6\System.Drawing.Design.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 61440 c:\windows\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_fa26395a\CustomMarshalers.dll
    - 2010-10-06 17:13 . 2010-10-06 17:13 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    + 2011-10-20 02:00 . 2011-10-20 02:00 81920 c:\windows\assembly\GAC\System.Security\1.0.5000.0__b03f5f7f11d50a3a\System.Security.dll
    + 2011-10-20 02:22 . 2011-10-20 02:22 114035 c:\windows\Temp\drggmmefohcljxih.exe
    - 2011-10-19 03:14 . 2011-10-19 03:14 114035 c:\windows\Temp\drggmmefohcljxih.exe
    - 2004-08-04 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\url.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 105984 c:\windows\system32\url.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 206848 c:\windows\system32\occache.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 206848 c:\windows\system32\occache.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\mstime.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\mstime.dll
    - 2006-11-07 21:03 . 2011-06-23 18:36 602112 c:\windows\system32\msfeeds.dll
    + 2006-11-07 21:03 . 2011-08-22 23:48 602112 c:\windows\system32\msfeeds.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 184320 c:\windows\system32\iepeers.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\iepeers.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\iedkcs32.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\iedkcs32.dll
    + 2004-08-04 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\ie4uinit.exe
    + 2006-07-10 12:10 . 2011-10-20 02:22 307600 c:\windows\system32\FNTCACHE.DAT
    - 2006-07-10 12:10 . 2011-07-14 09:01 307600 c:\windows\system32\FNTCACHE.DAT
    - 2004-08-04 12:00 . 2011-06-23 18:36 916480 c:\windows\system32\dllcache\wininet.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 916480 c:\windows\system32\dllcache\wininet.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 105984 c:\windows\system32\dllcache\url.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 105984 c:\windows\system32\dllcache\url.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 206848 c:\windows\system32\dllcache\occache.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 206848 c:\windows\system32\dllcache\occache.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 611840 c:\windows\system32\dllcache\mstime.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 611840 c:\windows\system32\dllcache\mstime.dll
    - 2007-05-09 07:50 . 2011-06-23 18:36 602112 c:\windows\system32\dllcache\msfeeds.dll
    + 2007-05-09 07:50 . 2011-08-22 23:48 602112 c:\windows\system32\dllcache\msfeeds.dll
    + 2009-07-17 08:48 . 2011-08-22 23:48 247808 c:\windows\system32\dllcache\ieproxy.dll
    - 2009-07-17 08:48 . 2011-06-23 18:36 247808 c:\windows\system32\dllcache\ieproxy.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 184320 c:\windows\system32\dllcache\iepeers.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 184320 c:\windows\system32\dllcache\iepeers.dll
    + 2010-06-13 14:58 . 2011-08-22 23:48 743424 c:\windows\system32\dllcache\iedvtool.dll
    - 2010-06-13 14:58 . 2011-06-23 18:36 743424 c:\windows\system32\dllcache\iedvtool.dll
    - 2004-08-04 12:00 . 2011-06-23 18:36 387584 c:\windows\system32\dllcache\iedkcs32.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 387584 c:\windows\system32\dllcache\iedkcs32.dll
    + 2004-08-04 12:00 . 2011-08-22 11:56 174080 c:\windows\system32\dllcache\ie4uinit.exe
    - 2008-06-20 11:40 . 2011-02-16 13:22 138496 c:\windows\system32\dllcache\afd.sys
    + 2008-06-20 11:40 . 2011-08-17 13:49 138496 c:\windows\system32\dllcache\afd.sys
    + 2011-10-18 20:59 . 2011-10-20 02:22 114035 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\lmllhkfv.exe
    - 2010-09-23 01:26 . 2010-09-23 01:26 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    + 2011-07-07 11:04 . 2011-07-07 11:04 102400 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
    - 2010-09-23 01:25 . 2010-09-23 01:25 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    + 2011-07-07 11:01 . 2011-07-07 11:01 315392 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
    - 2010-09-23 02:17 . 2010-09-23 02:17 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    + 2011-07-07 12:09 . 2011-07-07 12:09 258048 c:\windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
    + 2011-10-20 02:03 . 2011-06-23 18:36 130043 c:\windows\ie8updates\KB2586448-IE8\xpshims.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 916480 c:\windows\ie8updates\KB2586448-IE8\wininet.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 105984 c:\windows\ie8updates\KB2586448-IE8\url.dll
