BleepingComputer.com: redirect infection

Combofix caused a blue screen & the computer began running Checkdisk after restarting itself.

This post has been edited by aeronth: 16 July 2011 - 07:09 PM

It blue-screened and restarted a few more times, but it finally ran and made the new report. I've noticed that iexplorer.exe has been generating multiple processes in the task manager although I am not running it, and combofix attempted to delete iexplorer.exe on one of the earlier attempts to run it again, but this caused an error to pop up.

ComboFix 11-07-12.04 - MCSUser 07/16/2011 22:47:45.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.579 [GMT -5:00]
Running from: c:\documents and settings\MCSUser\My Documents\Downloads\ComboFix.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-06-17 to 2011-07-17 )))))))))))))))))))))))))))))))
.
.
2011-07-04 21:07 . 2011-07-04 21:07 388096 ----a-r- c:\documents and settings\MCSUser\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-04 21:07 . 2011-07-04 21:07 -------- d-----w- c:\program files\Trend Micro
2011-07-04 20:56 . 2011-07-04 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2011-07-03 07:58 . 2011-07-03 07:58 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-07-03 07:48 . 2011-07-03 08:32 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-03 07:46 . 2011-07-03 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-06-28 06:26 . 2011-07-02 09:23 0 ----a-w- c:\windows\Vcugetelaguzeya.bin
2011-06-24 19:57 . 2011-06-24 19:57 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-24 19:57 . 2011-06-24 19:57 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-10 05:00 . 2007-06-10 12:02 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-07-03 07:57 . 2011-06-06 04:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 14:11 . 2010-01-22 16:32 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-24 19:57 . 2011-04-25 16:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-14_04.20.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-17 02:12 . 2011-07-17 02:12 16384 c:\windows\Temp\Perflib_Perfdata_5b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-24 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BellSouthWCC_McciTrayApp"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2006-03-10 543232]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"Zune Launcher"="c:\program files\lance temp\ZuneLauncher.exe" [2010-11-11 159472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\cssc\Start Menu\Programs\Startup\
SeedLink.exe [2006-4-18 21504]
.
c:\documents and settings\MCSUser\Start Menu\Programs\Startup\
VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-3-19 1474560]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-5-31 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-10 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 02:20 40448 ------w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\WINDOWS\\system32\\lxdlcoms.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\lxdlamon.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\frun.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\lxdlmon.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\Wireless\\lxdlwpss.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\LXDLFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdlpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdljswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdltime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdlwbgw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\lxdlcfg.exe"=
"c:\\Documents and Settings\\MCSUser\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 lxdl_device;lxdl_device;c:\windows\system32\lxdlcoms.exe -service --> c:\windows\system32\lxdlcoms.exe -service [?]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 5:55 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [4/25/2006 9:00 PM 3456]
S1 akrcmuia;akrcmuia;\??\c:\windows\system32\drivers\akrcmuia.sys --> c:\windows\system32\drivers\akrcmuia.sys [?]
S1 fhmithvf;fhmithvf;\??\c:\windows\system32\drivers\fhmithvf.sys --> c:\windows\system32\drivers\fhmithvf.sys [?]
S1 ghlzlpbt;ghlzlpbt;\??\c:\windows\system32\drivers\ghlzlpbt.sys --> c:\windows\system32\drivers\ghlzlpbt.sys [?]
S1 iyfqykmu;iyfqykmu;\??\c:\windows\system32\drivers\iyfqykmu.sys --> c:\windows\system32\drivers\iyfqykmu.sys [?]
S1 mgmjgoqa;mgmjgoqa;\??\c:\windows\system32\drivers\mgmjgoqa.sys --> c:\windows\system32\drivers\mgmjgoqa.sys [?]
S1 mqhdebck;mqhdebck;\??\c:\windows\system32\drivers\mqhdebck.sys --> c:\windows\system32\drivers\mqhdebck.sys [?]
