Infected laptop running Vista Home Premium, SP2


Post by MealWorms » February 6th, 2011, 5:41 pm

Hi folks,

I have a laptop running Windows Vista Home Premium SP2 and connected to the internet. For about a week or so, every time I open my laptop or restart my machine, a never-ending sequence of what seem like auto-created .exes running out of C:\Users\<username>\AppData\Local\Temp attempt to do something that Account Control blocks and prompts me to permit. I can manage to bring up the Task Manager, in which I see several random processes running with what seem like auto-generated names (603.exe, 514.exe). If I terminate those processes via the Task Manager, the flurry of Account Control interrupts stops and the machine returns to normal operation. After some time (sometimes minutes, sometimes hours) another of these processes spontaneously launches again. So it seems like some kind of infection or remote execution is happening.

Thanks in advance for your help!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:22:58 PM, on 06/02/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18999)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Steam\Steam.exe
C:\Users\Dave\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\notepad.exe
C:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\Program Files\Microsoft Visual Studio 9.0\Common7\ide\mspdbsrv.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [System Defender] "C:\ProgramData\b148976\WSb148.exe" /s /d
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [MSConfig] C:\Users\Dave\umofbma.exe \u
O4 - HKCU\..\Run: [wouzuv] C:\Users\Dave\AppData\Roaming\Microsoft\fyquouqu.exe
O4 - HKCU\..\Run: [Firewall Security Service] c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: 0vvqf9a.exe
O4 - Startup: 1blrb72.exe
O4 - Startup: 1qqql1v.exe
O4 - Startup: 2w1llrb.exe
O4 - Startup: 4upf5a1.exe
O4 - Startup: 5w6ql5g.exe
O4 - Startup: 6f5a2qk.exe
O4 - Startup: 6l8gaqq.exe
O4 - Startup: a0vq0k0faa.exe
O4 - Startup: aavvaaq6l.exe
O4 - Startup: aqggaavvv2q.exe
O4 - Startup: av5q1faqq.exe
O4 - Startup: avllfv9qql.exe
O4 - Startup: Dropbox.lnk = C:\Users\Dave\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: faa1qa32.exe
O4 - Startup: faqq6laqffa.exe
O4 - Startup: fvvvklffaqq.exe
O4 - Startup: gbwwq4lb.exe
O4 - Startup: gr5brrlb.exe
O4 - Startup: gvvqqlbbvl9.exe
O4 - Startup: i7ds4iyy.exe
O4 - Startup: ids4nddy.exe
O4 - Startup: k0faavlaqq.exe
O4 - Startup: l321a0vvqf.exe
O4 - Startup: laavllfv9.exe
O4 - Startup: laavllgv9.exe
O4 - Startup: laqq1a0v.exe
O4 - Startup: lgga2qlaglg.exe
O4 - Startup: lggbq4qqg.exe
O4 - Startup: lvl98gav9q.exe
O4 - Startup: ny26sds4iy.exe
O4 - Startup: q7lgaavvq7.exe
O4 - Startup: qf9a0vqqlql.exe
O4 - Startup: qfvvqqlaav.exe
O4 - Startup: ukappkkfuu.exe
O4 - Startup: v86lvll71qg.exe
O4 - Startup: vq0lg0a0vq.exe
O4 - Startup: vvqffaavllf.exe
O4 - Startup: vvqkkffa7.exe
O4 - Startup: ysn9i0dy0s0.exe
O4 - Startup: yyssnddyn9.exe
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9383 bytes





uninstall_list.txt

7-Zip 4.65
Add or Remove Adobe Creative Suite 3 Design Premium
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Premium
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop Lightroom 2.2
Adobe Setup
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Advanced Audio FX Engine
Advanced Video FX Engine
AHV content for Acrobat and Flash
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Application Verifier
Ask Toolbar
Audacity 1.2.6
Audio Signal Generator
Auralux
Bionic Commando Rearmed
Broadcom Management Programs
Browser Address Error Redirector
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon Inkjet Printer/Scanner/Fax Extended Survey Program
Canon MP Navigator EX 3.1
Canon MX340 series MP Drivers
Canon Speed Dial Utility
Canon Utilities My Printer
CDDRV_Installer
Commander Keen Complete Pack
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
CuteFTP 8 Professional
Darwinia
Dasher
DEFCON
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card
DellSupport
Diablo II
Digital Line Detect
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Plus Web Player
Eufloria
Everyday Shooter
Flight Control HD
Flotilla
Foxit Reader
Fraps (remove only)
Galcon Fusion
GoldWave v5.58
GPL Ghostscript 8.60
GPL Ghostscript Fonts
Gratuitous Space Battles - Demo
GSview 4.9
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB945282)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946040)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB946308)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947540)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB947789)
Hotfix for Microsoft Visual C++ 2008 Express Edition with SP1 - ENU (KB948127)
HP Product Detection
Impulse
Impulse
ImTOO MOV Converter
Intel(R) Graphics Media Accelerator Driver
Internet Service Offers Launcher
iPhone Configuration Utility
Java DB 10.3.1.4
Java(TM) 6 Update 23
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 7
Java(TM) SE Runtime Environment 6
Jets'n'Guns 1.034
KhalInstallWrapper
Knick-Knack-Knock!
Laptop Integrated Webcam Driver (1.04.01.1011)
Live! Cam Avatar v1.0
Logitech SetPoint
Logitech Updater
Lux Delux 6.06
Machinarium
Magic: The Gathering - Duels of the Planeswalkers
Master of Orion II
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft .NET Framework 4 Extended
Microsoft Antimalware
Microsoft CAPICOM 2.1.0.2 SDK
Microsoft DirectX SDK (August 2009)
Microsoft Document Explorer 2008
Microsoft Document Explorer 2008
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE (Partnernet)
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows - LIVE SDK
Microsoft Office Word Viewer 2003
Microsoft Platform SDK (R2) (3790.2075)
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft SQL Server 2008 Management Objects
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual C++ Compilers 2008 Standard Edition - enu - x86
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
Microsoft Windows SDK for Windows Server 2008 (6001.18000.367)
Microsoft Works
Microsoft Xbox 360 Accessories 1.2
Microsoft XNA Framework Redistributable 3.0
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
MiKTeX 2.7
Mind Wall (remove only)
Minesweeper Clone 2007 release 2
Modem Diagnostic Tool
Mozilla Firefox (3.6.13)
Mozilla Thunderbird (3.1.7)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Music, Photos & Videos Launcher
NetWaiting
NVIDIA Cg Toolkit 3.0 July 2010
NVIDIA PhysX
OpenAL
OpenOffice.org 3.1
Osmos
OutlookAddinSetup
Owlboy
Pando Media Booster
PDF Settings
Product Documentation Launcher
Python 2.6.2
QuickSet
QuickTime
RealWorld Cursor Editor
Samorost 2
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Skype™ 4.2
SlimDX Redistributable (March 2009)
Sonic Activation Module
SQL Server System CLR Types
Steam
Swords and Soldiers HD
Synergy
System Requirements Lab for Intel
TextPad 5
Torchlight - Demo
TortoiseSVN 1.6.11.20210 (32 bit)
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Uplink
User's Guides
VC80CRTRedist - 8.0.50727.4053
VLC media player 1.1.4
Winamp
Windows Live ID Sign-in Assistant
Windows Media Player Firefox Plugin
Windows Mobile Device Center
Windows Mobile Device Center Driver Update
WinRAR archiver
World of Goo
Zuma's Revenge!

Re: Infected laptop running Vista Home Premium, SP2

Post by askey127 » February 7th, 2011, 4:36 pm

Hi Mealworms,
There is a serious set of infections here.
Please don't scan, install or remove anything unless I ask, until we are through cleaning.
Please do the following tasks in the sequence given:
-----------------------------------------------------------
Disable Windows Defender
Open Windows Defender by clicking the Start button, clicking All Programs, and then clicking Windows Defender.
If you don't see it in the Programs List, you can access it using the Control Panel.
Click Tools, and then click Options.
Scroll down to the bottom. Under Administrator options, UNcheck the Use Windows Defender check box, and then click Save.
Administrator permission is required. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
-----------------------------------------------------------
Remove Registry items with HijackThis. Start HijackThis. (Right-click and "Run as administrator" in Vista/Win7)
Click Do System Scan Only. When the Scan is complete, Check the following entries:
(Some of these lines may be missing)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Foxit Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - Startup: 0vvqf9a.exe
O4 - Startup: 1blrb72.exe
O4 - Startup: 1qqql1v.exe
O4 - Startup: 2w1llrb.exe
O4 - Startup: 4upf5a1.exe
O4 - Startup: 5w6ql5g.exe
O4 - Startup: 6f5a2qk.exe
O4 - Startup: 6l8gaqq.exe
O4 - Startup: a0vq0k0faa.exe
O4 - Startup: aavvaaq6l.exe
O4 - Startup: aqggaavvv2q.exe
O4 - Startup: av5q1faqq.exe
O4 - Startup: avllfv9qql.exe
O4 - Startup: faa1qa32.exe
O4 - Startup: faqq6laqffa.exe
O4 - Startup: fvvvklffaqq.exe
O4 - Startup: gbwwq4lb.exe
O4 - Startup: gr5brrlb.exe
O4 - Startup: gvvqqlbbvl9.exe
O4 - Startup: i7ds4iyy.exe
O4 - Startup: ids4nddy.exe
O4 - Startup: k0faavlaqq.exe
O4 - Startup: l321a0vvqf.exe
O4 - Startup: laavllfv9.exe
O4 - Startup: laavllgv9.exe
O4 - Startup: laqq1a0v.exe
O4 - Startup: lgga2qlaglg.exe
O4 - Startup: lggbq4qqg.exe
O4 - Startup: lvl98gav9q.exe
O4 - Startup: ny26sds4iy.exe
O4 - Startup: q7lgaavvq7.exe
O4 - Startup: qf9a0vqqlql.exe
O4 - Startup: qfvvqqlaav.exe
O4 - Startup: ukappkkfuu.exe
O4 - Startup: v86lvll71qg.exe
O4 - Startup: vq0lg0a0vq.exe
O4 - Startup: vvqffaavllf.exe
O4 - Startup: vvqkkffa7.exe
O4 - Startup: ysn9i0dy0s0.exe
O4 - Startup: yyssnddyn9.exe

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
Click the "X" in the upper right corner of the HiJackThis window to close it.
-----------------------------------------------------------
REBOOT (RESTART) Your Machine
---------------------------------------------
Perform a Custom Scan or Fix with OTL
Please download OTL.exe by OldTimer and save it to your desktop.
  • Double click on the icon to run it. For Vista or Win7, right click the icon and choose "Run as administrator".
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
      :processes
      killallprocesses
      
      :Files
      c:\windows\system32\0vvqf9a.exe
      c:\windows\system32\1blrb72.exe
      c:\windows\system32\1qqql1v.exe
      c:\windows\system32\2w1llrb.exe
      c:\windows\system32\4upf5a1.exe
      c:\windows\system32\5w6ql5g.exe
      c:\windows\system32\6f5a2qk.exe
      c:\windows\system32\6l8gaqq.exe
      c:\windows\system32\a0vq0k0faa.exe
      c:\windows\system32\aavvaaq6l.exe
      c:\windows\system32\aqggaavvv2q.exe
      c:\windows\system32\av5q1faqq.exe
      c:\windows\system32\avllfv9qql.exe
      c:\windows\system32\faa1qa32.exe
      c:\windows\system32\faqq6laqffa.exe
      c:\windows\system32\fvvvklffaqq.exe
      c:\windows\system32\gbwwq4lb.exe
      c:\windows\system32\gr5brrlb.exe
      c:\windows\system32\gvvqqlbbvl9.exe
      c:\windows\system32\i7ds4iyy.exe
      c:\windows\system32\ids4nddy.exe
      c:\windows\system32\k0faavlaqq.exe
      c:\windows\system32\l321a0vvqf.exe
      c:\windows\system32\laavllfv9.exe
      c:\windows\system32\laavllgv9.exe
      c:\windows\system32\laqq1a0v.exe
      c:\windows\system32\lgga2qlaglg.exe
      c:\windows\system32\lggbq4qqg.exe
      c:\windows\system32\lvl98gav9q.exe
      c:\windows\system32\ny26sds4iy.exe
      c:\windows\system32\q7lgaavvq7.exe
      c:\windows\system32\qf9a0vqqlql.exe
      c:\windows\system32\qfvvqqlaav.exe
      c:\windows\system32\ukappkkfuu.exe
      c:\windows\system32\v86lvll71qg.exe
      c:\windows\system32\vq0lg0a0vq.exe
      c:\windows\system32\vvqffaavllf.exe
      c:\windows\system32\vvqkkffa7.exe
      c:\windows\system32\ysn9i0dy0s0.exe
      c:\windows\system32\yyssnddyn9.exe
      
      :Commands
      [PURITY]
      [EMPTYTEMP]
      [Reboot]
      
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

askey127
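The clues askey127 used when picking the entries to fix (raw .exe files in the Startup folder, random-looking names, executables living in RECYCLER, Temp, the profile root, AppData\Roaming\Microsoft or a digit-laden ProgramData folder, as the poster's first log and Temp-folder description show) can be written down as a small triage script over HijackThis O4 lines. This is an added example, not code from the thread, from HijackThis or from OTL; every sample line except the [603] Temp entry is copied from the log above, and that one is constructed from the poster's description of 603.exe in AppData\Local\Temp.

```python
"""Triage of HijackThis O4 (autostart) lines; added example, not from the thread."""
import re
from dataclasses import dataclass, field

# Sample input: O4 lines from the posted HijackThis log, plus one constructed
# [603] Temp-folder entry modelled on the poster's description of 603.exe.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [System Defender] "C:\ProgramData\b148976\WSb148.exe" /s /d
O4 - HKCU\..\Run: [MSConfig] C:\Users\Dave\umofbma.exe \u
O4 - HKCU\..\Run: [wouzuv] C:\Users\Dave\AppData\Roaming\Microsoft\fyquouqu.exe
O4 - HKCU\..\Run: [Firewall Security Service] c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe
O4 - HKCU\..\Run: [603] C:\Users\Dave\AppData\Local\Temp\603.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - Startup: Dropbox.lnk = C:\Users\Dave\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: 0vvqf9a.exe
O4 - Startup: aqggaavvv2q.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<target>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.I)  # first .exe in a command line

# Locations a legitimate autostart entry has no business living in.
LOCATION_RULES = [(re.compile(p, re.I), why) for p, why in [
    (r"\\recycler\\", "runs from the Recycle Bin folder (RECYCLER)"),
    (r"\\temp\\", "runs from a Temp folder"),
    (r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", "executable sitting directly in the user profile root"),
    (r"\\appdata\\roaming\\microsoft\\[^\\]+\.exe$", "executable dropped into AppData\\Roaming\\Microsoft"),
    (r"\\programdata\\[^\\]*\d[^\\]*\\[^\\]+\.exe$", "executable in a ProgramData folder with a digit-laden name"),
]]


@dataclass
class Finding:
    entry: str                  # the [name] of a Run value, or the Startup item
    path: str                   # executable the entry launches
    reasons: list = field(default_factory=list)


def looks_random(stem):
    """Crude generated-name check: letters mixed with digits, or almost no vowels.
    It is a heuristic and will misfire on some vendor names; review by hand."""
    s = stem.lower()
    if not s.isalnum() or len(s) < 6:
        return False
    has_digit = any(c.isdigit() for c in s)
    has_alpha = any(c.isalpha() for c in s)
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    return (has_digit and has_alpha) or vowel_ratio < 0.2


def parse_o4(line):
    """Return (entry, path, bare_startup_exe) for an O4 line, or None."""
    m = RUN_RE.match(line)
    if m:
        e = EXE_RE.match(m.group("cmd"))
        return m.group("name"), (e.group("path") if e else m.group("cmd")), False
    m = STARTUP_RE.match(line)
    if m:
        target = m.group("target")
        if " = " in target:                       # shortcut: "X.lnk = <path>"
            link, path = target.split(" = ", 1)
            return link, path, False
        return target, target, target.lower().endswith(".exe")
    return None


def stem_of(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text):
    """Run every O4 line through the checks and return the entries worth a look."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o4(line.strip())
        if not parsed:
            continue
        entry, path, bare_startup_exe = parsed
        reasons = []
        if bare_startup_exe:
            reasons.append("raw .exe in the Startup folder instead of a shortcut")
        for rx, why in LOCATION_RULES:
            if rx.search(path):
                reasons.append(why)
        if looks_random(stem_of(path)):
            reasons.append("random-looking file name")
        if reasons:
            findings.append(Finding(entry, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.entry}] {f.path}")
        for why in f.reasons:
            print("    -", why)
```

The vendor entries (Apoint, Steam, Sidebar, the Dropbox shortcut) pass clean, while the six bad Run/Startup entries from the log and the constructed Temp entry are listed with the reason each one tripped.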

Re: Infected laptop running Vista Home Premium, SP2

Post by MealWorms » February 7th, 2011, 5:12 pm

Thanks askey127; I've performed the tasks as instructed.
Please see below for the 'Quick Scan' results from OTL:

OTL logfile created on: 07/02/2011 4:06:42 PM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Dave\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 56.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 210.32 Gb Total Space | 22.12 Gb Free Space | 10.52% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.80 Gb Free Space | 58.05% Space Free | Partition Type: NTFS
Drive F: | 2.49 Gb Total Space | 2.49 Gb Free Space | 100.00% Space Free | Partition Type: FAT32

Computer Name: DAVE-PC | User Name: Dave | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/07 15:58:03 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
PRC - [2010/12/16 12:37:59 | 012,584,112 | ---- | M] (Mozilla Messaging) -- C:\Program Files\Mozilla Thunderbird\thunderbird.exe
PRC - [2010/12/13 05:23:32 | 000,912,344 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/10/01 22:41:10 | 000,619,800 | ---- | M] (http://tortoisesvn.net) -- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PRC - [2009/09/08 07:12:51 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/09/24 04:27:38 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2007/09/24 04:27:30 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2007/09/24 04:27:28 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2007/09/24 04:27:28 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2007/09/07 13:25:12 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/09/07 13:23:36 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/08/29 16:25:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/08/29 00:54:58 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2007/04/16 17:10:26 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe


========== Modules (SafeList) ==========

MOD - [2011/02/07 15:58:03 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (stllssvr)
SRV - [2011/01/11 11:38:39 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/11/11 12:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 12:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 12:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2010/03/18 12:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpActivator)
SRV - [2010/03/18 12:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetPipeActivator)
SRV - [2010/03/18 12:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetMsmqActivator)
SRV - [2009/09/24 20:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/09/08 07:12:51 | 000,116,104 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2008/10/06 08:14:57 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/02 01:42:06 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/07 13:25:12 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/08/29 16:25:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/05/31 10:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 10:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2007/03/19 13:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)


========== Driver Services (SafeList) ==========

DRV - [2010/10/24 21:25:38 | 000,054,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010/10/24 21:25:38 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/09/09 18:24:14 | 000,062,424 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\xusb21.sys -- (xusb21)
DRV - [2009/02/07 13:23:48 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/02/29 02:13:24 | 000,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 02:13:16 | 000,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/01/02 16:48:28 | 002,016,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2007/12/06 16:06:35 | 000,020,152 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/12/06 16:06:35 | 000,019,128 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/12/06 16:06:35 | 000,017,592 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/10/10 16:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/09/24 04:27:26 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/09/21 03:11:02 | 000,028,432 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2007/09/07 13:26:04 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/08/29 00:55:06 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2007/05/21 00:43:56 | 000,179,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2007/04/23 05:51:56 | 000,277,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)
DRV - [2007/03/21 14:33:46 | 000,534,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2007/02/25 13:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/11/27 02:48:46 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/27 02:48:44 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/27 02:48:44 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/02 21:43:30 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/11/02 21:42:18 | 000,206,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/11/02 21:42:08 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/11/02 04:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 02:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2006/11/02 02:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2006/10/05 18:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/04 19:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2004/11/29 13:14:30 | 000,019,648 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)
DRV - [2004/11/25 11:41:08 | 000,046,080 | ---- | M] (Protection Technology) [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2004/10/28 05:47:59 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&cli ... bd=2071206
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://mail.google.com/mail/?shva=1#inbox|http://www.new.facebook.com/login.php"
FF - prefs.js..extensions.enabledItems: ctrl-tab@design-noir.de:0.21.1
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/13 05:23:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/13 05:23:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/12/16 12:37:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/03/23 23:20:05 | 000,000,000 | ---D | M]

[2010/08/27 16:18:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dave\AppData\Roaming\Mozilla\Extensions
[2010/08/27 16:18:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dave\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/02/06 15:05:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions
[2010/06/29 10:37:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/10/14 12:56:45 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2011/02/02 14:26:04 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/03/22 09:19:25 | 000,000,000 | ---D | M] (Ctrl-Tab) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions\ctrl-tab@design-noir.de
[2011/01/27 15:09:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/31 20:00:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/20 17:52:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/18 10:03:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/27 15:09:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2008/06/24 14:00:35 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\inspector@mozilla.org
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [DellSupportCenter] File not found
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [XboxStat] C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DellSupportCenter] File not found
O4 - HKCU..\Run: [Firewall Security Service] c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [MSConfig] C:\Users\Dave\umofbma.exe ()
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - HKCU..\Run: [System Defender] File not found
O4 - HKCU..\Run: [wouzuv] C:\Users\Dave\AppData\Roaming\Microsoft\fyquouqu.exe (Google Inc.)
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5fvvqff.exe ()
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lggbrr.exe ()
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Dave\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggbb6llg2.exe ()
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rggbrgww1g.exe ()
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a.exe ()
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a0.exe ()
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\RECYCLER\S-1-5-21-7702168376-5550137348-691632285-2071\yv8g67.exe) - C:\RECYCLER\S-1-5-21-7702168376-5550137348-691632285-2071\yv8g67.exe (BGT3vjn7nJi)
O20 - HKCU Winlogon: Shell - (C:\Users\Dave\AppData\Roaming\juzjf.exe) - C:\Users\Dave\AppData\Roaming\juzjf.exe (Google Inc.)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (C:\Users\Dave\fxmdk.exe) - C:\Users\Dave\fxmdk.exe ()
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Dave\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Dave\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/08/16 10:35:02 | 000,000,000 | ---D | M] - C:\Autostitch -- [ NTFS ]
O33 - MountPoints2\{15939c9f-be80-11de-b7b6-001c23f9c651}\Shell - "" = AutoRun
O33 - MountPoints2\{15939c9f-be80-11de-b7b6-001c23f9c651}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{6f8bb6b1-f903-11dd-a1f1-001c23f9c651}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
O33 - MountPoints2\{e58ca034-c015-11dc-9d0a-001c23f9c651}\Shell\AutoRun\command - "" = F:\wubi.exe --cdmenu
O33 - MountPoints2\{e58ca047-c015-11dc-9d0a-001c23f9c651}\Shell\AutoRun\command - "" = G:\DISALA///pushila.exe
O33 - MountPoints2\{e58ca047-c015-11dc-9d0a-001c23f9c651}\Shell\explore\command - "" = G:\DISALA//pushila.exe
O33 - MountPoints2\{e58ca047-c015-11dc-9d0a-001c23f9c651}\Shell\open\command - "" = G:\DISALA//pushila.exe
O33 - MountPoints2\{ede944dd-eb52-11dd-9d95-001c23f9c651}\Shell\AutoRun\command - "" = G:\DISALA///pushila.exe
O33 - MountPoints2\{ede944dd-eb52-11dd-9d95-001c23f9c651}\Shell\explore\command - "" = G:\DISALA//pushila.exe
O33 - MountPoints2\{ede944dd-eb52-11dd-9d95-001c23f9c651}\Shell\open\command - "" = G:\DISALA//pushila.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/07 16:00:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/02/07 15:58:09 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
[2011/02/06 15:49:39 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/02/06 15:49:39 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/02/04 09:44:42 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\Temp
[2011/02/02 08:03:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auralux
[2011/02/02 08:03:00 | 000,000,000 | ---D | C] -- C:\Program Files\Auralux
[2011/01/30 14:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/01/29 11:49:46 | 000,000,000 | ---D | C] -- C:\Users\Dave\Documents\Osmos
[2011/01/28 15:20:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AuraluxDemo
[2011/01/27 14:48:26 | 000,000,000 | RHSD | C] -- C:\RECYCLER
[2011/01/27 14:42:35 | 000,155,648 | RHS- | C] (Google Inc.) -- C:\Users\Dave\AppData\Roaming\juzjf.exe
[2011/01/27 13:48:26 | 000,000,000 | ---D | C] -- C:\Users\Dave\Desktop\Phtos_Uncategorized
[2011/01/20 15:05:50 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2011/01/20 15:05:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011/01/14 16:47:43 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2011/01/14 12:16:55 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
[2008/08/20 19:32:34 | 000,014,848 | ---- | C] ( ) -- C:\Windows\System32\Interop.MSScriptControl.dll

========== Files - Modified Within 30 Days ==========

[2011/02/07 16:04:19 | 000,043,520 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a0.exe
[2011/02/07 16:04:19 | 000,043,520 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5fvvqff.exe
[2011/02/07 16:04:19 | 000,040,448 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a.exe
[2011/02/07 16:03:14 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/07 16:03:14 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/07 16:03:01 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/02/07 16:02:59 | 2137,042,944 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/07 16:02:07 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/02/07 16:00:36 | 000,645,346 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/02/07 16:00:36 | 000,123,984 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/02/07 15:58:03 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
[2011/02/07 15:56:35 | 000,043,520 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggbb6llg2.exe
[2011/02/07 15:56:35 | 000,040,448 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rggbrgww1g.exe
[2011/02/07 15:56:35 | 000,040,448 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lggbrr.exe
[2011/02/03 07:48:27 | 000,143,360 | RHS- | M] () -- C:\Users\Dave\fxmdk.exe
[2011/02/02 09:36:10 | 000,000,790 | ---- | M] () -- C:\Users\Dave\Desktop\Auralux - Shortcut.lnk
[2011/01/31 21:22:43 | 000,000,544 | -H-- | M] () -- C:\ProgramData\common.data
[2011/01/31 07:48:44 | 000,000,222 | ---- | M] () -- C:\Users\Dave\Documents\WhiteToPlay.pgn
[2011/01/30 14:37:22 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/01/29 15:21:06 | 000,228,656 | ---- | M] () -- C:\Users\Dave\Documents\spectro.jpg
[2011/01/27 14:54:38 | 000,005,972 | ---- | M] () -- C:\Users\Dave\AppData\Local\d3d9caps.dat
[2011/01/27 14:43:39 | 000,045,568 | -H-- | M] () -- C:\Users\Dave\secupdat.dat
[2011/01/27 14:43:39 | 000,017,920 | -H-- | M] () -- C:\Users\Dave\umofbma.exe
[2011/01/14 16:48:29 | 000,000,942 | ---- | M] () -- C:\Users\Dave\Desktop\Dropbox.lnk
[2011/01/14 16:47:53 | 000,000,922 | ---- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011/01/13 20:40:12 | 000,117,539 | ---- | M] () -- C:\Users\Dave\Desktop\MoteBloomOnly.jpg
[2011/01/13 20:39:55 | 000,170,831 | ---- | M] () -- C:\Users\Dave\Desktop\MoteBloomAndPosterize.jpg
[2011/01/13 18:12:47 | 000,074,796 | ---- | M] () -- C:\Users\Dave\Desktop\110113-OL-Hemisphere-MCPA.DOCX
[2011/01/11 17:22:36 | 000,023,040 | ---- | M] () -- C:\Users\Dave\Desktop\most royals.doc

========== Files Created - No Company Name ==========

[2011/02/07 16:04:23 | 000,043,520 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a0.exe
[2011/02/07 16:04:23 | 000,040,448 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a.exe
[2011/02/07 16:04:22 | 000,043,520 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5fvvqff.exe
[2011/02/07 15:56:39 | 000,043,520 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggbb6llg2.exe
[2011/02/07 15:56:39 | 000,040,448 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rggbrgww1g.exe
[2011/02/07 15:56:38 | 000,040,448 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lggbrr.exe
[2011/02/02 09:36:10 | 000,000,790 | ---- | C] () -- C:\Users\Dave\Desktop\Auralux - Shortcut.lnk
[2011/01/31 07:48:44 | 000,000,222 | ---- | C] () -- C:\Users\Dave\Documents\WhiteToPlay.pgn
[2011/01/30 14:37:22 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2011/01/29 15:21:03 | 000,228,656 | ---- | C] () -- C:\Users\Dave\Documents\spectro.jpg
[2011/01/28 09:22:32 | 000,000,544 | -H-- | C] () -- C:\ProgramData\common.data
[2011/01/27 15:30:06 | 000,143,360 | RHS- | C] () -- C:\Users\Dave\fxmdk.exe
[2011/01/27 14:48:12 | 000,000,000 | -H-- | C] () -- C:\Users\Dave\AppData\Roaming\HhdFJl61DD.txt
[2011/01/27 14:43:39 | 000,045,568 | -H-- | C] () -- C:\Users\Dave\secupdat.dat
[2011/01/27 14:43:39 | 000,017,920 | -H-- | C] () -- C:\Users\Dave\umofbma.exe
[2011/01/27 14:42:35 | 000,000,000 | -H-- | C] () -- C:\Users\Dave\AppData\Roaming\kkK7HfH611.txt
[2011/01/27 14:42:32 | 000,000,000 | -H-- | C] () -- C:\Users\Dave\AppData\Roaming\hJCd8i8H8I.txt
[2011/01/20 15:03:32 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2011/01/20 15:03:32 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2011/01/20 15:03:31 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2011/01/14 16:48:29 | 000,000,942 | ---- | C] () -- C:\Users\Dave\Desktop\Dropbox.lnk
[2011/01/14 16:47:53 | 000,000,922 | ---- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011/01/13 20:40:10 | 000,117,539 | ---- | C] () -- C:\Users\Dave\Desktop\MoteBloomOnly.jpg
[2011/01/13 20:39:52 | 000,170,831 | ---- | C] () -- C:\Users\Dave\Desktop\MoteBloomAndPosterize.jpg
[2011/01/13 18:12:47 | 000,074,796 | ---- | C] () -- C:\Users\Dave\Desktop\110113-OL-Hemisphere-MCPA.DOCX
[2011/01/11 17:19:18 | 000,023,040 | ---- | C] () -- C:\Users\Dave\Desktop\most royals.doc
[2010/10/14 01:36:44 | 000,179,263 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/11/18 13:48:18 | 000,040,960 | ---- | C] () -- C:\Windows\System32\nvISWOW64.dll
[2009/10/12 11:23:48 | 000,005,972 | ---- | C] () -- C:\Users\Dave\AppData\Local\d3d9caps.dat
[2009/10/10 18:19:10 | 000,013,116 | ---- | C] () -- C:\Users\Dave\AppData\Local\c4u.log
[2009/10/10 18:19:03 | 000,000,177 | ---- | C] () -- C:\Users\Dave\AppData\Local\LaunchHomeCenter.log
[2009/10/10 18:09:43 | 000,253,472 | ---- | C] () -- C:\Users\Dave\AppData\Local\installer.log
[2009/09/04 02:38:00 | 000,020,594 | ---- | C] () -- C:\Windows\System32\DELS3L3.DLL
[2009/08/20 14:26:36 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/03/12 09:49:36 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/02/02 13:50:49 | 000,000,218 | ---- | C] () -- C:\Users\Dave\AppData\Roaming\.Whitebutterfly
[2008/11/18 14:27:17 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2008/11/10 08:35:04 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/11/10 08:35:04 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2008/11/10 08:35:04 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/10/06 08:22:35 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008/09/10 05:22:00 | 000,350,280 | ---- | C] () -- C:\Windows\System32\vfprintpthelper.dll
[2008/02/08 09:10:36 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2008/02/08 09:10:36 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2008/02/08 09:10:36 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2008/01/21 20:33:02 | 000,000,025 | ---- | C] () -- C:\Windows\cdplayer.ini
[2008/01/13 18:10:20 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2008/01/10 14:58:17 | 000,080,896 | ---- | C] () -- C:\Users\Dave\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/06 16:07:08 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/12/06 16:07:08 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1322.dll
[2007/12/06 16:07:08 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/12/06 16:07:02 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/12/06 08:30:39 | 000,065,536 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009/12/10 12:40:26 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\.GrapplingHook
[2010/05/17 13:52:53 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\.minecraft
[2010/09/24 08:30:33 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Atlus
[2010/07/13 14:45:08 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Beat Hazard
[2009/09/05 20:00:58 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Blender Foundation
[2009/04/13 17:30:37 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Braid
[2010/11/18 21:30:02 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Canon
[2011/01/04 13:07:16 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Chessmaster Challenge
[2010/01/24 15:29:29 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\com.rocketbirds.revolution.CF766248D3FE4779BD81B4B4A3BB448567BF58E0.1
[2011/02/07 16:04:47 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Dropbox
[2010/09/17 11:25:58 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\FOG Downloader
[2010/11/18 08:19:26 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Foxit Software
[2010/02/05 08:45:25 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\GamesFaction
[2009/11/18 14:07:05 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\gDEBugger
[2008/04/21 12:29:25 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\GetRightToGo
[2009/12/15 17:10:58 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\GlobalSCAPE
[2008/05/08 16:35:54 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Helios
[2009/12/20 22:46:15 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\ImTOO Software Studio
[2010/09/24 08:57:34 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Internet Chess Club
[2010/10/28 12:10:04 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\LolClient
[2009/07/03 10:07:30 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\My Games
[2011/01/04 13:24:11 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\OnLive App
[2009/12/24 13:29:24 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\OpenOffice.org
[2010/02/24 16:51:41 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Playrix Entertainment
[2010/11/02 13:06:15 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Processing
[2010/05/11 16:55:22 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Purity
[2010/06/22 11:17:50 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\runic games
[2008/05/26 15:14:42 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Sahmon Games
[2011/01/04 12:08:01 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\SpinTop
[2010/09/23 08:12:03 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Star Ruler
[2010/01/18 13:58:20 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Stardock
[2008/09/26 15:47:09 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Subversion
[2008/08/17 16:01:42 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Supernova2
[2009/12/15 13:45:11 | 000,000,000 | -HSD | M] -- C:\Users\Dave\AppData\Roaming\System Defender
[2010/11/18 09:31:47 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\SystemRequirementsLab
[2010/08/27 16:18:58 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Thunderbird
[2008/10/30 12:11:08 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\ToadTrip Games Pty Ltd
[2009/06/24 11:02:00 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Unity
[2010/01/22 13:11:09 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\ZombieDriver
[2011/02/07 16:02:07 | 000,032,602 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 523 bytes -> C:\ProgramData\TEMP:05EE1EEF
@Alternate Data Stream - 514643 bytes -> C:\Users\Dave\AppData\Roaming\desktop.ini:init
@Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:D158BAF9
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:93E9C78D
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:697CEF62

< End of report >
MealWorms
Active Member
 
Posts: 9
Joined: February 6th, 2011, 5:29 pm

Re: Infected laptop running Vista Home Preiump, SP2

Unread postby askey127 » February 7th, 2011, 7:56 pm

Mealworms,
----------------------------------------------
Perform a Custom Scan or Fix with OTL
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :processes
    killallprocesses
    
    :OTL
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O4 - HKLM..\Run: [DellSupportCenter] File not found
    O4 - HKCU..\Run: [DellSupportCenter] File not found
    O4 - HKCU..\Run: [System Defender] File not found
    O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5fvvqff.exe ()
    O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lggbrr.exe ()
    O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggbb6llg2.exe ()
    O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rggbrgww1g.exe ()
    O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a.exe ()
    O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a0.exe ()
    O4 - HKCU..\Run: [wouzuv] C:\Users\Dave\AppData\Roaming\Microsoft\fyquouqu.exe (Google Inc.)
    O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_07)
    O20 - HKCU Winlogon: Shell - (C:\Users\Dave\AppData\Roaming\juzjf.exe) - C:\Users\Dave\AppData\Roaming\juzjf.exe (Google Inc.)
    O20 - HKCU Winlogon: Shell - (C:\Users\Dave\fxmdk.exe) - C:\Users\Dave\fxmdk.exe ()
    O33 - MountPoints2\{e58ca034-c015-11dc-9d0a-001c23f9c651}\Shell\AutoRun\command - "" = F:\wubi.exe --cdmenu
    O33 - MountPoints2\{e58ca047-c015-11dc-9d0a-001c23f9c651}\Shell\AutoRun\command - "" = G:\DISALA///pushila.exe
    O33 - MountPoints2\{e58ca047-c015-11dc-9d0a-001c23f9c651}\Shell\explore\command - "" = G:\DISALA//pushila.exe
    O33 - MountPoints2\{e58ca047-c015-11dc-9d0a-001c23f9c651}\Shell\open\command - "" = G:\DISALA//pushila.exe
    O33 - MountPoints2\{ede944dd-eb52-11dd-9d95-001c23f9c651}\Shell\AutoRun\command - "" = G:\DISALA///pushila.exe
    O33 - MountPoints2\{ede944dd-eb52-11dd-9d95-001c23f9c651}\Shell\explore\command - "" = G:\DISALA//pushila.exe
    O33 - MountPoints2\{ede944dd-eb52-11dd-9d95-001c23f9c651}\Shell\open\command - "" = G:\DISALA//pushila.exe
    [2011/02/07 16:04:19 | 000,043,520 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a0.exe
    [2011/02/07 16:04:19 | 000,043,520 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5fvvqff.exe
    [2011/02/07 16:04:19 | 000,040,448 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a.exe
    [2011/02/07 16:04:23 | 000,043,520 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a0.exe
    [2011/02/07 16:04:23 | 000,040,448 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a.exe
    [2011/02/07 16:04:22 | 000,043,520 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5fvvqff.exe
    [2011/02/07 15:56:39 | 000,043,520 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggbb6llg2.exe
    [2011/02/07 15:56:39 | 000,040,448 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rggbrgww1g.exe
    [2011/02/07 15:56:38 | 000,040,448 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lggbrr.exe
    [2011/01/27 14:48:12 | 000,000,000 | -H-- | C] () -- C:\Users\Dave\AppData\Roaming\HhdFJl61DD.txt
    [2011/01/27 14:43:39 | 000,045,568 | -H-- | C] () -- C:\Users\Dave\secupdat.dat
    [2011/01/27 14:43:39 | 000,017,920 | -H-- | C] () -- C:\Users\Dave\umofbma.exe
    [2011/01/27 14:42:35 | 000,000,000 | -H-- | C] () -- C:\Users\Dave\AppData\Roaming\kkK7HfH611.txt
    [2011/01/27 14:42:32 | 000,000,000 | -H-- | C] () -- C:\Users\Dave\AppData\Roaming\hJCd8i8H8I.txt
    [2011/01/28 09:22:32 | 000,000,544 | -H-- | C] () -- C:\ProgramData\common.data
    [2011/01/27 15:30:06 | 000,143,360 | RHS- | C] () -- C:\Users\Dave\fxmdk.exe
    
    @Alternate Data Stream - 523 bytes -> C:\ProgramData\TEMP:05EE1EEF
    @Alternate Data Stream - 514643 bytes -> C:\Users\Dave\AppData\Roaming\desktop.ini:init
    @Alternate Data Stream - 115 bytes -> C:\ProgramData\TEMP:D158BAF9
    @Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:93E9C78D
    @Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:697CEF62
    :Services
    
    :Reg
    
    :Files
    C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5fvvqff.exe
    C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5lggbrr.exe
    C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ggbb6llg2.exe
    C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rggbrgww1g.exe
    C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a.exe
    C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a0.exe
    
    :Commands
    [EMPTYTEMP]
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
----------------------------------------------

After you have completed the above, you have a file named pushila.exe that appears on the G: drive (flash drive?)
It is trying to run automatically every time the G: drive is mounted, and it is an infection. Delete it if you can.

----------------------------------------------
Right click the Microsoft Security Essentials icon (the little orange or green icon with the checkmark), click Open.
Check the Scan option Full, and click Scan Now.
Let it remove anything it wants.

As an aside, your C: drive is too full for Windows to run properly.
Windows needs about 15% minimum free space.
Think about offloading some music/photos/videos to free up a bit more space on the C: drive.

Let me know how it goes.
askey127
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
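As an added example (not from this thread, not part of OTL), the Python script below parses entry lines in the OTL log format used in the fix above and applies the triage heuristics that fix reflects: orphaned Run entries, executables with no company name in the Startup folder, a replaced Winlogon Shell, MountPoints2 autorun commands for removable drives, hidden or system files in the user profile, and non-standard alternate data streams. The sample lines are copied from the log above plus one constructed, benign Zone.Identifier stream as a negative case; the heuristics are mine, not OTL's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entry lines copied from the OTL fix above, plus one
# constructed benign Zone.Identifier stream so the ADS rule has a negative case.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [DellSupportCenter] File not found
O4 - HKCU..\Run: [wouzuv] C:\Users\Dave\AppData\Roaming\Microsoft\fyquouqu.exe (Google Inc.)
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5fvvqff.exe ()
O20 - HKCU Winlogon: Shell - (C:\Users\Dave\fxmdk.exe) - C:\Users\Dave\fxmdk.exe ()
O33 - MountPoints2\{e58ca047-c015-11dc-9d0a-001c23f9c651}\Shell\AutoRun\command - "" = G:\DISALA///pushila.exe
[2011/02/07 16:04:19 | 000,043,520 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vfv9qqlf9a0.exe
[2011/01/27 14:43:39 | 000,045,568 | -H-- | C] () -- C:\Users\Dave\secupdat.dat
[2008/11/18 14:27:17 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
@Alternate Data Stream - 514643 bytes -> C:\Users\Dave\AppData\Roaming\desktop.ini:init
@Alternate Data Stream - 26 bytes -> C:\Users\Dave\Downloads\setup.exe:Zone.Identifier
"""

# One pattern per OTL entry type seen in the fix above.
RUN_ENTRY = re.compile(r'^O4 - HK\w+\.\.\\Run: \[[^\]]*\] (.*)$')
STARTUP_ENTRY = re.compile(r'^O4 - Startup: (.+?) \(([^)]*)\)$')
WINLOGON_SHELL = re.compile(r'^O20 - HK\w+ Winlogon: Shell - \((.*?)\) - ')
MOUNTPOINT_CMD = re.compile(
    r'^O33 - MountPoints2\\\{[0-9a-fA-F-]+\}\\Shell\\(\w+)\\command - "" = (.+)$')
# [date time | size | attrs | M/C] (company) -- path
FILE_ENTRY = re.compile(
    r'^\[\d{4}/\d{2}/\d{2} [\d:]{8} \| [\d,]+ \| ([RHSD-]{4}) \| [MC]\] \(([^)]*)\) -- (.+)$')
ADS_ENTRY = re.compile(r'^@Alternate Data Stream - (\d+) bytes -> (.+):([^:\\]+)$')


@dataclass
class Finding:
    line: str
    reason: str


def classify(line: str) -> Optional[str]:
    """Return a triage reason for one OTL entry line, or None if it looks benign."""
    m = RUN_ENTRY.match(line)
    if m:
        target = m.group(1)
        if target == "File not found":
            return "orphaned Run entry: target no longer exists"
        if "\\appdata\\" in target.lower():
            return "Run entry launches a file from the user-writable AppData tree"
        return None
    m = STARTUP_ENTRY.match(line)
    if m and m.group(2) == "":
        return "Startup-folder executable with no company name"
    m = WINLOGON_SHELL.match(line)
    if m and m.group(1).lower() != "explorer.exe":   # Vista's default Shell value
        return "Winlogon Shell value replaced with a non-standard program"
    m = MOUNTPOINT_CMD.match(line)
    if m:
        return f"MountPoints2 {m.group(1)} command runs {m.group(2)} when the drive is mounted"
    m = FILE_ENTRY.match(line)
    if m:
        attrs, company, path = m.groups()
        is_dir = "D" in attrs
        hidden = "H" in attrs or "S" in attrs
        if not is_dir and hidden and path.lower().startswith("c:\\users\\"):
            return f"hidden/system file in a user profile (attrs {attrs}, company '{company or 'none'}')"
        return None
    m = ADS_ENTRY.match(line)
    if m and m.group(3) != "Zone.Identifier":      # Zone.Identifier is the usual benign stream
        return f"alternate data stream '{m.group(3)}' holding {m.group(1)} bytes"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every non-empty line and collect the hits."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line)
        if reason:
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The heuristics only rank entries for a human to review; an entry such as a Run value under AppData is not proof of infection on its own.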

Re: Infected laptop running Vista Home Preiump, SP2

Unread postby MealWorms » February 8th, 2011, 7:51 am

Hi askey127,

I ran OTL as suggested, cleaned up the C: (now about 36 GB free), and ran Security Essentials 'Full Scan' overnight; it flagged four files as 'Trojans', which it then removed.

Regarding the rogue file on G: -- I actually don't have a G drive... but I do have a wireless USB mouse, whose receiver key is always plugged in to the laptop. Perhaps the wireless mouse key is infected? FWIW, there's no explicit storage on the key (i.e. this wireless mouse predates the days when the keys of wireless USB mice doubled as storage keys).

Another datapoint pointing to some sort of USB-transmitted infection: when I connect a flash card to my laptop and empty it in Windows Explorer, then bring it over to my MacBook or a Linux box, there are some files on the card which aren't visible in Windows Explorer.

In any case: below is the scan result from OTL, generated after the 2nd OTL 'Run Fix' operation and before the cleanup of C: and MS Security Essentials run:

OTL logfile created on: 07/02/2011 7:18:14 PM - Run 2
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Users\Dave\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18999)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 210.32 Gb Total Space | 23.02 Gb Free Space | 10.95% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.80 Gb Free Space | 58.05% Space Free | Partition Type: NTFS
Drive F: | 2.49 Gb Total Space | 2.49 Gb Free Space | 100.00% Space Free | Partition Type: FAT32

Computer Name: DAVE-PC | User Name: Dave | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/07 15:58:03 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/10/01 22:41:10 | 000,619,800 | ---- | M] (http://tortoisesvn.net) -- C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
PRC - [2009/09/08 07:12:51 | 000,116,104 | ---- | M] () -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2007/09/24 04:27:38 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2007/09/24 04:27:30 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2007/09/24 04:27:28 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2007/09/24 04:27:28 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2007/09/07 13:25:12 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/09/07 13:23:36 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/08/29 16:25:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/08/29 00:54:58 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2007/04/16 17:10:26 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe


========== Modules (SafeList) ==========

MOD - [2011/02/07 15:58:03 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (stllssvr)
SRV - [2011/01/11 11:38:39 | 000,407,336 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/11/11 12:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2010/03/18 16:47:22 | 000,035,160 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe -- (aspnet_state)
SRV - [2010/03/18 12:16:28 | 000,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 12:16:28 | 000,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 12:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2010/03/18 12:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetTcpActivator)
SRV - [2010/03/18 12:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetPipeActivator)
SRV - [2010/03/18 12:16:28 | 000,124,240 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe -- (NetMsmqActivator)
SRV - [2009/09/24 20:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/09/08 07:12:51 | 000,116,104 | ---- | M] () [Auto | Running] -- C:\Program Files\Canon\IJPLM\ijplmsvc.exe -- (IJPLMSVC)
SRV - [2008/10/06 08:14:57 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/02 01:42:06 | 000,121,360 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/07 13:25:12 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/08/29 16:25:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/05/31 10:21:24 | 000,379,784 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2007/05/31 10:21:18 | 000,183,688 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2007/03/19 13:44:44 | 000,070,656 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)


========== Driver Services (SafeList) ==========

DRV - [2010/10/24 21:25:38 | 000,054,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010/10/24 21:25:38 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2009/09/09 18:24:14 | 000,062,424 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\xusb21.sys -- (xusb21)
DRV - [2009/02/07 13:23:48 | 000,025,280 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2008/02/29 02:13:24 | 000,036,880 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2008/02/29 02:13:16 | 000,035,344 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2008/01/02 16:48:28 | 002,016,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2007/12/06 16:06:35 | 000,020,152 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/12/06 16:06:35 | 000,019,128 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/12/06 16:06:35 | 000,017,592 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/10/10 16:03:00 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2007/09/24 04:27:26 | 000,155,136 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/09/21 03:11:02 | 000,028,432 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LUsbFilt.sys -- (LUsbFilt)
DRV - [2007/09/07 13:26:04 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/08/29 00:55:06 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2007/05/21 00:43:56 | 000,179,712 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2007/04/23 05:51:56 | 000,277,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)
DRV - [2007/03/21 14:33:46 | 000,534,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2007/02/25 13:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/11/27 02:48:46 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2006/11/27 02:48:44 | 000,043,520 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/27 02:48:44 | 000,032,256 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2006/11/02 21:43:30 | 000,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/11/02 21:42:18 | 000,206,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/11/02 21:42:08 | 000,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/11/02 04:51:45 | 000,900,712 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 000,420,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 000,316,520 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 000,297,576 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 000,235,112 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 000,232,040 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 000,147,048 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 000,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 000,098,408 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 000,088,680 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 000,071,784 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 000,040,040 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 000,038,504 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 000,037,480 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 000,067,688 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 000,065,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 000,028,776 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 03:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 02:30:55 | 000,200,704 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2006/11/02 02:30:54 | 000,117,760 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2006/10/05 18:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/08/04 19:39:10 | 000,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2004/11/29 13:14:30 | 000,019,648 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sfsync02.sys -- (sfsync02) StarForce Protection Synchronization Driver (version 2.x)
DRV - [2004/11/25 11:41:08 | 000,046,080 | ---- | M] (Protection Technology) [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\sfdrv01.sys -- (sfdrv01) StarForce Protection Environment Driver (version 1.x)
DRV - [2004/10/28 05:47:59 | 000,006,656 | ---- | M] (Protection Technology) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\sfhlp02.sys -- (sfhlp02) StarForce Protection Helper Driver (version 2.x)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ig/dell?hl=en&cli ... bd=2071206
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://mail.google.com/mail/?shva=1#inbox|http://www.new.facebook.com/login.php"
FF - prefs.js..extensions.enabledItems: ctrl-tab@design-noir.de:0.21.1
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}:6.0.22
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/13 05:23:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/13 05:23:35 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/12/16 12:37:59 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.7\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/03/23 23:20:05 | 000,000,000 | ---D | M]

[2010/08/27 16:18:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dave\AppData\Roaming\Mozilla\Extensions
[2010/08/27 16:18:59 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dave\AppData\Roaming\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2011/02/07 16:16:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions
[2010/06/29 10:37:38 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/10/14 12:56:45 | 000,000,000 | ---D | M] (Flashblock) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
[2011/02/02 14:26:04 | 000,000,000 | ---D | M] (NoScript) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/03/22 09:19:25 | 000,000,000 | ---D | M] (Ctrl-Tab) -- C:\Users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\extensions\ctrl-tab@design-noir.de
[2011/01/27 15:09:25 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/31 20:00:46 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/20 17:52:02 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/18 10:03:36 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/27 15:09:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2008/06/24 14:00:35 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\inspector@mozilla.org
[2010/11/12 18:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [Conime] C:\Windows\System32\conime.exe (Microsoft Corporation)
O4 - HKLM..\Run: [DELL Webcam Manager] C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe (CANON INC.)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (Macrovision Corporation)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\Windows\KHALMNPR.Exe (Logitech, Inc.)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [XboxStat] C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Firewall Security Service] c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [MSConfig] File not found
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0k6qffa.exe ()
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2vvqffa.exe ()
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Dave\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kfvvqf9a0v.exe ()
O9 - Extra Button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} file:///C:/Program%20Files/Chessmaster%20Challenge/Images/stg_drm.ocx (SpinTop DRM Control)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/i ... ction2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} file:///C:/Program%20Files/Chessmaster%20Challenge/Images/armhelper.ocx (ArmHelper Control)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (c:\recycler\s-1-5-21-7702168376-5550137348-691632285-2071\yv8g67.exe) - c:\RECYCLER\S-1-5-21-7702168376-5550137348-691632285-2071\yv8g67.exe (BGT3vjn7nJi)
O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\Dave\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Dave\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/08/16 10:35:02 | 000,000,000 | ---D | M] - C:\Autostitch -- [ NTFS ]
O33 - MountPoints2\{15939c9f-be80-11de-b7b6-001c23f9c651}\Shell - "" = AutoRun
O33 - MountPoints2\{15939c9f-be80-11de-b7b6-001c23f9c651}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{6f8bb6b1-f903-11dd-a1f1-001c23f9c651}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/07 16:00:09 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/02/07 15:58:09 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
[2011/02/06 15:49:39 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/02/06 15:49:39 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis
[2011/02/04 09:44:42 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Local\Temp
[2011/02/02 08:03:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Auralux
[2011/02/02 08:03:00 | 000,000,000 | ---D | C] -- C:\Program Files\Auralux
[2011/01/30 14:35:28 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/01/29 11:49:46 | 000,000,000 | ---D | C] -- C:\Users\Dave\Documents\Osmos
[2011/01/28 15:20:21 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AuraluxDemo
[2011/01/27 14:48:26 | 000,000,000 | RHSD | C] -- C:\RECYCLER
[2011/01/27 13:48:26 | 000,000,000 | ---D | C] -- C:\Users\Dave\Desktop\Phtos_Uncategorized
[2011/01/20 15:05:50 | 000,000,000 | ---D | C] -- C:\Windows\System32\WindowsPowerShell
[2011/01/20 15:05:48 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools
[2011/01/14 16:47:43 | 000,000,000 | ---D | C] -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
[2011/01/14 12:16:55 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
[2008/08/20 19:32:34 | 000,014,848 | ---- | C] ( ) -- C:\Windows\System32\Interop.MSScriptControl.dll

========== Files - Modified Within 30 Days ==========

[2011/02/07 19:17:03 | 000,040,448 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kfvvqf9a0v.exe
[2011/02/07 19:17:02 | 000,043,520 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0k6qffa.exe
[2011/02/07 19:17:02 | 000,040,448 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2vvqffa.exe
[2011/02/07 19:16:10 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/02/07 19:16:09 | 000,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/02/07 19:15:52 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/02/07 19:15:49 | 2137,042,944 | -HS- | M] () -- C:\hiberfil.sys
[2011/02/07 19:14:56 | 000,000,012 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2011/02/07 16:10:58 | 000,645,346 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/02/07 16:10:58 | 000,123,984 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/02/07 15:58:03 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
[2011/02/02 09:36:10 | 000,000,790 | ---- | M] () -- C:\Users\Dave\Desktop\Auralux - Shortcut.lnk
[2011/01/31 07:48:44 | 000,000,222 | ---- | M] () -- C:\Users\Dave\Documents\WhiteToPlay.pgn
[2011/01/30 14:37:22 | 000,001,945 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/01/29 15:21:06 | 000,228,656 | ---- | M] () -- C:\Users\Dave\Documents\spectro.jpg
[2011/01/27 14:54:38 | 000,005,972 | ---- | M] () -- C:\Users\Dave\AppData\Local\d3d9caps.dat
[2011/01/14 16:48:29 | 000,000,942 | ---- | M] () -- C:\Users\Dave\Desktop\Dropbox.lnk
[2011/01/14 16:47:53 | 000,000,922 | ---- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011/01/13 20:40:12 | 000,117,539 | ---- | M] () -- C:\Users\Dave\Desktop\MoteBloomOnly.jpg
[2011/01/13 20:39:55 | 000,170,831 | ---- | M] () -- C:\Users\Dave\Desktop\MoteBloomAndPosterize.jpg
[2011/01/13 18:12:47 | 000,074,796 | ---- | M] () -- C:\Users\Dave\Desktop\110113-OL-Hemisphere-MCPA.DOCX
[2011/01/11 17:22:36 | 000,023,040 | ---- | M] () -- C:\Users\Dave\Desktop\most royals.doc

========== Files Created - No Company Name ==========

[2011/02/07 19:17:07 | 000,040,448 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kfvvqf9a0v.exe
[2011/02/07 19:17:06 | 000,043,520 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0k6qffa.exe
[2011/02/07 19:17:06 | 000,040,448 | RHS- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2vvqffa.exe
[2011/02/02 09:36:10 | 000,000,790 | ---- | C] () -- C:\Users\Dave\Desktop\Auralux - Shortcut.lnk
[2011/01/31 07:48:44 | 000,000,222 | ---- | C] () -- C:\Users\Dave\Documents\WhiteToPlay.pgn
[2011/01/30 14:37:22 | 000,001,945 | ---- | C] () -- C:\Windows\epplauncher.mif
[2011/01/29 15:21:03 | 000,228,656 | ---- | C] () -- C:\Users\Dave\Documents\spectro.jpg
[2011/01/20 15:03:32 | 000,201,184 | ---- | C] () -- C:\Windows\System32\winrm.vbs
[2011/01/20 15:03:32 | 000,002,426 | ---- | C] () -- C:\Windows\System32\WsmTxt.xsl
[2011/01/20 15:03:31 | 000,004,675 | ---- | C] () -- C:\Windows\System32\wsmanconfig_schema.xml
[2011/01/14 16:48:29 | 000,000,942 | ---- | C] () -- C:\Users\Dave\Desktop\Dropbox.lnk
[2011/01/14 16:47:53 | 000,000,922 | ---- | C] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
[2011/01/13 20:40:10 | 000,117,539 | ---- | C] () -- C:\Users\Dave\Desktop\MoteBloomOnly.jpg
[2011/01/13 20:39:52 | 000,170,831 | ---- | C] () -- C:\Users\Dave\Desktop\MoteBloomAndPosterize.jpg
[2011/01/13 18:12:47 | 000,074,796 | ---- | C] () -- C:\Users\Dave\Desktop\110113-OL-Hemisphere-MCPA.DOCX
[2011/01/11 17:19:18 | 000,023,040 | ---- | C] () -- C:\Users\Dave\Desktop\most royals.doc
[2010/10/14 01:36:44 | 000,179,263 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/11/18 13:48:18 | 000,040,960 | ---- | C] () -- C:\Windows\System32\nvISWOW64.dll
[2009/10/12 11:23:48 | 000,005,972 | ---- | C] () -- C:\Users\Dave\AppData\Local\d3d9caps.dat
[2009/10/10 18:19:10 | 000,013,116 | ---- | C] () -- C:\Users\Dave\AppData\Local\c4u.log
[2009/10/10 18:19:03 | 000,000,177 | ---- | C] () -- C:\Users\Dave\AppData\Local\LaunchHomeCenter.log
[2009/10/10 18:09:43 | 000,253,472 | ---- | C] () -- C:\Users\Dave\AppData\Local\installer.log
[2009/09/04 02:38:00 | 000,020,594 | ---- | C] () -- C:\Windows\System32\DELS3L3.DLL
[2009/08/20 14:26:36 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/03/12 09:49:36 | 000,000,258 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2009/02/02 13:50:49 | 000,000,218 | ---- | C] () -- C:\Users\Dave\AppData\Roaming\.Whitebutterfly
[2008/11/18 14:27:17 | 000,000,510 | ---- | C] () -- C:\Windows\WORDPAD.INI
[2008/11/10 08:35:04 | 001,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/11/10 08:35:04 | 001,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2008/11/10 08:35:04 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\Windows\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\System32\AgCPanelFrench.dll
[2008/10/06 08:22:35 | 002,463,976 | ---- | C] () -- C:\Windows\System32\NPSWF32.dll
[2008/09/10 05:22:00 | 000,350,280 | ---- | C] () -- C:\Windows\System32\vfprintpthelper.dll
[2008/02/08 09:10:36 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2008/02/08 09:10:36 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2008/02/08 09:10:36 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2008/01/21 20:33:02 | 000,000,025 | ---- | C] () -- C:\Windows\cdplayer.ini
[2008/01/13 18:10:20 | 000,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2008/01/10 14:58:17 | 000,080,896 | ---- | C] () -- C:\Users\Dave\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/12/06 16:07:08 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/12/06 16:07:08 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1322.dll
[2007/12/06 16:07:08 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/12/06 16:07:02 | 000,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2007/12/06 08:30:39 | 000,065,536 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini

========== LOP Check ==========

[2009/12/10 12:40:26 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\.GrapplingHook
[2010/05/17 13:52:53 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\.minecraft
[2010/09/24 08:30:33 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Atlus
[2010/07/13 14:45:08 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Beat Hazard
[2009/09/05 20:00:58 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Blender Foundation
[2009/04/13 17:30:37 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Braid
[2010/11/18 21:30:02 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Canon
[2011/01/04 13:07:16 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Chessmaster Challenge
[2010/01/24 15:29:29 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\com.rocketbirds.revolution.CF766248D3FE4779BD81B4B4A3BB448567BF58E0.1
[2011/02/07 19:17:35 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Dropbox
[2010/09/17 11:25:58 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\FOG Downloader
[2010/11/18 08:19:26 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Foxit Software
[2010/02/05 08:45:25 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\GamesFaction
[2009/11/18 14:07:05 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\gDEBugger
[2008/04/21 12:29:25 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\GetRightToGo
[2009/12/15 17:10:58 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\GlobalSCAPE
[2008/05/08 16:35:54 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Helios
[2009/12/20 22:46:15 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\ImTOO Software Studio
[2010/09/24 08:57:34 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Internet Chess Club
[2010/10/28 12:10:04 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\LolClient
[2009/07/03 10:07:30 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\My Games
[2011/01/04 13:24:11 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\OnLive App
[2009/12/24 13:29:24 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\OpenOffice.org
[2010/02/24 16:51:41 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Playrix Entertainment
[2010/11/02 13:06:15 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Processing
[2010/05/11 16:55:22 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Purity
[2010/06/22 11:17:50 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\runic games
[2008/05/26 15:14:42 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Sahmon Games
[2011/01/04 12:08:01 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\SpinTop
[2010/09/23 08:12:03 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Star Ruler
[2010/01/18 13:58:20 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Stardock
[2008/09/26 15:47:09 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Subversion
[2008/08/17 16:01:42 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Supernova2
[2009/12/15 13:45:11 | 000,000,000 | -HSD | M] -- C:\Users\Dave\AppData\Roaming\System Defender
[2010/11/18 09:31:47 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\SystemRequirementsLab
[2010/08/27 16:18:58 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Thunderbird
[2008/10/30 12:11:08 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\ToadTrip Games Pty Ltd
[2009/06/24 11:02:00 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\Unity
[2010/01/22 13:11:09 | 000,000,000 | ---D | M] -- C:\Users\Dave\AppData\Roaming\ZombieDriver
[2011/02/07 19:14:58 | 000,032,602 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



< End of report >
MealWorms
Active Member
 
Posts: 9
Joined: February 6th, 2011, 5:29 pm
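What a helper reads that OTL log for are its persistence entries: the HKCU Run value and the HKCU Winlogon Shell that both point into C:\RECYCLER (an XP-era folder name that should not exist on a Vista install, whose bin is $Recycle.Bin), the hidden+system executables with random names in the Startup folder, and the AutoRun command Windows cached under MountPoints2 from a previously inserted flash drive. The following Python pass applies those same reads mechanically to lines copied from the log. It is an added example, not code from the thread, from OTL or from any tool named in it; the line patterns, the severities and the "bogus SID" check (a real SID starts with S- and its sub-authorities are 32-bit numbers) are my own rules of thumb.

```python
"""Triage pass over OTL persistence lines (added example, not code from the
thread, from OTL or from any tool named in it). The patterns, severities and
the SID sanity check are my own rules of thumb, not anything OTL documents."""
import re

# Sample input: lines copied from the OTL log posted above, plus three file
# entries from its "Created/Modified Within 30 Days" sections.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKCU..\Run: [Firewall Security Service] c:\RECYCLER\R-1-5-21-1482476501-1644491937-682003330-1013\winfixer.exe (Trend Micro Inc.)
O4 - HKCU..\Run: [MSConfig] File not found
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0k6qffa.exe ()
O4 - Startup: C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\Dave\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKCU Winlogon: Shell - (c:\recycler\s-1-5-21-7702168376-5550137348-691632285-2071\yv8g67.exe) - c:\RECYCLER\S-1-5-21-7702168376-5550137348-691632285-2071\yv8g67.exe (BGT3vjn7nJi)
O33 - MountPoints2\{15939c9f-be80-11de-b7b6-001c23f9c651}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -a
O33 - MountPoints2\{6f8bb6b1-f903-11dd-a1f1-001c23f9c651}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[2011/02/07 19:17:03 | 000,040,448 | RHS- | M] () -- C:\Users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kfvvqf9a0v.exe
[2011/02/07 15:58:03 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Users\Dave\Desktop\OTL.exe
[2011/01/27 14:48:26 | 000,000,000 | RHSD | C] -- C:\RECYCLER
"""

# Line shapes, derived from the log lines quoted in this thread.
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<path>.*?)(?: = .*)? \((?P<company>[^()]*)\)$")
SHELL_RE = re.compile(r"^O20 - (?P<hive>HKLM|HKCU) Winlogon: Shell - \((?P<value>[^)]*)\) - ")
AUTORUN_RE = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.*)$')
FILE_RE = re.compile(r"^\[(?P<stamp>[^|]+)\| (?P<size>[^|]+)\| (?P<attrs>[^|]+)\| (?P<cm>[CM])\]"
                     r"(?: \((?P<company>[^()]*)\))? -- (?P<path>.+)$")
RECYCLER_RE = re.compile(r"\\recycler\\", re.IGNORECASE)
SID_RE = re.compile(r"\b([A-Za-z])-1-5-21((?:-\d+)+)")


def sid_is_bogus(text):
    """True if text contains something shaped like a SID that cannot be real:
    the prefix letter is not 'S', or a sub-authority does not fit in 32 bits.
    Worms nesting in RECYCLER tend to fake the per-user SID folder badly."""
    for prefix, tail in SID_RE.findall(text):
        subs = [int(n) for n in tail.strip("-").split("-")]
        if prefix.upper() != "S" or any(n > 0xFFFFFFFF for n in subs):
            return True
    return False


def sid_note(text):
    return " (the SID in the path cannot be a real one)" if sid_is_bogus(text) else ""


def triage(log_text):
    """Return (severity, reason, line) for every line matching an abuse pattern.
    Severity is 'high', 'medium' or 'low'; lines that match nothing are skipped."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            rest = m.group("rest")
            if rest == "File not found":
                findings.append(("low", "orphaned Run value [%s]" % m.group("name"), line))
            elif RECYCLER_RE.search(rest):
                # The trailing "(Trend Micro Inc.)" is the file's own version
                # info, not a signature check, so it earns no trust here.
                why = "%s Run value launches from a RECYCLER folder" % m.group("hive")
                findings.append(("high", why + sid_note(rest), line))
            continue
        m = STARTUP_RE.match(line)
        if m:
            if not m.group("company"):
                name = m.group("path").rsplit("\\", 1)[-1]
                findings.append(("high", "Startup-folder item with no version info: " + name, line))
            continue
        m = SHELL_RE.match(line)
        if m:
            if m.group("value").lower() != "explorer.exe":
                why = "%s Winlogon Shell replaced by %s" % (m.group("hive"), m.group("value"))
                findings.append(("high", why + sid_note(m.group("value")), line))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            cmd = m.group("cmd")
            relative = not re.match(r"^[A-Za-z]:\\", cmd.split()[0])
            if relative or "shellexec_rundll" in cmd.lower():
                findings.append(("high", "cached AutoRun command launches a relative or rundll32-wrapped file: " + cmd, line))
            else:
                findings.append(("medium", "cached AutoRun command from a removable drive: " + cmd, line))
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group("attrs").strip().upper(), m.group("path")
            if {"H", "S"} <= set(attrs) and path.lower().endswith((".exe", ".dll", ".scr")) \
                    and "\\users\\" in path.lower():
                findings.append(("high", "hidden+system executable inside a user profile", line))
            elif re.match(r"^[A-Za-z]:\\RECYCLER$", path, re.IGNORECASE):
                findings.append(("medium", "XP-style RECYCLER folder on a Vista host (its bin is $Recycle.Bin)", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (severity, reason, line))
```

Run against the sample it flags the two RECYCLER launch points, the unsigned Startup executables, the rundll32-wrapped AutoRun command and the RECYCLER folder itself, and leaves Microsoft Security Essentials, Dropbox and OTL alone. The orphaned MSConfig Run value is only "low" here; MBAM later in this thread removes it as Trojan.Agent, which is a reminder that an orphan in HKCU\Run is worth recording even when the file it pointed at is already gone.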

Re: Infected laptop running Vista Home Premium, SP2

Unread postby askey127 » February 8th, 2011, 9:52 pm

Mealworms,
--------------------------------------------------
Run Flash Disinfector
  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task > Run... Type in explorer.exe and press Enter. Your desktop should now appear.
Wait until it has finished scanning and then exit the program.

You can run Flash Disinfector with other flash drives and/or other removable drives. This may include your mobile phone.
Please do so and allow the utility to clean up those drives as well.
------------------------------------------------
Remove Programs Using Control Panel
From Start, Control Panel, click on Uninstall a program under the Programs heading.
Right click each Entry, as follows, one by one, if it exists, choose Uninstall/Change, and give permission to Continue:
Ask Toolbar
Java(TM) 6 Update 7
Java(TM) SE Development Kit 6 Update 7
Java(TM) SE Runtime Environment 6
Pando Media Booster

Take extra care in answering questions posed by any Uninstaller.
----------------------------------------------------------------------------------
Download and Run MalwareBytes' Anti-Malware. It is free for non-business use.
Please go here to the Download Location, click on Download.
  • After clicking on the download and choosing Save, the "Save to location" dialog will come up.
  • Click the browse folders button, then click on Desktop on the left as the location for the installer and click Save again. Close the dialog when the download is complete.
  • You should now have a desktop icon named mbam-setup.exe.
  • Right click it, choose Run as administrator and Continue
  • Let it install where it wants to, with the default settings, and click Finish.
  • If an update is found, it will download and install the latest version. A shield symbol will show on the desktop icon while it is updating, and will disappear when it's done.
  • If necessary, start Malwarebytes Anti-Malware again.
  • Once the program has started up, select Perform Quick Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • If it found any malware items, check all items except items in the C:\System Volume Information folder... and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location, and post the contents in your reply.
  • The log can also be found using the "Logs" tab in the program. You can click any "Scan" log listed to open its contents. The logs are listed and named by time/date stamp.

askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Infected laptop running Vista Home Premium, SP2

Unread postby MealWorms » February 9th, 2011, 10:30 am

Hi askey127,

Regarding Flash_Disinfector: not sure it ran correctly, as I wasn't presented with e.g. a prompt to connect a flash drive. On running it from the desktop for the first time, a dialog popped up saying the program had not installed successfully. I selected 'Reinstall with recommended settings'. The dialog went away, returning me to the desktop. I tried running again, but nothing happened. When I run it with the Task Manager opened, I see a couple of consoleIME processes are launched, but then disappear. So it seems as if it didn't run correctly.

From the Control Panel, I uninstalled the recommended programs. All were present except for the 'Ask Toolbar'. Note that there are still two Java-related programs listed as installed, 'Java DB 10.3.1.4' and 'Java(TM) 6 Update 23' -- are these kosher?

Please see below for the log results from Malwarebytes Anti-Malware:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5719

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

09/02/2011 9:24:01 AM
mbam-log-2011-02-09 (09-24-01).txt

Scan type: Quick scan
Objects scanned: 170976
Time elapsed: 5 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSConfig (Trojan.Agent) -> Value: MSConfig -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=249&q={searchTerms}) Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) -> Quarantined and deleted successfully.

Folders Infected:
c:\Users\Dave\AppData\Roaming\system defender (Rogue.SystemDefender) -> Quarantined and deleted successfully.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013 (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.

Files Infected:
c:\Users\Dave\AppData\Local\Temp\528.exe (Worm.Zeroll) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Local\Temp\549.exe (Worm.Zeroll) -> Quarantined and deleted successfully.
c:\Users\Dave\local settings\temporary internet files\Content.IE5\BY047M11\ms[1].exe (Worm.Zeroll) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\system defender\cookies.sqlite (Rogue.SystemDefender) -> Quarantined and deleted successfully.
c:\Users\Dave\AppData\Roaming\system defender\instructions.ini (Rogue.SystemDefender) -> Quarantined and deleted successfully.
c:\RECYCLER\r-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Worm.AutoRun.Gen) -> Quarantined and deleted successfully.
MealWorms
Active Member
 
Posts: 9
Joined: February 6th, 2011, 5:29 pm

Re: Infected laptop running Vista Home Premium, SP2

Unread postby askey127 » February 9th, 2011, 12:10 pm

Mealworms,
What I would like you to do is this:
-----------------------------------------------------------
Download and Run ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance.
ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file.
You will need to disable all your antivirus software BEFORE running ComboFix.
.
  • Download ComboFix from here
  • Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it.
    **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**
  • DISABLE MICROSOFT SECURITY ESSENTIALS
    Right click the green MS Security Essentials "schoolhouse" icon in the lower right System tray, and click "Open".
    Click the "Settings" tab and in the left pane, then Click "Real Time Protection"
    In the main window UNCHECK the box for "Turn on real time protection (Recommended)"
    Then click "Save Changes".
  • Now start ComboFix (zzz.exe). Right click and choose "Run as administrator".
  • OK any disclaimers and start the Scan.
  • Do not touch the computer AT ALL while ComboFix is running.
  • It will run through about 50 tasks, and take a while to assemble the report.
    When finished, the report will open. Post the log in your next reply, and then re-enable Microsoft Security Essentials.
A copy of the log will be located here if you need it-> C:\ComboFix.txt
If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.
-----------------------------------------------------------
Sanitize Flash Autoruns
(Please perform this on every flash drive you have). Plug in the flash drive, wait for it to initialize.
Open My Computer and double click on the drive corresponding to the flash.
If there is any file in the main directory named autorun.inf, please right click it with your mouse and choose Delete.
Now, while you are still looking at the list of files on the flash, right click on an empty space and choose New, and then Folder.
Name the new folder autorun.inf
Please repeat the procedure for each flash drive you have.
This action will help make it more difficult to install infected files on the flash that autorun when the flash is plugged in.

Most people have no use for a Java Database, so I don't have any idea why that is on there. It is not usually dangerous.
The Java(TM) 6 Update 23 item is the latest version of the common Java Runtime Library, and useful to have for interaction with website forms, etc.

askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
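The "Sanitize Flash Autoruns" step above works because Windows looks for a *file* named autorun.inf at the drive root; a directory with that name is never parsed, and a dropper that tries to write the file finds the name already taken. Below is that step scripted, together with a look at what the removed file would have launched. It is an added example, not code from the thread, from Flash_Disinfector or from any other tool named here. The sample autorun.inf is constructed to match the `ShellExec_RunDLL copy.exe` command that the OTL log shows cached under MountPoints2; `demo()` runs the mitigation against a temporary directory standing in for a drive root rather than against a real device.

```python
"""Inspect and neutralise autorun.inf on a removable drive (added example; it
is not code from the thread, from Flash_Disinfector or from any other tool
named here). SAMPLE_AUTORUN_INF is constructed to match the cached
MountPoints2 command in the OTL log above."""
import configparser
import os
import shutil
import stat
import tempfile

# Constructed sample of a worm-dropped autorun.inf. 'copy.exe' is a relative
# name, so Windows resolves it against the root of the drive being mounted.
SAMPLE_AUTORUN_INF = """[AutoRun]
open=copy.exe
shellexecute=copy.exe
shell\\Open\\command=copy.exe
shell\\Open=Open
shell=Open
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""


def parse_autorun(text):
    """Return {key: command} for every [autorun] key that can launch a program:
    open, shellexecute and shell\\<verb>\\command (keys lowercased). The section
    name is matched case-insensitively, as Windows does. Text a strict INI
    parser rejects is reported under the key '?' rather than silently ignored,
    since droppers often pad the file with junk to confuse scanners."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return {"?": "unparseable autorun.inf (%s)" % type(exc).__name__}
    commands = {}
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key in ("open", "shellexecute") or (
                    key.startswith("shell\\") and key.endswith("\\command")):
                commands[key] = value.strip()
    return commands


def neutralise_autorun(drive_root):
    """The thread's mitigation, scripted: delete any autorun.inf *file* at the
    root and leave a *directory* of that name behind. Returns the launch
    commands found in the removed file ({} if there was no file). Idempotent:
    an existing directory is left alone. In real use, copy the file aside for
    analysis before deleting it."""
    path = os.path.join(drive_root, "autorun.inf")
    found = {}
    if os.path.isfile(path):
        with open(path, "r", errors="replace") as fh:
            found = parse_autorun(fh.read())
        # Droppers usually mark the file read-only/hidden/system; clearing
        # read-only lets the unlink succeed on Windows.
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)
        os.remove(path)
    if not os.path.isdir(path):
        os.mkdir(path)
    return found


def demo():
    """Run the mitigation against a scratch directory standing in for a flash
    drive root. Returns (commands_found, is_now_a_directory,
    still_writable_as_a_file, commands_found_on_second_pass)."""
    root = tempfile.mkdtemp(prefix="usbroot_")
    try:
        path = os.path.join(root, "autorun.inf")
        with open(path, "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        found = neutralise_autorun(root)
        try:
            with open(path, "w"):
                pass
            writable = True
        except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
            writable = False
        second = neutralise_autorun(root)
        return found, os.path.isdir(path), writable, second
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    found, is_dir, writable, _ = demo()
    for key, cmd in sorted(found.items()):
        print("%-22s -> %s" % (key, cmd))
    print("autorun.inf is now a directory: %s; writable as a file: %s" % (is_dir, writable))
```

The folder trick only blocks the insert-and-autorun path; it does nothing about a copy.exe the user double-clicks, and it does not clean what has already run, which is what the MBAM and ComboFix steps in this thread are for. Microsoft also closed the same path from the other side: the update KB971029, pushed through Windows Update in February 2011, disables AutoRun for non-optical removable media on XP and Vista.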

Re: Infected laptop running Vista Home Premium, SP2

Unread postby MealWorms » February 10th, 2011, 1:57 pm

Hi askey127,

Thanks as always for your help! Please see below for the log generated by ComboFix:

ComboFix 11-02-09.05 - Dave 10/02/2011 12:10:12.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.649 [GMT -5:00]
Running from: c:\users\Dave\Desktop\zzz.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\CLSV.tmp
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\DBOLE.tmp
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\fix.dll
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\FW.drv
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\pal.dll
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\ppal.exe
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\ppal.tmp
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\sld.drv
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\SM.exe
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\tempdoc.drv
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\tjd.sys
c:\users\Dave\AppData\Roaming\Microsoft\Windows\Recent\tjd.tmp
c:\users\Dave\AppData\Roaming\System Defender
c:\users\Dave\AppData\Roaming\System Defender\Instructions.ini
c:\windows\system32\twunk_32.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-10 to 2011-02-10 )))))))))))))))))))))))))))))))
.

2011-02-10 17:36 . 2011-02-10 17:37 -------- d-----w- c:\users\Dave\AppData\Local\temp
2011-02-10 17:36 . 2011-02-10 17:36 -------- d-----w- c:\users\UserPerson\AppData\Local\temp
2011-02-10 17:36 . 2011-02-10 17:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-10 17:02 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C13D0DF6-EE14-406D-A53F-3ACCB8E8736A}\mpengine.dll
2011-02-09 14:16 . 2011-02-09 14:16 -------- d-----w- c:\users\Dave\AppData\Roaming\Malwarebytes
2011-02-09 14:16 . 2011-02-09 14:16 -------- d-----w- c:\programdata\Malwarebytes
2011-02-09 14:16 . 2011-02-09 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-07 21:00 . 2011-02-07 21:00 -------- d-----w- C:\_OTL
2011-02-06 20:49 . 2011-02-06 20:49 388096 ----a-r- c:\users\Dave\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-06 20:49 . 2011-02-06 20:49 -------- d-----w- c:\program files\Trend Micro
2011-02-02 13:03 . 2011-02-02 14:36 -------- d-----w- c:\program files\Auralux
2011-01-30 19:36 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-01-30 19:35 . 2011-01-30 19:37 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-30 19:34 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-01-28 20:19 . 2010-02-04 15:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-01-28 20:19 . 2010-02-04 15:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-01-28 20:19 . 2010-02-04 15:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-01-28 20:19 . 2010-02-04 15:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-01-28 20:17 . 2011-01-28 20:17 47384 ----a-w- c:\program files\Common Files\Microsoft Shared\XNA\Framework\Shared\xnavisualizer.dll
2011-01-28 20:17 . 2011-01-28 20:17 2265880 ----a-w- c:\program files\Common Files\Microsoft Shared\XNA\Framework\v4.0\XnaNative.dll
2011-01-28 20:17 . 2011-01-28 20:17 17176 ----a-w- c:\program files\Common Files\Microsoft Shared\XNA\Framework\Shared\XnaVisualizerPS.dll
2011-01-12 13:16 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-01-12 13:16 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-01-12 13:16 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-01-12 13:16 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-01-12 13:16 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-01-12 13:16 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-01-12 13:16 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 09:41 . 2010-11-14 23:19 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-12 23:53 . 2010-06-01 01:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Dave\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Dave\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Dave\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-29 36864]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-16 133656]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-01 2508104]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Dave\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-12-16 23343848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&cli ... bd=2071206
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?shva=1#inb ... /login.php
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Ctrl-Tab: ctrl-tab@design-noir.de - %profile%\extensions\ctrl-tab@design-noir.de
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SigmatelSysTrayApp - %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-10 12:36
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-02-10 12:45:54
ComboFix-quarantined-files.txt 2011-02-10 17:45

Pre-Run: 40,005,476,352 bytes free
Post-Run: 40,484,311,040 bytes free

- - End Of File - - C4AEA1E1D01B6403F31AB9781EF88E8D
MealWorms
Active Member
 
Posts: 9
Joined: February 6th, 2011, 5:29 pm

Re: Infected laptop running Vista Home Preiump, SP2

Unread postby askey127 » February 10th, 2011, 8:56 pm

Mealworms;
----------------------------------------------
Perform a Custom Scan or Fix with OTL
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :processes
    killallprocesses
    
    :OTL
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
    
    :Commands
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
--------------------------------------------
TDSSKiller - Rootkit Removal Tool
Please download the TDSSKiller.exe by Kaspersky... save it to your Desktop. <-Important!!!
  1. Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    (Vista - W7 users: Right-click and select "Run As Administrator")
    If TDSSKiller does not run... rename it. Right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. ektfhtw.com).
    If you don't see file extensions, please see: How to change the file extension.
  2. Click the Start Scan button. Do not use the computer during the scan!
  3. If the scan completes with nothing found, click Close to exit.
  4. If malicious objects are found, they will show in the "Scan results - Select action for found objects" and offer 3 options.
    • Ensure Cure (default) is selected... then click Continue > Reboot now to finish the cleaning process.
    • If Cure is not offered as an option, choose Skip.
  5. A log file named TDSSKiller_version_dd.mm.yyyy_hh.mm.ss_log.txt will be created and saved to the root directory. (usually Local Disk C:).
  6. Copy and paste the contents of that file in your next reply.
If, for some reason, you can't locate the text file to paste into your reply, just tell me, but DO NOT run the program a second time.

askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

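The selection askey127 made by hand from the ComboFix log (the stale Java Console extension entries, everything except the current Update 23) can be automated; this is an added example, not code from the thread, from ComboFix or from OTL. It assumes Sun's convention that the Java Console extension ID {CAFEEFAC-00MM-mmmm-uuuu-ABCDEFFEDCBA} encodes major, minor and update number; the sample log lines are the ones from the ComboFix log above.

```python
"""Added example (not from the thread): pull the stale Java Console entries
out of the 'FF - Ext:' lines of a ComboFix log and turn them into the :OTL
block of an OTL custom fix, the way askey127 did by hand above.

Assumption: a Java Console extension ID {CAFEEFAC-00MM-mmmm-uuuu-ABCDEFFEDCBA}
encodes (major MM, minor mmmm, update uuuu), so the highest tuple is the one
that belongs to the currently installed JRE and the rest are leftovers.
"""
import re

# Constructed sample: the relevant lines copied from the ComboFix log above.
SAMPLE_LOG = "\n".join([
    r"FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}",
    r"FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}",
    r"FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}",
    r"FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}",
    r"FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}",
    r"FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}",
    r"FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}",
    r"FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}",
])

# One ComboFix 'FF - Ext:' line for a Java Console extension; the three
# numeric groups are major, minor and update number.
JAVA_CONSOLE_RE = re.compile(
    r"^FF - Ext: Java Console: "
    r"\{CAFEEFAC-(\d{4})-(\d{4})-(\d{4})-ABCDEFFEDCBA\} - .+$",
    re.MULTILINE,
)


def java_console_entries(log_text):
    """Return [((major, minor, update), full_line), ...] for every entry."""
    entries = []
    for match in JAVA_CONSOLE_RE.finditer(log_text):
        version = tuple(int(group) for group in match.groups())
        entries.append((version, match.group(0)))
    return entries


def stale_java_console_lines(log_text):
    """Every Java Console line except the newest one; [] if one or none."""
    entries = sorted(java_console_entries(log_text))   # ascending by version
    return [line for _, line in entries[:-1]]


def build_otl_fix(log_text):
    """Assemble the OTL custom fix askey127 posted: kill processes, remove
    the stale entries under :OTL, then reboot. Empty string if nothing to do."""
    stale = stale_java_console_lines(log_text)
    if not stale:
        return ""
    lines = [":processes", "killallprocesses", "", ":OTL"]
    lines.extend(stale)
    lines.extend(["", ":Commands", "[Reboot]"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_otl_fix(SAMPLE_LOG))
```

OTL reports "not found" for each removed line whose folder no longer exists, which is exactly what the log in the next reply shows.
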
Re: Infected laptop running Vista Home Preiump, SP2

Unread postby MealWorms » February 11th, 2011, 10:33 am

Hi askey127,

The Kaspersky program found no infections. Please see below for the log from OTL:

========== PROCESSES ==========
All processes killed
========== OTL ==========
File Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} not found.
File Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} not found.
File Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} not found.
File Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} not found.
File Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} not found.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.20.6 log created on 02112011_092408

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
MealWorms
Active Member
 
Posts: 9
Joined: February 6th, 2011, 5:29 pm

Re: Infected laptop running Vista Home Preiump, SP2

Unread postby askey127 » February 11th, 2011, 4:34 pm

Mealworms,
If you would be so kind as to post the last 15-20 lines of the TDSSKiller log, it would be helpful.
It's located in the main directory of the C: drive.

----------------------------------------------
Perform a Custom Scan or Fix with OTL
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :Commands
    [EMPTYTEMP]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    
  • Then click the Run Fix button at the top.
  • Let the program run unhindered and reboot the PC when it is done.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Re: Infected laptop running Vista Home Preiump, SP2

Unread postby MealWorms » February 11th, 2011, 4:53 pm

Hi askey127,

Please see below for the latest OTL log result, and below that the contents of the TDSSKiller log.


All processes killed
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Dave
->Temp folder emptied: 49973 bytes
->Temporary Internet Files folder emptied: 33790724 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 41667865 bytes
->Flash cache emptied: 480 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UserPerson
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16292 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 72.00 mb



OTL by OldTimer - Version 3.2.20.6 log created on 02112011_154754

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


------------------------------------------


2011/02/11 09:30:01.0254 1620 TDSS rootkit removing tool 2.4.17.0 Feb 10 2011 11:07:20
2011/02/11 09:30:01.0348 1620 ================================================================================
2011/02/11 09:30:01.0348 1620 SystemInfo:
2011/02/11 09:30:01.0348 1620
2011/02/11 09:30:01.0348 1620 OS Version: 6.0.6002 ServicePack: 2.0
2011/02/11 09:30:01.0348 1620 Product type: Workstation
2011/02/11 09:30:01.0348 1620 ComputerName: DAVE-PC
2011/02/11 09:30:01.0348 1620 UserName: Dave
2011/02/11 09:30:01.0348 1620 Windows directory: C:\Windows
2011/02/11 09:30:01.0348 1620 System windows directory: C:\Windows
2011/02/11 09:30:01.0348 1620 Processor architecture: Intel x86
2011/02/11 09:30:01.0348 1620 Number of processors: 2
2011/02/11 09:30:01.0348 1620 Page size: 0x1000
2011/02/11 09:30:01.0348 1620 Boot type: Normal boot
2011/02/11 09:30:01.0348 1620 ================================================================================
2011/02/11 09:30:02.0783 1620 Initialize success
2011/02/11 09:30:45.0465 3188 ================================================================================
2011/02/11 09:30:45.0465 3188 Scan started
2011/02/11 09:30:45.0465 3188 Mode: Manual;
2011/02/11 09:30:45.0465 3188 ================================================================================
2011/02/11 09:31:28.0536 3188 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/02/11 09:31:28.0692 3188 LMouFilt (d58b330d318361a66a9fe60d7c9b4951) C:\Windows\system32\DRIVERS\LMouFilt.Sys
2011/02/11 09:31:28.0911 3188 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/02/11 09:31:29.0176 3188 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/02/11 09:31:29.0348 3188 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/02/11 09:31:29.0597 3188 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/02/11 09:31:29.0769 3188 LUsbFilt (ff1c2f90d40a2e52649937854e175987) C:\Windows\system32\Drivers\LUsbFilt.Sys
2011/02/11 09:31:30.0003 3188 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/02/11 09:31:30.0206 3188 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/02/11 09:31:30.0642 3188 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/02/11 09:31:30.0954 3188 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/02/11 09:31:31.0469 3188 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/02/11 09:31:32.0624 3188 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/02/11 09:31:32.0982 3188 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/02/11 09:31:33.0248 3188 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\Windows\system32\DRIVERS\MpFilter.sys
2011/02/11 09:31:33.0482 3188 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/02/11 09:31:33.0965 3188 MpKsl306ca944 (5f53edfead46fa7adb78eee9ecce8fdf) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8F5FF633-9D50-4DEE-881B-AC6AB6DA6D5B}\MpKsl306ca944.sys
2011/02/11 09:31:34.0106 3188 MpKsl92684f8e (5f53edfead46fa7adb78eee9ecce8fdf) c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{8F5FF633-9D50-4DEE-881B-AC6AB6DA6D5B}\MpKsl92684f8e.sys
2011/02/11 09:31:34.0308 3188 MpNWMon (f32e2d6a1640a469a9ed4f1929a4a861) C:\Windows\system32\DRIVERS\MpNWMon.sys
2011/02/11 09:31:34.0542 3188 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/02/11 09:31:35.0494 3188 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/02/11 09:31:35.0603 3188 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/02/11 09:31:35.0806 3188 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/02/11 09:31:36.0430 3188 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/02/11 09:31:37.0335 3188 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/02/11 09:31:38.0692 3188 msahci (d420bc42a637ac3cc4f411220549c0dc) C:\Windows\system32\drivers\msahci.sys
2011/02/11 09:31:39.0113 3188 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/02/11 09:31:40.0174 3188 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/02/11 09:31:41.0219 3188 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/02/11 09:31:43.0684 3188 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/02/11 09:31:44.0043 3188 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/02/11 09:31:44.0370 3188 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/02/11 09:31:44.0729 3188 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/02/11 09:31:45.0353 3188 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/02/11 09:31:45.0618 3188 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/02/11 09:31:45.0806 3188 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/02/11 09:31:46.0445 3188 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/02/11 09:31:46.0804 3188 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/02/11 09:31:47.0319 3188 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/02/11 09:31:47.0584 3188 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/02/11 09:31:47.0958 3188 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/02/11 09:31:48.0130 3188 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/02/11 09:31:48.0707 3188 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/02/11 09:31:48.0879 3188 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/02/11 09:31:49.0347 3188 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/02/11 09:31:49.0518 3188 NisDrv (17e2c08c5ecfbe94a7c67b1c275ee9d9) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
2011/02/11 09:31:49.0690 3188 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/02/11 09:31:49.0893 3188 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/02/11 09:31:50.0642 3188 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/02/11 09:31:50.0938 3188 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/02/11 09:31:51.0422 3188 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/02/11 09:31:51.0671 3188 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/02/11 09:31:52.0124 3188 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/02/11 09:31:52.0280 3188 nv_agp (055081fd5076401c1ee1bcab08d81911) C:\Windows\system32\drivers\nv_agp.sys
2011/02/11 09:31:53.0262 3188 OEM02Dev (19cac780b858822055f46c58a111723c) C:\Windows\system32\DRIVERS\OEM02Dev.sys
2011/02/11 09:31:53.0325 3188 OEM02Vfx (86326062a90494bdd79ce383511d7d69) C:\Windows\system32\DRIVERS\OEM02Vfx.sys
2011/02/11 09:31:53.0481 3188 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/02/11 09:31:53.0824 3188 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/02/11 09:31:53.0918 3188 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/02/11 09:31:54.0011 3188 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/02/11 09:31:54.0261 3188 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/02/11 09:31:54.0370 3188 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2011/02/11 09:31:54.0479 3188 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/02/11 09:31:54.0791 3188 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/02/11 09:31:55.0088 3188 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/02/11 09:31:55.0322 3188 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/02/11 09:31:55.0524 3188 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/02/11 09:31:56.0039 3188 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\Windows\system32\Drivers\PxHelp20.sys
2011/02/11 09:31:56.0538 3188 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/02/11 09:31:58.0520 3188 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/02/11 09:31:58.0972 3188 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/02/11 09:31:59.0362 3188 R300 (e642b131fb74caf4bb8a014f31113142) C:\Windows\system32\DRIVERS\atikmdag.sys
2011/02/11 09:32:00.0579 3188 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/02/11 09:32:00.0984 3188 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/02/11 09:32:01.0515 3188 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/02/11 09:32:02.0326 3188 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/02/11 09:32:02.0747 3188 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/02/11 09:32:03.0356 3188 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/02/11 09:32:05.0040 3188 rdpdr (0245418224cfa77bf4b41c2fe0622258) C:\Windows\system32\drivers\rdpdr.sys
2011/02/11 09:32:05.0462 3188 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/02/11 09:32:05.0945 3188 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/02/11 09:32:07.0162 3188 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\Windows\system32\DRIVERS\rimmptsk.sys
2011/02/11 09:32:08.0644 3188 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\Windows\system32\DRIVERS\rimsptsk.sys
2011/02/11 09:32:08.0862 3188 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
2011/02/11 09:32:09.0221 3188 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/02/11 09:32:09.0455 3188 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/02/11 09:32:10.0110 3188 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
2011/02/11 09:32:10.0532 3188 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/02/11 09:32:11.0436 3188 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/02/11 09:32:11.0592 3188 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/02/11 09:32:12.0029 3188 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/02/11 09:32:12.0263 3188 sfdrv01 (4354d1eea9b4b6e29d53151acde7980f) C:\Windows\system32\drivers\sfdrv01.sys
2011/02/11 09:32:13.0542 3188 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/02/11 09:32:14.0572 3188 sffp_mmc (96ded8b20c734ac41641ce275250e55d) C:\Windows\system32\drivers\sffp_mmc.sys
2011/02/11 09:32:14.0759 3188 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/02/11 09:32:15.0992 3188 sfhlp02 (3ad2b15ccc03febfbaf5ff057822aa75) C:\Windows\system32\drivers\sfhlp02.sys
2011/02/11 09:32:16.0163 3188 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/02/11 09:32:16.0444 3188 sfsync02 (d14d5c9c11998da690fa75460f4f1cf3) C:\Windows\system32\drivers\sfsync02.sys
2011/02/11 09:32:16.0616 3188 sisagp (08072b2fb92477fc813271a84b3a8698) C:\Windows\system32\drivers\sisagp.sys
2011/02/11 09:32:16.0896 3188 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/02/11 09:32:17.0068 3188 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/02/11 09:32:17.0240 3188 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/02/11 09:32:17.0427 3188 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/02/11 09:32:17.0598 3188 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2011/02/11 09:32:17.0739 3188 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2011/02/11 09:32:17.0910 3188 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2011/02/11 09:32:18.0706 3188 STHDA (5af135b2e2097d4494b9067ce84e2665) C:\Windows\system32\drivers\stwrt.sys
2011/02/11 09:32:19.0486 3188 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/02/11 09:32:19.0673 3188 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/02/11 09:32:19.0892 3188 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/02/11 09:32:20.0126 3188 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/02/11 09:32:20.0718 3188 Tcpip (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\drivers\tcpip.sys
2011/02/11 09:32:20.0937 3188 Tcpip6 (6a10afce0b38371064be41c1fbfd3c6b) C:\Windows\system32\DRIVERS\tcpip.sys
2011/02/11 09:32:21.0358 3188 tcpipreg (9bf343f4c878d6ad6922b2c5a4fefe0d) C:\Windows\system32\drivers\tcpipreg.sys
2011/02/11 09:32:21.0561 3188 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/02/11 09:32:21.0826 3188 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/02/11 09:32:22.0356 3188 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/02/11 09:32:24.0026 3188 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/02/11 09:32:24.0322 3188 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/02/11 09:32:24.0462 3188 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/02/11 09:32:26.0288 3188 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/02/11 09:32:26.0397 3188 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/02/11 09:32:26.0584 3188 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/02/11 09:32:26.0771 3188 uliagpkx (6d72ef05921abdf59fc45c7ebfe7e8dd) C:\Windows\system32\drivers\uliagpkx.sys
2011/02/11 09:32:27.0442 3188 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/02/11 09:32:27.0707 3188 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/02/11 09:32:28.0643 3188 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/02/11 09:32:29.0002 3188 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/02/11 09:32:30.0063 3188 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys
2011/02/11 09:32:30.0250 3188 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/02/11 09:32:31.0046 3188 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/02/11 09:32:32.0153 3188 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/02/11 09:32:32.0294 3188 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/02/11 09:32:32.0418 3188 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/02/11 09:32:32.0590 3188 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/02/11 09:32:32.0668 3188 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/02/11 09:32:32.0730 3188 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/02/11 09:32:32.0824 3188 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/02/11 09:32:32.0949 3188 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/02/11 09:32:33.0027 3188 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/02/11 09:32:33.0089 3188 viaagp (d5929a28bdff4367a12caf06af901971) C:\Windows\system32\drivers\viaagp.sys
2011/02/11 09:32:33.0136 3188 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/02/11 09:32:33.0214 3188 viaide (f3b4762eb85a2aff4999401f14c3262b) C:\Windows\system32\drivers\viaide.sys
2011/02/11 09:32:33.0292 3188 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/02/11 09:32:33.0401 3188 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/02/11 09:32:33.0464 3188 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/02/11 09:32:33.0510 3188 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/02/11 09:32:33.0588 3188 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/02/11 09:32:33.0651 3188 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/02/11 09:32:33.0698 3188 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/02/11 09:32:33.0776 3188 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/02/11 09:32:33.0854 3188 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/02/11 09:32:34.0150 3188 winachsf (4daca8f07537d4d7e3534bb99294aa26) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/02/11 09:32:34.0431 3188 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/02/11 09:32:34.0571 3188 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/02/11 09:32:34.0649 3188 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/02/11 09:32:35.0008 3188 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/02/11 09:32:35.0164 3188 XAudio (5a7ff9a18ff6d7e0527fe3abf9204ef8) C:\Windows\system32\DRIVERS\xaudio.sys
2011/02/11 09:32:35.0304 3188 xusb21 (09e5340bd9b2cb730bf4dc6be7721291) C:\Windows\system32\DRIVERS\xusb21.sys
2011/02/11 09:32:35.0382 3188 ================================================================================
2011/02/11 09:32:35.0382 3188 Scan finished
2011/02/11 09:32:35.0382 3188 ================================================================================
2011/02/11 09:32:52.0371 1592 Deinitialize success
MealWorms
Active Member
Posts: 9
Joined: February 6th, 2011, 5:29 pm

Re: Infected laptop running Vista Home Premium, SP2

Unread postby askey127 » February 12th, 2011, 8:04 am

Mealworms,
-------------------------------------------------------------
  • Open a new Notepad window (Start>All programs>accessories>notepad). Choose File, New.
  • Highlight the contents of the codebox below and press Ctrl+C to copy it to the clipboard. Do Not copy the word "Code".
    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000000
    
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    
  • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste.
  • Save it to your desktop as CFScript.txt

    [Image: the CFScript.txt icon being dragged onto combofix.exe (zzz.exe)]
  • Now drag and drop the CFScript.txt icon onto combofix.exe (zzz.exe) as in the picture above, and follow the prompts.
  • Then post the resultant log, C:\ComboFix.txt, in your next reply.

Reboot and tell me how it's running.
askey127

askey127
Admin/Teacher
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA
Re: Infected laptop running Vista Home Premium, SP2

Unread postby MealWorms » February 13th, 2011, 6:27 pm

Hi askey127,

Please see below for the latest ComboFix log. The laptop is running well; all previous 'process launch spam' activity has ceased, and it seems like everything is smooth! Does this mean we call the laptop 'clean'?

ComboFix 11-02-09.05 - Dave 13/02/2011 16:57:01.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.2037.1121 [GMT -5:00]
Running from: c:\users\Dave\Desktop\zzz.exe
Command switches used :: c:\users\Dave\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2011-01-13 to 2011-02-13 )))))))))))))))))))))))))))))))
.

2011-02-13 22:08 . 2011-02-13 22:09 -------- d-----w- c:\users\Dave\AppData\Local\temp
2011-02-13 22:08 . 2011-02-13 22:08 -------- d-----w- c:\users\UserPerson\AppData\Local\temp
2011-02-13 22:08 . 2011-02-13 22:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-13 21:03 . 2011-02-13 21:41 -------- d-----w- C:\zzz
2011-02-13 20:54 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{B19012E0-E1AC-464F-861A-A3D45880B383}\mpengine.dll
2011-02-11 18:52 . 2011-02-11 18:52 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{CA79A251-9EB4-4791-B9F9-77CE9C7BCAF6}\gapaengine.dll
2011-02-10 17:02 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
2011-02-10 17:02 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-02-10 17:02 . 2010-10-15 14:08 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-10 17:02 . 2010-10-15 14:08 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-10 17:00 . 2011-01-08 08:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-10 17:00 . 2011-01-08 06:28 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 14:16 . 2011-02-09 14:16 -------- d-----w- c:\users\Dave\AppData\Roaming\Malwarebytes
2011-02-09 14:16 . 2011-02-09 14:16 -------- d-----w- c:\programdata\Malwarebytes
2011-02-09 14:16 . 2011-02-09 14:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-02-07 21:00 . 2011-02-07 21:00 -------- d-----w- C:\_OTL
2011-02-06 20:49 . 2011-02-06 20:49 388096 ----a-r- c:\users\Dave\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-06 20:49 . 2011-02-06 20:49 -------- d-----w- c:\program files\Trend Micro
2011-02-02 13:03 . 2011-02-02 14:36 -------- d-----w- c:\program files\Auralux
2011-01-30 19:36 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-01-30 19:35 . 2011-01-30 19:37 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-30 19:34 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys
2011-01-28 20:19 . 2010-02-04 15:01 74072 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2011-01-28 20:19 . 2010-02-04 15:01 528216 ----a-w- c:\windows\system32\XAudio2_6.dll
2011-01-28 20:19 . 2010-02-04 15:01 238936 ----a-w- c:\windows\system32\xactengine3_6.dll
2011-01-28 20:19 . 2010-02-04 15:01 22360 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2011-01-28 20:17 . 2011-01-28 20:17 47384 ----a-w- c:\program files\Common Files\Microsoft Shared\XNA\Framework\Shared\xnavisualizer.dll
2011-01-28 20:17 . 2011-01-28 20:17 2265880 ----a-w- c:\program files\Common Files\Microsoft Shared\XNA\Framework\v4.0\XnaNative.dll
2011-01-28 20:17 . 2011-01-28 20:17 17176 ----a-w- c:\program files\Common Files\Microsoft Shared\XNA\Framework\Shared\XnaVisualizerPS.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 09:41 . 2010-11-14 23:19 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-12-28 15:55 . 2011-01-12 13:16 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 13:16 1169408 ----a-w- c:\windows\system32\sdclt.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2010-03-21 12:55 87304 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Dave\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Dave\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2010-10-06 23:36 94208 ----a-w- c:\users\Dave\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-29 36864]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-16 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-16 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-16 133656]
"Conime"="c:\windows\system32\conime.exe" [2009-04-11 69120]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-09-30 718688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-11-01 2508104]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.exe" [2009-09-28 140640]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Dave\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-12-16 23343848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R1 MpKsl431a0035;MpKsl431a0035;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4247A522-57DB-4806-BCF3-68FB875F35ED}\MpKsl431a0035.sys [x]
R1 MpKsl8f6c9587;MpKsl8f6c9587;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4247A522-57DB-4806-BCF3-68FB875F35ED}\MpKsl8f6c9587.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-21 179712]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&cli ... bd=2071206
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\users\Dave\AppData\Roaming\Mozilla\Firefox\Profiles\abcl5c0i.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?shva=1#inb ... /login.php
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Flashblock: {3d7eb24f-2740-49df-8937-200b1cc08f8a} - %profile%\extensions\{3d7eb24f-2740-49df-8937-200b1cc08f8a}
FF - Ext: Ctrl-Tab: ctrl-tab@design-noir.de - %profile%\extensions\ctrl-tab@design-noir.de
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-13 17:08
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2800)
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\libaprutil_tsvn.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\users\Dave\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2011-02-13 17:13:15
ComboFix-quarantined-files.txt 2011-02-13 22:13
ComboFix2.txt 2011-02-13 21:41
ComboFix3.txt 2011-02-10 17:46

Pre-Run: 43,028,451,328 bytes free
Post-Run: 42,995,273,728 bytes free

- - End Of File - - 196A4469613C637F6ABEFF0B8D4F78CE
MealWorms
Active Member
 
Posts: 9
Joined: February 6th, 2011, 5:29 pm
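Added example, not part of MealWorms' post and not ComboFix's own tooling: a small Python triage pass over the kind of autostart and service lines ComboFix prints above (the `"Name"="path" [date size]` Run-key entries, the `name.lnk - path` Startup-folder entries and the `R1/S3 name;description;path` service lines). The sample input is constructed from a handful of lines copied from the log above. The three checks are the ones a helper would apply by eye first: an entry with a bare filename and no directory (so Windows resolves it through the search path), an entry launching from a user-writable location such as AppData, Temp or ProgramData, and an entry ComboFix marks `[x]` because the file was not on disk at scan time. A flag is a prompt to look, not a verdict: the Dropbox entry is flagged only because Dropbox installs per user, and the `MpKsl*.sys` entries under Microsoft Antimalware\Definition Updates are transient definition-update drivers that are routinely gone again by the time the log is read, so their `[x]` is expected. The regular expressions and the list of user-writable path fragments are assumptions chosen to fit the lines on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: a few lines copied from the ComboFix log above
# (Run key, Startup folder and service sections), not the whole log.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-24 159744]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 76304]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Dave\AppData\Roaming\Dropbox\bin\Dropbox.exe [2010-12-16 23343848]

R1 MpKsl431a0035;MpKsl431a0035;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{4247A522-57DB-4806-BCF3-68FB875F35ED}\MpKsl431a0035.sys [x]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-08-29 73728]
'''

# Assumed line shapes, written to match the ComboFix output on this page.
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
LNK_RE = re.compile(r'^(?P<name>\S+\.lnk) - (?P<path>.+?) \[(?P<meta>[^\]]*)\]$')
SVC_RE = re.compile(r'^(?P<kind>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<meta>[^\]]*)\]$')

# Assumed list of path fragments that an unprivileged user can normally write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Entry:
    source: str                      # "run", "startup", or a service start type such as "R1"
    name: str
    path: str
    meta: str                        # "date size" from ComboFix, or "x" when the file was missing
    flags: List[str] = field(default_factory=list)


def parse_entries(text: str) -> List[Entry]:
    """Pull autostart and service entries out of ComboFix-style log text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RUN_RE.match(line)):
            entries.append(Entry("run", m["name"], m["path"], m["meta"]))
        elif (m := LNK_RE.match(line)):
            entries.append(Entry("startup", m["name"], m["path"], m["meta"]))
        elif (m := SVC_RE.match(line)):
            entries.append(Entry(m["kind"], m["name"], m["path"], m["meta"]))
    return entries


def flag_entry(e: Entry) -> Entry:
    """Attach review prompts to one entry; an empty flag list means nothing stood out."""
    p = e.path.lower()
    if "\\" not in p:
        # No directory at all: Windows finds this via the search path, so confirm
        # which copy of the file actually runs before trusting the name.
        e.flags.append("bare filename resolved via the search path")
    if any(seg in p for seg in USER_WRITABLE):
        e.flags.append("launches from a user-writable location")
    if e.meta.strip() == "x":
        # ComboFix prints [x] when the referenced file was not found on disk.
        e.flags.append("file not present on disk at scan time")
    return e


def triage(text: str) -> List[Entry]:
    """Return only the entries that picked up at least one flag."""
    return [e for e in map(flag_entry, parse_entries(text)) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e.source}] {e.name}: {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```

Run against a full ComboFix log, the output is a short list to walk through by hand rather than a verdict; the point is to separate the handful of entries that need a second look (bare names, user-profile paths, missing files) from the long tail of vendor and Windows components in Program Files and System32.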