    + 2011-10-20 02:03 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2586448-IE8\spuninst\updspapi.dll
    + 2011-10-20 02:03 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2586448-IE8\spuninst\spuninst.exe
    + 2011-10-20 02:02 . 2011-06-23 18:36 206848 c:\windows\ie8updates\KB2586448-IE8\occache.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 611840 c:\windows\ie8updates\KB2586448-IE8\mstime.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 602112 c:\windows\ie8updates\KB2586448-IE8\msfeeds.dll
    + 2011-10-20 02:03 . 2011-06-23 18:36 364892 c:\windows\ie8updates\KB2586448-IE8\ieproxy.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 184320 c:\windows\ie8updates\KB2586448-IE8\iepeers.dll
    + 2011-10-20 02:03 . 2011-06-23 18:36 860696 c:\windows\ie8updates\KB2586448-IE8\iedvtool.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 387584 c:\windows\ie8updates\KB2586448-IE8\iedkcs32.dll
    + 2011-10-20 02:03 . 2011-06-23 12:05 173568 c:\windows\ie8updates\KB2586448-IE8\ie4uinit.exe
    + 2011-10-20 02:01 . 2011-10-20 02:01 835584 c:\windows\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_8685ae70\System.Drawing.dll
    + 2011-10-20 02:23 . 2011-10-20 02:24 7269712 c:\windows\Temp\MPENGINE.DLL
    - 2004-08-04 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\urlmon.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 1212416 c:\windows\system32\urlmon.dll
    + 2004-08-04 12:00 . 2011-10-03 08:35 5971456 c:\windows\system32\mshtml.dll
    + 2006-10-17 11:57 . 2011-08-22 23:48 2000384 c:\windows\system32\iertutil.dll
    - 2008-10-16 11:53 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
    + 2008-10-16 11:53 . 2011-09-06 13:20 1858944 c:\windows\system32\dllcache\win32k.sys
    - 2004-08-04 12:00 . 2011-06-23 18:36 1212416 c:\windows\system32\dllcache\urlmon.dll
    + 2004-08-04 12:00 . 2011-08-22 23:48 1212416 c:\windows\system32\dllcache\urlmon.dll
    + 2004-08-04 12:00 . 2011-10-03 08:35 5971456 c:\windows\system32\dllcache\mshtml.dll
    + 2007-05-09 07:50 . 2011-08-22 23:48 2000384 c:\windows\system32\dllcache\iertutil.dll
    + 2011-07-08 12:59 . 2011-07-08 12:59 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    - 2010-09-23 14:55 . 2010-09-23 14:55 1265664 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
    - 2010-09-23 14:55 . 2010-09-23 14:55 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
    + 2011-07-08 12:59 . 2011-07-08 12:59 1232896 c:\windows\Microsoft.NET\Framework\v1.1.4322\System.dll
    + 2011-07-07 11:02 . 2011-07-07 11:02 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    - 2010-09-23 01:26 . 2010-09-23 01:26 2514944 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
    + 2011-07-07 11:02 . 2011-07-07 11:02 2527232 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
    - 2010-09-23 14:55 . 2010-09-23 14:55 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    + 2011-07-08 12:59 . 2011-07-08 12:59 2142208 c:\windows\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 1212416 c:\windows\ie8updates\KB2586448-IE8\urlmon.dll
    + 2011-10-20 02:02 . 2011-07-25 15:17 5969920 c:\windows\ie8updates\KB2586448-IE8\mshtml.dll
    + 2011-10-20 02:02 . 2011-06-23 18:36 1991680 c:\windows\ie8updates\KB2586448-IE8\iertutil.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 1966080 c:\windows\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_006ebf2b\System.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 2088960 c:\windows\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_a1e531e9\System.Xml.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 3018752 c:\windows\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_f00b8d1f\System.Windows.Forms.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 1470464 c:\windows\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_316aa935\System.Design.dll
    + 2011-10-20 02:01 . 2011-10-20 02:01 3391488 c:\windows\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_df620e42\mscorlib.dll
    - 2010-10-06 17:13 . 2010-10-06 17:13 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    + 2011-10-20 02:00 . 2011-10-20 02:00 1232896 c:\windows\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
    + 2011-10-20 02:00 . 2011-10-20 02:00 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    - 2010-10-06 17:13 . 2010-10-06 17:13 1265664 c:\windows\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
    + 2006-09-21 15:00 . 2011-10-20 02:03 48324552 c:\windows\system32\MRT.exe