S1 pigidqnf;pigidqnf;\??\c:\windows\system32\drivers\pigidqnf.sys --> c:\windows\system32\drivers\pigidqnf.sys [?]
S1 pmgvdxfo;pmgvdxfo;\??\c:\windows\system32\drivers\pmgvdxfo.sys --> c:\windows\system32\drivers\pmgvdxfo.sys [?]
S1 qufkaplp;qufkaplp;\??\c:\windows\system32\drivers\qufkaplp.sys --> c:\windows\system32\drivers\qufkaplp.sys [?]
S1 rypegmkq;rypegmkq;\??\c:\windows\system32\drivers\rypegmkq.sys --> c:\windows\system32\drivers\rypegmkq.sys [?]
S1 sqpbfzkt;sqpbfzkt;\??\c:\windows\system32\drivers\sqpbfzkt.sys --> c:\windows\system32\drivers\sqpbfzkt.sys [?]
S1 tfjjsqnb;tfjjsqnb;\??\c:\windows\system32\drivers\tfjjsqnb.sys --> c:\windows\system32\drivers\tfjjsqnb.sys [?]
S1 tsouoemh;tsouoemh;\??\c:\windows\system32\drivers\tsouoemh.sys --> c:\windows\system32\drivers\tsouoemh.sys [?]
S2 gupdate1c987f5ee2c1b18;Google Update Service (gupdate1c987f5ee2c1b18);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 7:57 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 7:57 PM 133104]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\lance temp\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]
.
2011-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 00:57]
.
2011-07-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 00:57]
.
2009-10-21 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-10 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mcsk12.net/
mStart Page = hxxp://att.net/?fr=fp-att
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\MCSUser\Application Data\Mozilla\Firefox\Profiles\v1c243n0.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53414
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-16 22:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1552)
c:\windows\system32\vrlogon.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
- - - - - - - > 'explorer.exe'(5308)
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\ieframe.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
Completion time: 2011-07-16 22:56:12
ComboFix-quarantined-files.txt 2011-07-17 03:56
ComboFix2.txt 2011-07-14 04:24
.
Pre-Run: 43,888,840,704 bytes free
Post-Run: 43,984,240,640 bytes free
.
- - End Of File - - 3F813AE54F6332233A306BD2EE98C232

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

The executable ran fine and requested a restart, but the system failed to restart 3 times. It ran checkdisc again not even reaching the log in screen before blue screening, while trying to start the system normally. I switched to start with last known good configuration which I hope didn't effect the TDSS Killer's curing.


2011/07/17 16:05:12.0421 1272 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/17 16:05:12.0890 1272 ================================================================================
2011/07/17 16:05:12.0890 1272 SystemInfo:
2011/07/17 16:05:12.0890 1272
2011/07/17 16:05:12.0890 1272 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/17 16:05:12.0890 1272 Product type: Workstation
2011/07/17 16:05:12.0890 1272 ComputerName: 159LT-L3B5280
2011/07/17 16:05:12.0890 1272 UserName: MCSUser
2011/07/17 16:05:12.0890 1272 Windows directory: C:\WINDOWS
2011/07/17 16:05:12.0890 1272 System windows directory: C:\WINDOWS
2011/07/17 16:05:12.0890 1272 Processor architecture: Intel x86
2011/07/17 16:05:12.0890 1272 Number of processors: 2
2011/07/17 16:05:12.0890 1272 Page size: 0x1000
2011/07/17 16:05:12.0890 1272 Boot type: Normal boot
2011/07/17 16:05:12.0890 1272 ================================================================================
2011/07/17 16:05:13.0437 1272 Initialize success
2011/07/17 16:05:30.0359 2460 ================================================================================
2011/07/17 16:05:30.0359 2460 Scan started
2011/07/17 16:05:30.0359 2460 Mode: Manual;
2011/07/17 16:05:30.0359 2460 ================================================================================
2011/07/17 16:05:30.0562 2460 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/07/17 16:05:30.0609 2460 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2011/07/17 16:05:30.0671 2460 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/17 16:05:30.0687 2460 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/07/17 16:05:30.0765 2460 ADIHdAudAddService (66614b9fdc7e74ab736a84d89f7b06b6) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/07/17 16:05:30.0781 2460 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/07/17 16:05:30.0828 2460 AEAudioService (03be587e90c8b37c7ff1fe2e9c1d1c90) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/07/17 16:05:30.0921 2460 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/17 16:05:30.0968 2460 