Hi

First I'd like to thank you for your time and effort in maintaining such an organized page. I know you are all volunteers, so I appreciate your help.

On to business then.

My only problem is that sometimes when I click on a link, say in a Google search, I'm taken to a page that says I have malware; weird bars start filling up and all of a sudden it's giving me a report on trojans and other things that aren't on my computer! This problem started when Firefox would report an "attack site" on almost every link I clicked. I disabled that option in Firefox and another malware page would come up instead.

I immediately closed everything and ran a full scan with my updated McAfee Total Protection, but the malware pages wouldn't stop (I feel cheated out of my McAfee subscription).

Anyway, I came here and performed all the steps in the section. Just a note that there are partitions on this damn machine that I can't access, because this was my brother's computer before he traveled abroad, and he left it locked as admin. He left me a partition and the rest I unfortunately can't access... so I hope none of the malware is in there :(

I tried to uninstall P2P and other software that was on this PC.. I hope I was successful.

Well, thanks a lot in advance.. you guys are super. Attached is everything I've been doing for the last 2 days.

1. The Microsoft® Windows® Malicious Software Removal Tool came up with nothing at all.
2. The GMER rootkit scanner gave me a lot of trouble; when I deactivated McAfee it kept crashing... but it did work finally (I hope).
3. MBAM came up with 21 infections, which I removed, and I got the logs for you good people here :)
4. Then I did the DDS thing and got the logs. So I'll copy-paste everything below.

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-10 21:43:55
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00FJA0 rev.13.03G13
Running: d6p003s3.exe; Driver: C:\DOCUME~1\Moe\LOCALS~1\Temp\pwldipob.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF7464C7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF7464FF6]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF73610F8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7361124]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF736117A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF73610A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF73610B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF736110E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF7361150]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF73611A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7361190]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7361164]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdePort0 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdePort2 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdePort3 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-13 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \FileSystem\Ntfs \Ntfs 86B8A0E8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-10 21:32:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00FJA0 rev.13.03G13
Running: d6p003s3.exe; Driver: C:\DOCUME~1\Moe\LOCALS~1\Temp\pwldipob.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF7464B3A]
SSDT sptd.sys ZwEnumerateKey [0xF7464C7E]
SSDT sptd.sys ZwEnumerateValueKey [0xF7464FF6]
SSDT sptd.sys ZwOpenKey [0xF7464A18]
SSDT sptd.sys ZwQueryKey [0xF74650C0]
SSDT sptd.sys ZwQueryValueKey [0xF7464F58]
SSDT sptd.sys ZwSetValueKey [0xF7465148]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF73610F8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7361124]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF736117A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF73610A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF73610B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF736110E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF7361150]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF73611A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7361190]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7361164]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86B8A0E8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\dmio \Device\DmControl\DmIoDaemon 86BD59C0
Device \Driver\dmio \Device\DmControl\DmConfig 86BD59C0
Device \Driver\dmio \Device\DmControl\DmPnP 86BD59C0
Device \Driver\dmio \Device\DmControl\DmInfo 86BD59C0
Device \Driver\NetBT \Device\NetBT_Tcpip_{15F43413-885A-427A-8475-45B217FA8159} 8585E7F8

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Ftdisk \Device\HarddiskVolume1 86BD5C78
Device \Driver\Ftdisk \Device\HarddiskVolume2 86BD5C78
Device \Driver\Cdrom \Device\CdRom0 86B25548
Device \FileSystem\Rdbss \Device\FsWrap 85D3B7E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdePort0 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdePort2 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdePort3 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-13 [F73B4B40] atapi.sys[unknown section] {MOV EAX, 0x86bd5628; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7475442; RET }
Device \Driver\Cdrom \Device\CdRom1 86B25548
Device \Driver\Ftdisk \Device\HarddiskVolume3 86BD5C78
Device \Driver\Cdrom \Device\CdRom2 86B25548
Device \Driver\Cdrom \Device\CdRom3 86B25548
Device \Driver\NetBT \Device\NetBt_Wins_Export 8585E7F8
Device \Driver\NetBT \Device\NetbiosSmb 8585E7F8

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Disk \Device\Harddisk0\DR0 86BD5450

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85D457E0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85D457E0
Device \FileSystem\Npfs \Device\NamedPipe 858697F8
Device \Driver\Ftdisk \Device\FtControl 86BD5C78
Device \FileSystem\Msfs \Device\Mailslot 858BC7F8
Device \FileSystem\Cdfs \Cdfs 86913EB0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB5 0x59 0x6E 0x04 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x18 0x4A 0x67 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x55 0x6F 0x6F 0x5F ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0009d0500279 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a588f69 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000a3a588f69@001370b015e8 0x6F 0x8D 0xB7 0x03 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x62 0x2E 0x12 0x49 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x18 0x4A 0x67 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x29 0xF1 0x31 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009d0500279
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009d0500279@001370b015e8 0x17 0x78 0xC6 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009d0500279@001dfd481a16 0x7B 0xB4 0x5B 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a588f69
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000a3a588f69@001370b015e8 0x6F 0x8D 0xB7 0x03 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 403222050
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1230124633
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1716136675
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8F 0x58 0x5A 0xA6 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x6B 0xE8 0x99 0x74 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x18 0x4A 0x67 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x5D 0xFA 0xDC 0x22 ...
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\0009d0500279 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\0009d0500279@001370b015e8 0x17 0x78 0xC6 0xEE ...
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\0009d0500279@001dfd481a16 0x7B 0xB4 0x5B 0x44 ...
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\000a3a588f69 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\000a3a588f69@001370b015e8 0x6F 0x8D 0xB7 0x03 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8F 0x58 0x5A 0xA6 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Classes\CLSID\{1d4db557-477b-46a9-9f4d-f77b399bfc00}@Model 250
Reg HKLM\SOFTWARE\Classes\CLSID\{1d4db557-477b-46a9-9f4d-f77b399bfc00}@Therad 16
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x21 0xFF 0x57 0x0D ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0xFF 0x74 0xEB 0x22 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{aabf374c-89dc-449a-a736-082b3f4c854c}@Model 165
Reg HKLM\SOFTWARE\Classes\CLSID\{aabf374c-89dc-449a-a736-082b3f4c854c}@Therad 30
Reg HKLM\SOFTWARE\Classes\CLSID\{aabf374c-89dc-449a-a736-082b3f4c854c}@MData 0x2B 0x8F 0x78 0x29 ...

---- EOF - GMER 1.0.15 ----


Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5290

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

12/11/2010 3:11:37 AM
mbam-log-2010-12-11 (03-11-37).txt

Scan type: Full scan (C:\|E:\|I:\|)
Objects scanned: 270739
Time elapsed: 3 hour(s), 31 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{54192079-8E8A-43D8-BCBC-3874916159AF} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E014A78F-34DC-4BE5-83BB-58CA12E384B6} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\C8H1KKCTZV (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\HJRUDZ5DT2 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{NSINAME} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Bind (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HJRUDZ5DT2 (Trojan.FakeAlert) -> Value: HJRUDZ5DT2 -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
c:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\Moe\application data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
c:\WINDOWS\bmab621dab.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\bmab621dab.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{35dc3473-a719-4d14-b7c1-fd326ca84a0c}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/12/2006 12:21:17 PM
System Uptime: 12/11/2010 3:14:11 AM (0 hours ago)

Motherboard: | | C51MCP51
Processor: AMD Athlon(tm) 64 Processor 3200+ | Socket 939 | 1999/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 3.497 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 32 GiB total, 16.549 GiB free.
F: is CDROM ()
G: is CDROM ()
H: is CDROM (CDFS)
I: is FIXED (NTFS) - 8 GiB total, 2.411 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================


Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop CS
Adobe Reader 7.0.7
Advanced Office Password Breaker
Advanced Office Password Recovery (remove only)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
BitTorrent complete dir 1.1
Bonjour
Compatibility Pack for the 2007 Office system
Cool Edit Pro 2.1
Critical Update for Windows Media Player 11 (KB959772)
Diablo II
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EAX(tm) Unified (SHELL)
Family Feud (remove only)
FINAL FANTASY VIII
FLV Player 1.3.3
GENS
Google Talk (remove only)
Google Talk Plugin
GRE POWERPREP
Hero Editor V0.96 (C:\Program Files\Hero Editors\)
Hero Editor V1.03
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
InterActual Player
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0 Update 19
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 22
MagicDisc 2.7.105
Malwarebytes' Anti-Malware
McAfee Total Protection
MDI2PDF 2.6
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Monopoly
Monopoly by Parker Brothers
Mozilla Firefox (3.6.12)
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MyPhoneExplorer
NVIDIA Drivers
PartitionMagic
PC Connectivity Solution
PCI Audio Driver
PowerQuest PartitionMagic 8.0
Project64 1.6
QuickTime
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Runtime 8.0 Libraries
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Segoe UI
Skype™ 4.2
Starcraft
Usmleworld QBank
Usmleworld Step1 QBank
Vista Codec Package
VLC media player 1.1.2
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 4.0.2
WinRAR archiver
WinZip
Worms2

==== Event Viewer Messages From Past Week ========

12/10/2010 9:49:48 PM, error: atapi [11] - The driver detected a controller error on \Device\Ide\IdePort0.
12/10/2010 5:47:17 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
12/10/2010 4:37:10 PM, error: Service Control Manager [7023] - The SSHNAS service terminated with the following error: The specified module could not be found.
12/10/2010 4:36:58 PM, error: Print [19] - Sharing printer failed + 1722, Printer hp deskjet 3600 series share name Printer.
12/10/2010 10:45:41 PM, error: Service Control Manager [7031] - The McAfee VirusScan Announcer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/10/2010 10:45:41 PM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/10/2010 10:45:41 PM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/10/2010 10:45:41 PM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/10/2010 10:45:41 PM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
12/10/2010 10:45:41 PM, error: Service Control Manager [7031] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

==== End Of File ===========================


DDS (Ver_10-12-05.01) - NTFSx86
Run by Moe at 3:23:49.32 on Sat 12/11/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.484 [GMT 2:00]

AV: BitDefender Antivirus *On-access scanning disabled* (Outdated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: BitDefender Firewall *disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Moe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101116175640.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\moe\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\moe\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
uPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: iPMS.exe - dummy.dat
IFEO: iPMS20.exe - dummy.dat

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\moe\applic~1\mozilla\firefox\profiles\s5nndwoo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\moe\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\moe\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\moe\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: UnPlug: unplug@compunach - c:\docume~1\moe\applic~1\mozilla\firefox\profiles\s5nndwoo.default\extensions\unplug@compunach
FF - Extension: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\docume~1\moe\applic~1\mozilla\firefox\profiles\s5nndwoo.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Extension: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-4-22 386840]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2006-5-12 13696]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-4-22 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-14 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-4-22 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-4-22 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-4-22 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-4-22 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-4-22 55840]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-4-19 6656]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-4-22 152960]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-4-22 52104]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-4-22 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-4-22 88544]
S3 AVPsys;AVPsys;c:\windows\system32\drivers\cdaudio.sys [2001-8-17 18688]
S3 I2o7rsrsb_g;I2o7rsrsb_g; [x]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [2009-7-11 20864]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-12-10 38224]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-4-22 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-4-22 84264]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [2008-12-2 27904]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-6 34064]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [2006-11-20 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [2007-7-2 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [2007-7-2 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [2007-7-2 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [2007-7-2 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [2006-11-20 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [2007-7-2 90800]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-5-28 223128]

=============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2010-12-10 21:17:24 -------- d-----w- c:\docume~1\moe\applic~1\Malwarebytes
2010-12-10 21:17:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-10 21:17:02 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-10 21:17:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-15 20:36:53 -------- d-----w- C:\SIERRA
2010-11-14 00:58:22 8704 ----a-w- c:\windows\MCIOLE.DLL
2010-11-14 00:58:22 674 ----a-w- c:\windows\MPLAYER.REG
2010-11-14 00:58:22 5744 ----a-w- c:\windows\system\DISPDIB.DLL
2010-11-14 00:58:22 38432 ----a-w- c:\windows\system\MSVIDC.DRV
2010-11-14 00:58:22 115648 ----a-w- c:\windows\system\INDEO.DRV
2010-11-14 00:58:22 113488 ----a-w- c:\windows\MPLAYER.EXE

==================== Find3M ====================

2010-09-18 09:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 01:50:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-14 23:29:49 73728 ----a-w- c:\windows\system32\javacpl.cpl

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-00FJA0 rev.13.03G13 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x86D8A0E8]<<
_asm { MOV EAX, 0x86d8a008; XCHG [ESP], EAX; PUSH EAX; PUSH 0x86dd8eb4; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86CFDAB8]
\Driver\Disk[0x86DE1A20] -> IRP_MJ_CREATE -> 0x86D8A0E8
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x86d8a0e8
user & kernel MBR OK
Warning: possible MBR rootkit infection !

============= FINISH: 3:25:57.92 ===============


Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.


Here is the report you requested. Thank you

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 133):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF79B0000 \WINDOWS\system32\KDCOM.DLL
0xF78C0000 \WINDOWS\system32\BOOTVID.dll
0xF72DF000 sptd.sys
0xF79B2000 \WINDOWS\System32\Drivers\WMILIB.SYS
0xF72C7000 \WINDOWS\System32\Drivers\SPTD8621.SYS
0xF7299000 ACPI.sys
0xF7288000 pci.sys
0xF74B0000 isapnp.sys
0xF7A78000 pciide.sys
0xF7730000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF74C0000 MountMgr.sys
0xF7269000 ftdisk.sys
0xF79B4000 dmload.sys
0xF7243000 dmio.sys
0xF7738000 PartMgr.sys
0xF74D0000 VolSnap.sys
0xF722B000 atapi.sys
0xF74E0000 disk.sys
0xF74F0000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF720B000 fltmgr.sys
0xF71AE000 mfehidk.sys
0xF7500000 PxHelp20.sys
0xF7197000 KSecDD.sys
0xF710A000 Ntfs.sys
0xF70DD000 NDIS.sys
0xF70C3000 Mup.sys
0xF7660000 \SystemRoot\system32\DRIVERS\processr.sys
0xF6427000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF6413000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77C8000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF63EF000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77D0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7670000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7680000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF63CC000 \SystemRoot\system32\DRIVERS\ks.sys
0xF77D8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7690000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF636F000 \SystemRoot\system32\drivers\cmaudio.sys
0xF634B000 \SystemRoot\system32\drivers\portcls.sys
0xF76A0000 \SystemRoot\system32\drivers\drmk.sys
0xF5F5C000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF7057000 \SystemRoot\system32\DRIVERS\nvnetbus.sys
0xF5F12000 \SystemRoot\system32\DRIVERS\NVNRM.SYS
0xF5EDB000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS
0xF77E0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF76B0000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7053000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF5EC7000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7AD1000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF5EB3000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xF76C0000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6851000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5E9C000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76D0000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76E0000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77E8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5E8B000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76F0000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF5E3F000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF3FAD000 \SystemRoot\system32\drivers\mfefirek.sys
0xF7860000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7868000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7630000 \SystemRoot\System32\Drivers\Pcouffin.sys
0xF3F55000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF7570000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7870000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7878000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF3F38000 \SystemRoot\system32\DRIVERS\mcdbus.sys
0xF3F20000 \SystemRoot\system32\DRIVERS\SCSIPORT.SYS
0xF7A14000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF3EC2000 \SystemRoot\system32\DRIVERS\update.sys
0xF7097000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF75D0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7640000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7A26000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF5E6B000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF4028000 \SystemRoot\system32\DRIVERS\NVENETFD.sys
0xF7A2E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7B1F000 \SystemRoot\System32\Drivers\Null.SYS
0xF7A30000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7770000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF7780000 \SystemRoot\System32\drivers\vga.sys
0xF7A32000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7A34000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7778000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7790000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF3F99000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEF784000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEF72B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEF718000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xEF6F2000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEF6A2000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEF680000 \SystemRoot\System32\drivers\afd.sys
0xF75F0000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEF655000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF7B57000 \SystemRoot\System32\Drivers\PQNTDrv.SYS
0xEF5E5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7620000 \SystemRoot\System32\Drivers\Fips.SYS
0xF4088000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF1EB6000 \??\C:\WINDOWS\system32\drivers\BIOS.sys
0xF7990000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xF15A3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF77F8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7A76000 \SystemRoot\system32\DRIVERS\gflmouhid.sys
0xF708F000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF67DD000 \SystemRoot\system32\drivers\usbaudio.sys
0xED711000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xECCAB000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEB783000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF79BC000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF157F000 \SystemRoot\System32\drivers\Dxapi.sys
0xEE7B1000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7B8B000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xED71D000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB9D83000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7A10000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xB9CB3000 \SystemRoot\system32\DRIVERS\srv.sys
0xEC4ED000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xB9C23000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys
0xB9396000 \SystemRoot\system32\drivers\wdmaud.sys
0xEF3D6000 \SystemRoot\system32\drivers\sysaudio.sys
0xF7768000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xB8D59000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xEF4C6000 \SystemRoot\system32\drivers\cfwids.sys
0xB8C78000 \SystemRoot\System32\Drivers\HTTP.sys
0xB8AFA000 \SystemRoot\system32\drivers\mfeapfk.sys
0xB8CC9000 \SystemRoot\system32\drivers\mfebopk.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
1200 C:\WINDOWS\system32\smss.exe
1264 csrss.exe
1288 C:\WINDOWS\system32\winlogon.exe
1336 C:\WINDOWS\system32\services.exe
1348 C:\WINDOWS\system32\lsass.exe
1512 C:\WINDOWS\system32\svchost.exe
1576 svchost.exe
1696 C:\WINDOWS\system32\svchost.exe
1744 svchost.exe
1820 svchost.exe
364 C:\WINDOWS\system32\spoolsv.exe
468 svchost.exe
516 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
532 C:\Program Files\Bonjour\mDNSResponder.exe
556 svchost.exe
636 C:\Program Files\Java\jre6\bin\jqs.exe
672 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
720 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
828 C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
896 C:\WINDOWS\system32\nvsvc32.exe
1208 C:\WINDOWS\system32\svchost.exe
256 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
1928 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
1656 C:\WINDOWS\explorer.exe
2816 alg.exe
3284 C:\WINDOWS\system32\rundll32.exe
3292 C:\WINDOWS\mixer.exe
3304 C:\WINDOWS\soundman.exe
3328 C:\Program Files\McAfee.com\Agent\mcagent.exe
3352 C:\Program Files\iTunes\iTunesHelper.exe
3372 C:\WINDOWS\vsnpstd3.exe
3380 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3388 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
3404 C:\WINDOWS\system32\ctfmon.exe
1156 C:\WINDOWS\system32\svchost.exe
2368 C:\WINDOWS\system32\wuauclt.exe
2828 C:\Program Files\iPod\bin\iPodService.exe
3536 C:\Program Files\Mozilla Firefox\firefox.exe
2112 C:\Documents and Settings\Moe\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive0 at offset 0x00000008`8b905a00 (NTFS)
\\.\I: --> \\.\PhysicalDrive0 at offset 0x00000010`9a1bb800 (NTFS)

PhysicalDrive0 Model Number: WDCWD800BB-00FJA0

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

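The MBRCheck report above reports the first sector of PhysicalDrive0 as stock "Windows XP MBR code" and prints its SHA1, while GMER's MBR scan earlier compared user-mode and kernel-mode reads of the same sector. The following is an added example, not code from MBRCheck, GMER or this thread, showing the offline checks such a tool performs on a 512-byte MBR image: boot signature, partition-table sanity, the stock XP loader prologue (the bytes behind the disassembly GMER printed), and a SHA1 of the boot code compared against an allow-list. Every sector and hash here is constructed for the example; the allow-list is derived from the constructed clean sample rather than from a real Windows MBR, and the partition entry (one active NTFS volume at LBA 63, offset 0x7e00 like the C: volume in the report) is made up.

```python
"""Structural and hash checks on a 512-byte MBR image, in the spirit of the
MBRCheck report above. All sectors and hashes are constructed for this example."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the loader; 440..443 the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries follow two reserved bytes
BOOT_SIG = b"\x55\xaa"   # boot signature at offset 510

# Opening bytes of the standard Windows XP MBR loader; they encode the
# instructions GMER disassembled in the log (XOR AX,AX; MOV SS,AX; MOV SP,0x7c00; ...).
XP_MBR_PROLOGUE = bytes.fromhex(
    "33c08ed0bc007cfb5007501ffcbe1b7cbf1b0650"
    "57b9e501f3a4cbbdbe07b104386e007c097513"
)


def parse_partitions(sector):
    """Return the four partition-table entries as dicts (status, type, LBA extent)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "lba_count": lba_count})
    return entries


def boot_code_sha1(sector):
    """SHA1 over the loader bytes only, so partition edits do not change the hash."""
    return hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest()


def assess_mbr(sector, allowed_boot_hashes):
    """Return a list of findings; an empty list means the sector looks like a
    stock XP MBR with a sane partition table."""
    if len(sector) != SECTOR_SIZE:
        return [f"unexpected sector length {len(sector)}"]
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if not sector.startswith(XP_MBR_PROLOGUE):
        findings.append("boot code does not begin with the stock XP loader prologue")
    digest = boot_code_sha1(sector)
    if digest not in allowed_boot_hashes:
        findings.append("boot code SHA1 not in allow-list: " + digest)
    parts = parse_partitions(sector)
    active = [p for p in parts if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{p['status']:02x}")
        if p["type"] == 0 and (p["lba_start"] or p["lba_count"]):
            findings.append(f"entry {i}: empty type but non-zero extent")
    return findings


def build_sample_mbr(boot_code):
    """Constructed sector: the given loader bytes zero-padded to 440, a made-up
    disk signature, and one active NTFS (type 0x07) partition at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78"   # constructed, not a real disk signature
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 70_000_000)
    table = entry + b"\x00" * 48      # remaining three entries empty
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIG


CLEAN_SECTOR = build_sample_mbr(XP_MBR_PROLOGUE)
# Allow-list built from the constructed clean sample; a real tool would carry
# the hashes of known-good loaders for each Windows version instead.
ALLOWED_BOOT_HASHES = {boot_code_sha1(CLEAN_SECTOR)}

# Constructed "tampered" sector: the loader prologue is replaced by a short jump
# and NOP filler, standing in for a loader that has been overwritten.
TAMPERED_SECTOR = build_sample_mbr(b"\xeb\x3c" + b"\x90" * 60)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR)):
        print(name, boot_code_sha1(sec), assess_mbr(sec, ALLOWED_BOOT_HASHES) or "OK")
```

On a live system the sector would be read from the physical drive rather than built in memory; the point of the hash-plus-prologue pair is that an overwritten loader fails both checks even when the partition table it preserves still looks normal, which is why MBRCheck reports the loader status separately from the disk layout.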

Please read carefully and follow these steps.

* Download TDSSKiller and save it to your Desktop.
* Extract its contents to your desktop.
* Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

* If an infected file is detected, the default action will be Cure, click on Continue.

* If a suspicious file is detected, the default action will be Skip, click on Continue.

* It may ask you to reboot the computer to complete the process. Click on Reboot Now.

* If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
* If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


As always, thank you very much for your effort and patience. Here is the log that you requested. One item was found and the default response was "skip" ... no reboot was required and I'm copying the log below.

2010/12/11 22:53:15.0156 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/11 22:53:15.0156 ================================================================================
2010/12/11 22:53:15.0156 SystemInfo:
2010/12/11 22:53:15.0156
2010/12/11 22:53:15.0156 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/11 22:53:15.0156 Product type: Workstation
2010/12/11 22:53:15.0156 ComputerName: MAINDESKTOP
2010/12/11 22:53:15.0156 UserName: Moe
2010/12/11 22:53:15.0156 Windows directory: C:\WINDOWS
2010/12/11 22:53:15.0156 System windows directory: C:\WINDOWS
2010/12/11 22:53:15.0156 Processor architecture: Intel x86
2010/12/11 22:53:15.0156 Number of processors: 1
2010/12/11 22:53:15.0156 Page size: 0x1000
2010/12/11 22:53:15.0156 Boot type: Normal boot
2010/12/11 22:53:15.0156 ================================================================================
2010/12/11 22:53:15.0781 Initialize success
2010/12/11 22:53:20.0937 ================================================================================
2010/12/11 22:53:20.0937 Scan started
2010/12/11 22:53:20.0937 Mode: Manual;
2010/12/11 22:53:20.0937 ================================================================================
2010/12/11 22:53:22.0406 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/11 22:53:22.0718 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/11 22:53:23.0265 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/11 22:53:23.0609 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/11 22:53:25.0859 ALCXWDM (dd8520280304b6145a6be31008748c7c) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/12/11 22:53:28.0531 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/11 22:53:28.0859 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/11 22:53:29.0328 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/11 22:53:29.0671 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/11 22:53:29.0953 AVPsys (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\cdaudio.sys
2010/12/11 22:53:30.0250 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/11 22:53:30.0531 BIOS (be5d50529799b9bab6be879ec768b6cf) C:\WINDOWS\system32\drivers\BIOS.sys
2010/12/11 22:53:30.0812 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2010/12/11 22:53:31.0093 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
2010/12/11 22:53:31.0406 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2010/12/11 22:53:31.0765 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2010/12/11 22:53:32.0125 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2010/12/11 22:53:32.0421 CA561 (57cc65392f9d128fb16423c88bd1da8d) C:\WINDOWS\system32\Drivers\SPCA561.SYS
2010/12/11 22:53:32.0828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/11 22:53:33.0156 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/12/11 22:53:33.0625 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/11 22:53:33.0906 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/11 22:53:34.0187 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/11 22:53:34.0515 cfwids (7e6f7da1c4de5680820f964562548949) C:\WINDOWS\system32\drivers\cfwids.sys
2010/12/11 22:53:35.0296 cmpci (e5842ccf0953d3d46d5e26427b67e901) C:\WINDOWS\system32\drivers\cmaudio.sys
2010/12/11 22:53:36.0281 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/11 22:53:36.0781 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/11 22:53:37.0265 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/11 22:53:37.0593 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/11 22:53:37.0875 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/11 22:53:38.0375 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/11 22:53:38.0718 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/11 22:53:39.0031 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/11 22:53:39.0312 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/11 22:53:39.0609 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/11 22:53:39.0921 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/11 22:53:40.0203 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/11 22:53:40.0531 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/11 22:53:40.0875 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/12/11 22:53:41.0171 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/12/11 22:53:41.0484 genmcmnUSB (86f732d2995ada73fd307539ec266d3a) C:\WINDOWS\system32\DRIVERS\gflmouhid.sys
2010/12/11 22:53:41.0796 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/11 22:53:42.0109 hidgame (923ee4eef2582909a056904ca8026015) C:\WINDOWS\system32\DRIVERS\hidgame.sys
2010/12/11 22:53:42.0390 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/11 22:53:42.0937 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/11 22:53:43.0875 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/11 22:53:44.0156 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/11 22:53:44.0890 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/11 22:53:45.0171 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/11 22:53:45.0437 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/11 22:53:45.0781 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/11 22:53:46.0109 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/11 22:53:46.0390 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/11 22:53:46.0703 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/11 22:53:46.0984 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/11 22:53:47.0265 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/11 22:53:47.0562 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/11 22:53:47.0906 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/11 22:53:48.0593 LwAdiHid (a8fe41a339ceb3b517321a7ff0ed67c5) C:\WINDOWS\system32\DRIVERS\LwAdiHid.sys
2010/12/11 22:53:48.0875 MBAMSwissArmy (e74dc2f3f9675a6025a4aa020edd4341) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010/12/11 22:53:49.0296 mcdbus (af61a1c34e2d3f7543f9ccfc323170b8) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
2010/12/11 22:53:49.0656 mfeapfk (84d59a3eddfb9438fb94f7f80d37859d) C:\WINDOWS\system32\drivers\mfeapfk.sys
2010/12/11 22:53:50.0000 mfeavfk (67e961988312b1a28d6f93357b0bf998) C:\WINDOWS\system32\drivers\mfeavfk.sys
2010/12/11 22:53:50.0500 mfebopk (19161b1796cf74a6a326abde309062ba) C:\WINDOWS\system32\drivers\mfebopk.sys
2010/12/11 22:53:50.0875 mfefirek (d5f89b4934960c70882924d992c6abfc) C:\WINDOWS\system32\drivers\mfefirek.sys
2010/12/11 22:53:51.0312 mfehidk (0efab2b91b27543fe589de700de07136) C:\WINDOWS\system32\drivers\mfehidk.sys
2010/12/11 22:53:51.0687 mfendisk (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2010/12/11 22:53:51.0750 mfendiskmp (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2010/12/11 22:53:52.0015 mferkdet (c9eda1eada2ab6e34cd1a10c3a24ab25) C:\WINDOWS\system32\drivers\mferkdet.sys
2010/12/11 22:53:52.0328 mfetdi2k (e6c5f7aade5a31c057d73201acfe8adf) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2010/12/11 22:53:52.0625 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/11 22:53:52.0921 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/11 22:53:53.0203 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/11 22:53:53.0484 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/11 22:53:53.0812 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/11 22:53:54.0343 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/11 22:53:54.0765 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/11 22:53:55.0140 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/11 22:53:55.0406 msgame (082a950191dde602bbea8ef4e5900251) C:\WINDOWS\system32\DRIVERS\msgame.sys
2010/12/11 22:53:55.0703 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/11 22:53:55.0984 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/11 22:53:56.0250 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/11 22:53:56.0515 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/11 22:53:56.0796 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/12/11 22:53:57.0093 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/11 22:53:57.0390 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/12/11 22:53:57.0750 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/11 22:53:58.0046 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/12/11 22:53:58.0343 Ndisprot (a3b80c6e0774815c362aeb5ed5ac047d) C:\WINDOWS\system32\drivers\Ndisprot.sys
2010/12/11 22:53:58.0609 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/11 22:53:58.0921 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/11 22:53:59.0234 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/11 22:53:59.0562 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/11 22:54:00.0000 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/11 22:54:00.0453 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/11 22:54:00.0781 NETMDUSB (986acdece933131288f1957dc359865f) C:\WINDOWS\system32\Drivers\NETMDUSB.sys
2010/12/11 22:54:01.0171 nm (1e421a6bcf2203cc61b821ada9de878b) C:\WINDOWS\system32\DRIVERS\NMnt.sys
2010/12/11 22:54:01.0453 NPF (6623e51595c0076755c29c00846c4eb2) C:\WINDOWS\system32\drivers\npf.sys
2010/12/11 22:54:01.0750 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/11 22:54:02.0156 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/11 22:54:02.0546 ntgrip (e966288cf47889753ef88ff165ddb56d) C:\WINDOWS\system32\drivers\ntgrip.sys
2010/12/11 22:54:02.0843 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/11 22:54:04.0015 nv (e7497f80961d182fcd0813cca7e78e26) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/11 22:54:05.0343 NVENETFD (2a7a2c6ab9631028b6e3a4159aa65705) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2010/12/11 22:54:05.0625 nvnetbus (20526a8827dc0956b5526aebcb6751a0) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2010/12/11 22:54:05.0921 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/11 22:54:06.0187 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/11 22:54:06.0515 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/11 22:54:06.0828 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/11 22:54:07.0093 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/11 22:54:07.0390 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/11 22:54:07.0875 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/11 22:54:08.0156 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/11 22:54:08.0484 Pcouffin (b6ec90dd34c82ec1539a45dfe19ca2fd) C:\WINDOWS\system32\Drivers\Pcouffin.sys
2010/12/11 22:54:10.0296 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/11 22:54:10.0578 PQNTDrv (4228630829c0e521c43d882a00533374) C:\WINDOWS\system32\drivers\PQNTDrv.sys
2010/12/11 22:54:10.0859 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/12/11 22:54:11.0218 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/11 22:54:11.0546 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/11 22:54:11.0843 PxHelp20 (1962166e0ceb740704f30fa55ad3d509) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/12/11 22:54:13.0078 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/11 22:54:13.0343 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/11 22:54:13.0640 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/11 22:54:13.0937 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/11 22:54:14.0250 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/11 22:54:14.0546 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/11 22:54:14.0984 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/11 22:54:15.0718 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/11 22:54:16.0687 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/11 22:54:17.0609 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2010/12/11 22:54:18.0687 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
2010/12/11 22:54:19.0375 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/12/11 22:54:20.0421 sea1bus (d2654321192037bae90204e2fa6697ce) C:\WINDOWS\system32\DRIVERS\sea1bus.sys
2010/12/11 22:54:20.0734 sea1mdfl (8146d9ec5142bd364956d3807f09ca9a) C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys
2010/12/11 22:54:21.0125 sea1mdm (afe065da777dc4408c64df5c87472bb9) C:\WINDOWS\system32\DRIVERS\sea1mdm.sys
2010/12/11 22:54:21.0437 sea1mgmt (a0bbd60222ad053d52f3a5c4f79904c7) C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys
2010/12/11 22:54:21.0734 sea1nd5 (6549babfc3362f1621a8c0eff288fb14) C:\WINDOWS\system32\DRIVERS\sea1nd5.sys
2010/12/11 22:54:22.0156 sea1obex (957510ab44e84497733f53322351f6e8) C:\WINDOWS\system32\DRIVERS\sea1obex.sys
2010/12/11 22:54:22.0468 sea1unic (c1517e6a7ce1191ab076472bdf1b0e6e) C:\WINDOWS\system32\DRIVERS\sea1unic.sys
2010/12/11 22:54:22.0781 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/11 22:54:23.0171 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/11 22:54:23.0437 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/11 22:54:23.0734 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/11 22:54:24.0296 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/12/11 22:54:27.0609 SNPSTD3 (11bb0e11d42cc3a43d741d9b30839be1) C:\WINDOWS\system32\DRIVERS\snpstd3.sys
2010/12/11 22:54:30.0968 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/11 22:54:31.0390 sptd (8d5e5b471ce56a39b090b0a9a6ca8c51) C:\WINDOWS\system32\Drivers\sptd.sys
2010/12/11 22:54:31.0390 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 8d5e5b471ce56a39b090b0a9a6ca8c51
2010/12/11 22:54:31.0406 sptd - detected Locked file (1)
2010/12/11 22:54:31.0687 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/11 22:54:32.0093 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/11 22:54:32.0437 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/12/11 22:54:32.0687 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/11 22:54:32.0968 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/11 22:54:34.0171 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/11 22:54:34.0546 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/11 22:54:34.0953 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/11 22:54:35.0265 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/11 22:54:35.0562 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/11 22:54:35.0890 tmcomm (df8444a8fa8fd38d8848bdd40a8403b3) C:\WINDOWS\system32\drivers\tmcomm.sys
2010/12/11 22:54:36.0546 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/11 22:54:37.0156 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/11 22:54:37.0578 USBAAPL (e8c1b9ebac65288e1b51e8a987d98af6) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/12/11 22:54:37.0875 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/12/11 22:54:38.0171 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/11 22:54:38.0453 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/11 22:54:38.0750 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/11 22:54:39.0031 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/12/11 22:54:39.0312 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/12/11 22:54:39.0593 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/12/11 22:54:39.0875 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/11 22:54:40.0234 vaxscsi (92cebc2bc7be2c8d49391b365569f306) C:\WINDOWS\System32\Drivers\vaxscsi.sys
2010/12/11 22:54:40.0562 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/12/11 22:54:41.0062 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/11 22:54:41.0343 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/11 22:54:41.0828 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/11 22:54:42.0187 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/12/11 22:54:42.0500 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/12/11 22:54:42.0828 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/12/11 22:54:43.0140 ================================================================================
2010/12/11 22:54:43.0140 Scan finished
2010/12/11 22:54:43.0140 ================================================================================
2010/12/11 22:54:43.0156 Detected object count: 1
2010/12/11 22:55:07.0671 Locked file(sptd) - User select action: Skip

0

Please download ComboFix by sUBs from

http://www.bleepingcomputer.com/download/anti-virus/combofix

Please note that the BleepingComputer.com download link will expire in 10 minutes after you click it so if you don’t click within ten minutes after reaching the page you will need to refresh the page.

You must download it to, and run it from, your Desktop.

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
• This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
• Re-enable all the programs that were disabled during the running of ComboFix.
• Then post back here with that log and a new scan log from HiJackThis.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

0

Hello again. Sorry for this delay but a storm took out my internet connection for most of the day :(

Anyway, here is the ComboFix log that you asked me to perform. Thank you very much.

ComboFix 10-12-11.04 - Moe 12/12/2010 15:50:10.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.533 [GMT 2:00]
Running from: c:\documents and settings\Moe\Desktop\ComboFix.exe
AV: BitDefender Antivirus *Disabled/Outdated* {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: BitDefender Firewall *Disabled* {4055920F-2E99-48A8-A270-4243D2B8F242}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Moe\GoToAssistDownloadHelper.exe
c:\program files\driver
c:\windows\system32\Ijl11.dll
c:\windows\system32\logs
c:\windows\system32\mwbwtfhb.ini
c:\windows\system32\tmp.reg
c:\windows\w32dasm8.ini
E:\resycled
I:\resycled

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SSHNAS
-------\Service_AVPsys


((((((((((((((((((((((((( Files Created from 2010-11-12 to 2010-12-12 )))))))))))))))))))))))))))))))
.

2010-12-10 21:17 . 2010-12-10 21:17 -------- d-----w- c:\documents and settings\Moe\Application Data\Malwarebytes
2010-12-10 21:17 . 2010-11-29 15:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-10 21:17 . 2010-12-10 21:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-10 21:17 . 2010-11-29 15:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-15 20:36 . 2010-11-15 20:41 -------- d-----w- C:\SIERRA
2010-11-14 00:58 . 1992-10-27 22:00 8704 ----a-w- c:\windows\MCIOLE.DLL
2010-11-14 00:58 . 1992-10-27 22:00 674 ----a-w- c:\windows\MPLAYER.REG
2010-11-14 00:58 . 1992-10-27 22:00 5744 ----a-w- c:\windows\system\DISPDIB.DLL
2010-11-14 00:58 . 1992-10-27 22:00 38432 ----a-w- c:\windows\system\MSVIDC.DRV
2010-11-14 00:58 . 1992-10-27 22:00 115648 ----a-w- c:\windows\system\INDEO.DRV
2010-11-14 00:58 . 1992-10-27 22:00 113488 ----a-w- c:\windows\MPLAYER.EXE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-13 20:28 . 2010-04-22 18:29 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-10-13 20:28 . 2010-04-22 18:29 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-10-13 20:28 . 2010-04-22 18:29 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-10-13 20:28 . 2010-04-22 18:29 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-10-13 20:28 . 2010-04-22 18:29 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-10-13 20:28 . 2010-04-22 18:29 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-10-13 20:28 . 2010-04-22 18:29 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-10-13 20:28 . 2010-04-22 18:29 386840 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-10-13 20:28 . 2010-04-22 18:29 313288 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-10-13 20:28 . 2010-04-22 18:29 152960 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-09-18 09:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-15 01:50 . 2010-05-18 16:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-14 23:29 . 2010-05-18 16:39 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-13 20:28 . 2010-04-22 18:29 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-16 3872080]
"Google Update"="c:\documents and settings\Moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-09-09 136176]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-14 7204864]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"C-Media Mixer"="Mixer.exe" [2002-10-15 1818624]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\Moe\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-2-15 575488]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Moe^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Moe\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-04-28 12:06 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-09-14 12:05 7204864 ------w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-17 18:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-08-28 18:33 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Diablo II\\D2Loader-1.11b.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\Moe\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [5/28/2006 5:56 PM 642560]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [5/12/2006 11:29 AM 13696]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/22/2010 8:29 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/14/2009 12:48 PM 88176]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [4/22/2010 8:29 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [4/22/2010 8:29 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [4/22/2010 8:30 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [4/22/2010 8:29 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/22/2010 8:29 PM 55840]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [4/19/2004 3:01 PM 6656]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [4/22/2010 8:29 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 8:29 PM 88544]
S3 I2o7rsrsb_g;I2o7rsrsb_g; [x]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [7/11/2009 6:36 PM 20864]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/10/2010 11:17 PM 38224]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [4/22/2010 8:29 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [4/22/2010 8:29 PM 84264]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [12/2/2008 12:43 AM 27904]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/6/2007 10:22 PM 34064]
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);c:\windows\system32\drivers\sea1bus.sys [11/20/2006 12:47 PM 61536]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;c:\windows\system32\drivers\sea1mdfl.sys [7/2/2007 6:29 PM 9360]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;c:\windows\system32\drivers\sea1mdm.sys [7/2/2007 6:29 PM 97088]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\sea1mgmt.sys [7/2/2007 6:29 PM 88624]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);c:\windows\system32\drivers\sea1nd5.sys [7/2/2007 6:29 PM 18704]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;c:\windows\system32\drivers\sea1obex.sys [11/20/2006 12:50 PM 86432]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);c:\windows\system32\drivers\sea1unic.sys [7/2/2007 6:29 PM 90800]
S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [5/28/2006 5:58 PM 223128]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-12-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 08:50]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1425521274-682003330-1004Core.job
- c:\documents and settings\Moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-09 16:46]

2010-12-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1425521274-682003330-1004UA.job
- c:\documents and settings\Moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-09 16:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Moe\Application Data\Mozilla\Firefox\Profiles\s5nndwoo.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Moe\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Moe\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\Moe\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: UnPlug: unplug@compunach - c:\documents and settings\Moe\Application Data\Mozilla\Firefox\Profiles\s5nndwoo.default\extensions\unplug@compunach
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - c:\documents and settings\Moe\Application Data\Mozilla\Firefox\Profiles\s5nndwoo.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe
SafeBoot-Tck75.sys
MSConfigStartUp-!AVG Anti-Spyware - c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
MSConfigStartUp-AnyDVD - c:\program files\SlySoft\AnyDVD\AnyDVD.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\lib\NMBgMonitor.exe
MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe
MSConfigStartUp-HOTFOON2 - c:\documents and settings\Moe\Local Settings\Temp\hotfoon4.exe
MSConfigStartUp-IDMan - c:\program files\Internet Download Manager\IDMan.exe
MSConfigStartUp-msnmsgr - c:\program files\MSN Messenger\msnmsgr.exe
MSConfigStartUp-NeroFilterCheck - c:\windows\system32\NeroCheck.exe
MSConfigStartUp-osCheck - c:\program files\Norton AntiVirus\osCheck.exe
MSConfigStartUp-PcSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe
MSConfigStartUp-SpySweeper - c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
MSConfigStartUp-VirtualCloneDrive - c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
AddRemove-Advanced Office Password Recovery - c:\program files\Elcomsoft\AOPR\uninstall.exe
AddRemove-CompleteDir - c:\program files\completedir\uninstall.exe
AddRemove-FINAL FANTASY VIII - c:\program files\Square Soft
AddRemove-GRE POWERPREP - c:\program files\ETS\PPGRE.ISU
AddRemove-InterActual Player - c:\program files\InterActual\InterActual Player\inuninst.exe
AddRemove-Monopoly by Parker Brothers - c:\progra~1\Hasbro\MONOPO~1\UNWISE.EXE
AddRemove-Worms2 - c:\worms 2\Uninst.isu
AddRemove-Advanced Office Password Breaker - c:\program files\ElcomSoft\Advanced Office Password Breaker\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-12 16:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-00FJA0 rev.13.03G13 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x86B8BC78]<<
_asm { MOV EAX, 0x86b8bb98; XCHG [ESP], EAX; PUSH EAX; PUSH 0x86bd7a74; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x86B27AB8]
\Driver\Disk[0x86BE9F38] -> IRP_MJ_CREATE -> 0x86B8BC78
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\Disk -> 0x86b8bc78
user & kernel MBR OK
Warning: possible MBR rootkit infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1547161642-1425521274-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7d,51,69,2a,77,ae,49,93,c7,83,54,0a,3c,79,e6,11,6f,f7,3d,c0,93,f1,9f,
be,41,c4,81,41,e5,a7,f2,6d,b0,f0,af,69,a4,7c,a6,a7,c6,a2,e9,2e,e7,54,71,5a,\
"??"=hex:43,a3,e6,e5,c2,11,21,e8,de,8f,6f,e4,7b,43,f3,be

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1d4db557-477b-46a9-9f4d-f77b399bfc00}]
@Denied: (Full) (Everyone)
"Model"=dword:000000fa
"Therad"=dword:00000010

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):21,ff,57,0d,b3,6f,a7,36,e5,e0,68,9b,d2,03,51,20,fc,c1,3e,1c,fd,
36,6c,83,d2,90,65,a6,5c,54,66,3f,38,4e,5a,29,70,f5,b8,82,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):ff,74,eb,22,e4,b4,a9,f5,0d,5c,59,4e,a3,97,bd,4e,60,c7,9f,67,ec,
ce,c1,b6,0c,d3,81,ac,a0,d3,d0,c5,9d,a5,70,db,f5,6e,86,11,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{aabf374c-89dc-449a-a736-082b3f4c854c}]
@Denied: (Full) (Everyone)
"Model"=dword:000000a5
"Therad"=dword:0000001e
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,a0,25,31,d6,ce,de,c2,bf,c4,9f,27,cf,25,5d,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3616)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\Mixer.exe
c:\windows\SOUNDMAN.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-12-12 16:13:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-12 14:13
ComboFix2.txt 2008-04-19 23:13

Pre-Run: 3,608,768,512 bytes free
Post-Run: 3,503,398,912 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - AFC69AD68EED753F6B365B0BFF86C321

0

Download Bootkit Remover to your Desktop.

* You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
* After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
* It will show a Black screen with some data on it.
* Right click on the screen and click Select All.
* Press CTRL+C
* Open a Notepad and press CTRL+V
* Post the output back here.

0

Hello again Jholland, I feel like after all this I need to buy you a Christmas present! Thanks a lot. Here is the bootkit information you asked of me.

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

0

:) So what do you think? Am I clean or far from it still?

0

Until Crunchie can look at this last log we cannot say for sure if you are clean or not.

Those logs look fine to me. Any ongoing problems now?

Actually, come to think of it, I haven't seen that malware page all day long! :icon_mrgreen: ... My Task Manager processes have shrunk down substantially! I must thank you guys and I will recommend this page to a lot of people who have similar problems.

I don't know where the malware came from, to be honest, but it's sad that I pay a yearly fee for McAfee Total Protection yet these problems can still happen despite full scans. Is there a better antivirus than McAfee and would it make a difference against malware?

0

Well, with the increased numbers of infected computers running McAfee I have seen, here and on another forum where I post, I am not that impressed with it. There are a couple of other FREE options I recommend that do quite a good job.
Avira Free is one; I use it and like it a lot. http://www.free-av.com/
Avast Free is also excellent. http://www.avast.com/free-antivirus-download

Both score very high in av testing, usually much higher than McAfee.

But before you change your security program you need to finish this to be sure all is clean, then you can decide if you want to change or not.

You need to update MBA-M and do another Full Scan with it. If it finds anything, of course have it remove or quarantine them and reboot the computer.

Then also do the online scan with ESET Online scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer to complete this scan (you will need to allow an ActiveX control to be installed) or you may use Firefox.
* You will need to temporarily disable your current anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is checked.
* When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt.

Post back here with those logs and also a system scan log with HiJackThis.
http://free.antivirus.com/hijackthis/

0

Sorry for this delay.. work was overwhelming today! Well, I'm scanning as I post this :)

0

Hello again! Hope you're having a good day! I did everything and here are the results.

1. I updated MBAM and scanned. Zero infections.

2. ESET came up with 11 infections, which it cleaned! I'll copy the log below.

3. HijackThis seems to see my McAfee although I disabled it. Oh well, the log is below.

4. Thank you very much once again :)

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17093 (vista_gdr.101017-1200)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=04e042af2279fd449c22e6076581fc27
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-15 09:42:52
# local_time=2010-12-15 11:42:52 (+0200, GTB Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=2304 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16777189 100 75 1555042 21666423 0 0
# compatibility_mode=8192 67108863 100 0 4482 4482 0 0
# scanned=106447
# found=11
# cleaned=11
# scan_time=5470
C:\QooBox\Quarantine\C\AutoRun.inf.vir Win32/Banker.C worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\axbjlwyo.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\jbsgdina.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\jTvFOqss.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\jTvFOqss.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\mwbwtfhb.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\pqbwtopm.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\tdcvfdwv.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\UxHRBJlm.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\UxHRBJlm.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{EC61AD28-8CBA-4393-A21D-39BD2F8B6970}\RP1\A0000038.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

___________________________________________________________________________________


O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9160 bytes


0

Looking good! Everything found by the ESET scan was in the ComboFix quarantine or System Restore, so that's great. You left off the top part of the HJT scan and we do need to see that. That's the part that shows running processes. So post back with the entire HJT log and we can finish up.
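The check made in that reply (every ESET hit lived in the ComboFix quarantine or a System Restore point, not in a live file) is worth automating when a thread like this has a long scanner log. Below is an added example, not code from the thread or from ESET, that parses the ESET Online Scanner log posted above (the header fields are abridged; the 11 detection lines are copied verbatim) and sorts each detection by where on disk it was found. The quarantine path `C:\QooBox\Quarantine` and the `System Volume Information\_restore` prefix are taken from the log itself; the category names are this example's own.

```python
import re
from collections import Counter

# Constructed input: the ESET Online Scanner log from the post above,
# embedded here so the example runs offline (header abridged).
ESET_LOG = r"""# version=7
# end=finished
# remove_checked=true
# scanned=106447
# found=11
# cleaned=11
# scan_time=5470
C:\QooBox\Quarantine\C\AutoRun.inf.vir Win32/Banker.C worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\axbjlwyo.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\jbsgdina.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\jTvFOqss.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\jTvFOqss.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\mwbwtfhb.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\pqbwtopm.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\tdcvfdwv.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\UxHRBJlm.ini.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\QooBox\Quarantine\C\WINDOWS\system32\UxHRBJlm.ini2.vir Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{EC61AD28-8CBA-4393-A21D-39BD2F8B6970}\RP1\A0000038.ini Win32/Adware.Virtumonde.NEO application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# One detection line: <path> <family/name kind> (<action>) <hash> <flag>
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "   # Windows path; may contain spaces
    r"(?P<threat>\S+/\S+ \w+) "     # e.g. "Win32/Banker.C worm"
    r"\((?P<action>[^)]*)\)"        # e.g. "cleaned by deleting - quarantined"
)


def parse_eset_log(text):
    """Return (header dict from the '# key=value' lines, list of detection dicts)."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key] = value
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(m.groupdict())
    return header, detections


def classify_path(path):
    """Where the detected file lived: an earlier tool's quarantine, a restore point, or a live file."""
    p = path.lower()
    if p.startswith(r"c:\qoobox\quarantine"):          # ComboFix's quarantine folder
        return "combofix-quarantine"
    if r"\system volume information\_restore" in p:   # System Restore snapshot
        return "system-restore"
    return "live"


def triage(text):
    """Summarise a log the way a reviewer reads it: counts, locations, and consistency checks."""
    header, detections = parse_eset_log(text)
    by_location = Counter(classify_path(d["path"]) for d in detections)
    found = int(header.get("found", 0))
    cleaned = int(header.get("cleaned", 0))
    return {
        "found": found,
        "cleaned": cleaned,
        "parsed": len(detections),
        "by_location": dict(by_location),
        # header totals should agree with the lines actually present
        "all_cleaned": found == cleaned == len(detections),
        # anything outside quarantine/restore points means an active file was still on disk
        "live_hits": [d["path"] for d in detections if classify_path(d["path"]) == "live"],
        "threat_families": sorted({d["threat"] for d in detections}),
    }


if __name__ == "__main__":
    for key, value in triage(ESET_LOG).items():
        print(f"{key}: {value}")
```

On the log above this yields 10 quarantine hits, 1 restore-point hit and no live hits, which is the basis for the "looking good" verdict; a non-empty `live_hits` list is the case that would call for another cleaning pass before the machine is declared clean.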

0

:) Whoops, how silly of me! Here's the full log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:00:22, on 12/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/md5auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101116175640.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9160 bytes
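Reading a HijackThis log is mostly a matter of splitting it into its sections and reading the entries that stand out first. The following is an added example, not code from the thread or from HijackThis, that parses an excerpt of the log above (the full log uses the same line formats) and lists the items a reviewer reads before anything else: entries whose target file no longer exists, services with no identified publisher, and autoruns launched from a user profile directory. The three flag labels are this example's own wording, and being flagged means "read this first", not "malicious": the orphaned BHO here is a leftover registry entry with no file behind it.

```python
import re

# Constructed input: an excerpt of the HijackThis log posted above,
# embedded here so the example runs offline.
HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Moe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HJT entry starts with its section code, e.g. "O2 - ", "R1 - ", "O23 - "
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (running processes, list of (section, body) entries)."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False          # blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("section"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def review_items(text):
    """Entries a reviewer reads first; each is (reason, section, original entry text)."""
    _, entries = parse_hjt(text)
    flagged = []
    for section, body in entries:
        if body.endswith("(no file)"):
            # registry points at a DLL that is gone: a leftover, but worth confirming
            flagged.append(("orphaned entry (file missing)", section, body))
        elif section == "O23" and " - Unknown owner - " in body:
            # HJT could not read a publisher from the service binary
            flagged.append(("service with unknown owner", section, body))
        elif section == "O4" and "\\Documents and Settings\\" in body:
            # per-user autoruns are normal for some installers but also where droppers persist
            flagged.append(("autorun launched from a user profile", section, body))
    return flagged


if __name__ == "__main__":
    procs, entries = parse_hjt(HJT_LOG)
    print(f"{len(procs)} processes, {len(entries)} entries")
    for reason, section, body in review_items(HJT_LOG):
        print(f"[{reason}] {section} - {body}")
```

Run against the excerpt it reports two processes and six entries and flags three of them: the nameless BHO with no file, the Adobe LM Service with an unknown owner, and the per-user Google Update autorun. Each still needs a human decision; the point of the script is to put them at the top of a log that otherwise runs to a hundred lines.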

0

All looks good to me. You need to uninstall ComboFix now as it cannot be used again. It needs to be done this way:

You should remove HiJackThis, you don't need it any more and the same goes for all of those other items you had to run, including the special scanners and the DDS scanner.

You also should uninstall ComboFix. It basically is a "one time" fix. If a person is told to use it again some other time then a new copy would be needed.

Uninstall Combofix:
Go Start > Run
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.


You also need to set a new, clean Restore point.
To do this Right Click My computer.
Choose Properties
When System Properties opens choose the System Restore Tab.
Place a check mark in Shut down System Restore.
You will probably get a message telling you it will be shut down, click ok or yes.
Allow it to shut down.
Wait a moment. Then go back in and take that check mark Out so that System Restore will turn back on.

0

There! I've done all that as well. I guess that's a wrap. I've been browsing a lot for the past 2 days and no more attack page or that malware gauge page! Do I owe you or what?! :)

Very pleased with all the help from A to Z. Appreciate it greatly.

0

Keep the MBA-M, update it and do a Quick Scan with it at least once a week. If anything is found, of course have it removed, reboot, update again and do a Full Scan with it, removing anything found and rebooting again.
Also add this extra security protection, SpywareBlaster:

http://download.cnet.com/SpywareBlaster/3000-8022_4-10196637.html

It IS free and offers superb protection against ActiveX-based spyware, adware, dialers, browser hijackers, and other potentially unwanted programs. It can also block spyware/tracking cookies in IE, Mozilla Firefox, Netscape, and many other browsers, and restrict the actions of spyware/ad/tracking sites.

Download, install, update and then be sure to enable all protection, including the Restricted Sites portion. Then close the program; that's it. It doesn't run in the background so it isn't intrusive. It is not a scanner program; it protects your computer.
Check for updates manually every couple of weeks or so; it doesn't update often, but be sure to check. If there are updates then install them and again click Enable all protection and close the program. I have used this for years and never would run a computer without it.

Also be sure that you have the correct cookie settings in your browser. Go to Tools, Internet Options, Privacy tab, click Advanced, put a dot in Allow 1st party cookies, Always Block 3rd party cookies, and a check mark in Allow Session Cookies.

Are you still considering changing your AV program?

0

Alright, I'm gonna get this SpywareBlaster that you recommended.. it sounds good. About my antivirus, I do want to change it but I had paid the yearly subscription renewal a few days before I came and posted here.. so it would be a loss if I get rid of my 3-user license.

I guess I'll wait for it to expire and, judging by what happens this year, I'll consider whether or not to renew again or opt for a new one.

0

Thank you very much. The results of your work on my computer say enough.