    - 2006-11-07 21:03 . 2011-06-23 18:36 11081728 c:\windows\system32\ieframe.dll
    + 2006-11-07 21:03 . 2011-08-23 16:48 11081728 c:\windows\system32\ieframe.dll
    - 2007-05-09 07:50 . 2011-06-23 18:36 11081728 c:\windows\system32\dllcache\ieframe.dll
    + 2007-05-09 07:50 . 2011-08-23 16:48 11081728 c:\windows\system32\dllcache\ieframe.dll
    + 2011-07-12 21:49 . 2011-07-12 21:49 11459584 c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2572067\M2572067Uninstall.msp
    + 2011-07-12 14:50 . 2011-07-12 14:50 17555968 c:\windows\Installer\126fa2f.msp
    + 2011-10-20 02:02 . 2011-06-23 18:36 11081728 c:\windows\ie8updates\KB2586448-IE8\ieframe.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-29 68856]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]
    "VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-05-26 85160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-01-17 1193848]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2011-10-15 1404928]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "LmlLhkfv"="c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe" [2011-10-20 114035]
    .
    c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
    lmllhkfv.exe [2011-10-20 114035]
    .
    c:\documents and settings\Russell Dobash\Start Menu\Programs\Startup\
    Freecom Personal Media Suite.lnk - c:\program files\Freecom Personal Media Suite\FCPMS.exe [2006-9-14 3338296]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    VPN Client.lnk - c:\windows\Installer\{21E247D4-5E27-4BEA-AA4D-19A81203FE2A}\Icon3E5562ED7.ico [2011-4-3 6144]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\system32\userinit.exe,,c:\documents and settings\LocalService\Local Settings\Application Data\dgtvwkvi\lmllhkfv.exe"
    .
    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
    @="Driver Group"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
    @="DiskDrive"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
    @="Hdc"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
    @="Keyboard"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
    @="Mouse"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
    @="System"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
    @="Volume"
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\WinWrapIDE.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.exe"=
    "c:\\Program Files\\SPSSInc\\PASWStatistics18\\paswstat.com"=
    "c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/2/2011 5:56 PM 84072]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [9/19/2010 3:05 PM 203280]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/2/2011 5:55 PM 271480]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/2/2011 5:56 PM 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [4/2/2011 5:56 PM 141792]
    R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [9/14/2006 3:23 PM 12160]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/2/2011 5:56 PM 55840]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/2/2011 5:56 PM 313288]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [9/14/2006 3:23 PM 7040]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/1/2010 12:55 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/2/2011 5:56 PM 88544]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/2/2011 5:56 PM 84264]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 11:55]
    .
    2011-10-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003Core.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    2011-10-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1482476501-839522115-1003UA.job
    - c:\documents and settings\Russell Dobash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-04 14:41]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    uStart Page = hxxp://www.google.co.uk/
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-10-20 03:24
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3216)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe
    c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
    c:\program files\Cisco Systems\VPN Client\cvpnd.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\system32\MRT.exe
    .
    **************************************************************************
    .
    Completion time: 2011-10-20 03:30:57 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-10-20 02:30
    ComboFix2.txt 2011-10-19 03:27
    .
    Pre-Run: 118,658,908,160 bytes free
    Post-Run: 118,891,155,456 bytes free
    .
    - - End Of File - - D023BFFABFF0FFBBA95A892C9E6983C0
  14. Broni Malware Annihilator Posts: 39,313   +175