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/07/17 16:05:31.0031 2460 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/07/17 16:05:31.0078 2460 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/07/17 16:05:31.0109 2460 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/07/17 16:05:31.0234 2460 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/07/17 16:05:31.0265 2460 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/07/17 16:05:31.0281 2460 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/07/17 16:05:31.0343 2460 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/07/17 16:05:31.0375 2460 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/07/17 16:05:31.0421 2460 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/07/17 16:05:31.0453 2460 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/07/17 16:05:31.0578 2460 ANC (11ab185a7af224800bbfb5b836974a17) C:\WINDOWS\system32\drivers\ANC.SYS
2011/07/17 16:05:31.0593 2460 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/07/17 16:05:31.0625 2460 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/07/17 16:05:31.0656 2460 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/07/17 16:05:31.0718 2460 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/17 16:05:31.0750 2460 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/17 16:05:31.0953 2460 ati2mtag (e150424208c8a91deed8c45019a6cdd2) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2011/07/17 16:05:32.0140 2460 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/17 16:05:32.0187 2460 atmeltpm (dbf0d7e2df33b469eb55406fea759350) C:\WINDOWS\system32\DRIVERS\atmeltpm.sys
2011/07/17 16:05:32.0203 2460 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/17 16:05:32.0234 2460 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/17 16:05:32.0281 2460 btaudio (6b7d6ca0db38b36c1d95447757741d1a) C:\WINDOWS\system32\drivers\btaudio.sys
2011/07/17 16:05:32.0390 2460 BTDriver (48e37289bae3d006d5583a661168ca00) C:\WINDOWS\system32\DRIVERS\btport.sys
2011/07/17 16:05:32.0437 2460 BTKRNL (dbd408226b00c20158864f30a5a84451) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/07/17 16:05:32.0578 2460 BTWDNDIS (8103112c1016ddc68dc292a083b02487) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2011/07/17 16:05:32.0609 2460 BTWUSB (7cd8e4303fda5b11da325340778d99d9) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/07/17 16:05:32.0750 2460 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/07/17 16:05:32.0765 2460 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/17 16:05:32.0812 2460 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/07/17 16:05:32.0937 2460 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/17 16:05:32.0968 2460 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/17 16:05:33.0000 2460 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/17 16:05:33.0046 2460 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/07/17 16:05:33.0078 2460 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/07/17 16:05:33.0093 2460 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/07/17 16:05:33.0140 2460 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/07/17 16:05:33.0171 2460 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/07/17 16:05:33.0281 2460 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/07/17 16:05:33.0343 2460 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/17 16:05:33.0390 2460 DLABOIOM (35cbc02546335ea41a5d516da6626c8a) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2011/07/17 16:05:33.0406 2460 DLACDBHM (ec6ae8bc9f773382d2eed49e4dfdae2a) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/07/17 16:05:33.0437 2460 DLADResN (19e3db16de2bb3db81b172a78d140b03) C:\WINDOWS\system32\DLA\DLADResN.SYS
2011/07/17 16:05:33.0468 2460 DLAIFS_M (e4859ca5bd8412a9a60d62067a653522) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2011/07/17 16:05:33.0562 2460 DLAOPIOM (20c24a3d1cf0825487c93f806625805e) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2011/07/17 16:05:33.0578 2460 DLAPoolM (8a530da5dc81954bcf1966813f699b49) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2011/07/17 16:05:33.0625 2460 DLARTL_N (0605b66052f82b6f07204dbdb61c13ff) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2011/07/17 16:05:33.0656 2460 DLAUDFAM (7eda68af6a91bf64af6f301e39928ebf) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2011/07/17 16:05:33.0703 2460 DLAUDF_M (a18423bbc6d92b01fdf3c51e7510ee70) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2011/07/17 16:05:33.0765 2460 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/17 16:05:33.0890 2460 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/17 16:05:33.0921 