
Google redirect virus - results5.google

3K views 21 replies 2 participants last post by Rorschach112
#1 ·
Hi everyone, I have some nasty things happening to this PC and hope you can help!
My young son was searching for Transformers pictures and ended up on some dodgy web sites.
Yes, I left the room for a few minutes and look what happens!

The main thing is the results5.google redirect, but also web sites just open themselves, and others I click on say 'Internet Explorer cannot display the webpage'. The PC also freezes on some websites, forcing a reboot.

I have tried to fix it with PC Tools Spyware Doctor, Ad-Aware, and Spybot - they find stuff, but when I rescan the next day they are back. I downloaded Malwarebytes but it won't run; I also tried the Kaspersky online scanner & ESET Online scan but they wouldn't work.

It's an older PC running Windows XP; it's on a router with one other PC. The other PC is new, running Windows 7 64-bit - it has no problems.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:13 PM, on 10/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Telstra\BigPond Assist\assist.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
R3 - URLSearchHook: (no name) - {855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: ninemsn Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: ninemsn Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ecc] C:\Program Files\Telstra\BigPond Assist\assist.exe
O4 - HKLM\..\Run: [hpppt] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe /ICON
O4 - HKLM\..\Run: [HP Lamp] C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 1.1.4322; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.ballerarcade.com/preroll.php?g_id=1157"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [VO3N0SLJ2I] C:\WINDOWS\TEMP\Esh.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [rdmasjkg] C:\Documents and Settings\NetworkService\Local Settings\Application Data\nflsesqaf\lqhexvitssd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...m.au/commodore/VY_Series2/content.asp?model=9
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {11111111-1111-1111-1111-111111111113} - mhtml:file://C:NO_SUCH_MHT.MHT!http://38.113.193.2/420/whocares.exe
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com.au/cabs/QOLCheck.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1197027409468
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5436/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cryptographic Services CryptSvcWebClient (CryptSvcWebClient) - Unknown owner - C:\WINDOWS\system32\1054a.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
--
End of file - 14361 bytes
 
#3 ·
OK, I have done that, results below...
While I was waiting for a reply I managed to get Malwarebytes to work - uninstalled and installed about 5 times, but it finally worked. There were 9 files and other stuff infected.

01:17:00:468 4032 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
01:17:00:468 4032 ================================================================================
01:17:00:468 4032 SystemInfo:
01:17:00:468 4032 OS Version: 5.1.2600 ServicePack: 3.0
01:17:00:468 4032 Product type: Workstation
01:17:00:468 4032 ComputerName: WINE-P4
01:17:00:468 4032 UserName: David
01:17:00:468 4032 Windows directory: C:\WINDOWS
01:17:00:468 4032 System windows directory: C:\WINDOWS
01:17:00:468 4032 Processor architecture: Intel x86
01:17:00:468 4032 Number of processors: 2
01:17:00:468 4032 Page size: 0x1000
01:17:00:562 4032 Boot type: Normal boot
01:17:00:562 4032 ================================================================================
01:17:01:812 4032 Initialize success
01:17:01:812 4032
01:17:01:812 4032 Scanning Services ...
01:17:02:406 4032 Raw services enum returned 409 services
01:17:02:437 4032
01:17:02:437 4032 Scanning Drivers ...
01:17:03:437 4032 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
01:17:03:500 4032 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
01:17:03:562 4032 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
01:17:03:640 4032 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
01:17:03:687 4032 agp440 (2f9668b13c74275c1c6e32eb8e006264) C:\WINDOWS\system32\DRIVERS\agp440.sys
01:17:03:703 4032 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\agp440.sys. Real md5: 2f9668b13c74275c1c6e32eb8e006264, Fake md5: b76739a40a35060bb51a0dc3c0695775
01:17:03:703 4032 File "C:\WINDOWS\system32\DRIVERS\agp440.sys" infected by TDSS rootkit ... 01:17:06:187 4032 Backup copy found, using it..
01:17:06:359 4032 will be cured on next reboot
01:17:06:546 4032 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
01:17:06:593 4032 ASAPIW2k (4f9cbbf95e8f7a0d4c0edcfe3b78102e) C:\WINDOWS\system32\drivers\ASAPIW2k.sys
01:17:06:718 4032 Aspi32 (20d04091eba710f6988f710507d85868) C:\WINDOWS\system32\drivers\Aspi32.sys
01:17:06:765 4032 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
01:17:06:828 4032 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
01:17:06:984 4032 ati2mtag (7790f8d1000fce5cfd33ccf4f861928f) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
01:17:07:093 4032 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
01:17:07:156 4032 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
01:17:07:203 4032 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
01:17:07:250 4032 BENDER (829c6c1707784262b559c67b07c59775) C:\WINDOWS\system32\drivers\bender.sys
01:17:07:296 4032 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
01:17:07:296 4032 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
01:17:07:359 4032 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
01:17:07:406 4032 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
01:17:07:468 4032 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
01:17:07:500 4032 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
01:17:07:546 4032 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
01:17:07:687 4032 ctac32k (e7610aba1f551eb77b6bb2274d194f93) C:\WINDOWS\system32\drivers\ctac32k.sys
01:17:07:781 4032 ctaud2k (e9ee8b502acfbd0955d081d7a1ccce24) C:\WINDOWS\system32\drivers\ctaud2k.sys
01:17:07:875 4032 ctdvda2k (437f2b31ba8b6b264d38b4fe6682faec) C:\WINDOWS\system32\drivers\ctdvda2k.sys
01:17:07:906 4032 ctprxy2k (90fd30ea61c68df474a0b398f03e6d9b) C:\WINDOWS\system32\drivers\ctprxy2k.sys
01:17:07:937 4032 ctsfm2k (ab564ee9668bf9af1c3e5544cceade1d) C:\WINDOWS\system32\drivers\ctsfm2k.sys
01:17:08:031 4032 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
01:17:08:109 4032 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
01:17:08:203 4032 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
01:17:08:234 4032 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
01:17:08:281 4032 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
01:17:08:343 4032 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
01:17:08:375 4032 drvmcdb (2b6869f231c338306f87a56f4bff0d2d) C:\WINDOWS\system32\drivers\drvmcdb.sys
01:17:08:421 4032 drvnddm (d3c1e501ed42e77574b3095309dd4075) C:\WINDOWS\system32\drivers\drvnddm.sys
01:17:08:484 4032 E1000 (2476936f4994e9084ccfe75ed4f6226a) C:\WINDOWS\system32\DRIVERS\e1000325.sys
01:17:08:546 4032 emupia (8b2303cf5fdc7e97a975bd1069cd99d6) C:\WINDOWS\system32\drivers\emupia2k.sys
01:17:08:609 4032 epstw2k (aff9bc3da54aa48bf212443f769699c7) C:\WINDOWS\system32\DRIVERS\epstw2k.sys
01:17:08:671 4032 epstwnt (e7587c11022880a9a6eabd534bfe90d0) C:\WINDOWS\system32\Drivers\epstwnt.mpd
01:17:08:718 4032 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
01:17:08:765 4032 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
01:17:08:796 4032 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
01:17:08:828 4032 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
01:17:08:859 4032 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
01:17:08:906 4032 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
01:17:08:937 4032 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
01:17:08:984 4032 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
01:17:09:000 4032 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
01:17:09:046 4032 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
01:17:09:093 4032 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
01:17:09:156 4032 ha10kx2k (e64325ba1ede4a2551a0be186c61d4d7) C:\WINDOWS\system32\drivers\ha10kx2k.sys
01:17:09:218 4032 hap16v2k (a28be5017b423a783dd0d0a4cd3b48f5) C:\WINDOWS\system32\drivers\hap16v2k.sys
01:17:09:250 4032 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
01:17:09:328 4032 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
01:17:09:375 4032 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
01:17:09:421 4032 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
01:17:09:468 4032 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
01:17:09:578 4032 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
01:17:09:640 4032 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
01:17:09:718 4032 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
01:17:09:765 4032 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
01:17:09:812 4032 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
01:17:09:843 4032 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
01:17:09:890 4032 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
01:17:09:921 4032 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
01:17:09:968 4032 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
01:17:10:000 4032 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
01:17:10:031 4032 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
01:17:10:062 4032 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
01:17:10:125 4032 !dthrs6
01:17:10:171 4032 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\system32\drivers\klmd.sys
01:17:10:218 4032 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
01:17:10:281 4032 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
01:17:10:343 4032 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
01:17:10:406 4032 MarvinBus (7584ffb07305d2e9e3823059a9310b0f) C:\WINDOWS\system32\DRIVERS\MarvinBus.sys
01:17:10:453 4032 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
01:17:10:484 4032 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
01:17:10:515 4032 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
01:17:10:562 4032 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
01:17:10:578 4032 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
01:17:10:671 4032 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
01:17:10:750 4032 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
01:17:10:828 4032 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
01:17:10:859 4032 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
01:17:10:890 4032 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
01:17:10:921 4032 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
01:17:10:953 4032 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
01:17:10:984 4032 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
01:17:11:031 4032 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
01:17:11:062 4032 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
01:17:11:125 4032 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
01:17:11:156 4032 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
01:17:11:187 4032 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
01:17:11:218 4032 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
01:17:11:250 4032 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
01:17:11:296 4032 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
01:17:11:328 4032 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
01:17:11:359 4032 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
01:17:11:406 4032 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
01:17:11:453 4032 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
01:17:11:515 4032 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
01:17:11:609 4032 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
01:17:11:656 4032 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
01:17:11:703 4032 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
01:17:11:750 4032 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
01:17:11:796 4032 ossrv (8db15d0105d92c2fbca5e83cd882a477) C:\WINDOWS\system32\drivers\ctoss2k.sys
01:17:11:843 4032 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
01:17:11:875 4032 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
01:17:11:906 4032 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
01:17:11:937 4032 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
01:17:12:015 4032 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
01:17:12:062 4032 PCLEPCI (1bebe7de8508a02650cdce45c664c2a2) C:\WINDOWS\system32\drivers\pclepci.sys
01:17:12:093 4032 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
01:17:12:156 4032 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
01:17:12:203 4032 PCTCore (807ff1dd6e1bdf8e7d2062fca0daecaf) C:\WINDOWS\system32\drivers\PCTCore.sys
01:17:12:265 4032 pctgntdi (d15669bd3e1cf18f00b46a7949ea541f) C:\WINDOWS\system32\drivers\pctgntdi.sys
01:17:12:312 4032 pctplsg (30c931fcb8df713bcd2fb7ce763a0b47) C:\WINDOWS\system32\drivers\pctplsg.sys
01:17:12:515 4032 pfc (da86016f0672ada925f589ede715f185) C:\WINDOWS\system32\drivers\pfc.sys
01:17:12:562 4032 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\System32\drivers\PfModNT.sys
01:17:12:625 4032 Point32 (08b11f5c60edca255b18cedef8efba2a) C:\WINDOWS\system32\DRIVERS\point32.sys
01:17:12:671 4032 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
01:17:12:718 4032 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
01:17:12:734 4032 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
01:17:12:781 4032 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
01:17:12:937 4032 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
01:17:12:984 4032 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
01:17:13:015 4032 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
01:17:13:046 4032 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
01:17:13:078 4032 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
01:17:13:125 4032 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
01:17:13:156 4032 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
01:17:17:265 4032 Reboot required for cure complete..
01:17:17:578 4032 Cure on reboot scheduled successfully
01:17:17:578 4032
01:17:17:578 4032 Completed
01:17:17:578 4032
01:17:17:578 4032 Results:
01:17:17:578 4032 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
01:17:17:578 4032 File objects infected / cured / cured on reboot: 1 / 0 / 1
01:17:17:578 4032
01:17:17:578 4032 KLMD(ARK) unloaded successfully
 
#6 ·
one more scan then

Download ComboFix here :

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.
 
#7 ·
Rorschach112, sorry for the slow response, I've been away.

The redirects started again, I have just run ComboFix.....

ComboFix 10-08-03.02 - David 04/08/2010 17:30:41.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1125 [GMT 10:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\David\Application Data\inst.exe
c:\documents and settings\David\Local Settings\Application Data\{7A0FA3D8-26B6-4C1F-9D6C-CFE805CBBD32}
c:\documents and settings\David\Local Settings\Application Data\{7A0FA3D8-26B6-4C1F-9D6C-CFE805CBBD32}\chrome.manifest
c:\documents and settings\David\Local Settings\Application Data\{7A0FA3D8-26B6-4C1F-9D6C-CFE805CBBD32}\chrome\content\_cfg.js
c:\documents and settings\David\Local Settings\Application Data\{7A0FA3D8-26B6-4C1F-9D6C-CFE805CBBD32}\chrome\content\overlay.xul
c:\documents and settings\David\Local Settings\Application Data\{7A0FA3D8-26B6-4C1F-9D6C-CFE805CBBD32}\install.rdf
c:\program files\INSTALL.LOG
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Microsoft\DesktopLayer.exe
C:\Thumbs.db
c:\windows\dexdhdie.dll
c:\windows\system32\1334523763.dat
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\Thumbs.db
c:\windows\uqopikeb.dll
.
((((((((((((((((((((((((( Files Created from 2010-07-04 to 2010-08-04 )))))))))))))))))))))))))))))))
.
2010-08-04 03:01 . 2010-08-04 07:17 120 ----a-w- c:\windows\Ktowabulamuf.dat
2010-08-04 03:01 . 2010-08-04 03:01 0 ----a-w- c:\windows\Ezanarowijehulal.bin
2010-08-03 11:23 . 2010-08-03 11:23 88 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\0\libfftw3f-3-1-1a_upx.dll
2010-08-03 11:23 . 2010-08-03 11:23 100 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\0\setiathome_6.03_windows_intelx86.exe
2010-08-02 06:50 . 2010-08-04 03:00 -------- d-----w- c:\program files\riva1
2010-08-01 03:34 . 2010-08-03 17:18 59392 ----a-w- c:\windows\ExplorerSrv.exe
2010-07-31 07:21 . 2010-08-02 14:54 88 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\1\libfftw3f-3-1-1a_upx.dll
2010-07-31 07:21 . 2010-08-02 14:54 100 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\slots\1\setiathome_6.03_windows_intelx86.exe
2010-07-31 02:38 . 2010-07-31 02:38 -------- d-----w- c:\program files\Alwil Software
2010-07-31 02:38 . 2010-07-31 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-21 10:00 . 2010-07-21 10:00 -------- d-----w- c:\program files\iPod
2010-07-21 09:54 . 2010-07-21 09:54 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
2010-07-14 11:28 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-10 11:32 . 2010-08-03 17:23 124416 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-10 11:32 . 2010-08-01 02:56 113152 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-10 11:32 . 2010-08-03 17:23 178688 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-10 11:31 . 2010-07-10 11:31 -------- d-----w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com
2010-07-10 11:31 . 2010-07-10 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-10 11:31 . 2010-07-23 14:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-10 10:27 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-10 10:27 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-07 15:39 . 2010-07-07 15:39 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2010-07-07 13:08 . 2010-07-07 13:08 -------- d-----w- c:\documents and settings\Administrator.WINE-P4\Application Data\Malwarebytes
2010-07-07 12:26 . 2010-07-07 12:26 -------- d-sh--w- c:\documents and settings\Administrator.WINE-P4\IETldCache
2010-07-07 12:26 . 2010-07-07 12:26 -------- d-----w- c:\documents and settings\Administrator.WINE-P4\Local Settings\Application Data\Microsoft
2010-07-07 06:02 . 2010-07-07 13:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\nflsesqaf
2010-07-06 15:52 . 2010-07-06 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-06 15:52 . 2010-07-10 10:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-06 06:07 . 2010-07-06 06:07 -------- d-----w- C:\spoolerlogs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-04 07:43 . 2009-06-24 18:16 -------- d-----w- c:\program files\Microsoft
2010-08-04 07:28 . 2008-11-13 10:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-04 07:27 . 2003-11-14 04:46 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000003-00000000-00000002-00001102-00000004-20021102}.dat
2010-08-04 07:27 . 2003-11-14 04:46 384 ----a-w- c:\windows\system32\DVCState-{00000003-00000000-00000002-00001102-00000004-20021102}.dat
2010-08-04 07:26 . 2009-07-13 13:25 -------- d-----w- c:\documents and settings\All Users\Application Data\BOINC
2010-08-04 06:44 . 2008-11-13 11:43 -------- d-----w- c:\program files\Spyware Doctor
2010-08-03 14:34 . 2006-01-04 09:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-03 05:12 . 2005-12-20 05:55 -------- d-----w- c:\program files\CCleaner
2010-08-01 14:21 . 2005-11-17 15:34 -------- d-----w- c:\program files\QuickTime
2010-08-01 05:20 . 2005-06-14 08:48 223232 ----a-w- C:\UNWISE.EXE
2010-08-01 03:34 . 2005-11-08 12:26 -------- d-----w- c:\program files\ICQToolbar
2010-08-01 03:17 . 2003-12-08 13:52 -------- d-----w- c:\program files\Cheating-Death
2010-08-01 02:54 . 2009-07-13 13:25 765952 -c--a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\setiathome_4.18_windows_intelx86.exe
2010-08-01 02:54 . 2009-08-16 09:10 540672 ----a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.05_windows_intelx86.exe
2010-08-01 02:54 . 2009-07-13 13:25 524288 -c--a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_4.36_windows_intelx86.exe
2010-08-01 02:54 . 2009-08-16 09:10 356352 -c--a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\ap_graphics_5.05_windows_intelx86.exe
2010-08-01 02:54 . 2009-07-13 13:25 356352 -c--a-w- c:\documents and settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\ap_graphics_4.36_windows_intelx86.exe
2010-07-31 17:45 . 2010-03-01 17:49 -------- d-----w- c:\documents and settings\David\Application Data\Wanuhi
2010-07-21 10:00 . 2007-09-25 13:14 -------- d-----w- c:\program files\Common Files\Apple
2010-07-10 15:49 . 2003-11-14 03:11 42368 ----a-w- c:\windows\system32\drivers\agp440.sys
2010-07-09 15:00 . 2008-03-27 06:59 -------- d-----w- c:\program files\MagicISO
2010-07-07 17:00 . 2003-11-15 15:25 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-07 17:00 . 2003-11-15 15:26 -------- d-----w- c:\program files\Telstra
2010-07-07 06:01 . 2007-01-23 11:32 6184 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-05 06:16 . 2010-07-05 06:16 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-02 23:55 . 2008-03-26 12:01 -------- d-----w- c:\program files\uTorrent
2010-07-02 17:11 . 2008-03-26 12:01 -------- d-----w- c:\documents and settings\David\Application Data\uTorrent
2010-07-02 11:09 . 2010-07-02 11:09 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-02 11:09 . 2010-07-02 16:10 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-02 11:07 . 2010-07-02 11:09 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-02 10:56 . 2010-07-02 10:56 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-07-02 10:55 . 2008-11-17 11:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-07-01 15:06 . 2010-07-01 15:06 -------- d-----w- c:\documents and settings\David\Application Data\HD Tune Pro
2010-07-01 15:06 . 2010-07-01 15:06 -------- d-----w- c:\program files\HD Tune Pro
2010-07-01 15:03 . 2010-07-01 14:27 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-01 15:03 . 2010-07-01 14:28 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-01 14:30 . 2008-11-14 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-07-01 14:28 . 2008-11-14 05:23 -------- d-----w- c:\program files\Common Files\PC Tools
2010-06-26 17:34 . 2010-06-26 17:34 -------- d-----w- c:\documents and settings\David\Application Data\Auslogics
2010-06-26 17:33 . 2010-06-26 17:33 -------- d-----w- c:\program files\Auslogics
2010-06-26 16:53 . 2003-11-16 05:53 -------- d-----w- c:\program files\Steam
2010-06-25 11:13 . 2003-11-14 03:14 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-23 09:54 . 2010-06-23 09:54 -------- d-----w- c:\program files\Bonjour
2010-06-23 03:03 . 2010-06-23 03:03 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb15B.tmp.exe
2010-06-14 14:31 . 2003-11-14 02:54 744448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-06-08 02:16 . 2010-07-01 14:30 763832 ----a-w- c:\windows\BDTSupport.dll
2010-06-08 00:21 . 2010-07-01 14:30 1652664 ----a-w- c:\windows\PCTBDCore.dll
2010-06-08 00:01 . 2003-11-25 06:07 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-18 06:35 . 2010-05-18 06:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 06:35 . 2010-05-18 06:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2004-02-06 08:05 916480 ----a-w- c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="c:\program files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-11 135168]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-23 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"CTHelper"="CTHELPER.EXE" [2003-06-20 24576]
"AsioReg"="CTASIO.DLL" [2003-06-20 118784]
"SBDrvDet"="c:\program files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-01 57344]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-01-08 114741]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"ecc"="c:\program files\Telstra\BigPond Assist\assist.exe" [2004-12-17 278528]
"hpppt"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe" [1998-12-14 106496]
"HP Lamp"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-12-14 43520]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-01 151552]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-16 47392]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-06-10 4182784]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2009-06-10 58112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-08-01 483328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"iTunesHelper"="d:\itunes\iTunesHelper.exe" [2010-07-15 141608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Administrator.WINE-P4\Start Menu\Programs\Startup\
ihuve.exe [2010-7-26 143872]
c:\documents and settings\Default User\Start Menu\Programs\Startup\
ezuf.exe [2010-7-26 143872]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2010-08-02 139264]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^David^Start Menu^Programs^Startup^BOINC Manager.lnk]
path=c:\documents and settings\David\Start Menu\Programs\Startup\BOINC Manager.lnk
backup=c:\windows\pss\BOINC Manager.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-01 04:06 483328 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"d:\\EA GAMES\\Battlefield 2\\BF2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\EA 2142\\BF2142.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\SteamApps\\team fortress classic\\hl.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"d:\\iTunes\\iTunes.exe"=
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/07/2010 9:09 PM 64288]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2/07/2010 12:28 AM 218592]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2/07/2010 12:30 AM 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2/07/2010 12:30 AM 59664]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2/07/2010 12:28 AM 233136]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [18/02/2010 4:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/05/2010 4:41 AM 67656]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/07/2010 12:30 AM 112592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [5/02/2010 1:52 AM 1352832]
R3 BENDER;Pinnacle AV/DV2 Capture;c:\windows\system32\drivers\bender.sys [21/05/2005 3:43 PM 180480]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd [27/10/2007 6:36 PM 84480]
S2 CryptSvcWebClient;Cryptographic Services CryptSvcWebClient;c:\windows\system32\1054a.exe srv --> c:\windows\system32\1054a.exe srv [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/02/2010 10:29 PM 135664]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\Sharshtl.sys [27/10/2007 6:36 PM 18432]
S3 epstw2k;SCM Parallel Port SCSI Driver;c:\windows\system32\drivers\epstw2k.sys [23/05/2005 9:15 PM 114944]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2/07/2010 12:27 AM 63360]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [13/11/2008 9:44 PM 366840]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2/07/2010 12:30 AM 33552]
S3 ThreatFire;ThreatFire;c:\program files\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\Spyware Doctor\TFEngine\TFService.exe service [?]
.
Contents of the 'Scheduled Tasks' folder
2010-08-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 11:07]
2010-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]
2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 12:29]
2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 12:29]
2010-08-04 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 05:07]
2010-08-04 c:\windows\Tasks\User_Feed_Synchronization-{DB4DC5C6-E1F8-44E6-A2E3-1F39307D649B}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:31]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.Google.com/
uSearchMigratedDefaultURL = hxxp://www.Google.com/
mSearch Bar = hxxp://google.icq.com/search/search_frame.php
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.Google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchURL = hxxp://www.Google.com/
IE: &ICQ Toolbar Search - c:\program files\ICQToolbar\toolbaru.dll/SEARCH.HTML
IE: &ninemsn Search - c:\program files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: {11111111-1111-1111-1111-111111111113} - mhtml:file://C:NO_SUCH_MHT.MHT!http://38.113.193.2/420/whocares.exe
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Tlesurulipizul - c:\windows\dexdhdie.dll
HKLM-Run-Jhuloyoh - c:\windows\uqopikeb.dll
HKU-Default-Run-wavdriver - c:\program files\wavectrl.exe
SafeBoot-klmdb.sys

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-04 17:46
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x8A472EC5]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf765bf28
\Driver\ACPI -> ACPI.sys @ 0xf758ecb8
\Driver\atapi -> atapi.sys @ 0xf7480852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Intel(R) PRO/1000 CT Desktop Connection -> SendCompleteHandler -> NDIS.sys @ 0xf796fbb0
PacketIndicateHandler -> NDIS.sys @ 0xf797ca21
SendHandler -> NDIS.sys @ 0xf795a87b
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1547161642-113007714-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CD656FED-3B50-02B8-8999-62F5471008F3}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-1547161642-113007714-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f1,7c,c3,77,3f,ae,55,c2,3e,f1,d5,91,82,7f,7b,4a,04,3d,63,d7,68,24,54,
94,8a,a7,39,ca,86,19,47,b1,6e,24,77,48,59,54,38,d3,e9,a5,b6,5d,a2,0a,79,f0,\
"??"=hex:98,92,76,c1,aa,88,4f,41,49,86,ff,73,28,c6,e6,0d
[HKEY_LOCAL_MACHINE\software\Classes\.application\bootstrap]
@DACL=(02 0000)
@="bootstrap.application.1"
[HKEY_LOCAL_MACHINE\software\Classes\giffile\shell\Open\ddeexec]
@DACL=(02 0000)
@="\"file:%1\",,-1,,,,,"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'lsass.exe'(688)
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2010-08-04 17:53:15
ComboFix-quarantined-files.txt 2010-08-04 07:53
Pre-Run: 3,664,416,768 bytes free
Post-Run: 3,937,554,432 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
- - End Of File - - 079CF311F6BAA25AED28D38CBFFB664B
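A triage pass over the kind of entries in the ComboFix log above, as an added example (not ComboFix's own code and not anything posted in this thread): it pulls out the loopback proxy, the service whose image ComboFix could not find, the non-default BootExecute entries and the mhtml: DPF codebase from a few lines copied from that log. The category names and regular expressions are this example's own assumptions.

```python
"""Triage helper for ComboFix-style logs: flag entries that commonly explain
'search redirect' symptoms.  Added example, not part of ComboFix or this
thread; the sample lines below are copied from the log posted above."""
import re

# Constructed sample: a handful of lines taken from the ComboFix log above.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-23 39408]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e\0lsdelete
S2 CryptSvcWebClient;Cryptographic Services CryptSvcWebClient;c:\windows\system32\1054a.exe srv --> c:\windows\system32\1054a.exe srv [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/02/2010 10:29 PM 135664]
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
DPF: {11111111-1111-1111-1111-111111111113} - mhtml:file://C:NO_SUCH_MHT.MHT!http://38.113.193.2/420/whocares.exe
"""

# The only BootExecute value a stock Windows XP install carries.
DEFAULT_BOOTEXECUTE = {"autocheck autochk *"}

# Assumed patterns for the ComboFix line shapes seen in the log above.
PROXY_RE = re.compile(
    r"ProxyServer\s*=\s*(?:\w+=)?(127\.\d+\.\d+\.\d+|localhost):(\d+)", re.I)
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
BOOTEXEC_RE = re.compile(r"^BootExecute\s+REG_MULTI_SZ\s+(.*)$")
DPF_RE = re.compile(r"^DPF:\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(\S+)")


def triage(log_text):
    """Return a list of (category, detail) findings for the given log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.search(line)
        if m:
            # A proxy on the loopback interface means a local process sits
            # between the browser and the network; search hijackers use this
            # to rewrite result pages without touching DNS.
            findings.append(("loopback_proxy", f"{m.group(1)}:{m.group(2)}"))
            continue

        m = SERVICE_RE.match(line)
        if m and line.endswith("[?]"):
            # ComboFix prints [?] when it cannot stat the service image:
            # the file is missing, hidden, or the path is bogus.
            findings.append(("service_image_missing", m.group(1)))
            continue

        m = BOOTEXEC_RE.match(line)
        if m:
            # ComboFix renders REG_MULTI_SZ separators as a literal "\0".
            entries = [e for e in m.group(1).split(r"\0") if e]
            for entry in entries:
                if entry not in DEFAULT_BOOTEXECUTE:
                    # Runs before any user-mode AV starts. Some extras are
                    # legitimate (lsdelete belongs to Ad-Aware), so each one
                    # still needs identifying by hand.
                    findings.append(("bootexecute_extra", entry))
            continue

        m = DPF_RE.match(line)
        if m and m.group(2).lower().startswith("mhtml:"):
            # mhtml:file://<nonexistent>!http://... chains the MHTML handler
            # into a remote fetch; legitimate ActiveX codebases do not do this.
            findings.append(("dpf_mhtml_codebase", m.group(1)))
    return findings


def summarize(findings):
    """Count findings per category for a quick glance at the triage."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24s} {detail}")
```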
 
#8 ·
Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    :Processes
    
    :Services
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    c:\windows\Ktowabulamuf.dat
    c:\windows\Ezanarowijehulal.bin
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Please copy and paste the report into your Post.
 
#9 ·
OTM results.....

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\David\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\David\Desktop\cmd.txt deleted successfully.
c:\windows\Ktowabulamuf.dat moved successfully.
c:\windows\Ezanarowijehulal.bin moved successfully.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator

User: Administrator.WINE-P4
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: David
->Temp folder emptied: 1308815 bytes
->Temporary Internet Files folder emptied: 201500859 bytes
->Java cache emptied: 4564 bytes
->Flash cache emptied: 6294 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 802950 bytes
->Flash cache emptied: 23173 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 8339858 bytes
->Java cache emptied: 42 bytes
->Flash cache emptied: 27184 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 1119359 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 647939 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 6005753 bytes
RecycleBin emptied: 219136 bytes

Total Files Cleaned = 210.00 mb

Restore point Set: OTM Restore Point (0)

OTM by OldTimer - Version 3.1.15.0 log created on 08062010_014104
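
The OTM log above shows the HOSTS file being moved and then reset. Before resetting one it is worth recording what it contained, because hijacked entries are direct evidence of a search-redirect or scanner-blocking infection and belong in the incident notes. The following is an added example, not code from the thread or from OTM; the HOSTS content it scans is constructed, and the two heuristics it applies (a non-localhost name pointed at loopback, or any name pointed at a routable address) are this example's own:

```python
"""Flag HOSTS-file entries that redirect or block well-known domains.

Added example. A clean Windows HOSTS file maps localhost-style names to
loopback and nothing else; anything beyond that is worth a look.
"""
import ipaddress

# Constructed sample: a normal localhost line, a search domain redirected
# to a routable address, and a security vendor's site null-routed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.google.com
203.0.113.45    google.com
127.0.0.1       www.malwarebytes.org
"""

# Names that legitimately point at loopback (this example's list).
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return [(ip, hostname, reason)] for entries that look planted.

    * a hostname other than the localhost-style names mapped to a loopback
      or unspecified address: the site is being blocked (update/AV domains);
    * a hostname mapped to any other address: the site is being redirected.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if name in LOOPBACK_OK:
            continue
        if addr.is_loopback or addr.is_unspecified:
            findings.append((ip, name, "site blocked via loopback"))
        else:
            findings.append((ip, name, "redirected to %s" % ip))
    return findings


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print("%-16s %-28s %s" % (ip, name, reason))
```

Run it against a copy of the HOSTS file taken before the reset (on XP it lives at C:\WINDOWS\System32\drivers\etc\hosts, as the OTM log shows); the findings are the indicators to keep, and the reset itself is unchanged.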
 
#12 ·
skip it

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
#14 ·
TFC done....

After the reboot from Malwarebytes' Anti-Malware, there was a RUNDLL error at startup.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4399
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
7/08/2010 12:37:10 AM
mbam-log-2010-08-07 (00-37-10).txt
Scan type: Quick scan
Objects scanned: 147970
Time elapsed: 6 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\imucucaqiqe.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\dexdhdie.dll (Trojan.Agent.Gen) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhuloyoh (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlesurulipizul (Trojan.Agent.Gen) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\imucucaqiqe.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\dexdhdie.dll (Trojan.Agent.Gen) -> Delete on reboot.
C:\Program Files\outlook Express\msimnSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\ExplorerSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
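
The MBAM log above is easier to act on once it is reduced to indicators: which Run values carried the persistence, which objects are only scheduled for deletion until the reboot, and which families were involved. This is an added example, not part of the thread or of Malwarebytes; it parses the "<item> (<family>) -> <action>." line format exactly as posted, and the embedded sample is an excerpt constructed from the lines above:

```python
"""Extract indicators and post-reboot checks from an MBAM log."""
import re

# Constructed excerpt in the format MBAM writes: summary counts, then
# "<Section>:" headers each followed by "<item> (<family>) -> <action>."
# lines. The items are the ones posted in the thread.
SAMPLE_LOG = r"""
Memory Modules Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\imucucaqiqe.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\dexdhdie.dll (Trojan.Agent.Gen) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jhuloyoh (Trojan.Hiloti) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tlesurulipizul (Trojan.Agent.Gen) -> Delete on reboot.
Files Infected:
C:\WINDOWS\imucucaqiqe.dll (Trojan.Hiloti) -> Delete on reboot.
C:\WINDOWS\dexdhdie.dll (Trojan.Agent.Gen) -> Delete on reboot.
C:\Program Files\outlook Express\msimnSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\ExplorerSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*$")
# Greedy item so that paths containing " (" (e.g. "Program Files (x86)") survive.
ITEM_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?\s*$")
# Run / RunOnce values under HKLM or HKCU are the autostart persistence.
AUTORUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)


def parse_mbam_log(text):
    """Return a list of {section, item, family, action, pending} records."""
    records, section = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            action = m.group("action")
            records.append({
                "section": section,
                "item": m.group("item"),
                "family": m.group("family"),
                "action": action,
                # "Delete on reboot" means the object was in use (loaded) and
                # is only scheduled for removal; it must be verified afterwards.
                "pending": action.lower().startswith("delete on reboot"),
            })
    return records


def followups(records):
    """What to verify after the restart: pending deletions, the autorun
    values that carried persistence, and the family set for cross-checking
    against other scanners' logs."""
    pending = sorted({r["item"] for r in records if r["pending"]})
    autoruns = sorted({r["item"] for r in records if AUTORUN_RE.search(r["item"])})
    families = sorted({r["family"] for r in records})
    return {"reboot_pending": pending, "autoruns": autoruns, "families": families}


if __name__ == "__main__":
    for key, items in followups(parse_mbam_log(SAMPLE_LOG)).items():
        print(key)
        for item in items:
            print("   ", item)
```

A RUNDLL "module could not be found" message at the next logon is what Windows shows when a Run value outlives the DLL it pointed at, which is why the script lists the autorun values and the pending deletions side by side: after the reboot, confirm that each listed value and file is actually gone rather than dismissing the message.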
 
#16 ·
Rename GMER to svchost.com and run it in Safe Mode.

If it fails, move on to this:

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic
 
#17 ·
The log from ESET is too big to post, over 3000 files were infected.

It's asking if I should delete the quarantined files?

This is some of the log...

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=08ce4a14d4bcb641b65a27197178af3c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-07 03:01:35
# local_time=2010-08-08 01:01:35 (+1000, AUS Eastern Standard Time)
# country="Australia"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 54170070 54170070 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=2560 16777191 100 0 0 0 0 0
# compatibility_mode=4864 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 4762 4762 0 0
# compatibility_mode=9217 16776894 25 4 2857945 2857945 0 0
# scanned=195755
# found=3355
# cleaned=3347
# scan_time=8087
C:\UNWISE.EXE Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\AtiCimUn.exe Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\CheckVer.exe Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\makensisw.exe Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\ACE\ACE.dll Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\BIN\aticds10.dll Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\BIN\AtiCIM.dll Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\BIN\atiicdxx.dll Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\Driver\Driver.DLL Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\Driver\2KXP_INF\B_28018\atiiiexx.dll Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\WDM_ALL\WDM_ALL.dll Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\WDM_ALL\WDM_NSP\XP\ativtmxx.DLL Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\WDM_ALL\WDM_SP\XP\ativtmxx.DLL Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\6-10_xp-2k_dd_ccc_wdm_enu_36790\AtiCimUn.exe Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
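
The next post calls this a file infector on the strength of the ESET log: one family, thousands of files. The added example below (not from the thread or from ESET) makes that judgement mechanical. It parses the "# key=value" header and the detection lines in the space-separated layout as posted (an assumption: the scanner's original output may be tab-separated), groups hits by family, and flags a family that has touched many distinct executables across several top-level directories. The embedded sample is constructed from a few of the posted lines plus two made-up ones, and the spread threshold is arbitrary:

```python
"""Triage an ESET Online Scanner log for file-infector spread."""
import ntpath
import re
from collections import Counter

# Constructed excerpt: header keys and the first detection lines are the
# ones posted; the last two lines are made up to exercise an uncleaned hit
# and a non-executable, non-infector hit.
SAMPLE_LOG = r"""
# version=7
# end=finished
# scanned=195755
# found=3355
# cleaned=3347
C:\UNWISE.EXE Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\AtiCimUn.exe Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\5-11_xp-2k_dd_ccc_wdm_enu_27345\ACE\ACE.dll Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\ATI\SUPPORT\6-10_xp-2k_dd_ccc_wdm_enu_36790\AtiCimUn.exe Win32/Ramnit.A virus (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Example\tool.exe Win32/Ramnit.A virus (unable to clean) 00000000000000000000000000000000 C
C:\Documents and Settings\User\Local Settings\Temp\x.tmp a variant of Win32/Kryptik.ABC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")
# <path> <threat> (<status>) <32 hex> <flag>; layout assumed from the posted text.
DETECT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?: [a-z ]+?)?) "
    r"\((?P<status>[^()]*)\) (?P<id>[0-9a-fA-F]{32}) (?P<flag>\S+)\s*$")
EXEC_EXT = {".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl", ".com"}


def parse_eset_log(text):
    """Return (header dict, list of detection dicts)."""
    header, detections = {}, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            header[m.group("key")] = m.group("value")
            continue
        m = DETECT_RE.match(line)
        if m:
            detections.append(m.groupdict())
    return header, detections


def family(threat):
    """'a variant of Win32/Kryptik.ABC trojan' -> 'Win32/Kryptik'."""
    name = re.search(r"[A-Za-z0-9]+/[A-Za-z0-9_.-]+", threat).group(0)
    platform, rest = name.split("/", 1)
    return (platform + "/" + rest.rsplit(".", 1)[0]) if "." in rest else name


def top_dir(path):
    """First directory under the drive, or '<root>' for files at the root."""
    parts = path.split("\\")
    return parts[1].lower() if len(parts) > 2 else "<root>"


def triage(header, detections, spread_threshold=20):
    """Summarise the log and decide whether it looks like a file infector.

    Evidence pattern: one family in many *distinct* executables spread over
    several top-level directories, which is what a file infector does and a
    dropper does not. The threshold is this example's assumption.
    """
    per_family = Counter(family(d["threat"]) for d in detections)
    not_cleaned = [d["path"] for d in detections if "cleaned" not in d["status"]]
    infectors = {}
    for fam in per_family:
        hits = [d for d in detections if family(d["threat"]) == fam]
        execs = {d["path"].lower() for d in hits
                 if ntpath.splitext(d["path"])[1].lower() in EXEC_EXT}
        dirs = {top_dir(d["path"]) for d in hits}
        if len(execs) >= spread_threshold and len(dirs) >= 2:
            infectors[fam] = {"executables": len(execs), "top_dirs": sorted(dirs)}
    found, cleaned = int(header.get("found", 0)), int(header.get("cleaned", 0))
    return {
        "found": found,
        "cleaned": cleaned,
        "uncleaned_by_header": found - cleaned,   # whole scan, not just this excerpt
        "families": dict(per_family),
        "not_cleaned": not_cleaned,
        "file_infectors": infectors,
        "recommend_rebuild": bool(infectors),
    }


if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    # The real log had 3355 hits; this excerpt has six, so lower the bar for the demo.
    for key, value in triage(hdr, dets, spread_threshold=3).items():
        print("%-20s %s" % (key, value))
```

Two numbers matter more than the per-file list: the header's found minus cleaned (8 here) is how many objects the scanner could not neutralise, and the number of distinct executables one family has touched is what separates "remove the dropper" from "rebuild the machine".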
 
#18 ·
You appear to have a file infector; they infect as many files as they can.

The best solution is to format this PC. We can try to fix it, but it can be a hard and slow task, with the potential of making your PC unbootable. What do you want to do?
 
#20 ·
Potentially, you need to follow this:

You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files (.exe, .scr, .rar, .zip, .htm, .html). Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.
  • Backup all your documents and important items only.
  • DO NOT back up any executable files (.exe, .scr, .html or .htm)
  • Do not back up compressed files (zip/cab/rar) that may contain .exe, .pdf, .jpg, .doc or .scr files
  • Reformat and Reinstall as outlined HERE

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

After formatting, run another ESET scan; if it finds anything, then something you backed up was infected.
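
The backup rules in the post above (no .exe/.scr/.htm/.html, no zip/cab/rar archives) and the instruction to rescan after the rebuild fit together as a small tool. This added example (not from the thread) applies those rules to a constructed list of candidate paths, checking only the final extension case-insensitively so that a double-extension name such as photo.jpg.EXE is rejected, and writes a SHA-256 manifest of what was copied so that a later detection on the restored files can be traced to a specific file. The paths, the manifest format, and the rejection of extensionless files are this example's own choices:

```python
"""Apply the backup exclusion rules and record a manifest of what was copied."""
import hashlib
import ntpath
import os
import tempfile

# Exclusion rules as given in the post; the extensionless case is this
# example's own conservative addition.
NEVER_COPY = {".exe", ".scr", ".htm", ".html"}
ARCHIVES = {".zip", ".cab", ".rar"}


def classify(path):
    """Return (allowed, reason) for one candidate file.

    Only the final extension is examined, case-insensitively, so a
    double-extension name such as 'photo.jpg.EXE' is rejected.
    """
    ext = ntpath.splitext(path)[1].lower()
    if ext in NEVER_COPY:
        return False, "executable or HTML: may carry the infector"
    if ext in ARCHIVES:
        return False, "archive: may contain executables"
    if not ext:
        return False, "no extension: type unknown"
    return True, "not on the exclusion list"


def plan_backup(paths):
    """Split candidates into (allowed, [(path, reason), ...])."""
    allowed, rejected = [], []
    for p in paths:
        ok, why = classify(p)
        if ok:
            allowed.append(p)
        else:
            rejected.append((p, why))
    return allowed, rejected


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root, rel_paths, manifest_path):
    """Hash each copied file under root and write 'sha256  relpath' lines.

    Returns the {relpath: sha256} mapping. If the post-rebuild scan flags
    a restored file, its name and hash are looked up here.
    """
    entries = {rel: sha256_file(os.path.join(root, rel)) for rel in rel_paths}
    with open(manifest_path, "w") as f:
        for rel in sorted(entries):
            f.write("%s  %s\n" % (entries[rel], rel))
    return entries


# Constructed candidate list (Windows-style paths; none of these exist).
CANDIDATES = [
    r"D:\photos\holiday.jpg",
    r"D:\photos\holiday.jpg.EXE",
    r"D:\docs\report.pdf",
    r"D:\docs\old-backup.rar",
    r"D:\web\index.HTM",
    r"D:\misc\README",
]


def demo_manifest():
    """Write two small files in a temp dir and hash them; returns the mapping."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "a.txt"), "wb") as f:
        f.write(b"hello")
    with open(os.path.join(root, "docs", "b.txt"), "wb") as f:
        f.write(b"")
    return write_manifest(root, ["docs/a.txt", "docs/b.txt"],
                          os.path.join(root, "MANIFEST.sha256"))


if __name__ == "__main__":
    allowed, rejected = plan_backup(CANDIDATES)
    print("copy:", allowed)
    for path, why in rejected:
        print("skip:", path, "-", why)
    print(demo_manifest())
```

The filter is a policy, not a scanner: a file it lets through is merely outside the categories the infector targets, which is why the rescan after the rebuild is still required and why the manifest exists.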
 
#21 ·
OK, backed up the stuff I want to keep: photos, music, movies, and some files with PDFs and Word / Excel docs. These will be OK and shouldn't be infected?
I'm not going to reformat; this HD will go in the bin and a new bigger one with Windows 7 will go in.
Thanks for all your help.
 