    The offending entry is still there....

    Download the FixTDSS.exe

    Save the file to your Windows desktop.
    Close all running programs.
    If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
    Double-click the FixTDSS.exe file to start the removal tool.
    Click Start to begin the process, and then allow the tool to run.
    Restart the computer when prompted by the tool.
    After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said).
    If you are running Windows XP, re-enable System Restore.
  15. tatterjack Newcomer, in training Posts: 75

    FixTDSS

    One message:

    Backdoor.Tidserv has been found on your computer.


    BTW the USB stick is no longer being corrupted and the McAfee icon has reappeared in the notification area although it has no function.
  16. Broni Malware Annihilator Posts: 39,313   +175

    Some good news :)

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
  17. tatterjack Newcomer, in training Posts: 75

    TDSSKiller Report

    21:35:54.0015 3800 TDSS rootkit removing tool 2.6.11.0 Oct 19 2011 13:50:27
    21:35:54.0046 3800 ============================================================
    21:35:54.0046 3800 Current date / time: 2011/10/20 21:35:54.0046
    21:35:54.0046 3800 SystemInfo:
    21:35:54.0046 3800
    21:35:54.0046 3800 OS Version: 5.1.2600 ServicePack: 3.0
    21:35:54.0046 3800 Product type: Workstation
    21:35:54.0046 3800 ComputerName: UNIVERSI-2DDE3C
    21:35:54.0046 3800 UserName: Russell Dobash
    21:35:54.0046 3800 Windows directory: C:\WINDOWS
    21:35:54.0046 3800 System windows directory: C:\WINDOWS
    21:35:54.0046 3800 Processor architecture: Intel x86
    21:35:54.0046 3800 Number of processors: 2
    21:35:54.0046 3800 Page size: 0x1000
    21:35:54.0046 3800 Boot type: Normal boot
    21:35:54.0046 3800 ============================================================
    21:35:55.0546 3800 Initialize success
    21:36:14.0656 3828 ============================================================
    21:36:14.0656 3828 Scan started
    21:36:14.0656 3828 Mode: Manual;
    21:36:14.0656 3828 ============================================================
    21:36:14.0828 3828 Abiosdsk - ok
    21:36:14.0843 3828 abp480n5 - ok
    21:36:14.0937 3828 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    21:36:14.0953 3828 ACPI - ok
    21:36:15.0000 3828 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    21:36:15.0000 3828 ACPIEC - ok
    21:36:15.0015 3828 adpu160m - ok
    21:36:15.0078 3828 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    21:36:15.0078 3828 aec - ok
    21:36:15.0125 3828 AegisP (2f7f3e8da380325866e566f5d5ec23d5) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    21:36:15.0125 3828 AegisP - ok
    21:36:15.0171 3828 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    21:36:15.0171 3828 AFD - ok
    21:36:15.0187 3828 Aha154x - ok
    21:36:15.0234 3828 aic78u2 - ok
    21:36:15.0250 3828 aic78xx - ok
    21:36:15.0328 3828 AliIde - ok
    21:36:15.0359 3828 amsint - ok
    21:36:15.0421 3828 asc - ok
    21:36:15.0453 3828 asc3350p - ok
    21:36:15.0484 3828 asc3550 - ok
    21:36:15.0609 3828 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    21:36:15.0609 3828 AsyncMac - ok
    21:36:15.0656 3828 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    21:36:15.0671 3828 atapi - ok
    21:36:15.0703 3828 Atdisk - ok
    21:36:15.0796 3828 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    21:36:15.0796 3828 Atmarpc - ok
    21:36:15.0906 3828 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    21:36:15.0906 3828 audstub - ok
    21:36:15.0953 3828 b57w2k (241474d01380e9ed41d4c07f4f5fd401) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    21:36:15.0953 3828 b57w2k - ok
    21:36:16.0062 3828 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    21:36:16.0062 3828 Beep - ok
    21:36:16.0140 3828 Bonifay (c0152e77307de863ebf6c728cf0a771d) C:\WINDOWS\system32\DRIVERS\Bonifay.sys
    21:36:16.0156 3828 Bonifay - ok
    21:36:16.0187 3828 catchme - ok
    21:36:16.0265 3828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    21:36:16.0265 3828 cbidf2k - ok
    21:36:16.0312 3828 cd20xrnt - ok