2460 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/17 16:05:33.0968 2460 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/17 16:05:34.0000 2460 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/07/17 16:05:34.0046 2460 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/17 16:05:34.0062 2460 DRVMCDB (48c7008d23dcfce0d0232f49307efced) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/07/17 16:05:34.0078 2460 DRVNDDM (05467e44a42c777dd1534bb4539b16d1) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/07/17 16:05:34.0109 2460 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/07/17 16:05:34.0234 2460 e1express (00560c3fedf8958fcdc7c68b7906f66f) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/07/17 16:05:34.0281 2460 EGATHDRV (2d0fc676d159525f6cd74c3302c7a61c) C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
2011/07/17 16:05:34.0328 2460 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/17 16:05:34.0375 2460 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/07/17 16:05:34.0421 2460 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/17 16:05:34.0437 2460 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/07/17 16:05:34.0531 2460 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/07/17 16:05:34.0593 2460 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/17 16:05:34.0625 2460 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\FTDISK.SYS
2011/07/17 16:05:34.0671 2460 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/17 16:05:34.0734 2460 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/17 16:05:34.0765 2460 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/17 16:05:34.0859 2460 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/07/17 16:05:34.0921 2460 HSF_DPV (b1fc0b027df4374f9e5b796cfdf797b3) C:\WINDOWS\system32\DRIVERS\hsx_dpv.sys
2011/07/17 16:05:35.0062 2460 HSXHWAZL (3af45f5b4157c88ffae24d89ba408302) C:\WINDOWS\system32\DRIVERS\hsxhwazl.sys
2011/07/17 16:05:35.0109 2460 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/17 16:05:35.0203 2460 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/07/17 16:05:35.0234 2460 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/07/17 16:05:35.0281 2460 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/17 16:05:35.0359 2460 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2011/07/17 16:05:35.0468 2460 IBMPMDRV (067a88764593b1f46a6cfb00c69c11eb) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
2011/07/17 16:05:35.0500 2460 IBMTPCHK (bfc9f3adaad74e13f9ce16c8bd336f95) C:\WINDOWS\system32\Drivers\IBMBLDID.sys
2011/07/17 16:05:35.0546 2460 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/17 16:05:35.0593 2460 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/07/17 16:05:35.0625 2460 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/07/17 16:05:35.0656 2460 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/17 16:05:35.0750 2460 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/07/17 16:05:35.0781 2460 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/17 16:05:35.0812 2460 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/17 16:05:35.0843 2460 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/17 16:05:35.0875 2460 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2011/07/17 16:05:35.0906 2460 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/17 16:05:36.0015 2460 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/17 16:05:36.0062 2460 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/17 16:05:36.0093 2460 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/07/17 16:05:36.0140 2460 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/17 16:05:36.0187 2460 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/17 16:05:36.0281 2460 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/07/17 16:05:36.0390 2460 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/17 16:05:36.0437 2460 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/17 16:05:36.0468 2460 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/17 16:05:36.0500 2460 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/17 16:05:36.0515 2460 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/17 16:05:36.0593 2460 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/07/17 16:05:36.0718 2460 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
2011/07/17 16:05:36.0734 2460 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
2011/07/17 16:05:36.0750 2460 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
2011/07/17 16:05:36.0781 2460 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
