
Internet Explorer redirect virus


  • This topic is locked
22 replies to this topic

#1 hydrosong

  • Members
  • 27 posts
  • Gender:Male
  • Location:Birmingham, AL

Posted 21 January 2012 - 06:17 PM

The "Windows XP Security 2012" fake virus showed up on my computer last Sunday (1/15/2012). No one clicked on anything and we closed the window without clicking on it (Task Manager closed it). I couldn't open any programs so I rebooted in safe mode and did a system restore that allowed me to resume using my computer. However, it was immediately apparent that I had been infected by an Internet Explorer redirector virus. Actually, it seems to have affected Firefox and Chrome as well. I immediately unplugged my computer from the internet and began some cleaning activities to include increasing my IE security settings, removing all cookies and IE cache. Then I reviewed that they were gone using Windows File Explorer. By the time I was able to get into File Explorer (a few seconds) a lot of stuff was already back in my cookies directory. So I manually deleted all of that. I continued to look around and saw additional IE cookie and cache directories such as in \documents and settings\networkservice\local settings\temporary internet files\. I also noted that Task Manager showed 100% CPU usage by ping.exe while I was unplugged from the internet.

Then I plugged back into the internet and saw ping.exe drop to 0% in about 15-20 seconds, but svchost.exe began running the Windows Audio, Background Intelligent Transfer Service, crypto . . . etc. beginning activity. This looks like the .NET framework being used to bring in files without opening IE. Then I noticed that all of the files I had deleted from \documents and settings\networkservice\local settings\temporary internet files\ started showing up again. I could actually see them appear in File Explorer. I couldn't delete many of them right then because they were in use by "another program". Eventually, this process loaded over 13,000 files comprising about 650 megabytes. I unplugged from the internet again and was able to delete most of them again.

I looked at a number of the files using a thumbnails display and could see that it included a lot of pictures that looked like they were intended to be part of advertisements. There were also a lot of .html files, .xml files, and .js files. I looked at some of these using Notepad. I came to the general conclusion that all of these files were related to advertising web sites. I wondered if they could actually be getting on my computer to use me as an ad-bot zombie. Alternatively, they could just be the intended source of ads to redirect my browser to.

At the moment, my computer is unplugged from the internet. I have run Windows Malicious Software Removal Tool, installed Windows Security Essentials, Ad-Aware, run Malwarebytes, and installed and run HijackThis.

The listing from the initial run of HijackThis is below. Any assistance will be appreciated. If I have not posted this issue correctly, please redirect me. I tried to follow the instructions.

I am running Windows XP Pro SP3, with IE 8.

Hydrosong
___________________________________________________


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:32:37, on 01/21/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - d:\Program Files\DRM Converter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - d:\Program Files\DRM Converter\YouTubeRipper.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270754227921
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188093441786
O16 - DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} (SAXFileEE FileDownload ActiveX Control) - http://appsnet.bentley.com/myselectcd/SAXFileEE.cab
O16 - DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.custhelp.com/7550-b415h/rnl/java/RntX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6307 bytes

Edited by Budapest, 21 January 2012 - 06:29 PM.
Moved from AII
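A practitioner reading a HijackThis log like the one above usually wants its entries in a structured form, so that orphaned entries ("no file"), autostarts that point into user-writable locations, and the sources of downloaded ActiveX controls (O16 lines) can be reviewed at a glance instead of by eye. The script below is an added example written for this thread; it is not HijackThis code and not something any participant posted. The section-code regex, the `Entry` fields and the triage heuristics are its own assumptions, and the sample lines are copied from the log above so that it runs offline.

```python
"""Parse HijackThis-style log lines and flag entries worth a second look.

Added example for reviewing a HijackThis log; not HijackThis code. The
Entry fields, the regexes and the triage rules are this example's own
assumptions, not a documented format specification.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# A HijackThis entry is a section code (R0-R3, F0-F3, N1-N4, O1-O24),
# then " - ", then a section-specific body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s+-\s+(?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# Locations writable without admin rights: an autostart there is a review
# prompt, not a verdict (legitimate tools install there too).
USER_WRITABLE_RE = re.compile(r"documents and settings|application data|\\temp\\", re.I)
MISSING_RE = re.compile(r"no file", re.I)


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    path: Optional[str]  # file path, command line or URL, when the section has one
    missing_file: bool


def _extract_path(code: str, body: str) -> Optional[str]:
    """Pull the file/command/URL part out of an entry body."""
    if code == "O4":
        # O4 - HKLM\..\Run: [Name] "C:\dir\prog.exe" -args (User 'X')
        m = re.search(r"\]\s*(.*)$", body)
        cmd = m.group(1) if m else body
        cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd).strip()
        return cmd or None
    if code.startswith("R"):
        # R0/R1 - HKCU\...\Main,Start Page = http://...
        _, sep, value = body.partition(" = ")
        if not sep:
            return None
        return value.strip() or None
    parts = body.split(" - ")
    return parts[-1].strip() if len(parts) > 1 else None


def parse_hjt(text: str) -> List[Entry]:
    """Return the R/F/N/O entries of a log; header and process lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        clsid = CLSID_RE.search(body)
        missing = bool(MISSING_RE.search(body))
        path = None if missing else _extract_path(code, body)
        entries.append(Entry(code, body, clsid.group(0) if clsid else None, path, missing))
    return entries


Finding = Tuple[str, str, str]  # (section code, reason, detail)


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply three simple review heuristics to parsed entries."""
    findings: List[Finding] = []
    for e in entries:
        if e.missing_file:
            findings.append((e.code, "entry points at a file that no longer exists", e.body))
        elif e.code == "O4" and e.path and USER_WRITABLE_RE.search(e.path):
            findings.append((e.code, "autostart from a user-writable location", e.path))
        elif e.code == "O16" and e.path:
            host = urlparse(e.path).hostname or "?"
            findings.append((e.code, f"ActiveX control downloaded from {host}", e.path))
    return findings


# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O24 - Desktop Component 0: (no name) - (no file)
"""

if __name__ == "__main__":
    for code, reason, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{code:4} {reason}: {detail}")
```

Run against the sample it reports three items for review: the Ad-Aware autostart under "Documents and Settings" (legitimate here, but the heuristic cannot know that), the Musicnotes ActiveX download, and the orphaned O24 desktop component. The point of the heuristics is to order a long log for a human reviewer, not to decide what is malicious.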



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,476 posts
  • Gender:Not Telling
  • Location:Canada

Posted 22 January 2012 - 12:42 PM

Do you have another computer that you can use to download programs and then transfer them to the infected PC? You should leave it disconnected from the internet for now.

Please run the following:

Please download DDS from either of these links

LINK 1
LINK 2

and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds to run the tool.
  • When done, two DDS.txt's will open.
  • Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


NEXT

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013

#3 hydrosong
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Birmingham, AL

Posted 22 January 2012 - 03:23 PM

Thank you for your reply. I do have another computer and will do as you ask this afternoon.
Dhains

#4 hydrosong
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Birmingham, AL

Posted 23 January 2012 - 01:30 AM

Attached File: MBR.zip (510 bytes)

I have done the requested scans. In order to run the aswMBR scan I had to connect to the internet to download the virus definitions, so I made a backup of my important data 1st. As soon as I booted (with no internet connection) I started hearing a lot of disk activity. And, again, the svchost.exe was running at about 50%. I had a hard time figuring out what was going on. Eventually (20 minutes) the disk activity ceased and I did a full disk dir on my C: and D: drives. It appears that a ton of stuff in the D-drive Visual Basic directories was zipped (or copied onto that drive).

Finally after performing the backup, I have run the scans. They are posted below:

DDS.txt
____________________________________
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Run by dhains at 19:24:57 on 2012-01-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1409 [GMT -6:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uURLSearchHooks: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
TB: {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Ad-Aware Browsing Protection] "c:\documents and settings\all users\application data\ad-aware browsing protection\adawarebp.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f
dRunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {38E51477-DDB4-4aed-9D61-D0C193E10749} - {38E51477-DDB4-4aed-9D61-D0C193E10749} - d:\program files\drm converter\YouTubeRipper.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
LSP: mswsock.dll
Trusted Zone: $talisma_url$
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/A/7/D/A7D1EBE3-8E78-4CBE-B22B-EEECF9E3A1BC/fhg.CAB
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270754227921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188093441786
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} - hxxp://appsnet.bentley.com/myselectcd/SAXFileEE.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D4B68B83-8710-488B-A692-D74B50BA558E} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPIDPDE.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E7D2588A-7FB5-47DC-8830-832605661009} - hxxp://livenj01.custhelp.com/7550-b415h/rnl/java/RntX.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://ccfiles.creative.com/Web/softwareupdate/ocx/15113/CTPID.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\dhains\application data\mozilla\firefox\profiles\z7ooe01l.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
FF - plugin: c:\documents and settings\dhains\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dhains\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: d:\program files\itunes\mozilla plugins\npitunes.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2012-1-21 64512]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [2010-4-8 87064]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-12-23 2152688]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-2-11 35088]
R2 PortTalk;PortTalk;c:\windows\system32\drivers\porttalk.sys [2007-1-31 3567]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [2006-10-6 34944]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
R3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [2011-6-5 23608]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-12-23 15232]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [2011-6-5 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [2011-6-5 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [2011-6-5 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [2011-6-5 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [2011-6-5 25704]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2007-2-18 16512]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2010-3-18 99416]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2010-3-18 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2010-3-18 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2010-3-18 566360]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [2009-3-4 21016]
S4 bomgar-scc-1327076292;Bomgar Support Customer Client [1327076292];c:\documents and settings\all users\application data\bomgar-scc-4f1993c4\bomgar-scc.exe [2012-1-20 917440]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-12-2 79360]
S4 GSService;GSService;c:\windows\system32\GSService.exe [2011-6-5 745472]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-1 133104]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-11-1 133104]
S4 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\androidusb.sys --> c:\windows\system32\drivers\ANDROIDUSB.sys [?]
S4 IYSODiskOptimizer;IYSODiskOptimizer;c:\program files\iyogi support dock\pccare\iysoDefragSrv.exe [2011-11-17 263168]
S4 MSSQL$ACCUCHEK360;SQL Server (ACCUCHEK360);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2007-2-10 29178224]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]
S4 rcvpn;rcvpn;c:\windows\system32\drivers\rcvpn.sys --> c:\windows\system32\drivers\rcvpn.sys [?]
S4 SDiManage;SDiManage;c:\program files\iyogi\sdimanage\IYogiMonitoringSvc.exe [2011-11-3 17408]
S4 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [2011-6-5 243712]
S4 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S4 SupportDockService.exe;Support Dock Service;c:\program files\iyogi support dock\services\commagent\SupportDockService.exe [2011-8-30 73728]
S4 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\sonicwall\sonicwall global vpn client\SWGVCSvc.exe [2009-3-5 227352]
.
=============== Created Last 30 ================
.
2012-01-23 01:12:17 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2012-01-21 22:31:56 388096 ----a-r- c:\documents and settings\dhains\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-01-21 22:03:54 3076 ---ha-w- C:\aaw7boot.cmd
2012-01-21 20:28:58 -------- d-----w- c:\documents and settings\dhains\local settings\application data\adaware
2012-01-21 20:28:56 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2012-01-21 20:28:49 -------- d-----w- c:\documents and settings\dhains\application data\adawaretb
2012-01-21 20:28:48 -------- d-----w- c:\program files\adawaretb
2012-01-21 20:28:39 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-01-21 18:28:17 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-01-20 16:18:12 -------- d-----w- c:\documents and settings\all users\application data\bomgar-scc-4F1993C4
2012-01-19 15:30:25 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-01-19 15:30:25 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-01-18 16:58:10 6557240 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{889601a7-e2a6-4305-9417-ee1e92468021}\mpengine.dll
2012-01-18 16:57:34 222080 ------w- c:\windows\system32\MpSigStub.exe
2012-01-18 16:41:02 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-16 21:27:45 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-16 21:24:52 -------- d-----w- c:\program files\Toolbar Cleaner
2012-01-16 00:05:22 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-01-16 00:05:22 -------- d-----w- c:\windows\system32\wbem\Repository
.
==================== Find3M ====================
.
2011-12-10 21:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57:19 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35:08 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21:44 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21:44 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28:36 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28:36 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 19:26:17.53 ===============



Attach.txt
___________________________________________________

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/06/2006 11:08:16
System Uptime: 01/22/2012 19:05:50 (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | P5B-E
Processor: Intel® Core™2 CPU 6400 @ 2.13GHz | Socket 775 | 2128/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 20 GiB total, 0.138 GiB free.
D: is FIXED (NTFS) - 130 GiB total, 58.429 GiB free.
E: is Removable
R: is CDROM ()
S: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\DE7B4C11D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\DE7B4C11D800
Service: NIC1394
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SonicWALL Virtual NIC
Device ID: ROOT\SWVNIC\0000
Manufacturer: SonicWALL
Name: SonicWALL Virtual NIC
PNP Device ID: ROOT\SWVNIC\0000
Service: SWVNIC
.
==== System Restore Points ===================
.
RP2135: 01/21/2012 14:28:32 - Installed Ad-Aware
RP2136: 01/21/2012 16:31:55 - Installed HiJackThis
RP2137: 01/22/2012 19:08:09 - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
.
7-Zip 9.22beta
AboutTime
ACCU-CHEK 360°
ActiveHome Pro
Ad-Aware
Ad-Aware SE Personal
Ad-Aware Security Toolbar
Adobe AIR
Adobe Reader X (10.1.1)
Advanced CheckSum Verifier
AI Suite
Aimersoft DRM Media Converter(Build 1.4.7.2)
Airfoil Speakers
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcView 3D Analyst
ArcView GIS 3.3
ArcView Image Analysis
ArcView Spatial Analyst
ARIA Engine v1.0.9.8
ASCOM Platform 5.0b
ASCOM Platform 5.5.1 Update (5.5.23.18)
ASUS Enhanced Display Driver
ASUS nVIDIA Driver
ATT-PRT22
Attansic Giga Ethernet Utility
Attansic L1 Gigabit Ethernet Driver
Audacity 1.2.6
Audible Download Manager
Bentley Descartes 2004 Edition (V 08.05.02.25)
Bentley InRoads Group 2004 Edition (V8.8)
Bentley MicroStation (V 08.05.02.55) - 1
Bonjour
Borland Data Engine
CCleaner
CDBurnerXP
CDBurnerXP Pro 3
CHECKRAS
Civil InRoads Suite V8.5 SP7
Clickie
CloneCD
Compatibility Pack for the 2007 Office system
Corpscon 6.0.1
Creative Audio Console
Creative MediaSource 5
Creative Software AutoUpdate
Creative WaveStudio 7
Daniusoft Video Converter Ultimate(Build 3.0.3.1)
DIADvisor
Diet Pro
DRM Converter 4.2.1
Email Address Collector
FileZilla Client 3.5.3
Finale 2009
Finale 2011
FinePrint
Garmin BaseCamp
Garmin City Navigator North America NT 2011
Garmin MapSource
Garmin TOPO U.S. 24K Southeast v2
Garmin Trip and Waypoint Manager v5
Garmin USB Drivers
Garritan ARIA Player v1.02
Garritan Instruments for Finale
Garritan Instruments for Finale 2009
GIMP 2.6.8
GnuWin32: Groff-1.20.1
Google Earth
Google SketchUp 8
Google Talk Plugin
Google Update Helper
Google Updater
Handbrake
HEC-DSSVue 2.0
HEC-FDA
HEC-RAS 3.1.2
HEC-RAS 3.1.3
HEC-RAS 4.0
HEC-RAS 4.0 Beta
High Definition Audio Driver Package - KB888111
HiJackThis
HijackThis 2.0.2
HomeNet Manager
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
hp deskjet 5550 series
hp deskjet 5550 series (Remove only)
hp print screen utility
HTC BMP USB Driver
IrfanView (remove only)
iTunes
iYogi Support Dock 5.5.1
J2SE Runtime Environment 5.0 Update 6
Japanese Fonts Support For Adobe Reader 8
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
K-Lite Codec Pack 5.1.0 (Full)
KEDIT for Windows 1.5
Launchy 1.25
Lizardtech DjVu Control
Logitech QuickCam
Logitech QuickCam Driver Package
Lookout
LView Pro Full Version
Malwarebytes Anti-Malware version 1.60.0.1800
ManageEngine NetFlow Analyzer 9
MapSource - US Topo v3.02
Microsoft .NET Compact Framework 1.0 SP3 Developer
Microsoft .NET Compact Framework 2.0
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft English TTS Engine
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Access database engine 2007 (English)
Microsoft Office XP Professional
Microsoft Security Client
Microsoft Security Essentials
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (ACCUCHEK360)
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Streets & Trips 2010
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable Package
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Mozilla Firefox 8.0.1 (x86 en-US)
MSN Music Assistant
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB973685)
MSXML 6.0 Parser (KB933579)
Network Print Monitor for Windows 2000/XP/2003
Network Scan
Nmap 5.51
NVIDIA Drivers
PC Wizard 2006.1.70
PC Wizard 2008.1.82
PDFCreator
Photo Paper Saver
PKFQWin 5.2
PowerArchiver
PowerSDR v1.16.2
PS3 Media Server
QFolder
Quicken 2011
QuickTime
RASPLOT
RedistSysFiles
Score Writer 4.15
SDiManage
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB925674)
Security Update for Microsoft Visual Studio 2005 Professional Edition - ENU (KB937060)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Sibelius Scorch (ActiveX Only)
Sibelius Scorch Plugin
Silverfrost FTN95
Silverfrost FTN95 for Visual Studio 2005 SP3
Skype™ 4.2
Solero Music Viewer 8.0.25.332
SonicWALL Global VPN Client
Sound Blaster Audigy 2
SoundFont Bank Manager
SoundMAX
Spybot - Search & Destroy
SSIArcPoly
Starry Night Enthusiast 6
Starry Night Pro 6
StormCAD 5.5 by Haestad Methods
The Moving Man
Timex Data Link USB
Timex Data Link USB Update Utility
TurboTax 2008
TurboTax 2008 waliper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 waliper
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wmdiper
TurboTax 2009 wrapper
TurboTax 2010
TurboTax 2010 waliper
TurboTax 2010 WinPerFedFormset
TurboTax 2010 WinPerReleaseEngine
TurboTax 2010 WinPerTaxSupport
TurboTax 2010 wmdiper
TurboTax 2010 wmeiper
TurboTax 2010 wrapper
TurboTax Deluxe 2007
TurboTax Deluxe Deduction Maximizer 2006
TurboTax ItsDeductible 2006
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VBA (2627.01)
Visual Basic for Applications ® Core
Visual Basic for Applications ® Core - English
Visual C++ 8.0 CRT (x86) WinSXS MSM
Wave Corrector PE version 3.3 Revision 1
WebFldrs XP
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0
Windows XP Service Pack 3
WinPcap 4.1.2
Xerox WorkCentre 3220
Xilisoft Audio Maker
Xilisoft DVD Copy Express
Xilisoft DVD Copy Express SE
Xilisoft DVD Creator
Xilisoft DVD Ripper Ultimate
Xilisoft Video Converter Ultimate
XY Chart Labeler 7.0
.
==== Event Viewer Messages From Past Week ========
.
01/20/2012 12:10:20, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AsIO asuskbnt ElbyCDIO Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss sptd SWIPsec Tcpip
01/20/2012 12:09:21, error: sptd [4] - Driver detected an internal error in its data structures for .
01/20/2012 11:05:50, error: Print [19] - Sharing printer failed + 1722, Printer Xerox WorkCentre 3220 PCL 6 share name Printer2.
01/20/2012 10:22:12, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.119.90.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8001.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
01/20/2012 09:56:43, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.119.90.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8001.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
01/20/2012 08:32:41, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.119.90.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8001.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
01/19/2012 22:05:35, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.119.90.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: Default URL Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8001.0 Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
01/19/2012 22:05:35, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
01/19/2012 11:08:18, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.119.90.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.8001.0 Error code: 0x8024402c Error description: An unexpected problem occurred while checking for updates. For information on installing or troubleshooting updates, see Help and Support.
01/19/2012 09:30:12, error: Dhcp [1002] - The IP address lease 10.0.0.26 for the Network Card with network address 0018F35FCDC8 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
01/19/2012 09:12:16, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AsIO asuskbnt ElbyCDIO Fips intelppm MpFilter
01/18/2012 14:35:14, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
01/18/2012 09:50:18, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
01/17/2012 03:08:56, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
01/17/2012 03:06:16, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
01/17/2012 03:04:30, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
01/17/2012 03:03:31, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
01/16/2012 21:20:04, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
01/16/2012 20:55:59, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
01/16/2012 20:53:02, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AsIO asuskbnt ElbyCDIO Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SWIPsec Tcpip
01/16/2012 20:53:02, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
01/16/2012 20:53:02, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
01/16/2012 20:53:02, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
01/16/2012 20:53:02, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
01/16/2012 20:53:02, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
01/16/2012 20:53:02, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
01/16/2012 20:30:56, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
01/16/2012 19:33:15, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 006073D562CF. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
01/15/2012 16:51:29, error: TermDD [50] - The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
.
==== End Of File ===========================


aswMBR.txt
_____________________________
aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-22 23:47:30
-----------------------------
23:47:30.968 OS Version: Windows 5.1.2600 Service Pack 3
23:47:30.968 Number of processors: 2 586 0xF06
23:47:30.968 ComputerName: HAINS1 UserName: dhains
23:47:31.140 Initialize success
23:48:48.156 AVAST engine defs: 12012201
23:49:44.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-19
23:49:44.546 Disk 0 Vendor: WDC_WD1600JS-60MHB5 10.02E04 Size: 152627MB BusType: 3
23:49:44.562 Disk 0 MBR read successfully
23:49:44.562 Disk 0 MBR scan
23:49:44.640 Disk 0 Windows XP default MBR code
23:49:44.656 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 20002 MB offset 63
23:49:44.718 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 132622 MB offset 40965750
23:49:44.734 Disk 0 scanning sectors +312576705
23:49:44.828 Disk 0 scanning C:\WINDOWS\system32\drivers
23:49:57.078 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Aluroot-B [Rtk]
23:50:05.406 Disk 0 trace - called modules:
23:50:05.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89004ff0]<<
23:50:05.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6b0ab8]
23:50:05.421 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> [0x890928d8]
23:50:05.437 \Driver\00001353[0x890db418] -> IRP_MJ_CREATE -> 0x89004ff0
23:50:06.500 AVAST engine scan C:\WINDOWS
23:50:21.203 AVAST engine scan C:\WINDOWS\system32
23:52:18.953 AVAST engine scan C:\WINDOWS\system32\drivers
23:52:26.031 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Aluroot-B [Rtk]
23:52:31.468 AVAST engine scan C:\Documents and Settings\dhains
23:55:37.937 AVAST engine scan C:\Documents and Settings\All Users
23:57:30.937 Scan finished successfully
00:01:55.468 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\dhains\Desktop\Bleep\MBR.dat"
00:01:55.468 The log file has been saved successfully to "C:\Documents and Settings\dhains\Desktop\Bleep\aswMBR.txt"
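
The aswMBR report above flags a driver file as infected and shows a disk I/O dispatch trace that ends in a module the tool could not identify. As an added example that is not part of this thread or of the aswMBR/TDSSKiller tools, here is a small Python triage script that pulls those indicators (`**INFECTED**` files, `>>UNKNOWN<<` addresses, and `IRP_MJ_*` dispatch entries that point at such an address) out of a log in this format and cross-checks the infected driver's name against a Service Control Manager 7026 "failed to load" event from the DDS event list. The sample log lines, the regular expressions and the function names (`parse_aswmbr`, `parse_events`, `triage`) are constructed for the example; they mirror the thread's format but are not the tools' own output or API.

```python
"""Triage helper for aswMBR-style rootkit scan logs and DDS event-viewer lines.

Added example: not from the forum thread and not part of aswMBR or TDSSKiller.
The sample text below is constructed to mirror the format posted in the thread.
"""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample in aswMBR's layout (timestamps, path, detection name).
SAMPLE_ASWMBR = r"""
23:49:44.828 Disk 0 scanning C:\WINDOWS\system32\drivers
23:49:57.078 File: C:\WINDOWS\system32\drivers\netbt.sys **INFECTED** Win32:Aluroot-B [Rtk]
23:50:05.406 Disk 0 trace - called modules:
23:50:05.421 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89004ff0]<<
23:50:05.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6b0ab8]
23:50:05.421 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> [0x890928d8]
23:50:05.437 \Driver\00001353[0x890db418] -> IRP_MJ_CREATE -> 0x89004ff0
23:57:30.937 Scan finished successfully
""".strip()

# Constructed sample in DDS's event-viewer layout: one SCM 7026 event and one
# Microsoft Antimalware event that reveals the machine was in Safe Mode.
SAMPLE_EVENTS = r"""
01/20/2012 12:10:20, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AsIO asuskbnt ElbyCDIO Fips intelppm IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss sptd SWIPsec Tcpip
01/20/2012 10:22:12, error: Microsoft Antimalware [2001] - Error code: 0x8007043c Error description: This service cannot be started in Safe Mode
""".strip()

INFECTED_RE = re.compile(r"File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>.+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-f]+)\]<<", re.I)
# A named driver object whose IRP dispatch entry points at a raw address.
HOOK_RE = re.compile(
    r"(?P<driver>\\Driver\\\S+?)\[0x[0-9a-f]+\] -> (?P<irp>IRP_MJ_\w+) -> (?P<target>0x[0-9a-f]+)",
    re.I)
FAILED_RE = re.compile(r"\[7026\] - .*?failed to load: (?P<drivers>.+)$")
SAFEMODE_RE = re.compile(r"cannot be started in Safe Mode", re.I)


@dataclass
class Findings:
    infected: dict = field(default_factory=dict)      # file path -> detection name
    unknown_addrs: set = field(default_factory=set)   # addresses aswMBR could not map
    hooks: list = field(default_factory=list)         # (driver object, IRP, target addr)


def parse_aswmbr(text: str) -> Findings:
    """Collect infected files, unknown addresses and IRP dispatch hooks."""
    f = Findings()
    for line in text.splitlines():
        if (m := INFECTED_RE.search(line)):
            f.infected[m["path"]] = m["name"]
        elif (m := UNKNOWN_RE.search(line)):
            f.unknown_addrs.add(m["addr"].lower())
        elif (m := HOOK_RE.search(line)):
            f.hooks.append((m["driver"], m["irp"], m["target"].lower()))
    return f


def parse_events(text: str):
    """Return (set of driver names SCM reported as failed, safe-mode flag)."""
    failed, safe_mode = set(), False
    for line in text.splitlines():
        if (m := FAILED_RE.search(line)):
            failed.update(m["drivers"].split())
        if SAFEMODE_RE.search(line):
            safe_mode = True
    return failed, safe_mode


def driver_name(path: str) -> str:
    """'C:\\...\\netbt.sys' -> 'netbt', to compare with SCM service names."""
    return PureWindowsPath(path).stem.lower()


def triage(aswmbr_text: str, events_text: str) -> dict:
    """Summarise the indicators a helper would look at first."""
    f = parse_aswmbr(aswmbr_text)
    failed, safe_mode = parse_events(events_text)
    failed_lc = {d.lower() for d in failed}
    return {
        "infected": sorted(f.infected.items()),
        # Dispatch entries that land in code aswMBR could not attribute to a module.
        "hooks_into_unknown": [h for h in f.hooks if h[2] in f.unknown_addrs],
        "infected_and_failed_to_load": sorted(
            driver_name(p) for p in f.infected if driver_name(p) in failed_lc),
        "safe_mode_boot_seen": safe_mode,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ASWMBR, SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The hook-to-unknown-address result is the stronger of the two checks: it is the same pattern aswMBR prints in the thread (a driver object's `IRP_MJ_CREATE` entry resolving to the `>>UNKNOWN<<` address). The name overlap is only a prompt to look: the 7026 event in the thread was logged during a Safe Mode boot, as the neighbouring Antimalware event shows, and network drivers such as NetBT and Tcpip can legitimately fail to load in that mode, so the script reports the safe-mode flag alongside the overlap rather than treating the overlap as proof.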

#5 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,476 posts
  • Gender:Not Telling
  • Location:Canada

Posted 23 January 2012 - 08:27 AM

Hi,

Please do the following:


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT


Note: Combo Fix will run from a USB stick > you will need to be connected while running ComboFix as it needs to download and install the Recovery Console:

Download ComboFix from either of these locations:
Link 1
Link 2


VERY IMPORTANT !!!
Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
Microsoft MVP - 2010, 2011, 2012, 2013

#6 hydrosong

hydrosong
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Birmingham, AL

Posted 23 January 2012 - 01:21 PM

I have completed the actions requested and my hard disk sounds eerily quiet. Have become accustomed to hearing random activity ever since moving to Windows 95 from DOS. Since installing Windows XP, that random disk activity has only increased. Now, this morning, I hear almost nothing going on. As I look at my disk activity light, it is only blinking, just for an instant, very occasionally--maybe every 5-10 seconds. And I am still plugged into the internet as required for ComboFix. Task Manager shows 0% cpu usage. SecurityTaskManager still shows svchost.exe as the most active process but its activity is so small that it reports as 0% cpu usage.

Now I will reboot and try to use Internet Explorer.

OK. I have rebooted and been on Internet Explorer and everything still seems good.

I have Ad-Aware (your request) and Spybot Search and Destroy running. Spybot is catching every attempt to change things in the registry and startup directories. For instance, when I 1st launched IE8, Spybot said that something was trying to put CTFMON into the startup directory. I said no. But I am guessing that this will continue to occur. Should I say yes? Should I turn off that function in Spybot? All of my previous viruses could be removed by a little scanning and a careful review of my directory listing sorted by date. I had stopped using Antivirus software because it slowed my machine down so much and my 1st infection (about 2002) occurred while Norton AV was installed and fully updated. Norton couldn't get rid of it so I did it myself. Since then, I have just tried to be careful and do occasional scans. Should I remove Ad-Aware and Spybot and install a full functioning Antivirus program? I looked at some reviews and it looked like Bitdefender was the current best recommendation.

And just to keep things interesting, we were awakened last night with 3 tornado sirens. Lots of damage here in the Birmingham area. Fortunately, it missed us.

Thank you so much for your assistance. I really felt invaded and powerless to fix it.

hydrosong

The requested log files are below:


TDSSKiller_Report.txt
______________________________________________________

10:20:43.0234 3812 TDSS rootkit removing tool 2.7.6.0 Jan 19 2012 13:09:04
10:20:43.0296 3812 ============================================================
10:20:43.0296 3812 Current date / time: 2012/01/23 10:20:43.0296
10:20:43.0296 3812 SystemInfo:
10:20:43.0296 3812
10:20:43.0296 3812 OS Version: 5.1.2600 ServicePack: 3.0
10:20:43.0296 3812 Product type: Workstation
10:20:43.0296 3812 ComputerName: HAINS1
10:20:43.0296 3812 UserName: dhains
10:20:43.0296 3812 Windows directory: C:\WINDOWS
10:20:43.0296 3812 System windows directory: C:\WINDOWS
10:20:43.0296 3812 Processor architecture: Intel x86
10:20:43.0296 3812 Number of processors: 2
10:20:43.0296 3812 Page size: 0x1000
10:20:43.0296 3812 Boot type: Normal boot
10:20:43.0296 3812 ============================================================
10:20:44.0890 3812 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:20:44.0937 3812 Drive \Device\Harddisk1\DR3 - Size: 0x3D17C000 (0.95 Gb), SectorSize: 0x200, Cylinders: 0x7C, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
10:20:45.0000 3812 Initialize success
10:21:08.0500 2876 ============================================================
10:21:08.0500 2876 Scan started
10:21:08.0500 2876 Mode: Manual;
10:21:08.0500 2876 ============================================================
10:21:08.0703 2876 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys
10:21:08.0703 2876 61883 - ok
10:21:08.0718 2876 Abiosdsk - ok
10:21:08.0734 2876 abp480n5 - ok
10:21:08.0765 2876 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:21:08.0765 2876 ACPI - ok
10:21:08.0796 2876 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:21:08.0796 2876 ACPIEC - ok
10:21:08.0828 2876 ADIHdAudAddService (ab0d9669bab1009e48cc91117e59912b) C:\WINDOWS\system32\drivers\ADIHdAud.sys
10:21:08.0843 2876 ADIHdAudAddService - ok
10:21:08.0843 2876 adpu160m - ok
10:21:08.0875 2876 AEAudio (03be587e90c8b37c7ff1fe2e9c1d1c90) C:\WINDOWS\system32\drivers\AEAudio.sys
10:21:08.0875 2876 AEAudio - ok
10:21:08.0906 2876 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:21:08.0906 2876 aec - ok
10:21:08.0937 2876 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:21:08.0937 2876 AFD - ok
10:21:09.0000 2876 Aha154x - ok
10:21:09.0000 2876 aic78u2 - ok
10:21:09.0015 2876 aic78xx - ok
10:21:09.0031 2876 AliIde - ok
10:21:09.0031 2876 amsint - ok
10:21:09.0078 2876 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
10:21:09.0078 2876 Arp1394 - ok
10:21:09.0093 2876 asc - ok
10:21:09.0093 2876 asc3350p - ok
10:21:09.0109 2876 asc3550 - ok
10:21:09.0125 2876 AsIO (19a1dac5bc607c212e8a94c05886ed52) C:\WINDOWS\system32\drivers\AsIO.sys
10:21:09.0125 2876 AsIO - ok
10:21:09.0156 2876 ASPI (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\System32\DRIVERS\ASPI32.sys
10:21:09.0171 2876 ASPI - ok
10:21:09.0171 2876 Aspi32 (54ab078660e536da72b21a27f56b035b) C:\WINDOWS\system32\drivers\aspi32.sys
10:21:09.0171 2876 Aspi32 - ok
10:21:09.0203 2876 asuskbnt (f5c2ccdb273a546e9c3a15250f1d9165) C:\WINDOWS\system32\drivers\atkkbnt.sys
10:21:09.0218 2876 asuskbnt - ok
10:21:09.0234 2876 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:21:09.0234 2876 AsyncMac - ok
10:21:09.0250 2876 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:21:09.0250 2876 atapi - ok
10:21:09.0281 2876 AtcL001 (e0c144c291304952f035b69c60f0d4a6) C:\WINDOWS\system32\DRIVERS\atl01_xp.sys
10:21:09.0281 2876 AtcL001 - ok
10:21:09.0296 2876 Atdisk - ok
10:21:09.0312 2876 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:21:09.0312 2876 Atmarpc - ok
10:21:09.0343 2876 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:21:09.0343 2876 audstub - ok
10:21:09.0406 2876 Avc (f8e6956a614f15a0860474c5e2a7de6b) C:\WINDOWS\system32\DRIVERS\avc.sys
10:21:09.0406 2876 Avc - ok
10:21:09.0421 2876 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:21:09.0421 2876 Beep - ok
10:21:09.0468 2876 Bridge (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
10:21:09.0468 2876 Bridge - ok
10:21:09.0468 2876 BridgeMP (f934d1b230f84e1d19dd00ac5a7a83ed) C:\WINDOWS\system32\DRIVERS\bridge.sys
10:21:09.0468 2876 BridgeMP - ok
10:21:09.0500 2876 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:21:09.0500 2876 cbidf2k - ok
10:21:09.0531 2876 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
10:21:09.0531 2876 CCDECODE - ok
10:21:09.0531 2876 cd20xrnt - ok
10:21:09.0562 2876 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:21:09.0562 2876 Cdaudio - ok
10:21:09.0578 2876 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:21:09.0578 2876 Cdfs - ok
10:21:09.0609 2876 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:21:09.0609 2876 Cdrom - ok
10:21:09.0625 2876 Changer - ok
10:21:09.0640 2876 CmdIde - ok
10:21:09.0671 2876 COMMONFX (ef44c32b1aef62380426b260bf2c66f1) C:\WINDOWS\system32\drivers\COMMONFX.SYS
10:21:09.0671 2876 COMMONFX - ok
10:21:09.0703 2876 COMMONFX.SYS (ef44c32b1aef62380426b260bf2c66f1) C:\WINDOWS\System32\drivers\COMMONFX.SYS
10:21:09.0703 2876 COMMONFX.SYS - ok
10:21:09.0765 2876 Cpqarray - ok
10:21:09.0796 2876 ctac32k (357c534b38019b597f51c8bf7186c118) C:\WINDOWS\system32\drivers\ctac32k.sys
10:21:09.0812 2876 ctac32k - ok
10:21:09.0843 2876 ctaud2k (691f8259a1f9c983356d8db2cde8043c) C:\WINDOWS\system32\drivers\ctaud2k.sys
10:21:09.0843 2876 ctaud2k - ok
10:21:09.0875 2876 CTAUDFX (7fc78aa6521ef3d9f16e51efab0bf13b) C:\WINDOWS\system32\drivers\CTAUDFX.SYS
10:21:09.0890 2876 CTAUDFX - ok
10:21:09.0921 2876 CTAUDFX.SYS (7fc78aa6521ef3d9f16e51efab0bf13b) C:\WINDOWS\System32\drivers\CTAUDFX.SYS
10:21:09.0921 2876 CTAUDFX.SYS - ok
10:21:09.0968 2876 ctdvda2k (8545d70b0335a05498f34e7e3f8ca9a2) C:\WINDOWS\system32\drivers\ctdvda2k.sys
10:21:09.0968 2876 ctdvda2k - ok
10:21:09.0984 2876 CTERFXFX (16f448354067914e7deaea709011bd60) C:\WINDOWS\system32\drivers\CTERFXFX.SYS
10:21:10.0000 2876 CTERFXFX - ok
10:21:10.0000 2876 CTERFXFX.SYS (16f448354067914e7deaea709011bd60) C:\WINDOWS\System32\drivers\CTERFXFX.SYS
10:21:10.0000 2876 CTERFXFX.SYS - ok
10:21:10.0031 2876 ctprxy2k (4d71541283aea28fb839007be90b5fc7) C:\WINDOWS\system32\drivers\ctprxy2k.sys
10:21:10.0031 2876 ctprxy2k - ok
10:21:10.0078 2876 CTSBLFX (64c83684661be137023f5186a612cf34) C:\WINDOWS\system32\drivers\CTSBLFX.SYS
10:21:10.0078 2876 CTSBLFX - ok
10:21:10.0140 2876 CTSBLFX.SYS (64c83684661be137023f5186a612cf34) C:\WINDOWS\System32\drivers\CTSBLFX.SYS
10:21:10.0156 2876 CTSBLFX.SYS - ok
10:21:10.0187 2876 ctsfm2k (632194572ebde8d461728cf382a7e964) C:\WINDOWS\system32\drivers\ctsfm2k.sys
10:21:10.0187 2876 ctsfm2k - ok
10:21:10.0203 2876 dac2w2k - ok
10:21:10.0203 2876 dac960nt - ok
10:21:10.0250 2876 DgiVecp (770471de2550820feeb7e5d24bf2e273) C:\WINDOWS\system32\Drivers\DgiVecp.sys
10:21:10.0250 2876 DgiVecp - ok
10:21:10.0281 2876 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:21:10.0281 2876 Disk - ok
10:21:10.0312 2876 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:21:10.0328 2876 dmboot - ok
10:21:10.0343 2876 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:21:10.0359 2876 dmio - ok
10:21:10.0359 2876 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:21:10.0359 2876 dmload - ok
10:21:10.0390 2876 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:21:10.0390 2876 DMusic - ok
10:21:10.0421 2876 DNE (b5aa5aa5ac327bd7c1aec0c58f0c1144) C:\WINDOWS\system32\DRIVERS\dne2000.sys
10:21:10.0421 2876 DNE - ok
10:21:10.0484 2876 dpti2o - ok
10:21:10.0515 2876 DrmCAudio (7c2d2b593b837fd59c17ef649cda1ea6) C:\WINDOWS\system32\drivers\DrmCAudio.sys
10:21:10.0515 2876 DrmCAudio - ok
10:21:10.0546 2876 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:21:10.0546 2876 drmkaud - ok
10:21:10.0578 2876 EIO (6f41da43aa4806a7bdbb2f9a8b05023e) C:\WINDOWS\system32\drivers\EIO.sys
10:21:10.0578 2876 EIO - ok
10:21:10.0609 2876 ElbyCDFL (ce37e3d51912e59c80c6d84337c0b4cd) C:\WINDOWS\system32\Drivers\ElbyCDFL.sys
10:21:10.0609 2876 ElbyCDFL - ok
10:21:10.0640 2876 ElbyCDIO (aaa8999a169e39fb8b48ae49cd6ac30a) C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
10:21:10.0640 2876 ElbyCDIO - ok
10:21:10.0671 2876 emupia (bacd9cc06d7a787e529e7ebf56b671aa) C:\WINDOWS\system32\drivers\emupia2k.sys
10:21:10.0671 2876 emupia - ok
10:21:10.0718 2876 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:21:10.0718 2876 Fastfat - ok
10:21:10.0750 2876 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:21:10.0750 2876 Fdc - ok
10:21:10.0781 2876 FilterService (1edc0df2da14e04504dd3bac21aa32cd) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
10:21:10.0781 2876 FilterService - ok
10:21:10.0796 2876 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:21:10.0796 2876 Fips - ok
10:21:10.0812 2876 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
10:21:10.0812 2876 Flpydisk - ok
10:21:10.0828 2876 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:21:10.0828 2876 FltMgr - ok
10:21:10.0890 2876 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:21:10.0890 2876 Fs_Rec - ok
10:21:10.0890 2876 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:21:10.0906 2876 Ftdisk - ok
10:21:10.0937 2876 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
10:21:10.0937 2876 GEARAspiWDM - ok
10:21:10.0968 2876 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:21:10.0968 2876 Gpc - ok
10:21:10.0984 2876 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys
10:21:10.0984 2876 grmnusb - ok
10:21:11.0046 2876 ha10kx2k (70606233f3ed0e53cb3ea17f846d6a4f) C:\WINDOWS\system32\drivers\ha10kx2k.sys
10:21:11.0046 2876 ha10kx2k - ok
10:21:11.0093 2876 hamachi (64b48a0d899deca24c424a2cac3ecffa) C:\WINDOWS\system32\DRIVERS\hamachi.sys
10:21:11.0093 2876 hamachi - ok
10:21:11.0125 2876 hap16v2k (a0c69ad2a61e576b0207acdd9626e167) C:\WINDOWS\system32\drivers\hap16v2k.sys
10:21:11.0125 2876 hap16v2k - ok
10:21:11.0187 2876 hap17v2k (2ee89452c574d259ada4fc9fc1c07243) C:\WINDOWS\system32\drivers\hap17v2k.sys
10:21:11.0187 2876 hap17v2k - ok
10:21:11.0203 2876 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
10:21:11.0203 2876 HDAudBus - ok
10:21:11.0250 2876 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:21:11.0250 2876 HidUsb - ok
10:21:11.0265 2876 hpn - ok
10:21:11.0296 2876 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
10:21:11.0296 2876 HPZid412 - ok
10:21:11.0328 2876 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
10:21:11.0328 2876 HPZipr12 - ok
10:21:11.0359 2876 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
10:21:11.0359 2876 HPZius12 - ok
10:21:11.0375 2876 HTCAND32 - ok
10:21:11.0406 2876 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:21:11.0406 2876 HTTP - ok
10:21:11.0437 2876 i2omgmt - ok
10:21:11.0453 2876 i2omp - ok
10:21:11.0468 2876 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:21:11.0468 2876 i8042prt - ok
10:21:11.0515 2876 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:21:11.0515 2876 Imapi - ok
10:21:11.0531 2876 ini910u - ok
10:21:11.0546 2876 IntelIde - ok
10:21:11.0562 2876 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:21:11.0562 2876 intelppm - ok
10:21:11.0578 2876 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:21:11.0578 2876 Ip6Fw - ok
10:21:11.0625 2876 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:21:11.0625 2876 IpFilterDriver - ok
10:21:11.0656 2876 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:21:11.0656 2876 IpInIp - ok
10:21:11.0671 2876 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:21:11.0671 2876 IpNat - ok
10:21:11.0734 2876 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:21:11.0734 2876 IPSec - ok
10:21:11.0765 2876 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:21:11.0765 2876 IRENUM - ok
10:21:11.0781 2876 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:21:11.0781 2876 isapnp - ok
10:21:11.0812 2876 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:21:11.0812 2876 Kbdclass - ok
10:21:11.0843 2876 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:21:11.0843 2876 kmixer - ok
10:21:11.0859 2876 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:21:11.0859 2876 KSecDD - ok
10:21:11.0937 2876 Lavasoft Kernexplorer (6c4a3804510ad8e0f0c07b5be3d44ddb) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
10:21:11.0937 2876 Lavasoft Kernexplorer - ok
10:21:11.0984 2876 Lbd (336abe8721cbc3110f1c6426da633417) C:\WINDOWS\system32\DRIVERS\Lbd.sys
10:21:11.0984 2876 Lbd - ok
10:21:12.0031 2876 lbrtfdc - ok
10:21:12.0078 2876 LVPr2Mon (f96cfb47903854f228baaf3e2d41a0a3) C:\WINDOWS\system32\Drivers\LVPr2Mon.sys
10:21:12.0078 2876 LVPr2Mon - ok
10:21:12.0125 2876 LVRS (b895839b8743e400d7c7dae156f74e7e) C:\WINDOWS\system32\DRIVERS\lvrs.sys
10:21:12.0125 2876 LVRS - ok
10:21:12.0171 2876 LVUSBSta (23f8ef78bb9553e465a476f3cee5ca18) C:\WINDOWS\system32\drivers\LVUSBSta.sys
10:21:12.0171 2876 LVUSBSta - ok
10:21:12.0296 2876 LVUVC (8bc0d5f6e3898f465a94c6d03afb5a20) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
10:21:12.0328 2876 LVUVC - ok
10:21:12.0359 2876 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:21:12.0359 2876 mnmdd - ok
10:21:12.0421 2876 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:21:12.0421 2876 Modem - ok
10:21:12.0437 2876 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:21:12.0437 2876 Mouclass - ok
10:21:12.0500 2876 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:21:12.0500 2876 mouhid - ok
10:21:12.0531 2876 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:21:12.0531 2876 MountMgr - ok
10:21:12.0578 2876 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
10:21:12.0578 2876 MpFilter - ok
10:21:12.0578 2876 mraid35x - ok
10:21:12.0656 2876 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
10:21:12.0656 2876 MREMP50 - ok
10:21:12.0687 2876 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
10:21:12.0687 2876 MREMPR5 - ok
10:21:12.0687 2876 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
10:21:12.0703 2876 MRENDIS5 - ok
10:21:12.0718 2876 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
10:21:12.0734 2876 MRESP50 - ok
10:21:12.0796 2876 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:21:12.0796 2876 MRxDAV - ok
10:21:12.0843 2876 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:21:12.0843 2876 MRxSmb - ok
10:21:12.0875 2876 MSDV (1477849772712bac69c144dcf2c9ce81) C:\WINDOWS\system32\DRIVERS\msdv.sys
10:21:12.0875 2876 MSDV - ok
10:21:12.0906 2876 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:21:12.0906 2876 Msfs - ok
10:21:12.0937 2876 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:21:12.0937 2876 MSKSSRV - ok
10:21:12.0953 2876 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:21:12.0953 2876 MSPCLOCK - ok
10:21:12.0984 2876 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:21:12.0984 2876 MSPQM - ok
10:21:13.0000 2876 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:21:13.0000 2876 mssmbios - ok
10:21:13.0046 2876 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
10:21:13.0046 2876 MSTEE - ok
10:21:13.0109 2876 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
10:21:13.0109 2876 MTsensor - ok
10:21:13.0125 2876 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:21:13.0125 2876 Mup - ok
10:21:13.0171 2876 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
10:21:13.0171 2876 NABTSFEC - ok
10:21:13.0203 2876 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:21:13.0203 2876 NDIS - ok
10:21:13.0234 2876 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
10:21:13.0234 2876 NdisIP - ok
10:21:13.0250 2876 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:21:13.0250 2876 NdisTapi - ok
10:21:13.0265 2876 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:21:13.0265 2876 Ndisuio - ok
10:21:13.0296 2876 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:21:13.0296 2876 NdisWan - ok
10:21:13.0328 2876 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:21:13.0328 2876 NDProxy - ok
10:21:13.0375 2876 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:21:13.0375 2876 NetBIOS - ok
10:21:13.0406 2876 NetBT (41abba0dae1d6c6e9d9b4a0cace6d326) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:21:13.0406 2876 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 41abba0dae1d6c6e9d9b4a0cace6d326, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
10:21:13.0406 2876 NetBT ( Virus.Win32.ZAccess.k ) - infected
10:21:13.0406 2876 NetBT - detected Virus.Win32.ZAccess.k (0)
10:21:13.0437 2876 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
10:21:13.0437 2876 NIC1394 - ok
10:21:13.0484 2876 npf (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
10:21:13.0484 2876 npf - ok
10:21:13.0515 2876 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:21:13.0515 2876 Npfs - ok
10:21:13.0562 2876 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:21:13.0562 2876 Ntfs - ok
10:21:13.0593 2876 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:21:13.0593 2876 Null - ok
10:21:13.0703 2876 nv (94c9962a2d51115be99dbed20801edae) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:21:13.0718 2876 nv - ok
10:21:13.0812 2876 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:21:13.0812 2876 NwlnkFlt - ok
10:21:13.0828 2876 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:21:13.0828 2876 NwlnkFwd - ok
10:21:13.0859 2876 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
10:21:13.0859 2876 ohci1394 - ok
10:21:13.0890 2876 ossrv (ae896073e1bbf98fefc2ec52f62c0fba) C:\WINDOWS\system32\drivers\ctoss2k.sys
10:21:13.0890 2876 ossrv - ok
10:21:13.0921 2876 Packet (115da220149517a247a9c7aff7e73b9c) C:\WINDOWS\system32\DRIVERS\packet.sys
10:21:13.0937 2876 Packet - ok
10:21:13.0953 2876 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:21:13.0953 2876 Parport - ok
10:21:13.0984 2876 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:21:13.0984 2876 PartMgr - ok
10:21:14.0015 2876 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:21:14.0015 2876 ParVdm - ok
10:21:14.0062 2876 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:21:14.0062 2876 PCI - ok
10:21:14.0078 2876 PCIDump - ok
10:21:14.0109 2876 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:21:14.0109 2876 PCIIde - ok
10:21:14.0140 2876 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:21:14.0140 2876 Pcmcia - ok
10:21:14.0140 2876 PDCOMP - ok
10:21:14.0156 2876 PDFRAME - ok
10:21:14.0171 2876 PDRELI - ok
10:21:14.0187 2876 PDRFRAME - ok
10:21:14.0187 2876 perc2 - ok
10:21:14.0203 2876 perc2hib - ok
10:21:14.0265 2876 PortTalk (7d5a2d755b6c6579f63657b527d6ff1b) C:\WINDOWS\system32\Drivers\PortTalk.sys
10:21:14.0265 2876 PortTalk - ok
10:21:14.0281 2876 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:21:14.0281 2876 PptpMiniport - ok
10:21:14.0296 2876 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:21:14.0296 2876 PSched - ok
10:21:14.0328 2876 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:21:14.0328 2876 Ptilink - ok
10:21:14.0343 2876 ql1080 - ok
10:21:14.0359 2876 Ql10wnt - ok
10:21:14.0359 2876 ql12160 - ok
10:21:14.0375 2876 ql1240 - ok
10:21:14.0390 2876 ql1280 - ok
10:21:14.0406 2876 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:21:14.0406 2876 RasAcd - ok
10:21:14.0437 2876 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:21:14.0437 2876 Rasl2tp - ok
10:21:14.0468 2876 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:21:14.0468 2876 RasPppoe - ok
10:21:14.0500 2876 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:21:14.0500 2876 Raspti - ok
10:21:14.0515 2876 rcvpn - ok
10:21:14.0531 2876 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:21:14.0531 2876 Rdbss - ok
10:21:14.0562 2876 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:21:14.0562 2876 RDPCDD - ok
10:21:14.0625 2876 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:21:14.0625 2876 rdpdr - ok
10:21:14.0656 2876 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
10:21:14.0656 2876 RDPWD - ok
10:21:14.0671 2876 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:21:14.0671 2876 redbook - ok
10:21:14.0734 2876 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:21:14.0734 2876 Secdrv - ok
10:21:14.0765 2876 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
10:21:14.0765 2876 SenFiltService - ok
10:21:14.0796 2876 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:21:14.0796 2876 serenum - ok
10:21:14.0843 2876 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:21:14.0843 2876 Serial - ok
10:21:14.0859 2876 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:21:14.0859 2876 Sfloppy - ok
10:21:14.0890 2876 Simbad - ok
10:21:14.0921 2876 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
10:21:14.0921 2876 SLIP - ok
10:21:14.0968 2876 Sparrow - ok
10:21:14.0984 2876 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:21:14.0984 2876 splitter - ok
10:21:15.0046 2876 sptd (d390675b8ce45e5fb359338e5e649329) C:\WINDOWS\system32\Drivers\sptd.sys
10:21:15.0046 2876 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: d390675b8ce45e5fb359338e5e649329
10:21:15.0046 2876 sptd ( LockedFile.Multi.Generic ) - warning
10:21:15.0046 2876 sptd - detected LockedFile.Multi.Generic (1)
10:21:15.0078 2876 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:21:15.0078 2876 sr - ok
10:21:15.0125 2876 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:21:15.0125 2876 Srv - ok
10:21:15.0140 2876 SSPORT - ok
10:21:15.0187 2876 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys
10:21:15.0187 2876 StarOpen - ok
10:21:15.0234 2876 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
10:21:15.0234 2876 streamip - ok
10:21:15.0296 2876 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:21:15.0296 2876 swenum - ok
10:21:15.0328 2876 SWIPsec (ebd83e322b4eb50f6a1d8d7b42d3745e) C:\WINDOWS\system32\Drivers\SWIPsec.sys
10:21:15.0328 2876 SWIPsec - ok
10:21:15.0359 2876 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:21:15.0359 2876 swmidi - ok
10:21:15.0390 2876 SWVNIC (962b13026b10b82d2874bfda4ecc048d) C:\WINDOWS\system32\DRIVERS\swvnic.sys
10:21:15.0390 2876 SWVNIC - ok
10:21:15.0406 2876 symc810 - ok
10:21:15.0406 2876 symc8xx - ok
10:21:15.0421 2876 sym_hi - ok
10:21:15.0437 2876 sym_u3 - ok
10:21:15.0453 2876 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:21:15.0453 2876 sysaudio - ok
10:21:15.0500 2876 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:21:15.0500 2876 Tcpip - ok
10:21:15.0531 2876 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:21:15.0531 2876 TDPIPE - ok
10:21:15.0578 2876 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:21:15.0578 2876 TDTCP - ok
10:21:15.0609 2876 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:21:15.0609 2876 TermDD - ok
10:21:15.0656 2876 TosIde - ok
10:21:15.0687 2876 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:21:15.0687 2876 Udfs - ok
10:21:15.0687 2876 ultra - ok
10:21:15.0734 2876 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:21:15.0734 2876 Update - ok
10:21:15.0781 2876 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
10:21:15.0781 2876 usbaudio - ok
10:21:15.0796 2876 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:21:15.0796 2876 usbccgp - ok
10:21:15.0812 2876 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:21:15.0812 2876 usbehci - ok
10:21:15.0828 2876 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:21:15.0828 2876 usbhub - ok
10:21:15.0859 2876 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:21:15.0859 2876 usbprint - ok
10:21:15.0890 2876 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:21:15.0890 2876 usbscan - ok
10:21:15.0953 2876 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:21:15.0953 2876 USBSTOR - ok
10:21:15.0968 2876 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:21:15.0968 2876 usbuhci - ok
10:21:16.0000 2876 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:21:16.0000 2876 VgaSave - ok
10:21:16.0015 2876 ViaIde - ok
10:21:16.0046 2876 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:21:16.0046 2876 VolSnap - ok
10:21:16.0078 2876 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:21:16.0078 2876 Wanarp - ok
10:21:16.0125 2876 Wdf01000 (4769596d7cc0f5fa447d2babc239672a) C:\WINDOWS\system32\Drivers\wdf01000.sys
10:21:16.0125 2876 Wdf01000 - ok
10:21:16.0156 2876 WDICA - ok
10:21:16.0171 2876 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:21:16.0187 2876 wdmaud - ok
10:21:16.0296 2876 WsAudio_DeviceS(1) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(1).sys
10:21:16.0296 2876 WsAudio_DeviceS(1) - ok
10:21:16.0312 2876 WsAudio_DeviceS(2) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(2).sys
10:21:16.0312 2876 WsAudio_DeviceS(2) - ok
10:21:16.0328 2876 WsAudio_DeviceS(3) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(3).sys
10:21:16.0343 2876 WsAudio_DeviceS(3) - ok
10:21:16.0359 2876 WsAudio_DeviceS(4) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(4).sys
10:21:16.0359 2876 WsAudio_DeviceS(4) - ok
10:21:16.0375 2876 WsAudio_DeviceS(5) (4160cbe59d9b5be22e4c3897e8db9d56) C:\WINDOWS\system32\drivers\WsAudio_DeviceS(5).sys
10:21:16.0375 2876 WsAudio_DeviceS(5) - ok
10:21:16.0406 2876 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
10:21:16.0406 2876 WSTCODEC - ok
10:21:16.0453 2876 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:21:16.0453 2876 WudfPf - ok
10:21:16.0500 2876 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:21:16.0500 2876 WudfRd - ok
10:21:16.0546 2876 XUIF (41cf36a3cc7786575247ed456918e112) C:\WINDOWS\system32\Drivers\x10ufx2.sys
10:21:16.0546 2876 XUIF - ok
10:21:16.0593 2876 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:21:16.0718 2876 \Device\Harddisk0\DR0 - ok
10:21:16.0718 2876 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR3
10:21:16.0718 2876 \Device\Harddisk1\DR3 - ok
10:21:16.0734 2876 Boot (0x1200) (2496a97aa9aa70dd727ac8a3360d692f) \Device\Harddisk0\DR0\Partition0
10:21:16.0734 2876 \Device\Harddisk0\DR0\Partition0 - ok
10:21:16.0734 2876 Boot (0x1200) (c4496fb8ed261e78794262c9f34ba19f) \Device\Harddisk0\DR0\Partition1
10:21:16.0750 2876 \Device\Harddisk0\DR0\Partition1 - ok
10:21:16.0750 2876 Boot (0x1200) (d73927831a6bad7ef9f2204f4b80db0b) \Device\Harddisk1\DR3\Partition0
10:21:16.0750 2876 \Device\Harddisk1\DR3\Partition0 - ok
10:21:16.0750 2876 ============================================================
10:21:16.0750 2876 Scan finished
10:21:16.0750 2876 ============================================================
10:21:16.0765 2868 Detected object count: 2
10:21:16.0765 2868 Actual detected object count: 2
10:23:06.0203 2868 Backup copy found, using it..
10:23:06.0218 2868 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
10:23:08.0312 2868 NetBT ( Virus.Win32.ZAccess.k ) - User select action: Cure
10:23:08.0390 2868 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
10:23:08.0390 2868 sptd ( LockedFile.Multi.Generic ) - User select action: Quarantine


ComboFix Log.txt
__________________________________________________________________________________________

ComboFix 12-01-23.02 - dhains 01/23/2012 10:45:18.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1635 [GMT -6:00]
Running from: c:\documents and settings\dhains\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\dhains\Local Settings\Application Data\{1F38B911-3EA3-4E9A-B111-1E35915A9EFD}
c:\documents and settings\dhains\Local Settings\Application Data\{1F38B911-3EA3-4E9A-B111-1E35915A9EFD}\chrome\content\overlay.xul
c:\documents and settings\dhains\Local Settings\Application Data\{1F38B911-3EA3-4E9A-B111-1E35915A9EFD}\install.rdf
c:\documents and settings\dhains\Local Settings\Temporary Internet Files\FLIST.FL
c:\documents and settings\dhains\WINDOWS
c:\windows\$NtUninstallKB41287$
c:\windows\$NtUninstallKB41287$\1222057413
c:\windows\$NtUninstallKB41287$\491437069\@
c:\windows\$NtUninstallKB41287$\491437069\bckfg.tmp
c:\windows\$NtUninstallKB41287$\491437069\cfg.ini
c:\windows\$NtUninstallKB41287$\491437069\Desktop.ini
c:\windows\$NtUninstallKB41287$\491437069\keywords
c:\windows\$NtUninstallKB41287$\491437069\kwrd.dll
c:\windows\$NtUninstallKB41287$\491437069\L\tqnllyna
c:\windows\$NtUninstallKB41287$\491437069\lsflt7.ver
c:\windows\$NtUninstallKB41287$\491437069\U\00000001.@
c:\windows\$NtUninstallKB41287$\491437069\U\00000002.@
c:\windows\$NtUninstallKB41287$\491437069\U\00000004.@
c:\windows\$NtUninstallKB41287$\491437069\U\80000000.@
c:\windows\$NtUninstallKB41287$\491437069\U\80000004.@
c:\windows\$NtUninstallKB41287$\491437069\U\80000032.@
c:\windows\iun6002.exe
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\command.pif
c:\windows\system32\msvcrt40.dll.tmp
c:\windows\system32\roboot.exe
c:\windows\system32\SET98.tmp
c:\windows\system32\SETA4.tmp
c:\windows\system32\SETB5.tmp
c:\windows\system32\SETB7.tmp
c:\windows\system32\SETC5.tmp
c:\windows\system32\SETE9.tmp
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((( Files Created from 2011-12-23 to 2012-01-23 )))))))))))))))))))))))))))))))
.
.
2012-01-23 16:23 . 2012-01-23 16:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-23 01:15 . 2012-01-23 01:15 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help
2012-01-23 01:12 . 2012-01-23 01:12 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2012-01-21 22:31 . 2012-01-21 22:31 388096 ----a-r- c:\documents and settings\dhains\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-01-21 22:03 . 2012-01-21 22:03 3076 ---ha-w- C:\aaw7boot.cmd
2012-01-21 20:28 . 2012-01-21 20:28 -------- d-----w- c:\documents and settings\dhains\Local Settings\Application Data\adaware
2012-01-21 20:28 . 2012-01-23 16:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection
2012-01-21 20:28 . 2012-01-23 01:18 -------- d-----w- c:\documents and settings\dhains\Application Data\adawaretb
2012-01-21 20:28 . 2012-01-21 20:28 -------- d-----w- c:\program files\adawaretb
2012-01-21 20:28 . 2011-12-23 13:12 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2012-01-21 18:28 . 2012-01-21 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-20 16:18 . 2012-01-20 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\bomgar-scc-4F1993C4
2012-01-19 17:08 . 2012-01-19 17:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-19 15:30 . 2009-08-07 01:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2012-01-18 16:58 . 2012-01-06 02:19 6557240 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{889601A7-E2A6-4305-9417-EE1E92468021}\mpengine.dll
2012-01-18 16:57 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2012-01-18 16:41 . 2012-01-18 16:41 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-16 21:27 . 2012-01-16 21:27 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2012-01-16 21:24 . 2012-01-16 21:24 -------- d-----w- c:\program files\Toolbar Cleaner
2012-01-16 00:17 . 2012-01-16 00:17 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2012-01-16 00:05 . 2012-01-16 00:05 -------- d-----w- c:\windows\system32\wbem\Repository
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-23 16:25 . 2006-02-28 12:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-10 21:24 . 2011-09-07 20:12 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-02-28 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-02-28 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-02-28 12:00 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-02-28 12:00 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-04 19:20 . 2006-02-28 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2006-02-28 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2006-02-28 12:00 385024 ------w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2006-02-28 12:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-02-28 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2006-02-28 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-12-20 18:32 . 2011-12-20 18:32 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
2011-12-21 15:44 87440 ----a-w- c:\program files\adawaretb\adawareDx.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6c97a91e-4524-4019-86af-2aa2d567bf5c}"= "c:\program files\adawaretb\adawareDx.dll" [2011-12-21 87440]
.
[HKEY_CLASSES_ROOT\clsid\{6c97a91e-4524-4019-86af-2aa2d567bf5c}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Aware Browsing Protection"="c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.exe" [2011-11-14 197288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"adaware"="reg.exe delete HKCU\Software\AppDataLow\Software\adaware" [X]
"adaware_XP"="reg.exe delete HKCU\Software\adaware" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 0 (0x0)
"ConsentPromptBehaviorAdmin"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launchy.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Launchy.lnk
backup=c:\windows\pss\Launchy.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^login.vbs]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\login.vbs
backup=c:\windows\pss\login.vbsCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 18:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ai Nap]
2006-08-22 17:46 1422848 ----a-w- c:\program files\ASUS\AI Suite\AiNap\AiNap.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsusServiceProvider]
2006-08-03 09:25 591360 ----a-r- c:\program files\ASUS\AASP\1.00.05\aaCenter.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
2006-09-28 19:21 57344 ----a-w- c:\program files\SlySoft\CloneCD\CloneCDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 10:42 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2010-03-19 01:17 19456 ----a-w- c:\windows\system32\CtHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-10-19 19:15 136176 ----atw- c:\documents and settings\dhains\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2005-12-17 05:55 176128 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-18 02:59 421160 ----a-w- d:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-12-20 13:50 2656528 ----a-w- d:\program files\Logitech\QuickCam\Quickcam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MagicSpeed]
2004-01-12 15:13 214016 ----a-w- c:\program files\SamsungODD\Magic Speed\MagicSL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSC]
2011-06-15 21:16 997920 ----a-w- c:\program files\Microsoft Security Client\msseces.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSCSysTrayUI_XEROX]
2009-01-13 22:29 266240 ------w- c:\program files\xerox\NetworkScan\NSCSysUI_XEROX.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2005-12-14 06:51 7323648 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2005-12-14 06:51 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2005-12-14 06:51 1519616 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 17:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 07:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xerox PanelMgr]
2009-04-08 11:19 557056 ----a-w- c:\windows\Xerox\PanelMgr\SSMMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=3 (0x3)
"SQLBrowser"=3 (0x3)
"SDiManage"=2 (0x2)
"ose"=3 (0x3)
"MDM"=2 (0x2)
"McciCMService"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"IYSODiskOptimizer"=2 (0x2)
"IntuitUpdateService"=2 (0x2)
"SupportDockService.exe"=2 (0x2)
"hnmsvc"=2 (0x2)
"GSService"=3 (0x3)
"bomgar-scc-1327076292"=2 (0x2)
"x10nets"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"SWGVCSvc"=2 (0x2)
"SMServer"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"NVSvc"=2 (0x2)
"NMSAccess"=2 (0x2)
"MsMpSvc"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"CTAudSvcService"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Creative Audio Engine Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"ATKKeyboardService"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\dhains\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\xerox\\NetworkScan\\NSCSysUI_XEROX.exe"=
"d:\\Program Files\\AboutTime\\AboutTime.exe"=
"c:\\Program Files\\Common Files\\SingleClick Systems\\Advanced Networking Service\\hnm_svc.exe"=
"d:\\Program Files\\Airfoil Speakers\\AirfoilSpeakers.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\DIAD\\DIADvisor\\SWatch25.exe"=
"c:\\Program Files\\SingleClick Systems\\HomeNet Manager\\ezi_hnm2.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVC.exe"=
"c:\\WINDOWS\\twain_32\\Xerox\\WC3220\\Sscan2io.exe"=
"c:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVCSvc.exe"=
"c:\\Program Files\\adawaretb\\dtUser.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1947:TCP"= 1947:TCP:*:Disabled:HASP SRM
"1947:UDP"= 1947:UDP:*:Disabled:HASP SRM
"6000:TCP"= 6000:TCP:*:Disabled:SingleClick Network Metrics
"17567:UDP"= 17567:UDP:*:Disabled:SingleClick Discovery Protocol
"17667:TCP"= 17667:TCP:*:Disabled:SingleClick Transport Protocol
"10426:UDP"= 10426:UDP:*:Disabled:SingleClick Inter-Computer Communication
"5902:TCP"= 5902:TCP:VNC
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [01/21/2012 14:28 64512]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [09/01/2007 17:34 685816]
R1 SWIPsec;SonicWALL IPsec Driver;c:\windows\system32\drivers\SWIPsec.sys [04/08/2010 13:01 87064]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [02/11/2011 15:23 35088]
R2 PortTalk;PortTalk;c:\windows\system32\drivers\porttalk.sys [01/31/2007 16:38 3567]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [10/06/2006 15:46 34944]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [03/18/2010 20:39 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [03/18/2010 20:39 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [03/18/2010 20:39 566360]
R3 DrmCAudio;DrmCAudio;c:\windows\system32\drivers\DrmCAudio.sys [06/05/2011 17:02 23608]
R3 WsAudio_DeviceS(1);WsAudio_DeviceS(1);c:\windows\system32\drivers\WsAudio_DeviceS(1).sys [06/05/2011 15:46 25704]
R3 WsAudio_DeviceS(2);WsAudio_DeviceS(2);c:\windows\system32\drivers\WsAudio_DeviceS(2).sys [06/05/2011 15:46 25704]
R3 WsAudio_DeviceS(3);WsAudio_DeviceS(3);c:\windows\system32\drivers\WsAudio_DeviceS(3).sys [06/05/2011 15:46 25704]
R3 WsAudio_DeviceS(4);WsAudio_DeviceS(4);c:\windows\system32\drivers\WsAudio_DeviceS(4).sys [06/05/2011 15:47 25704]
R3 WsAudio_DeviceS(5);WsAudio_DeviceS(5);c:\windows\system32\drivers\WsAudio_DeviceS(5).sys [06/05/2011 15:47 25704]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/23/2011 07:12 2152688]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [02/18/2007 03:05 16512]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [03/18/2010 20:39 99416]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [03/18/2010 20:39 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [03/18/2010 20:39 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [03/18/2010 20:39 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [03/18/2010 20:39 566360]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/23/2011 07:12 15232]
S3 SWVNIC;SonicWALL Virtual Miniport;c:\windows\system32\drivers\SWVNIC.sys [03/04/2009 17:03 21016]
S4 bomgar-scc-1327076292;Bomgar Support Customer Client [1327076292];c:\documents and settings\All Users\Application Data\bomgar-scc-4F1993C4\bomgar-scc.exe [01/20/2012 10:18 917440]
S4 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [12/02/2010 00:26 79360]
S4 GSService;GSService;c:\windows\system32\GSService.exe [06/05/2011 17:02 745472]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/01/2009 17:25 133104]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/01/2009 17:25 133104]
S4 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
S4 IYSODiskOptimizer;IYSODiskOptimizer;c:\program files\iYogi Support Dock\pccare\iysoDefragSrv.exe [11/17/2011 09:18 263168]
S4 MSSQL$ACCUCHEK360;SQL Server (ACCUCHEK360);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [02/10/2007 04:29 29178224]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;d:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [09/23/2005 07:01 2799808]
S4 rcvpn;rcvpn;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
S4 SDiManage;SDiManage;c:\program files\iYogi\SDiManage\IYogiMonitoringSvc.exe [11/03/2011 17:03 17408]
S4 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [06/05/2011 17:02 243712]
S4 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S4 SupportDockService.exe;Support Dock Service;c:\program files\iYogi Support Dock\Services\CommAgent\SupportDockService.exe [08/30/2011 07:31 73728]
S4 SWGVCSvc;SonicWALL Global VPN Client Service;c:\program files\SonicWALL\SonicWALL Global VPN Client\SWGVCSvc.exe [03/05/2009 22:57 227352]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2011-12-23 13:12]
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 23:25]
.
2011-11-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-01 23:25]
.
2012-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-527237240-725345543-1003Core.job
- c:\documents and settings\dhains\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-16 19:15]
.
2012-01-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-527237240-725345543-1003UA.job
- c:\documents and settings\dhains\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-16 19:15]
.
2012-01-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 21:39]
.
2010-11-27 c:\windows\Tasks\SystemIdleDetector.job
- d:\program files\Roche Diagnostics\ACCU-CHEK 360\Application\RunAtSystemIdle.exe [2008-09-17 15:09]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
Trusted Zone: $talisma_url$
Trusted Zone: intuit.com\ttlc
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/2.9.2.0/GarminAxControl.CAB
DPF: {AD58C149-8AE2-4878-99DC-3A164E32F814} - hxxp://appsnet.bentley.com/myselectcd/SAXFileEE.cab
FF - ProfilePath - c:\documents and settings\dhains\Application Data\Mozilla\Firefox\Profiles\z7ooe01l.default\
FF - prefs.js: browser.search.selectedEngine - Search the Web
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-53109975.sys
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
AddRemove-Score Writer 4.15 - c:\windows\unvise32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-23 10:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bomgar-scc-1327076292]
"ImagePath"="\"c:\documents and settings\All Users\Application Data\bomgar-scc-4F1993C4\bomgar-scc.exe\" -service:run"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,90,af,7e,0e,e4,b5,48,ae,16,be,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,90,af,7e,0e,e4,b5,48,ae,16,be,\
.
[HKEY_USERS\S-1-5-21-1801674531-527237240-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(264)
c:\windows\system32\WININET.dll
c:\documents and settings\All Users\Application Data\Ad-Aware Browsing Protection\adawarebp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-01-23 10:59:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-23 16:59
.
Pre-Run: 191,213,568 bytes free
Post-Run: 565,899,264 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - A4EC46F5750A88F4F53CA18124FC1EA2
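
The firewall exceptions in the log above repay a closer read: every SingleClick, HASP and Remote Desktop (3389) entry is marked Disabled, but the 5902/TCP "VNC" entry is printed without the scope and state fields, and post #12 below confirms a RealVNC free-edition server is being reached from the office. What follows is an added example, not part of ComboFix or of anyone's post in this thread: a small Python reader for the GloballyOpenPorts section that parses the XP firewall value format (port:proto:scope:Enabled|Disabled:name), treats a rule that is not explicitly Disabled as open, and lists remote-access services even when they are disabled. The sample lines are copied from the log above; the remote-access port table is my own.

```python
"""Review Windows XP firewall exceptions from a ComboFix log.

Added example, not part of ComboFix or of the thread. SAMPLE_LOG is copied
from the GloballyOpenPorts section of the log. The XP SP2+ value format is
    port:proto:scope:Enabled|Disabled:name
where a scope of '*' means any remote address. A rule printed without the
scope and state fields is treated here as not proven disabled.
"""
import re

SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"1947:TCP"= 1947:TCP:*:Disabled:HASP SRM
"1947:UDP"= 1947:UDP:*:Disabled:HASP SRM
"6000:TCP"= 6000:TCP:*:Disabled:SingleClick Network Metrics
"17567:UDP"= 17567:UDP:*:Disabled:SingleClick Discovery Protocol
"17667:TCP"= 17667:TCP:*:Disabled:SingleClick Transport Protocol
"10426:UDP"= 10426:UDP:*:Disabled:SingleClick Inter-Computer Communication
"5902:TCP"= 5902:TCP:VNC
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [01/21/2012 14:28 64512]
"""

RULE_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# Ports that usually carry an interactive remote-access service (my own table).
REMOTE_ACCESS = {22: "SSH", 23: "Telnet", 3389: "RDP"}


def service_hint(port):
    """Name the remote-access service a port usually carries, or None."""
    if 5900 <= port <= 5999:
        return "VNC"
    return REMOTE_ACCESS.get(port)


def parse_rule(line):
    """Parse one '"port:proto"= port:proto:...' line into a dict, or None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    port, proto, rest = int(m.group(1)), m.group(2), m.group(3)
    parts = rest.split(":")
    if len(parts) >= 3 and parts[1] in ("Enabled", "Disabled"):
        scope, state, name = parts[0], parts[1], ":".join(parts[2:])
    else:
        # Scope and state were not printed; keep the remainder as the name.
        scope, state, name = None, "unknown", rest
    return {"port": port, "proto": proto, "scope": scope, "state": state, "name": name}


def open_port_rules(log_text):
    """Collect the rules under the GloballyOpenPorts key.

    The section ends at the first line that is not a rule (ComboFix prints '.').
    """
    rules, inside = [], False
    for line in log_text.splitlines():
        if line.startswith("[") and "GloballyOpenPorts" in line:
            inside = True
            continue
        if inside:
            rule = parse_rule(line)
            if rule is None:
                break
            rules.append(rule)
    return rules


def review(rules):
    """Return (rule, reason) pairs worth a second look, in log order."""
    findings = []
    for r in rules:
        hint = service_hint(r["port"])
        label = f"{r['port']}/{r['proto']}" + (f" ({hint})" if hint else "")
        if r["state"] != "Disabled":
            how = "Enabled" if r["state"] == "Enabled" else "not marked Disabled in the dump"
            if r["scope"] == "*":
                exposure = "any address"
            else:
                exposure = r["scope"] or "unknown scope, assume any address"
            findings.append((r, f"{label}: {how}, reachable from {exposure}"))
        elif hint:
            findings.append((r, f"{label}: disabled, but a remote-access exception is still defined"))
    return findings


if __name__ == "__main__":
    for _, reason in review(open_port_rules(SAMPLE_LOG)):
        print(reason)
```

Run against the sample, the only rule that is not marked Disabled is 5902/TCP, and 3389/TCP is listed because an RDP exception is still defined even though it is off; the same reader works on any ComboFix log that contains the GloballyOpenPorts key.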

#7 CatByte
  • Malware Response Team

Posted 23 January 2012 - 06:24 PM

c:\documents and settings\Default User\Local Settings\Application Data\Microsoft Help

This folder (hidden) is from installing MSDN CD/DVDs - did you install them?


BitDefender is a very highly rated antivirus; another excellent antivirus is Kaspersky.

For a free antivirus I highly recommend Microsoft Security Essentials.

They are all fairly light on resources and do an excellent job. Personally I use Microsoft Security Essentials and the paid version of Malwarebytes, Windows Firewall and Web of Trust, and I'm behind a secure router.


Please run the following:


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013

#8 hydrosong
  • Topic Starter

Posted 24 January 2012 - 11:21 PM

My computer continues to appear to function normally.

Here is the Malwarebytes scan:
____________________________________________________

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.24.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
dhains :: HAINS1 [administrator]

01/24/2012 09:06:43
mbam-log-2012-01-24 (09-06-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 201247
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


Here is the ESETscan.txt

C:\Documents and Settings\dhains\Application Data\Sun\Java\Deployment\cache\6.0\18\456472d2-57640bce a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\dhains\Application Data\Sun\Java\Deployment\cache\6.0\27\60b5d41b-6df4502b a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\dhains\Application Data\Sun\Java\Deployment\cache\6.0\46\4c2baf2e-3dc2db58 a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\dhains\Application Data\Sun\Java\Deployment\cache\6.0\47\21282ef-6465911e a variant of Java/Agent.DU trojan
C:\Documents and Settings\dhains\Application Data\Sun\Java\Deployment\cache\6.0\7\43c3de87-3b18769e a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\18\456472d2-127f6c15 a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\40\2b3c0be8-66c87948 a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\44\4cbed6ec-10b0419c a variant of Java/TrojanDownloader.Agent.NDJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\46\4c2baf2e-126506fd a variant of Java/TrojanDownloader.Agent.NDJ trojan
D:\DHAINS--backup\My Download Files\dreamweaver4.zip probably a variant of Win32/Agent.TLPJMP trojan


I have looked up each of these files to get their date stamps and find that each of the 1st 9 is accompanied with a .idx file of the same name.

The dates of the Agent.NDJ trojans are similar--either 1/15 or 1/16 2012.

The Agent.DU trogan has a 9/30/2011 date.

The dreamweaver4.zip file I had downloaded from Macromedia and installed on a previous computer and probably has never been active in this machine. It is just in a backup directory. The file is dated 4/7/2002.

I would be happy to delete all of these files. I do see several other files of similar naming convention in the ..\Java\Deployment\cache\6.0\. . . directories listed here but they have different dates.

Let me know what to do about these files.

Thank you for your efforts.

Hydrosong
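
The poster's manual check of the cache dates (pairing each detection with its .idx companion and comparing timestamps with the 15-16 January window) is exactly what a triage script should automate. Below is an added example, not from the thread or from any of the tools named in it: a Python script that walks a copy of the Sun\Java\Deployment\cache tree, pairs each payload with its .idx, records the modification time, flags entries inside a date window, and pulls the download URL out of the .idx by searching for a URL string rather than decoding the full index format. The sample cache it builds for the demo is constructed (the file names reuse those from the ESET report above; the .idx bytes are a stand-in, not real index data), and the URLs and window dates are assumptions.

```python
"""Triage a Java 6 Deployment cache: pair payloads with their .idx files, read
timestamps, pull the source URL, and flag entries inside a suspect window.

Added example, not from the forum thread. Run it against a copy of
...\Sun\Java\Deployment\cache; the sample it builds for the demo is constructed.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Any http(s) URL made of printable URL characters. The .idx stores strings
# with a 2-byte length prefix, whose 0x00 high byte ends the match, so no
# further knowledge of the index layout is needed to recover the URL.
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%\[\]-]+")

# Window covering the dates the poster saw on the detected entries (assumed).
WINDOW_START = datetime(2012, 1, 15, tzinfo=timezone.utc)
WINDOW_END = datetime(2012, 1, 17, tzinfo=timezone.utc)


def index_url(idx_bytes):
    """Return the first URL embedded in an .idx file, or None."""
    m = URL_RE.search(idx_bytes)
    return m.group(0).decode("ascii") if m else None


def triage_java_cache(cache_root, start=WINDOW_START, end=WINDOW_END):
    """Return one record per cached payload (non-.idx file), oldest first."""
    records = []
    for payload in Path(cache_root).rglob("*"):
        if payload.is_dir() or payload.suffix == ".idx":
            continue
        idx = payload.with_name(payload.name + ".idx")
        mtime = datetime.fromtimestamp(payload.stat().st_mtime, tz=timezone.utc)
        records.append({
            "path": str(payload),
            "mtime": mtime,
            "orphan": not idx.exists(),   # payload without its index: unusual
            "url": index_url(idx.read_bytes()) if idx.exists() else None,
            "in_window": start <= mtime <= end,
        })
    return sorted(records, key=lambda r: r["mtime"])


def _write(path, data, when):
    """Write bytes and back-date the file's modification time."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    ts = when.timestamp()
    os.utime(path, (ts, ts))


def build_sample_cache(root):
    """Constructed sample in the 6.0/<bucket>/<name> layout; not real cache data."""
    base = Path(root) / "6.0"

    def idx(url):
        # Header-like padding, then a length-prefixed string, as a stand-in
        # for the real .idx layout.
        return b"\x00\x00\x00\x00\x06\x03" + b"\x00" * 20 + len(url).to_bytes(2, "big") + url + b"\x00\x00"

    jan15 = datetime(2012, 1, 15, 18, 30, tzinfo=timezone.utc)
    sep30 = datetime(2011, 9, 30, 9, 0, tzinfo=timezone.utc)
    _write(base / "18" / "456472d2-57640bce", b"PK\x03\x04constructed", jan15)
    _write(base / "18" / "456472d2-57640bce.idx", idx(b"http://dl.cache-sample.example/Agent.jar"), jan15)
    _write(base / "47" / "21282ef-6465911e", b"PK\x03\x04constructed", sep30)
    _write(base / "47" / "21282ef-6465911e.idx", idx(b"http://applets.example.net/old.jar"), sep30)
    _write(base / "7" / "43c3de87-3b18769e", b"PK\x03\x04constructed", jan15)  # no .idx on purpose
    return root


def demo():
    """Build the constructed cache in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_java_cache(build_sample_cache(tmp))


if __name__ == "__main__":
    for r in demo():
        flag = "SUSPECT" if r["in_window"] else "       "
        print(f'{flag} {r["mtime"]:%Y-%m-%d %H:%M} orphan={r["orphan"]!s:5} {r["url"]} {r["path"]}')
```

On a real machine, point triage_java_cache at the cache directory of each profile that ESET listed (here both dhains and NetworkService) and read the URL column: the same host appearing across several buckets inside the window is what ties the cache entries to one drive-by download.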

#9 CatByte
  • Malware Response Team

Posted 25 January 2012 - 08:29 PM

Hi

We just need to update your Java and clear your Java cache, and that will clear those items; the Dreamweaver is likely a false positive.


also, we have some housekeeping to do now, please do the following:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java SE 6 Update 30
  • Click the Download button under JRE to the right.
  • Read the License Agreement then select Accept License Agreement
  • Click on the link to download Windows x86 Offline and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u30-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      Applications and Applets
      Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



NEXT



You can delete the DDS and aswMBR logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at:
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished, it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

#10 hydrosong
  • Topic Starter

Posted 26 January 2012 - 11:18 PM

I previously posted this but it's not showing up so here it is again.

I have updated Java.

I tried to remove ComboFix, but when I did, it said, "Can not find 'Combofix'." I ran Security Task Manager and saw a process called "Catchme" that is running from a file called C:\Combofix\Catchme.sys. That suggests that ComboFix may still be running, or at least a sys file associated with it.

Any suggestions?

I will take a little longer with the security measures you suggest. Definitely yes on the antivirus protection. I am currently running Spybot, Ad-Aware, and MS Security Essentials (I think; can you tell me how to identify it?). I am considering installing BitDefender.

Thanks

#11 CatByte
  • Malware Response Team

Posted 26 January 2012 - 11:42 PM

thanks for reminding me,

I meant to mention this before

The log shows you have two antivirus products installed:

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

Having more than one antivirus can cause system slowdowns, conflicts and crashes, so I recommend uninstalling the AV component of Lavasoft.

BitDefender is a very good product as well; if you decide to buy it, make sure you uninstall Microsoft Security Essentials first.

Try the ComboFix stand alone uninstaller

Download the ComboFix Uninstaller from here

Double click the icon to run it and follow the prompts

#12 hydrosong
  • Topic Starter

Posted 27 January 2012 - 10:17 AM

OK. The stand alone uninstaller worked. I have disabled the live protection component of Lavasoft.

I have one more issue to set up for protection. If it needs to be a new post on a different forum, please redirect me.

I do a lot of work at home and at the office. For that, I use Sonic Wall VPN to connect with my office from home.

However, since I am 64 and can't always remember everything anymore, I often need to get on my home computer from the office to find a file I forgot or just to look up what I was doing the other day when I worked at home.

Up till now, I have been using RealVNC (free edition), which has no encryption, or Remote Desktop. Both of these do use a password that I will need to make more robust following your previous recommendation. But I have not been using a VPN to get to my home computer. I would like to either set up Windows VPN for that or set up an SSL tunnel. I have looked at the Microsoft pages on Windows VPN and find that they don't describe some of the process sufficiently to get it going. There is a paid version of RealVNC that does support a secure logon and data encryption. I thought I would explore the options I might already have before purchasing a paid version of VNC.

I understand that the SSL tunnel is much more secure because all communication is encrypted (and scrambled?). And I have no idea how to set up an SSL tunnel. My computer engineer son has set up SSL tunnels for all of his connections to his computers at the University, but they are Linux machines. When he wants to get to a Windows machine, he uses the Linux machines to manage the SSL tunnel and then connects to the Windows machine from a local network. He has tried to set up a Windows SSL tunnel but has not been able to figure it out. Do you have any suggestions either as to how to accomplish the SSL tunnel in Windows or a recommendation about where I should be able to get help with this?

Edited by hydrosong, 27 January 2012 - 10:19 AM.
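As an illustration of the "ssl tunnel in windows" set-up asked about above, here is an added example that is not part of this thread or of any reply in it: two stunnel configuration fragments, one for the home PC that runs the VNC server and one for the office PC that runs the VNC viewer. stunnel runs on Windows as well as Linux, so the same files work on either side. The hostname home.example.com, the port 5901, and the file names stunnel.pem and home-cert.pem are assumptions; the VNC server is assumed to be configured to listen only on 127.0.0.1 so that the unencrypted port is never reachable from the internet.

```ini
; ---- home PC (VNC server side): stunnel.conf ----
; Assumed: VNC listens only on 127.0.0.1:5900, and the Windows firewall
; allows inbound 5901/tcp only. stunnel.pem holds this PC's certificate
; and private key (a self-signed pair generated when stunnel is installed).
cert = stunnel.pem
output = stunnel.log

[vnc]
accept = 5901
connect = 127.0.0.1:5900

; ---- office PC (VNC viewer side): stunnel.conf ----
; Assumed: home-cert.pem is a copy of the home PC's certificate (public
; part only). verify = 3 makes stunnel refuse to connect unless the
; remote presents exactly that certificate, so a spoofed endpoint fails.
client = yes
output = stunnel.log

[vnc]
accept = 127.0.0.1:5900
connect = home.example.com:5901
verify = 3
CAfile = home-cert.pem
```

With both sides running, the viewer at the office is pointed at localhost:5900; stunnel carries that session inside TLS to port 5901 on the home PC, which hands it to the VNC server on loopback. The VNC password still applies, but it now travels only inside the encrypted tunnel, and nothing but the TLS port is exposed to the internet.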


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,476 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 January 2012 - 11:27 AM

Hi,

Post in the Networking forum

the expert techs there may be able to help you

http://www.bleepingcomputer.com/forums/forum21.html

sorry I can't help you with this, I'd have to be sitting at the machine to figure it out, but we have excellent techs here that may be able to assist

good luck

~CB
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#14 hydrosong

hydrosong
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Male
  • Location:Birmingham, AL

Posted 30 January 2012 - 11:47 PM

Since updating Java, none of my Java applets run. Have I done something wrong?

an example of what I am talking about can be found at:

http://weather.rap.ucar.edu/satellite/

Be sure that you set it for a loop duration of more than a single image. Before I deleted all of my old Java environments, this would work. Now I just get a blank box where the satellite animation should be.

Thanks

Hydrosong.

Edited by hydrosong, 30 January 2012 - 11:48 PM.


#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,476 posts
  • Gender:Not Telling
  • Location:Canada

Posted 31 January 2012 - 06:53 PM

that's unusual, it must not have installed properly, did you test the installation at the Java web site?

try uninstalling all mention of Java (including browser add-ons)

use revo uninstaller to do it

then download and install the latest version of Java

Download and install the Revo Uninstaller
  • Double click the new Revo Uninstaller icon on your desktop to start the program
  • Scroll through the listed programs and Right Click on the program you wish to uninstall
  • From the pop out menu choose Uninstall
  • Click Yes to the confirmation dialogue
  • In the next window select the Advanced mode
  • Click Next to start uninstalling the program
  • Answer Yes to confirm the uninstall
  • When the program has completed the four steps, click Next to allow the program to search for leftovers
  • Once complete, click Next, then Finish
  • Repeat the above steps for any other programs you wish to remove.