    21:36:16.0375 3828 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    21:36:16.0375 3828 Cdaudio - ok
    21:36:16.0468 3828 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    21:36:16.0468 3828 Cdfs - ok
    21:36:16.0515 3828 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    21:36:16.0515 3828 Cdrom - ok
    21:36:16.0593 3828 cfwids (7e6f7da1c4de5680820f964562548949) C:\WINDOWS\system32\drivers\cfwids.sys
    21:36:16.0593 3828 cfwids - ok
    21:36:16.0656 3828 Changer - ok
    21:36:16.0718 3828 CmdIde - ok
    21:36:16.0828 3828 Cpqarray - ok
    21:36:16.0921 3828 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
    21:36:16.0921 3828 CVirtA - ok
    21:36:17.0031 3828 CVPNDRVA (c23025ac5ae45a105d63bd6e2408edd4) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    21:36:17.0031 3828 CVPNDRVA - ok
    21:36:17.0046 3828 dac2w2k - ok
    21:36:17.0078 3828 dac960nt - ok
    21:36:17.0218 3828 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    21:36:17.0218 3828 Disk - ok
    21:36:17.0343 3828 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    21:36:17.0406 3828 dmboot - ok
    21:36:17.0453 3828 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    21:36:17.0468 3828 dmio - ok
    21:36:17.0500 3828 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    21:36:17.0500 3828 dmload - ok
    21:36:17.0609 3828 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    21:36:17.0609 3828 DMusic - ok
    21:36:17.0687 3828 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
    21:36:17.0687 3828 DNE - ok
    21:36:17.0828 3828 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
    21:36:17.0843 3828 Dot4 - ok
    21:36:17.0890 3828 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
    21:36:17.0890 3828 Dot4Print - ok
    21:36:17.0953 3828 dpti2o - ok
    21:36:18.0015 3828 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    21:36:18.0015 3828 drmkaud - ok
    21:36:18.0140 3828 ElbyCDIO (178cc9403816c082d22a1d47fa1f9c85) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
    21:36:18.0140 3828 ElbyCDIO - ok
    21:36:18.0250 3828 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    21:36:18.0250 3828 Fastfat - ok
    21:36:18.0296 3828 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    21:36:18.0312 3828 Fdc - ok
    21:36:18.0343 3828 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    21:36:18.0343 3828 Fips - ok
    21:36:18.0359 3828 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    21:36:18.0359 3828 Flpydisk - ok
    21:36:18.0390 3828 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    21:36:18.0406 3828 FltMgr - ok
    21:36:18.0421 3828 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    21:36:18.0421 3828 Fs_Rec - ok
    21:36:18.0453 3828 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    21:36:18.0468 3828 Ftdisk - ok
    21:36:18.0546 3828 Gonzales (673d63add112dce1ea58a4e418eddb86) C:\WINDOWS\system32\DRIVERS\Gonzales.sys
    21:36:18.0546 3828 Gonzales - ok
    21:36:18.0625 3828 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    21:36:18.0625 3828 Gpc - ok
    21:36:18.0687 3828 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    21:36:18.0687 3828 hidusb - ok
    21:36:18.0781 3828 HPFXBULK (e4e0b356a8756066cf89080d9da69f22) C:\WINDOWS\system32\drivers\hpfxbulk.sys
    21:36:18.0781 3828 HPFXBULK - ok
    21:36:18.0812 3828 hpn - ok
    21:36:18.0906 3828 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    21:36:18.0906 3828 HTTP - ok
    21:36:19.0015 3828 hwdatacard (20330198554b7ddb44403af21d6ae179) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
    21:36:19.0015 3828 hwdatacard - ok
    21:36:19.0062 3828 i2omgmt - ok
    21:36:19.0140 3828 i2omp - ok
    21:36:19.0203 3828 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
    21:36:19.0203 3828 i8042prt - ok
    21:36:19.0234 3828 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    21:36:19.0250 3828 Imapi - ok
    21:36:19.0281 3828 ini910u - ok
    21:36:19.0328 3828 IntelIde - ok
    21:36:19.0406 3828 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    21:36:19.0406 3828 intelppm - ok
    21:36:19.0453 3828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    21:36:19.0468 3828 Ip6Fw - ok