2011/07/17 16:05:36.0875 2460 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/17 16:05:36.0937 2460 MRxSmb (60ae98742484e7ab80c3c1450e708148) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/17 16:05:37.0046 2460 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/17 16:05:37.0093 2460 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/17 16:05:37.0140 2460 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/17 16:05:37.0156 2460 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/17 16:05:37.0187 2460 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/17 16:05:37.0218 2460 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/17 16:05:37.0250 2460 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/17 16:05:37.0281 2460 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/17 16:05:37.0312 2460 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/17 16:05:37.0390 2460 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/17 16:05:37.0437 2460 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/17 16:05:37.0453 2460 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/17 16:05:37.0484 2460 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/17 16:05:37.0625 2460 NETw3x32 (e2f396f71a793a04839dbb6af304a026) C:\WINDOWS\system32\DRIVERS\NETw3x32.sys
2011/07/17 16:05:37.0765 2460 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/17 16:05:37.0796 2460 NSCIRDA (2adc0ca9945c65284b3d19bc18765974) C:\WINDOWS\system32\DRIVERS\nscirda.sys
2011/07/17 16:05:37.0828 2460 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/17 16:05:37.0953 2460 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/17 16:05:38.0046 2460 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/17 16:05:38.0203 2460 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/17 16:05:38.0234 2460 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/17 16:05:38.0281 2460 NwlnkIpx (8b8b1be2dba4025da6786c645f77f123) C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
2011/07/17 16:05:38.0343 2460 NwlnkNb (56d34a67c05e94e16377c60609741ff8) C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
2011/07/17 16:05:38.0359 2460 NwlnkSpx (c0bb7d1615e1acbdc99757f6ceaf8cf0) C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
2011/07/17 16:05:38.0406 2460 NWRDR (36b9b950e3d2e100970a48d8bad86740) C:\WINDOWS\system32\DRIVERS\nwrdr.sys
2011/07/17 16:05:38.0531 2460 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/17 16:05:38.0562 2460 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/17 16:05:38.0593 2460 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/17 16:05:38.0609 2460 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/17 16:05:38.0656 2460 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/17 16:05:38.0671 2460 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/07/17 16:05:38.0781 2460 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/07/17 16:05:38.0796 2460 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/07/17 16:05:38.0875 2460 pmem (dedef40e1d05842639491365cb2c069e) C:\WINDOWS\System32\drivers\pmemnt.sys
2011/07/17 16:05:38.0921 2460 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/17 16:05:39.0062 2460 prepdrvr (1fcce507f2435d52decae38c91a5eead) C:\WINDOWS\system32\CCM\prepdrv.sys
2011/07/17 16:05:39.0125 2460 PROCDD (6f9e6e874fd74ee6dd0bbecde9d3f795) C:\WINDOWS\system32\DRIVERS\PROCDD.SYS
2011/07/17 16:05:39.0187 2460 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/17 16:05:39.0218 2460 psadd (fb4c54f3a168b178dabf15eebaed8276) C:\WINDOWS\system32\DRIVERS\psadd.sys
2011/07/17 16:05:39.0250 2460 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/17 16:05:39.0281 2460 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/17 16:05:39.0359 2460 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/17 16:05:39.0406 2460 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/07/17 16:05:39.0437 2460 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/07/17 16:05:39.0453 2460 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/07/17 16:05:39.0484 2460 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/07/17 16:05:39.0515 2460 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/07/17 16:05:39.0562 2460 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/17 16:05:39.0593 2460 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2011/07/17 16:05:39.0671 2460 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/17 16:05:39.0703 2460 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/17 16:05:39.0734 2460 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/17 16:05:39.0781 2460 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/17 16:05:39.0812 2460 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/17 16:05:39.0843 2460 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/07/17 16:05:39.0984 2460 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/17 16:05:40.0062 2460 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/17 16:05:40.0156 2460 s24trans (2862adb14481ac28f98105ff33a99eb0) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/07/17 16:05:40.0187 2460 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/17 16:05:40.0218 2460 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/17 16:05:40.0328 2460 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/17 16:05:40.0390 2460 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
