
Ping.exe Causing Slow Computer/Redirection


This topic is locked
16 replies to this topic

#1 Hughzar

  • Members
  • 41 posts

Posted 18 December 2011 - 03:12 PM

Hello,

I seem to find myself infected with ping.exe and it is wreaking havoc on my computer. It continually eats up all of my resources and bogs the computer down to terrible speeds. Additionally, I have been getting redirects when I am browsing the internet. BC Advisor cryptodan recommended that I repost here with some information.

First, here is the link to my previous posts in the "Am I Infected Board"--
http://www.bleepingcomputer.com/forums/topic431877.html/page__pid__2513277#entry2513277

Second, here is a description of what I have done to correct my problem thus far--
Thinking that this was a run-of-the-mill virus that I would be able to remove without extra help, I searched the internet and tried corrective methods. I tried this method http://blog.teesupport.com/completely-remove-ping-exe-virus-manually-uninstall-ping-exe-with-svchost-exe/ but had no luck. Next, I ran Malwarebytes' Anti-Malware. This did not seem to help at all. cryptodan had me run and post a Full Scan using MBAM, and then install and run SUPERAntiSpyware, GMER, and SecurityCheck. Results from these scans are available in the link above, as well as saved to my desktop.

Third, I followed the "Malware Removal and Log Section Preparation Guide" to the best of my ability to prepare for this post.
I had a small problem with DDS, as the link for download did not begin the download for me. At the time, my computer was running slowly and I decided to restart and try again. No luck the second try either, but I had DDS downloaded from last year when I had a problem and ran that version of DDS. When I ran GMER, my computer froze up twice. I still have the log from the time cryptodan had me run it a few days prior, so that is the log attached to this post.

If I missed any steps or more information is required of me, I will gladly take care of it quickly. Thanks for any help that is offered!
--Ryan


#2 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 10,199 posts
  • Gender:Male

Posted 24 December 2011 - 03:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433205 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Hughzar

  • Topic Starter
  • Members
  • 41 posts

Posted 27 December 2011 - 08:37 AM

As per HelpBot's instructions, I have created new logs to post. Just for clarity's sake, I will redescribe my problems. First, ping.exe is constantly running in the background using up all of my resources. Sometimes it gets as high as 800,000 K! Using the task manager I close the program, but it keeps running itself. Second, I keep getting redirected when I click on links. I have Firefox, IE, and Chrome all installed on my computer. IE and Firefox are unusable due to the redirects, but Chrome holds up ok for now. Third, this is one I only just noticed: when I have a browser open, multiples show in my processes tab. For example, when I am in Chrome there will be two Chrome processes running even though only one window and one tab are open. Sometimes this number reaches up to five different Chrome processes running even with just one window/tab open. When I close out of Chrome they all close.

I appreciate any help that can be offered. Please let me know if more information is needed or I need to be more clear. Thanks in advance for the help!
--Ryan


#4 nasdaq

  • Malware Response Team
  • 20,938 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 December 2011 - 12:03 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please run the DDS tool and paste the contents of the DDS.txt log in your next post. Do Not Attach the file.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

Note: You may be asked if you want to download Avast Free Antivirus. I suggest you deny this download unless you do not have any Antivirus protection on the computer.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please paste the logs on your next post, DO NOT ATTACH THEM.
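The DDS log requested above is reviewed by eye in this thread; the following is an added triage helper (written for this page, not part of DDS, the thread, or nasdaq's procedure) that parses the "Running Processes" and "Pseudo HJT Report" sections in the DDS format and flags three things a reviewer looks for in a redirect/ping.exe case: a browser proxy pointing back at localhost, per-user autoruns whose folder or key name looks random under Local Settings\Application Data, and a normally short-lived Windows binary sitting in the process snapshot. The sample input is constructed, modelled on the lines the poster's DDS log shows.

```python
import re

# Constructed sample in the DDS format (entries modelled on this thread's log,
# trimmed to the ones that matter for triage; not a real machine's full output).
SAMPLE_DDS = """\
============== Running Processes ===============
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Mozilla Firefox\\firefox.exe
C:\\WINDOWS\\System32\\ping.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.mail.lycos.com/
uInternet Settings,ProxyServer = http=127.0.0.1:1036
uInternet Settings,ProxyOverride = <local>;*.local
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [Google Update] "c:\\documents and settings\\ryan\\local settings\\application data\\google\\update\\GoogleUpdate.exe" /c
uRun: [bjmkphdpbjutw] c:\\documents and settings\\ryan\\local settings\\application data\\csqcsk\\bkrrfax.exe
uRun: [ohkwfbil] c:\\documents and settings\\ryan\\local settings\\application data\\uuybbxs\\yhygny.exe
uRun: [SpybotSD TeaTimer] c:\\program files\\spybot - search & destroy\\TeaTimer.exe
mRun: [SynTPEnh] c:\\program files\\synaptics\\syntp\\SynTPEnh.exe
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")
RUN_RE = re.compile(r"^([umd])Run: \[([^\]]+)\] (.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (.+)$")
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.I)
LOCAL_APPDATA = "\\local settings\\application data\\"
# Trusted Windows binaries that should not be resident in a desktop process
# snapshot; if one is, something keeps relaunching it (as ping.exe does here).
UNUSUAL_RESIDENT = {"ping.exe"}


def _loopback(proxy_value):
    """True if any proxy entry ("host:port" or "proto=host:port;...") points at localhost."""
    for part in proxy_value.split(";"):
        hostport = part.split("=", 1)[-1]
        host = hostport.rsplit(":", 1)[0].strip().lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False


def _random_looking(name):
    """Heuristic: long, pure lowercase letters, with fewer vowels than real words have."""
    if not re.fullmatch(r"[a-z]{6,}", name):
        return False
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.3


def _suspicious_user_autorun(key, value):
    """Executable directly under one folder in Local Settings\\Application Data,
    where that folder or the Run key name looks randomly generated."""
    m = EXE_RE.match(value.strip())
    if not m:
        return False
    path = m.group(1).lower()
    idx = path.find(LOCAL_APPDATA)
    if idx < 0:
        return False
    rest = path[idx + len(LOCAL_APPDATA):].split("\\")
    if len(rest) != 2:  # legitimate installs (google\update\...) sit deeper
        return False
    return _random_looking(rest[0]) or _random_looking(key)


def triage_dds(text):
    """Walk a DDS log and return a list of findings: {"kind", "key", "item"}."""
    findings = []
    section = None
    for line in text.splitlines():
        hdr = SECTION_RE.match(line)
        if hdr:
            section = hdr.group(1).strip().lower()
            continue
        if section == "running processes":
            exe = line.rsplit("\\", 1)[-1].split(" ")[0].lower()
            if exe in UNUSUAL_RESIDENT:
                findings.append({"kind": "resident_lolbin", "key": exe, "item": line})
            continue
        m = PROXY_RE.match(line)
        if m:
            if _loopback(m.group(1)):
                findings.append({"kind": "loopback_proxy", "key": m.group(1), "item": line})
            continue
        m = RUN_RE.match(line)
        if m:
            hive, key, value = m.groups()
            if hive == "u" and _suspicious_user_autorun(key, value):
                findings.append({"kind": "random_user_autorun", "key": key, "item": line})
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f['kind']}] {f['item']}")
```

The loopback proxy is what turns every browser into a redirect victim regardless of which browser is used, so it is the first thing to clear once the autoruns and the driver flagged by TDSSKiller are dealt with.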

#5 Hughzar

  • Topic Starter
  • Members
  • 41 posts

Posted 28 December 2011 - 09:08 AM

Thanks for taking the time to help me nasdaq. I have run all the programs you suggested. As per your request, I have attached the MBR.dat zip file and copied the log from DDS.txt and the report from TDSSKiller.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_30
Run by Ryan at 18:24:50 on 2011-12-26
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1150 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Super_DVD_Creator_9.8\NMSAccessU.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\Ryan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ryan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ryan\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\ping.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.mail.lycos.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080404
uInternet Settings,ProxyServer = http=127.0.0.1:1036
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [DellAutomatedPCTuneUp] "c:\program files\dellautomatedpctuneup\PTAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\ryan\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [bjmkphdpbjutw] c:\documents and settings\ryan\local settings\application data\csqcsk\bkrrfax.exe
uRun: [ohkwfbil] c:\documents and settings\ryan\local settings\application data\uuybbxs\yhygny.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [jpqmemwsp] c:\documents and settings\ryan\local settings\application data\gqcrfqa\skqmhbu.exe
uRun: [frdavdhbjh] c:\documents and settings\ryan\local settings\application data\yfrqxjra\wxacfsm.exe
uRun: [aqypdslpke] c:\documents and settings\ryan\local settings\application data\pftwdd\homxift.exe
uRun: [DriverBoost] c:\program files\driverboost\DriverBoost.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [dvd43] c:\program files\dvd43\dvd43_tray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [SymInstallStub] c:\documents and settings\all users.windows\application data\divx\symantec\SymInstallStub.exe /partnerid=divx /productlist=nss /staging=true /delay=5 /lang=English /desktopshortcut=1 /startmenushortcut=1 /tasktries=1
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: paflyfish.com\www
Trusted Zone: progressive.com\onlineservice1
Trusted Zone: progressive.com\onlineservice2
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ryan\application data\mozilla\firefox\profiles\4f38q9o3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.paflyfish.com/
FF - plugin: c:\documents and settings\ryan\local settings\application data\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2008-9-1 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-9 22216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
.
=============== Created Last 30 ================
.
2011-12-15 20:32:32 -------- d-----w- c:\windows\system32\drivers\nss\0306010.00B
2011-12-15 20:32:32 -------- d-----w- c:\windows\system32\drivers\NSS
2011-12-15 20:32:31 -------- d-----w- c:\program files\Norton Security Scan
2011-12-15 20:32:17 -------- d-----w- c:\program files\NortonInstaller
2011-12-15 02:41:32 -------- d-----w- c:\documents and settings\ryan\application data\SUPERAntiSpyware.com
2011-12-15 02:40:43 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-15 02:40:43 -------- d-----w- c:\documents and settings\all users.windows\application data\SUPERAntiSpyware.com
2011-12-09 22:58:55 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2011-12-09 22:58:51 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 13:03:25 21840 ----a-w- c:\windows\system32\SIntfNT.dll
2011-09-28 13:03:25 17212 ----a-w- c:\windows\system32\SIntf32.dll
2011-09-28 13:03:24 12067 ----a-w- c:\windows\system32\SIntf16.dll
2011-09-28 12:55:40 2829 ----a-w- c:\windows\DIIUnin.pif
2011-09-28 12:55:39 94208 ----a-w- c:\windows\DIIUnin.exe
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
.
============= FINISH: 18:27:14.80 ===============



08:35:49.0828 0716 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
08:35:50.0171 0716 ============================================================
08:35:50.0171 0716 Current date / time: 2011/12/28 08:35:50.0171
08:35:50.0171 0716 SystemInfo:
08:35:50.0171 0716
08:35:50.0171 0716 OS Version: 5.1.2600 ServicePack: 3.0
08:35:50.0171 0716 Product type: Workstation
08:35:50.0171 0716 ComputerName: TEMP
08:35:50.0171 0716 UserName: Ryan
08:35:50.0171 0716 Windows directory: C:\WINDOWS
08:35:50.0171 0716 System windows directory: C:\WINDOWS
08:35:50.0171 0716 Processor architecture: Intel x86
08:35:50.0171 0716 Number of processors: 2
08:35:50.0171 0716 Page size: 0x1000
08:35:50.0171 0716 Boot type: Normal boot
08:35:50.0171 0716 ============================================================
08:35:58.0625 0716 Initialize success
08:36:03.0531 2148 ============================================================
08:36:03.0531 2148 Scan started
08:36:03.0531 2148 Mode: Manual;
08:36:03.0531 2148 ============================================================
08:36:11.0562 2148 Abiosdsk - ok
08:36:12.0156 2148 abp480n5 - ok
08:36:12.0781 2148 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:36:12.0906 2148 ACPI - ok
08:36:13.0656 2148 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
08:36:13.0671 2148 ACPIEC - ok
08:36:14.0390 2148 adpu160m - ok
08:36:15.0046 2148 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:36:15.0140 2148 aec - ok
08:36:16.0390 2148 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
08:36:16.0500 2148 AFD - ok
08:36:17.0906 2148 Aha154x - ok
08:36:18.0609 2148 aic78u2 - ok
08:36:19.0281 2148 aic78xx - ok
08:36:19.0843 2148 AliIde - ok
08:36:20.0703 2148 amsint - ok
08:36:21.0609 2148 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
08:36:21.0609 2148 APPDRV - ok
08:36:22.0656 2148 asc - ok
08:36:23.0406 2148 asc3350p - ok
08:36:23.0890 2148 asc3550 - ok
08:36:25.0062 2148 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:36:25.0203 2148 AsyncMac - ok
08:36:26.0546 2148 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
08:36:26.0546 2148 atapi - ok
08:36:27.0609 2148 Atdisk - ok
08:36:30.0468 2148 ati2mtag (e78b73eb84c257d0d940e041742d2699) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
08:36:32.0250 2148 ati2mtag - ok
08:36:33.0390 2148 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:36:33.0453 2148 Atmarpc - ok
08:36:34.0531 2148 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:36:34.0531 2148 audstub - ok
08:36:36.0968 2148 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
08:36:38.0359 2148 BCM43XX - ok
08:36:39.0593 2148 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
08:36:39.0593 2148 bcm4sbxp - ok
08:36:40.0921 2148 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
08:36:40.0921 2148 Beep - ok
08:36:41.0875 2148 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
08:36:41.0875 2148 BVRPMPR5 - ok
08:36:43.0187 2148 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:36:43.0187 2148 cbidf2k - ok
08:36:44.0281 2148 cd20xrnt - ok
08:36:45.0453 2148 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:36:45.0453 2148 Cdaudio - ok
08:36:46.0500 2148 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:36:46.0562 2148 Cdfs - ok
08:36:47.0812 2148 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:36:47.0812 2148 Cdrom - ok
08:36:48.0875 2148 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
08:36:48.0875 2148 cercsr6 - ok
08:36:49.0781 2148 Changer - ok
08:36:50.0593 2148 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
08:36:50.0609 2148 CmBatt - ok
08:36:51.0312 2148 CmdIde - ok
08:36:52.0765 2148 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
08:36:52.0765 2148 Compbatt - ok
08:36:53.0546 2148 Cpqarray - ok
08:36:54.0578 2148 dac2w2k - ok
08:36:55.0546 2148 dac960nt - ok
08:36:56.0703 2148 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
08:36:56.0703 2148 Disk - ok
08:36:59.0250 2148 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:37:00.0015 2148 dmboot - ok
08:37:01.0109 2148 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:37:01.0250 2148 dmio - ok
08:37:02.0593 2148 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:37:02.0609 2148 dmload - ok
08:37:03.0765 2148 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:37:03.0812 2148 DMusic - ok
08:37:04.0890 2148 dpti2o - ok
08:37:05.0796 2148 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:37:05.0796 2148 drmkaud - ok
08:37:06.0703 2148 dvd43llh (1fc1eed3ea0c3a0ecf8a95b97e1b4831) C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
08:37:06.0718 2148 dvd43llh - ok
08:37:08.0828 2148 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:37:08.0921 2148 Fastfat - ok
08:37:09.0687 2148 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
08:37:09.0687 2148 Fdc - ok
08:37:10.0593 2148 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:37:10.0593 2148 Fips - ok
08:37:11.0406 2148 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
08:37:11.0406 2148 Flpydisk - ok
08:37:12.0328 2148 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
08:37:12.0406 2148 FltMgr - ok
08:37:13.0296 2148 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:37:13.0296 2148 Fs_Rec - ok
08:37:13.0984 2148 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:37:14.0093 2148 Ftdisk - ok
08:37:14.0765 2148 GEARAspiWDM (5dc17164f66380cbfefd895c18467773) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
08:37:14.0765 2148 GEARAspiWDM - ok
08:37:15.0750 2148 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:37:15.0781 2148 Gpc - ok
08:37:16.0687 2148 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
08:37:16.0687 2148 grmnusb - ok
08:37:17.0718 2148 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:37:17.0828 2148 HDAudBus - ok
08:37:18.0718 2148 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:37:18.0718 2148 HidUsb - ok
08:37:19.0750 2148 hpn - ok
08:37:20.0593 2148 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
08:37:20.0750 2148 HSFHWAZL - ok
08:37:22.0312 2148 HSF_DPV (ddbd528e60f5961c142a490dc4ea7780) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
08:37:23.0343 2148 HSF_DPV - ok
08:37:24.0421 2148 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
08:37:24.0593 2148 HTTP - ok
08:37:25.0359 2148 i2omgmt - ok
08:37:26.0140 2148 i2omp - ok
08:37:26.0703 2148 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:37:26.0734 2148 i8042prt - ok
08:37:27.0562 2148 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:37:27.0593 2148 Imapi - ok
08:37:28.0265 2148 ini910u - ok
08:37:28.0750 2148 IntelIde - ok
08:37:29.0453 2148 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
08:37:29.0468 2148 Ip6Fw - ok
08:37:30.0218 2148 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:37:30.0250 2148 IpFilterDriver - ok
08:37:30.0812 2148 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:37:30.0812 2148 IpInIp - ok
08:37:31.0812 2148 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:37:31.0859 2148 IpNat - ok
08:37:32.0812 2148 IPSec (c6f1ee627efc039977aa1f85121c4782) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:37:32.0859 2148 IPSec ( Rootkit.Win32.ZAccess.h ) - infected
08:37:32.0859 2148 IPSec - detected Rootkit.Win32.ZAccess.h (0)
08:37:33.0593 2148 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:37:33.0593 2148 IRENUM - ok
08:37:34.0500 2148 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:37:34.0500 2148 isapnp - ok
08:37:35.0343 2148 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:37:35.0343 2148 Kbdclass - ok
08:37:36.0234 2148 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:37:36.0234 2148 kmixer - ok
08:37:36.0921 2148 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
08:37:37.0046 2148 KSecDD - ok
08:37:37.0890 2148 lbrtfdc - ok
08:37:38.0625 2148 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
08:37:38.0640 2148 MBAMProtector - ok
08:37:39.0296 2148 MBAMSwissArmy - ok
08:37:39.0843 2148 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
08:37:39.0843 2148 mdmxsdk - ok
08:37:40.0546 2148 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:37:40.0546 2148 mnmdd - ok
08:37:41.0406 2148 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:37:41.0406 2148 Modem - ok
08:37:42.0421 2148 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:37:42.0421 2148 Mouclass - ok
08:37:43.0140 2148 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:37:43.0140 2148 mouhid - ok
08:37:43.0703 2148 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
08:37:43.0703 2148 MountMgr - ok
08:37:44.0437 2148 mraid35x - ok
08:37:45.0390 2148 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:37:45.0468 2148 MRxDAV - ok
08:37:46.0437 2148 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:37:46.0703 2148 MRxSmb - ok
08:37:47.0531 2148 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:37:47.0546 2148 Msfs - ok
08:37:48.0281 2148 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:37:48.0281 2148 MSKSSRV - ok
08:37:48.0812 2148 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:37:48.0812 2148 MSPCLOCK - ok
08:37:49.0734 2148 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:37:49.0734 2148 MSPQM - ok
08:37:50.0437 2148 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:37:50.0437 2148 mssmbios - ok
08:37:51.0156 2148 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
08:37:51.0171 2148 Mup - ok
08:37:51.0796 2148 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:37:51.0921 2148 NDIS - ok
08:37:52.0515 2148 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:37:52.0531 2148 NdisTapi - ok
08:37:53.0078 2148 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:37:53.0093 2148 Ndisuio - ok
08:37:53.0671 2148 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:37:53.0718 2148 NdisWan - ok
08:37:54.0359 2148 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
08:37:54.0359 2148 NDProxy - ok
08:37:55.0093 2148 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:37:55.0093 2148 NetBIOS - ok
08:37:55.0750 2148 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:37:55.0859 2148 NetBT - ok
08:37:56.0671 2148 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:37:56.0671 2148 Npfs - ok
08:37:57.0750 2148 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
08:37:58.0156 2148 Ntfs - ok
08:37:58.0781 2148 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
08:37:58.0781 2148 NuidFltr - ok
08:37:59.0421 2148 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:37:59.0421 2148 Null - ok
08:38:00.0015 2148 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:38:00.0031 2148 NwlnkFlt - ok
08:38:00.0578 2148 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:38:00.0593 2148 NwlnkFwd - ok
08:38:01.0343 2148 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
08:38:01.0343 2148 Parport - ok
08:38:01.0859 2148 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:38:01.0859 2148 PartMgr - ok
08:38:02.0656 2148 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:38:02.0656 2148 ParVdm - ok
08:38:03.0406 2148 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:38:03.0406 2148 PCI - ok
08:38:03.0859 2148 PCIDump - ok
08:38:04.0500 2148 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
08:38:04.0500 2148 PCIIde - ok
08:38:05.0218 2148 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
08:38:05.0250 2148 Pcmcia - ok
08:38:05.0718 2148 PDCOMP - ok
08:38:06.0281 2148 PDFRAME - ok
08:38:06.0796 2148 PDRELI - ok
08:38:07.0296 2148 PDRFRAME - ok
08:38:07.0812 2148 perc2 - ok
08:38:08.0359 2148 perc2hib - ok
08:38:09.0187 2148 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:38:09.0187 2148 PptpMiniport - ok
08:38:09.0953 2148 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
08:38:09.0953 2148 Processor - ok
08:38:10.0609 2148 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
08:38:10.0609 2148 PSched - ok
08:38:11.0265 2148 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:38:11.0265 2148 Ptilink - ok
08:38:11.0500 2148 PTPROCT (413f2d5f9d802688242c23b38f767ecb) C:\PROGRA~1\DELLAU~1\GTACTION\TRIGGERS\PTPROCT.sys
08:38:11.0500 2148 PTPROCT - ok
08:38:12.0390 2148 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
08:38:12.0390 2148 PxHelp20 - ok
08:38:13.0062 2148 ql1080 - ok
08:38:13.0531 2148 Ql10wnt - ok
08:38:14.0078 2148 ql12160 - ok
08:38:14.0625 2148 ql1240 - ok
08:38:19.0046 2148 ql1280 - ok
08:38:19.0625 2148 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:38:19.0625 2148 RasAcd - ok
08:38:20.0359 2148 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:38:20.0359 2148 Rasl2tp - ok
08:38:21.0093 2148 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:38:21.0093 2148 RasPppoe - ok
08:38:21.0625 2148 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:38:21.0625 2148 Raspti - ok
08:38:22.0562 2148 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:38:22.0640 2148 Rdbss - ok
08:38:23.0453 2148 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:38:23.0453 2148 RDPCDD - ok
08:38:24.0312 2148 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
08:38:24.0375 2148 RDPWD - ok
08:38:25.0156 2148 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:38:25.0156 2148 redbook - ok
08:38:25.0687 2148 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
08:38:25.0703 2148 rimmptsk - ok
08:38:26.0093 2148 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
08:38:26.0093 2148 SASDIFSV - ok
08:38:26.0218 2148 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
08:38:26.0265 2148 SASKUTIL - ok
08:38:27.0203 2148 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
08:38:27.0218 2148 sdbus - ok
08:38:27.0703 2148 SDDMI2 - ok
08:38:28.0500 2148 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:38:28.0500 2148 Secdrv - ok
08:38:29.0328 2148 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
08:38:29.0328 2148 Serial - ok
08:38:29.0953 2148 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:38:29.0968 2148 Sfloppy - ok
08:38:30.0562 2148 Simbad - ok
08:38:30.0796 2148 SMSIVZAM5 (1e715247efffdda938c085913045d599) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS
08:38:30.0812 2148 SMSIVZAM5 - ok
08:38:31.0546 2148 Sparrow - ok
08:38:32.0218 2148 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:38:32.0218 2148 splitter - ok
08:38:32.0781 2148 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:38:32.0796 2148 sr - ok
08:38:33.0765 2148 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
08:38:34.0062 2148 Srv - ok
08:38:35.0593 2148 STHDA (31ba85e1cff39a57f702a2a0877bb8e1) C:\WINDOWS\system32\drivers\sthda.sys
08:38:36.0562 2148 STHDA - ok
08:38:37.0296 2148 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:38:37.0296 2148 swenum - ok
08:38:37.0859 2148 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:38:37.0859 2148 swmidi - ok
08:38:38.0500 2148 symc810 - ok
08:38:39.0015 2148 symc8xx - ok
08:38:39.0484 2148 sym_hi - ok
08:38:40.0156 2148 sym_u3 - ok
08:38:40.0812 2148 SynTP (936cd58395d36659bb798b961ef7357f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
08:38:40.0937 2148 SynTP - ok
08:38:41.0671 2148 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:38:41.0671 2148 sysaudio - ok
08:38:42.0734 2148 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:38:42.0968 2148 Tcpip - ok
08:38:43.0703 2148 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
08:38:43.0703 2148 TDPIPE - ok
08:38:45.0281 2148 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
08:38:45.0281 2148 TDTCP - ok
08:38:46.0203 2148 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
08:38:46.0203 2148 TermDD - ok
08:38:46.0781 2148 TosIde - ok
08:38:47.0546 2148 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:38:47.0546 2148 Udfs - ok
08:38:48.0203 2148 UIUSys - ok
08:38:48.0703 2148 ultra - ok
08:38:49.0718 2148 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:38:50.0000 2148 Update - ok
08:38:50.0843 2148 usbbus (9419faac6552a51542dbba02971c841c) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
08:38:50.0843 2148 usbbus - ok
08:38:51.0937 2148 UsbDiag (c0a466fa4ffec464320e159bc1bbdc0c) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
08:38:51.0937 2148 UsbDiag - ok
08:38:54.0187 2148 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:38:54.0250 2148 usbehci - ok
08:38:55.0312 2148 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:38:55.0312 2148 usbhub - ok
08:38:56.0343 2148 USBModem (f74a54774a9b0afeb3c40adec68aa600) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
08:38:56.0343 2148 USBModem - ok
08:38:57.0125 2148 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
08:38:57.0125 2148 usbohci - ok
08:38:57.0703 2148 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
08:38:57.0703 2148 usbprint - ok
08:38:58.0515 2148 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:38:58.0515 2148 USBSTOR - ok
08:38:59.0343 2148 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:38:59.0375 2148 VgaSave - ok
08:39:00.0031 2148 ViaIde - ok
08:39:00.0578 2148 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:39:00.0593 2148 VolSnap - ok
08:39:01.0234 2148 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:39:01.0265 2148 Wanarp - ok
08:39:02.0281 2148 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
08:39:02.0562 2148 Wdf01000 - ok
08:39:03.0265 2148 WDICA - ok
08:39:03.0890 2148 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:39:03.0953 2148 wdmaud - ok
08:39:05.0109 2148 winachsf (96aff1738271755a39b52eef7e35f98f) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
08:39:05.0671 2148 winachsf - ok
08:39:06.0687 2148 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
08:39:06.0687 2148 WmiAcpi - ok
08:39:07.0390 2148 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
08:39:07.0390 2148 WpdUsb - ok
08:39:08.0156 2148 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:39:08.0171 2148 WudfPf - ok
08:39:08.0984 2148 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:39:09.0046 2148 WudfRd - ok
08:39:09.0140 2148 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:39:09.0906 2148 \Device\Harddisk0\DR0 - ok
08:39:09.0921 2148 Boot (0x1200) (7808846bd7f5e06d0bf2033b2a0f655b) \Device\Harddisk0\DR0\Partition0
08:39:09.0921 2148 \Device\Harddisk0\DR0\Partition0 - ok
08:39:09.0921 2148 ============================================================
08:39:09.0921 2148 Scan finished
08:39:09.0921 2148 ============================================================
08:39:09.0968 3296 Detected object count: 1
08:39:09.0968 3296 Actual detected object count: 1
08:39:28.0234 3296 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\ipsec.sys) error 1813
08:39:30.0078 3296 Backup copy found, using it..
08:39:30.0171 3296 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot
08:40:41.0000 3296 IPSec ( Rootkit.Win32.ZAccess.h ) - User select action: Cure
08:44:32.0671 3368 Deinitialize success

Attached Files

  • MBR.zip (512 bytes)


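A TDSSKiller log of this length is easier to read with a script than by eye. The following is an added example, not TDSSKiller's code and not something posted in this thread: it parses the log's "<time> <pid> <payload>" lines into one record per service or driver and reports what a responder checks first, namely the entries with a verdict, the action chosen for them, files queued for cure on reboot, drivers loaded from outside the Windows directory, and service entries that were registered but had no file to scan. The sample log is constructed after the format of the log above (the Fips hash is a placeholder; the IPSec, SASDIFSV and MBR lines mirror the real entries), the C:\WINDOWS system root is an assumption, and verdict lines other than "infected"/"detected" are not handled.

```python
"""Triage a TDSSKiller driver-scan log (added example; not TDSSKiller's code)."""
import re
from dataclasses import dataclass, field

# "<time> <pid> <payload>", e.g. "08:37:32.0812 2148 IPSec (md5) C:\...\ipsec.sys"
LINE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<payload>.*\S)\s*$")
# "<name> (<md5>) <path>"; the name may itself contain parentheses ("MBR (0x1B8)")
FILE_LINE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
INFECTED = re.compile(r"^(?P<name>.+?) \( (?P<verdict>.+?) \) - infected$")
DETECTED = re.compile(r"^(?P<name>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
ACTION = re.compile(r"^(?P<name>.+?) \( .+? \) - User select action: (?P<action>\w+)$")
CURE = re.compile(r"^(?P<path>.+) - will be cured on reboot$")
OK_LINE = re.compile(r"^(?P<name>.+) - ok$")

SYSTEM_ROOT = "c:\\windows\\"  # assumption: stock XP install on C:


@dataclass
class Entry:
    name: str
    md5: str = ""
    path: str = ""
    verdicts: list = field(default_factory=list)
    action: str = ""
    cure_on_reboot: bool = False
    ok: bool = False


def parse(log: str) -> dict:
    """Return {name: Entry}; lines that are not per-entry records are ignored."""
    entries: dict = {}
    by_path: dict = {}  # MBR/boot "- ok" and cure lines name the path, not the entry

    def entry(name: str) -> Entry:
        return entries.setdefault(name, Entry(name))

    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        p = m["payload"]
        if (f := FILE_LINE.match(p)):
            e = entry(f["name"])
            e.md5, e.path = f["md5"], f["path"]
            by_path[f["path"]] = e
        elif (i := INFECTED.match(p)):
            entry(i["name"]).verdicts.append(i["verdict"])
        elif (d := DETECTED.match(p)):
            e = entry(d["name"])
            if d["verdict"] not in e.verdicts:
                e.verdicts.append(d["verdict"])
        elif (a := ACTION.match(p)):
            entry(a["name"]).action = a["action"]
        elif (c := CURE.match(p)):
            if c["path"] in by_path:
                by_path[c["path"]].cure_on_reboot = True
        elif (o := OK_LINE.match(p)):
            (by_path.get(o["name"]) or entry(o["name"])).ok = True
    return entries


def triage(log: str) -> dict:
    """Summarise the parsed log the way a responder reads it."""
    report = {"infected": [], "actions": {}, "pending_reboot": [],
              "outside_system_root": [], "registered_without_file": []}
    for e in parse(log).values():
        if e.verdicts:
            report["infected"].append({"name": e.name, "verdict": e.verdicts[0],
                                       "path": e.path, "md5": e.md5})
        if e.action:
            report["actions"][e.name] = e.action
        if e.cure_on_reboot:
            report["pending_reboot"].append(e.path)
        # Drive-letter paths outside %SystemRoot% are usually third-party (AV, vendor
        # tools) but deserve a look; \Device\... paths are the MBR/boot-sector checks.
        if e.path[1:2] == ":" and not e.path.lower().startswith(SYSTEM_ROOT):
            report["outside_system_root"].append((e.name, e.path))
        # "<name> - ok" with no file line: the service is registered, no file was scanned.
        if e.ok and not e.path:
            report["registered_without_file"].append(e.name)
    return report


# Constructed sample after the log format above; the Fips hash is a placeholder.
SAMPLE_LOG = r"""
08:37:10.0593 2148 Fips (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\Fips.sys
08:37:10.0593 2148 Fips - ok
08:37:19.0750 2148 hpn - ok
08:37:32.0812 2148 IPSec (c6f1ee627efc039977aa1f85121c4782) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:37:32.0859 2148 IPSec ( Rootkit.Win32.ZAccess.h ) - infected
08:37:32.0859 2148 IPSec - detected Rootkit.Win32.ZAccess.h (0)
08:38:26.0093 2148 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
08:38:26.0093 2148 SASDIFSV - ok
08:39:09.0140 2148 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:39:09.0906 2148 \Device\Harddisk0\DR0 - ok
08:39:09.0921 2148 Scan finished
08:39:30.0171 3296 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured on reboot
08:40:41.0000 3296 IPSec ( Rootkit.Win32.ZAccess.h ) - User select action: Cure
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")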
#6 nasdaq

  • Malware Response Team
  • 20,938 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 December 2011 - 10:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Did you set up this proxy server?
uInternet Settings,ProxyServer = http=127.0.0.1:1036

If not, and it's not required by your Internet Provider (please check), then remove it.

How to remove the proxy settings.

In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and remove the reference to 127.0.0.1:5577 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===

If you use Firefox in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings. Select the Auto-detect proxy settings for this network option. Or no proxy if you do not need it.
===

If you use Firefox remove the proxy settings also.
http://support.mozilla.com/en-US/kb/Firefox+cannot+load+websites+but+other+programs+can?s=proxy+settings&as=s
===
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

With this type of infection ComboFix may stall or restart a few times.
If it stalls after 40 minutes, you should stop the process and run it again.

Post the logs and let me know what problem persists.
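The proxy check nasdaq asks for above is the kind of thing worth doing mechanically once you have a ComboFix log in hand. The following is an added example, not ComboFix's code and not part of this thread: it pulls the Internet Settings ProxyServer value and the Firefox network.proxy.* prefs out of ComboFix's "Supplementary Scan" lines, splits the per-protocol proxy string, and reports "loopback_proxy" when the browser is being routed through a process on the same machine (the pattern behind the redirects in this thread), "remote_proxy" when a real proxy host is set and should be confirmed with the ISP or admin, and "clean" otherwise. It assumes ComboFix prefixes HKCU values with "u" and HKLM values with "m", and the sample lines are constructed after the format the log uses. As an alternative to the Internet Options dialog, it can also emit a .reg file that switches ProxyEnable off and deletes ProxyServer; that file does not touch the "Automatically detect settings" checkbox, which IE keeps in a binary value, so that step still happens in the dialog.

```python
"""Classify proxy settings from a ComboFix log (added example; not ComboFix's code)."""
import ipaddress
import re

# "uInternet Settings,ProxyServer = http=127.0.0.1:1036"  (assumption: u = HKCU, m = HKLM)
IE_PROXY = re.compile(r"^(?P<hive>[um])Internet Settings,ProxyServer = (?P<value>.+)$")
# "FF - prefs.js: network.proxy.type - 4"
FF_PREF = re.compile(r"^FF - prefs\.js: (?P<key>network\.proxy\.\S+) - (?P<value>.+)$")

# Meaning of Firefox's network.proxy.type values
FF_PROXY_TYPES = {"0": "no proxy", "1": "manual", "2": "PAC URL",
                  "4": "auto-detect (WPAD)", "5": "system settings"}


def parse_proxy_server(value: str) -> dict:
    """Split an IE ProxyServer string into {scheme: (host, port)}.

    The value is either "host:port" (applies to every protocol, keyed "*") or a
    ';'-separated list such as "http=127.0.0.1:1036;https=127.0.0.1:1036".
    """
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is "" when there is no "="
        host, _, port = hostport.rpartition(":")
        if not host:                                 # no port given at all
            host, port = hostport, ""
        out[scheme or "*"] = (host.strip("[]"), int(port) if port.isdigit() else None)
    return out


def is_loopback(host: str) -> bool:
    """True for localhost, 127.0.0.0/8 and ::1."""
    h = host.lower()
    if h == "localhost":
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False


def assess(log: str) -> dict:
    """Extract IE and Firefox proxy settings from ComboFix output and give a verdict."""
    report = {"ie": [], "firefox": {}, "firefox_mode": None, "verdict": "clean"}
    for line in log.splitlines():
        line = line.strip()
        if (m := IE_PROXY.match(line)):
            hive = "HKCU" if m["hive"] == "u" else "HKLM"
            for scheme, (host, port) in parse_proxy_server(m["value"]).items():
                report["ie"].append({"hive": hive, "scheme": scheme, "host": host,
                                     "port": port, "loopback": is_loopback(host)})
        elif (m := FF_PREF.match(line)):
            report["firefox"][m["key"]] = m["value"]
    ff = report["firefox"]
    ff_type = ff.get("network.proxy.type")
    report["firefox_mode"] = FF_PROXY_TYPES.get(ff_type, "unknown") if ff_type else None
    # A manual Firefox proxy pointing at the local machine is the same hijack pattern.
    ff_manual_loop = ff_type == "1" and is_loopback(ff.get("network.proxy.http", ""))
    if any(f["loopback"] for f in report["ie"]) or ff_manual_loop:
        report["verdict"] = "loopback_proxy"
    elif report["ie"] or ff_type == "1":
        report["verdict"] = "remote_proxy"
    return report


def reg_file_clearing_ie_proxy(hive: str = "HKCU") -> str:
    """A .reg file that disables the IE proxy and deletes ProxyServer.

    Alternative to the Internet Options dialog; "=-" deletes the value. The
    "Automatically detect settings" flag is a binary value this does not touch.
    """
    root = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}[hive]
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{root}\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\r\n"
        '"ProxyEnable"=dword:00000000\r\n'
        '"ProxyServer"=-\r\n'
    )


# Constructed after the "Supplementary Scan" lines ComboFix prints.
SAMPLE = """
uStart Page = hxxp://www.mail.lycos.com/
uInternet Settings,ProxyServer = http=127.0.0.1:1036
uInternet Settings,ProxyOverride = *.local;<local>
FF - prefs.js: network.proxy.type - 4
"""

if __name__ == "__main__":
    result = assess(SAMPLE)
    print(result["verdict"], result["ie"], "firefox:", result["firefox_mode"])
    if result["verdict"] == "loopback_proxy":
        print(reg_file_clearing_ie_proxy())
```

Save the emitted text as a .reg file and double-click it to merge, then still open Internet Options > Connections > LAN Settings to confirm "Use a proxy server" is unchecked and "Automatically detect settings" is checked, as the post above describes.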

#7 Hughzar

  • Topic Starter
  • Members
  • 41 posts

Posted 31 December 2011 - 05:32 AM

Sorry for the delayed post, nasdaq. I manage a grocery store so things get crazy for me this time of year. The proxy server was not set up by my internet provider, so I went ahead and deleted it. I ran the scans requested and posted the logs below. Ping.exe no longer appears to be a problem and the redirection is gone, however my computer still seems a bit sluggish. Certain things, like youtube videos, are running normally again, but browsers still open a bit slow, as is my Lord of the Rings Online game that I play with some frequency. When I open up my task manager, there are still 2 Chrome.exe running despite there only being one browser window, and one tab open. Additionally, there are 7 svchost.exe open (I never noticed them before), 2 under NETWORK SERVICE, 2 under LOCAL SERVICE, and 3 under SYSTEM. Is that normal?


Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2011.12.24.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Ryan :: TEMP [administrator]

Protection: Disabled

12/29/2011 5:46:42 PM
mbam-log-2011-12-29 (17-46-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 292615
Time elapsed: 53 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)




ComboFix 11-12-29.05 - Ryan 12/29/2011 19:17:55.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1561 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\hretywa.dll
c:\documents and settings\Ryan\WINDOWS
c:\windows\$NtUninstallKB48938$
c:\windows\$NtUninstallKB48938$\1766215290
c:\windows\$NtUninstallKB48938$\3794099471\@
c:\windows\$NtUninstallKB48938$\3794099471\bckfg.tmp
c:\windows\$NtUninstallKB48938$\3794099471\cfg.ini
c:\windows\$NtUninstallKB48938$\3794099471\Desktop.ini
c:\windows\$NtUninstallKB48938$\3794099471\keywords
c:\windows\$NtUninstallKB48938$\3794099471\kwrd.dll
c:\windows\$NtUninstallKB48938$\3794099471\L\aitzyism
c:\windows\$NtUninstallKB48938$\3794099471\lsflt7.ver
c:\windows\$NtUninstallKB48938$\3794099471\U\00000001.@
c:\windows\$NtUninstallKB48938$\3794099471\U\00000002.@
c:\windows\$NtUninstallKB48938$\3794099471\U\00000004.@
c:\windows\$NtUninstallKB48938$\3794099471\U\80000000.@
c:\windows\$NtUninstallKB48938$\3794099471\U\80000004.@
c:\windows\$NtUninstallKB48938$\3794099471\U\80000032.@
c:\windows\Downloaded Installations\BMP
c:\windows\Downloaded Installations\BMP\{44C774BE-1389-4E84-B5DE-54D9FB4A2253}\1033.MST
c:\windows\Downloaded Installations\BMP\{44C774BE-1389-4E84-B5DE-54D9FB4A2253}\BACS.msi
c:\windows\system32\drivers\1028_DELL_XPS_Vostro 1000 .MRK
c:\windows\system32\drivers\DELL_XPS_Vostro 1000 .MRK
c:\windows\system32\SET29B9.tmp
c:\windows\system32\SET29BD.tmp
c:\windows\system32\SET29C5.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-11-28 to 2011-12-30 )))))))))))))))))))))))))))))))
.
.
2011-12-15 20:32 . 2011-12-15 20:32 -------- d-----w- c:\windows\system32\drivers\NSS
2011-12-15 20:32 . 2011-12-15 20:32 -------- d-----w- c:\program files\Norton Security Scan
2011-12-15 20:32 . 2011-12-15 20:32 -------- d-----w- c:\program files\NortonInstaller
2011-12-15 02:41 . 2011-12-15 02:41 -------- d-----w- c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com
2011-12-15 02:40 . 2011-12-15 02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-15 02:40 . 2011-12-15 02:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2011-12-14 08:02 . 2011-12-14 08:02 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\PCHealth
2011-12-11 07:00 . 2011-12-11 07:01 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2011-12-09 22:58 . 2011-12-09 22:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-12-09 22:58 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 19:07 . 2011-12-09 19:07 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\PrivacIE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 13:45 . 2004-08-04 10:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54 . 2010-06-25 21:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2010-06-25 21:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-03-30 01:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2005-03-30 01:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-06-25 00:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-03 68856]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-09-28 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-04-09 826880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-3 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59156:TCP"= 59156:TCP:*:Disabled:Pando Media Booster
"59156:UDP"= 59156:UDP:*:Disabled:Pando Media Booster
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/1/2008 8:12 AM 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/9/2011 5:58 PM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 8:57 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 8:57 AM 135664]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 5:43 PM 32408]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 13:57]
.
2011-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 13:57]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1343024091-725345543-1005Core.job
- c:\documents and settings\Ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-14 09:26]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1343024091-725345543-1005UA.job
- c:\documents and settings\Ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-14 09:26]
.
2011-12-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1343024091-725345543-1006Core.job
- c:\documents and settings\Jessica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-25 00:00]
.
2011-12-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1343024091-725345543-1006UA.job
- c:\documents and settings\Jessica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-25 00:00]
.
2011-12-29 c:\windows\Tasks\Norton Security Scan for Ryan.job
- c:\progra~1\NORTON~2\Engine\361~1.11\Nss.exe [2011-12-15 07:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.lycos.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080404
uInternet Settings,ProxyServer = http=127.0.0.1:1036
uInternet Settings,ProxyOverride = *.local;<local>
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: paflyfish.com\www
Trusted Zone: progressive.com\onlineservice1
Trusted Zone: progressive.com\onlineservice2
TCP: DhcpNameServer = 192.168.1.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\4f38q9o3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.paflyfish.com/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKCU-Run-bjmkphdpbjutw - c:\documents and settings\ryan\local settings\application data\csqcsk\bkrrfax.exe
HKCU-Run-ohkwfbil - c:\documents and settings\ryan\local settings\application data\uuybbxs\yhygny.exe
HKCU-Run-jpqmemwsp - c:\documents and settings\ryan\local settings\application data\gqcrfqa\skqmhbu.exe
HKCU-Run-frdavdhbjh - c:\documents and settings\ryan\local settings\application data\yfrqxjra\wxacfsm.exe
HKCU-Run-aqypdslpke - c:\documents and settings\ryan\local settings\application data\pftwdd\homxift.exe
HKCU-Run-DriverBoost - c:\program files\DriverBoost\DriverBoost.exe
HKLM-RunOnce-SymInstallStub - c:\documents and settings\All Users.WINDOWS\Application Data\DivX\Symantec\SymInstallStub.exe
SafeBoot-67733800.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-29 20:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,0b,c6,b4,cf,09,f1,4b,bd,99,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,0b,c6,b4,cf,09,f1,4b,bd,99,a1,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\09\02\1b\0c\0e\"?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(1488)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Flip Video\FlipShare\FlipShareService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Super_DVD_Creator_9.8\NMSAccessU.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2011-12-29 20:18:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-30 01:17
ComboFix2.txt 2008-09-03 12:12
.
Pre-Run: 27,490,238,464 bytes free
Post-Run: 30,075,797,504 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 5C9B76AD335A0296E4DA91BD8240AF2B

#8 nasdaq

nasdaq

  • Malware Response Team
  • 20,938 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:41 AM

Posted 31 December 2011 - 11:02 AM

I'm not a supporter of the Trusted Zone.

Trusted Zone: paflyfish.com\www
Trusted Zone: progressive.com\onlineservice1
Trusted Zone: progressive.com\onlineservice2

You are open to some infection should these sites, with or without their knowledge, be hosting a bad file.
In that Zone nothing will stop them from being downloaded to your computer.
Your call if you want to keep them.


Third party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Open notepad and copy/paste the text in the quote box below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:1036
uInternet Settings,ProxyOverride = *.local;<local>



Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.
===

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Please post the logs and let me know what problem persists.

p.s. A reminder: when we are finished I suggest you defrag your computer.
Many files were removed by ComboFix and a defrag would be in order.

#9 Hughzar

Hughzar
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Local time:08:41 AM

Posted 04 January 2012 - 11:34 AM

The computer still seems a bit slow, but it could just need the defrag that you suggested when we are finished. Additionally, the multiple browsers I mentioned on the 31st are listed as running in the system processes, as are the svchost.exe processes. Here are the logs you requested that I completed--


Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
```````````````````````````````
Anti-malware/Other Utilities Check:

SUPERAntiSpyware
Java™ 6 Update 30
Adobe Flash Player 10.1.53.64 Flash Player out of Date!
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (3.6.12) Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
``````````End of Log````````````




ComboFix 12-01-02.01 - Ryan 01/02/2012 17:45:55.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1327 [GMT -5:00]
Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ryan\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-12-02 to 2012-01-02 )))))))))))))))))))))))))))))))
.
.
2011-12-15 20:32 . 2011-12-15 20:32 -------- d-----w- c:\windows\system32\drivers\NSS
2011-12-15 20:32 . 2011-12-15 20:32 -------- d-----w- c:\program files\Norton Security Scan
2011-12-15 20:32 . 2011-12-15 20:32 -------- d-----w- c:\program files\NortonInstaller
2011-12-15 02:41 . 2011-12-15 02:41 -------- d-----w- c:\documents and settings\Ryan\Application Data\SUPERAntiSpyware.com
2011-12-15 02:40 . 2011-12-15 02:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-15 02:40 . 2011-12-15 02:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2011-12-14 08:02 . 2011-12-14 08:02 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\PCHealth
2011-12-11 07:00 . 2011-12-11 07:01 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Adobe
2011-12-09 22:58 . 2011-12-09 22:58 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2011-12-09 22:58 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-09 19:07 . 2011-12-09 19:07 -------- d-sh--w- c:\documents and settings\NetworkService.NT AUTHORITY\PrivacIE
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 13:45 . 2004-08-04 10:00 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2011-11-23 13:25 . 2004-08-04 10:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-10 10:54 . 2010-06-25 21:20 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 08:27 . 2010-06-25 21:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2004-08-04 10:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 10:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-03-30 01:21 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2005-03-30 01:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2004-08-04 10:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2010-06-25 00:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-30_01.04.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-02 22:37 . 2012-01-02 22:37 16384 c:\windows\temp\Perflib_Perfdata_558.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellAutomatedPCTuneUp"="c:\program files\DellAutomatedPCTuneUp\PTAgnt.exe" [2007-10-11 465136]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-03 68856]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2011-09-28 3077528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-26 2289664]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-27 851968]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 303104]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-04-09 826880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-4-3 50688]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59156:TCP"= 59156:TCP:*:Disabled:Pando Media Booster
"59156:UDP"= 59156:UDP:*:Disabled:Pando Media Booster
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [9/1/2008 8:12 AM 652872]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/9/2011 5:58 PM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 8:57 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/4/2010 8:57 AM 135664]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 5:43 PM 32408]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 13:57]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-04 13:57]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1343024091-725345543-1005Core.job
- c:\documents and settings\Ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-14 09:26]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1343024091-725345543-1005UA.job
- c:\documents and settings\Ryan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-14 09:26]
.
2012-01-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1343024091-725345543-1006Core.job
- c:\documents and settings\Jessica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-25 00:00]
.
2012-01-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-1343024091-725345543-1006UA.job
- c:\documents and settings\Jessica\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-25 00:00]
.
2012-01-02 c:\windows\Tasks\Norton Security Scan for Ryan.job
- c:\progra~1\NORTON~2\Engine\361~1.11\Nss.exe [2011-12-15 07:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mail.lycos.com/
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080404
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
Trusted Zone: paflyfish.com\www
Trusted Zone: progressive.com\onlineservice1
Trusted Zone: progressive.com\onlineservice2
TCP: DhcpNameServer = 192.168.1.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\4f38q9o3.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.paflyfish.com/
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-02 18:05
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,0b,c6,b4,cf,09,f1,4b,bd,99,a1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b5,0b,c6,b4,cf,09,f1,4b,bd,99,a1,\
.
[HKEY_LOCAL_MACHINE\software\Microsoft\DbgagD\1*]
"value"="?\09\02\1b\0c\0e\"?"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(800)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_150c9e8b\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'explorer.exe'(2640)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-02 18:09:21
ComboFix-quarantined-files.txt 2012-01-02 23:09
ComboFix2.txt 2011-12-30 01:18
ComboFix3.txt 2008-09-03 12:12
.
Pre-Run: 29,966,761,984 bytes free
Post-Run: 29,955,522,560 bytes free
.
- - End Of File - - 6C41CB84AE730B6F00D916077207D1BA



C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinZBot.zip Win32/Bagle.gen.zip worm cleaned by deleting - quarantined
C:\Documents and Settings\Jessica\Desktop\Music\Perry Farrell - Go All Way (Into the Twilight)2.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\Jessica\Desktop\Music\robert pattinson -never think.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan cleaned - quarantined
C:\Documents and Settings\Jessica\Local Settings\Temp\nps1C2D.tmp JS/Exploit.Pdfka.OCR.Gen trojan cleaned by deleting - quarantined
C:\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\Sun\Java\Deployment\cache\6.0\48\79dd2570-70fd7dd8 a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-14b4f34f Java/Agent.BV trojan deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\12\6d0f390c-570a424b multiple threats deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\14\691e0a8e-2db4690c probably a variant of Java/Agent.BR trojan deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\30\3a25b1e-16fea1a4 multiple threats deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\35\6e9ba0e3-24a26870 multiple threats deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\35\ece84e3-6b0186b0 Java/Exploit.CVE-2009-3867.AL trojan deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-3020ad5f Java/Agent.BV trojan deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\45\4d0ed4ad-6e877c88 a variant of Java/Agent.DZ trojan deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\51\4c81ed73-6f75de1a probably a variant of Java/Agent.BR trojan deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\53\42b098b5-2eb9f2ac multiple threats deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\53\52614f75-18eb48c9 probably a variant of Java/Agent.BR trojan deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-3b22002b Java/Agent.BV trojan deleted - quarantined
C:\Documents and Settings\Ryan\Desktop\Apps\Nero-8.3.2.1b_eng_trial.exe Win32/Toolbar.AskSBar application deleted - quarantined
C:\Documents and Settings\Ryan\Desktop\Music\Meatloaf - Bat out of hell.mp3 WMA/TrojanDownloader.GetCodec.C trojan cleaned by deleting - quarantined
C:\Documents and Settings\Ryan\Desktop\Music\shes got way to move me.mp3 WMA/TrojanDownloader.GetCodec.C trojan cleaned by deleting - quarantined
C:\Documents and Settings\Ryan\My Documents\Downloads\cnet_dvdflick_setup_1_3_0_7_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP801\A0082867.exe Win32/Spy.Zbot.YW trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP802\A0082878.exe Win32/Spy.Zbot.JF trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP805\A0084053.dll Win32/Olmarik.ZC trojan cleaned - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054647.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054727.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054744.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054752.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054769.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054779.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054785.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054795.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054831.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP556\A0054833.exe a variant of Win32/Kryptik.EZB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP559\A0054988.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP561\A0055115.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP562\A0058327.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP562\A0058395.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP562\A0059394.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP563\A0060394.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP563\A0061394.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP563\A0062394.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP563\A0062408.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP563\A0063408.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP565\A0064408.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP568\A0064643.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP571\A0064797.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP573\A0064842.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP573\A0065842.sys a variant of Win32/Rootkit.Kryptik.GY trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A6E0A222-AF21-4BA9-B92E-00DE3F8DD839}\RP580\A0066454.exe Win32/Toolbar.AskSBar application deleted - quarantined

#10 nasdaq

nasdaq

  • Malware Response Team
  • 20,938 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:41 AM

Posted 04 January 2012 - 02:57 PM

Critical vulnerabilities have been identified in Adobe Flash Player 10.3.183.10 and earlier versions... being exploited in the wild in active targeted attacks... update to Adobe Flash Player 11.0.1.152

Flash Player 11.0.1.152

On the top of the page you will be given an opportunity to download the version for your operating system.
Make sure you select appropriate version.

You will also have an option to install the Free! McAfee Security Scan Plus Un-check the box if you are NOT using McAfee's virus protection software.

For the users of Internet Explorer download version 11.
Flash Player 11 (64 bit)
Flash Player 11 (32 bit)
===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.


===

This booster has two ports open.
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe"
Do you need this process to run at startup?

This may be helpful.
http://na.leagueoflegends.com/board/showthread.php?t=1420124

Keep me posted.
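The check behind the question above (an autostart entry whose process also has listening ports) can be done from PowerShell. This is an added example, not part of nasdaq's post; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection (on older systems the same socket-to-PID mapping comes from `netstat -ano`).

```powershell
# Added example: correlate HKLM/HKCU Run autostart entries with listening TCP ports.
# Assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 or later).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Collect Name -> Command for every autostart value under the Run keys
$autostart = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
    }
}

# Listening TCP sockets grouped by owning process id (string keys)
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Group-Object -Property OwningProcess -AsHashTable -AsString

foreach ($entry in $autostart) {
    # Extract the executable path: a quoted path, or the first token before any arguments
    if ($entry.Command -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($entry.Command -split ' ')[0] }

    # Find running processes started from that path (Path is empty for protected processes)
    $procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -and $_.Path -ieq $exe }
    foreach ($proc in $procs) {
        $ports = @()
        if ($listeners -and $listeners.ContainsKey([string]$proc.Id)) {
            $ports = $listeners[[string]$proc.Id] | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }
        }
        [pscustomobject]@{
            Autostart = $entry.Name
            Path      = $exe
            PID       = $proc.Id
            Listening = ($ports -join ', ')   # empty when the process holds no listening socket
        }
    }
}
```

An autostart program that shows up with listening ports, like the PMB.exe entry quoted above, is the kind of entry worth reviewing for whether it needs to run at all.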

#11 Hughzar

Hughzar
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 07 January 2012 - 08:55 AM

Ok, I updated everything you recommended. The computer seems to be closer to its former glory, with the exception of the multiple browser processes running when only one browser window is open. Tomorrow I am off work and I will defrag my hard drive unless you recommend something else be done first.

#12 nasdaq

nasdaq

  • Malware Response Team
  • 20,938 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:41 AM

Posted 07 January 2012 - 10:40 AM

Just as a security issue run this tool.

Please download DrWeb-CureIt and save it to your Desktop. Do NOT perform a scan yet

  • Double-click on drweb-cureit.exe to start the program.
    An Express Scan of your PC notice will appear.
  • Under Start the Express Scan Now, Click OK to start the scan.
    This is a short scan that will scan the files currently running in memory.
    If something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the Scan tab and UNcheck Heuristic analysis
  • Back at the main window, click Custom Scan, then Select drives (a red dot will show which drives have been chosen).
  • Then click the Start/Stop Scanning button (green arrow on the right), and the scan will start.
  • When finished, a message will be displayed at the bottom advising if any viruses were found.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found.
    If so, click it, then click the next icon right below and select Move incurable.
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your Desktop.
  • Exit Dr.Web Cureit when you have finished.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)


#13 nasdaq

nasdaq

  • Malware Response Team
  • 20,938 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:41 AM

Posted 13 January 2012 - 09:23 AM

Are you still with me?

#14 Hughzar

Hughzar
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  •  
  • Local time:08:41 AM

Posted 17 January 2012 - 09:23 AM

I am, sorry. My furnace blew and I have thus been a bit preoccupied. I ran the drweb-cureit as recommended, but it found no threats. When there was no log to post, I ran the program a second time to see if I had missed. Apparently if there are no problems no log is created. As of yet, I have still not defragged.

nasdaq, I appreciate your patience with my rather inconsistent schedule.

#15 nasdaq

nasdaq

  • Malware Response Team
  • 20,938 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:41 AM

Posted 17 January 2012 - 10:37 AM

I think this topic will answer your Chrome issue.

http://www.google.com/support/forum/p/Chrome/thread?tid=5d15844c7c5ac9db&hl=en

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