    21:36:19.0562 3828 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    21:36:19.0562 3828 IpFilterDriver - ok
    21:36:19.0609 3828 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    21:36:19.0609 3828 IpInIp - ok
    21:36:19.0734 3828 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    21:36:19.0734 3828 IpNat - ok
    21:36:19.0796 3828 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    21:36:19.0812 3828 IPSec - ok
    21:36:19.0843 3828 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    21:36:19.0843 3828 IRENUM - ok
    21:36:19.0890 3828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    21:36:19.0890 3828 isapnp - ok
    21:36:19.0906 3828 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    21:36:19.0921 3828 Kbdclass - ok
    21:36:19.0968 3828 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    21:36:19.0968 3828 kbdhid - ok
    21:36:20.0031 3828 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    21:36:20.0031 3828 kmixer - ok
    21:36:20.0062 3828 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    21:36:20.0062 3828 KSecDD - ok
    21:36:20.0109 3828 lbrtfdc - ok
    21:36:20.0171 3828 MBAMSwissArmy - ok
    21:36:20.0375 3828 mfeapfk (84d59a3eddfb9438fb94f7f80d37859d) C:\WINDOWS\system32\drivers\mfeapfk.sys
    21:36:20.0375 3828 mfeapfk - ok
    21:36:20.0453 3828 mfeavfk (67e961988312b1a28d6f93357b0bf998) C:\WINDOWS\system32\drivers\mfeavfk.sys
    21:36:20.0468 3828 mfeavfk - ok
    21:36:20.0468 3828 mfeavfk01 - ok
    21:36:20.0500 3828 mfebopk (19161b1796cf74a6a326abde309062ba) C:\WINDOWS\system32\drivers\mfebopk.sys
    21:36:20.0500 3828 mfebopk - ok
    21:36:20.0546 3828 mfefirek (d5f89b4934960c70882924d992c6abfc) C:\WINDOWS\system32\drivers\mfefirek.sys
    21:36:20.0546 3828 mfefirek - ok
    21:36:20.0609 3828 mfehidk (0efab2b91b27543fe589de700de07136) C:\WINDOWS\system32\drivers\mfehidk.sys
    21:36:20.0625 3828 mfehidk - ok
    21:36:20.0671 3828 mfendisk (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
    21:36:20.0671 3828 mfendisk - ok
    21:36:20.0687 3828 mfendiskmp (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
    21:36:20.0687 3828 mfendiskmp - ok
    21:36:20.0750 3828 mferkdet (c9eda1eada2ab6e34cd1a10c3a24ab25) C:\WINDOWS\system32\drivers\mferkdet.sys
    21:36:20.0750 3828 mferkdet - ok
    21:36:20.0843 3828 mfetdi2k (e6c5f7aade5a31c057d73201acfe8adf) C:\WINDOWS\system32\drivers\mfetdi2k.sys
    21:36:20.0843 3828 mfetdi2k - ok
    21:36:20.0890 3828 Micorsoft Windows Service - ok
    21:36:20.0937 3828 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    21:36:20.0937 3828 mnmdd - ok
    21:36:21.0015 3828 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    21:36:21.0015 3828 Modem - ok
    21:36:21.0046 3828 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    21:36:21.0046 3828 Mouclass - ok
    21:36:21.0109 3828 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    21:36:21.0109 3828 mouhid - ok
    21:36:21.0125 3828 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    21:36:21.0125 3828 MountMgr - ok
    21:36:21.0140 3828 mraid35x - ok
    21:36:21.0171 3828 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    21:36:21.0187 3828 MRxDAV - ok
    21:36:21.0250 3828 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    21:36:21.0296 3828 MRxSmb - ok
    21:36:21.0343 3828 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    21:36:21.0343 3828 Msfs - ok
    21:36:21.0390 3828 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    21:36:21.0406 3828 MSKSSRV - ok
    21:36:21.0468 3828 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    21:36:21.0468 3828 MSPCLOCK - ok
    21:36:21.0546 3828 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    21:36:21.0546 3828 MSPQM - ok
    21:36:21.0593 3828 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    21:36:21.0593 3828 mssmbios - ok
    21:36:21.0656 3828 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    21:36:21.0656 3828 Mup - ok
    21:36:21.0765 3828 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    21:36:21.0765 3828 NDIS - ok
    21:36:21.0843 3828 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    21:36:21.0843 3828 NdisTapi - ok
    21:36:21.0921 3828 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    21:36:21.0921 3828 Ndisuio - ok
    21:36:21.0968 3828 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    21:36:21.0968 3828 NdisWan - ok
    21:36:22.0015 3828 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    21:36:22.0015 3828 NDProxy - ok
    21:36:22.0093 3828 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    21:36:22.0093 3828 NetBIOS - ok
    21:36:22.0187 3828 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    21:36:22.0187 3828 NetBT - ok
    21:36:22.0312 3828 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    21:36:22.0312 3828 Npfs - ok
    21:36:22.0359 3828 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    21:36:22.0390 3828 Ntfs - ok
    21:36:22.0437 3828 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    21:36:22.0437 3828 Null - ok
    21:36:22.0500 3828 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    21:36:22.0500 3828 NwlnkFlt - ok
    21:36:22.0500 3828 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    21:36:22.0515 3828 NwlnkFwd - ok
    21:36:22.0593 3828 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    21:36:22.0593 3828 Parport - ok
    21:36:22.0625 3828 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    21:36:22.0625 3828 PartMgr - ok
    21:36:22.0687 3828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    21:36:22.0687 3828 ParVdm - ok
    21:36:22.0703 3828 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    21:36:22.0703 3828 PCI - ok
    21:36:22.0734 3828 PCIDump - ok
    21:36:22.0781 3828 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    21:36:22.0796 3828 PCIIde - ok
    21:36:22.0843 3828 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    21:36:22.0843 3828 Pcmcia - ok
    21:36:22.0859 3828 PDCOMP - ok
    21:36:22.0953 3828 PDFRAME - ok
    21:36:22.0984 3828 PDRELI - ok
    21:36:23.0031 3828 PDRFRAME - ok
    21:36:23.0109 3828 perc2 - ok
    21:36:23.0156 3828 perc2hib - ok
    21:36:23.0312 3828 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    21:36:23.0312 3828 PptpMiniport - ok
    21:36:23.0359 3828 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    21:36:23.0359 3828 PSched - ok
    21:36:23.0406 3828 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    21:36:23.0406 3828 Ptilink - ok
    21:36:23.0453 3828 ql1080 - ok
    21:36:23.0500 3828 Ql10wnt - ok
    21:36:23.0531 3828 ql12160 - ok
    21:36:23.0578 3828 ql1240 - ok
    21:36:23.0656 3828 ql1280 - ok
    21:36:23.0703 3828 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    21:36:23.0703 3828 RasAcd - ok
    21:36:23.0765 3828 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    21:36:23.0765 3828 Rasl2tp - ok
    21:36:23.0828 3828 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    21:36:23.0828 3828 RasPppoe - ok
    21:36:23.0906 3828 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    21:36:23.0906 3828 Raspti - ok
    21:36:23.0953 3828 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    21:36:23.0953 3828 Rdbss - ok
    21:36:24.0000 3828 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    21:36:24.0000 3828 RDPCDD - ok
    21:36:24.0062 3828 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    21:36:24.0062 3828 rdpdr - ok
    21:36:24.0125 3828 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    21:36:24.0125 3828 RDPWD - ok
    21:36:24.0187 3828 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    21:36:24.0187 3828 redbook - ok
    21:36:24.0312 3828 RT73 (bf4709c002d632170dc15a282813d6b3) C:\WINDOWS\system32\DRIVERS\rt73.sys
    21:36:24.0328 3828 RT73 - ok
    21:36:24.0453 3828 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    21:36:24.0453 3828 Secdrv - ok
    21:36:24.0531 3828 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    21:36:24.0531 3828 senfilt - ok
    21:36:24.0578 3828 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    21:36:24.0578 3828 serenum - ok
    21:36:24.0609 3828 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    21:36:24.0609 3828 Serial - ok
    21:36:24.0687 3828 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    21:36:24.0687 3828 Sfloppy - ok
    21:36:24.0734 3828 Simbad - ok
    21:36:24.0812 3828 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
    21:36:24.0812 3828 smwdm - ok
    21:36:24.0843 3828 Sparrow - ok
    21:36:24.0937 3828 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    21:36:24.0937 3828 splitter - ok
    21:36:25.0000 3828 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    21:36:25.0000 3828 sr - ok
    21:36:25.0062 3828 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    21:36:25.0078 3828 Srv - ok
    21:36:25.0109 3828 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    21:36:25.0109 3828 swenum - ok
    21:36:25.0171 3828 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    21:36:25.0187 3828 swmidi - ok
    21:36:25.0250 3828 symc810 - ok
    21:36:25.0328 3828 symc8xx - ok
    21:36:25.0359 3828 sym_hi - ok
    21:36:25.0390 3828 sym_u3 - ok
    21:36:25.0453 3828 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    21:36:25.0453 3828 sysaudio - ok
    21:36:25.0546 3828 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    21:36:25.0546 3828 Tcpip - ok
    21:36:25.0593 3828 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    21:36:25.0593 3828 TDPIPE - ok
    21:36:25.0640 3828 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    21:36:25.0640 3828 TDTCP - ok
    21:36:25.0687 3828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    21:36:25.0687 3828 TermDD - ok
    21:36:25.0734 3828 TosIde - ok
    21:36:25.0796 3828 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    21:36:25.0796 3828 Udfs - ok
    21:36:25.0812 3828 ultra - ok
    21:36:25.0875 3828 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    21:36:25.0890 3828 Update - ok
    21:36:25.0968 3828 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    21:36:25.0968 3828 usbccgp - ok
    21:36:26.0015 3828 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    21:36:26.0015 3828 usbehci - ok
    21:36:26.0046 3828 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    21:36:26.0046 3828 usbhub - ok
    21:36:26.0093 3828 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    21:36:26.0093 3828 usbprint - ok
    21:36:26.0156 3828 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    21:36:26.0156 3828 USBSTOR - ok
    21:36:26.0187 3828 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    21:36:26.0187 3828 usbuhci - ok
    21:36:26.0265 3828 VClone (1cdaa48cb2f7744b8d25650e050766a5) C:\WINDOWS\system32\DRIVERS\VClone.sys
    21:36:26.0265 3828 VClone - ok
    21:36:26.0296 3828 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    21:36:26.0312 3828 VgaSave - ok
    21:36:26.0359 3828 ViaIde - ok
    21:36:26.0421 3828 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    21:36:26.0421 3828 VolSnap - ok
    21:36:26.0500 3828 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    21:36:26.0500 3828 Wanarp - ok
    21:36:26.0531 3828 WDICA - ok
    21:36:26.0625 3828 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    21:36:26.0625 3828 wdmaud - ok
    21:36:26.0859 3828 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    21:36:26.0984 3828 \Device\Harddisk0\DR0 - ok
    21:36:27.0000 3828 MBR (0x1B8) (fa5336aed3a1e2e264422e4ab865ae7b) \Device\Harddisk1\DR3
    21:36:30.0234 3828 \Device\Harddisk1\DR3 - ok
    21:36:30.0250 3828 Boot (0x1200) (e6b55c23be86f137bd054ea55b406768) \Device\Harddisk0\DR0\Partition0
    21:36:30.0250 3828 \Device\Harddisk0\DR0\Partition0 - ok
    21:36:30.0250 3828 ============================================================
    21:36:30.0250 3828 Scan finished
    21:36:30.0250 3828 ============================================================
    21:36:30.0296 3820 Detected object count: 0
    21:36:30.0296 3820 Actual detected object count: 0
  18. Broni Malware Annihilator Posts: 39,313   +175

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open Notepad and press CTRL+V
    • Post the output back here.
  19. tatterjack Newcomer, in training Posts: 75

    Bootkit Remover

    I may have screwed this one up.

    When I did the ctrl+v into notepad I got the output from TDSSKiller again. I went back to the window, selected all again and this time when I did ctrl+c the window closed. I'm afraid I can't remember the contents.
  20. Broni Malware Annihilator Posts: 39,313   +175

    Redo it one more time.