2011/07/17 16:05:40.0421 2460 ShockMgr (1a9b76c8e0d77bcaca24fdf36781b59d) C:\WINDOWS\system32\drivers\ShockMgr.sys
2011/07/17 16:05:40.0468 2460 Shockprf (cb0c065af3ac9ac307408ea021cdd20e) C:\WINDOWS\system32\drivers\Shockprf.sys
2011/07/17 16:05:40.0546 2460 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/07/17 16:05:40.0609 2460 Smapint (26341d0dd225d19fd50e0ee3c3c77502) C:\WINDOWS\system32\drivers\Smapint.sys
2011/07/17 16:05:40.0687 2460 smi2 (3ba9d0c8a0fbd9fb4029b6cd87c8ce0b) C:\Program Files\SMI2\smi2.sys
2011/07/17 16:05:40.0734 2460 smihlp (01a4388e45ba272082bfc35b0c8dbf8a) C:\Program Files\ThinkVantage Fingerprint Software\smihlp.sys
2011/07/17 16:05:40.0796 2460 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/07/17 16:05:40.0828 2460 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/17 16:05:40.0953 2460 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/17 16:05:41.0015 2460 Srv (3bb03f2ba89d2be417206c373d2af17c) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/17 16:05:41.0125 2460 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/17 16:05:41.0171 2460 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/17 16:05:41.0218 2460 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/07/17 16:05:41.0265 2460 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/07/17 16:05:41.0312 2460 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/07/17 16:05:41.0390 2460 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/07/17 16:05:41.0437 2460 SynTP (7c02db7416d52c02b131d0e3a8d2337c) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/07/17 16:05:41.0484 2460 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/17 16:05:41.0562 2460 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/17 16:05:41.0671 2460 TcUsb (fc6fe02f400308606a911640e72326b5) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/07/17 16:05:41.0718 2460 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/17 16:05:41.0750 2460 TDSMAPI (564b337034271b7bddcabfddc91c6b7a) C:\WINDOWS\system32\drivers\TDSMAPI.SYS
2011/07/17 16:05:41.0796 2460 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/17 16:05:41.0828 2460 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/17 16:05:41.0968 2460 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/07/17 16:05:42.0015 2460 TPHKDRV (29f3601d4233a53f819010fee8c04a60) C:\WINDOWS\system32\drivers\TPHKDRV.sys
2011/07/17 16:05:42.0062 2460 TPPWRIF (44672de6cea9569c21c4b7a8d2560750) C:\WINDOWS\system32\drivers\Tppwrif.sys
2011/07/17 16:05:42.0093 2460 TSMAPIP (f2aba3066d7921d7fcdbd66dea88be11) C:\WINDOWS\system32\drivers\TSMAPIP.SYS
2011/07/17 16:05:42.0156 2460 tvtfilter (dd957007df98aecffaaa2656d4b981e4) C:\WINDOWS\system32\drivers\tvtfilter.sys
2011/07/17 16:05:42.0171 2460 TVTPktFilter (0727cce3ff1a4446f4a1d507361567ab) C:\WINDOWS\system32\DRIVERS\tvtpktfilter.sys
2011/07/17 16:05:42.0281 2460 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/17 16:05:42.0328 2460 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/07/17 16:05:42.0390 2460 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/17 16:05:42.0515 2460 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/17 16:05:42.0531 2460 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/17 16:05:42.0593 2460 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/17 16:05:42.0625 2460 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/17 16:05:42.0640 2460 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/17 16:05:42.0671 2460 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/17 16:05:42.0765 2460 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/17 16:05:42.0796 2460 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/17 16:05:42.0843 2460 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/07/17 16:05:42.0890 2460 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/07/17 16:05:42.0921 2460 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/17 16:05:42.0921 2460 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/07/17 16:05:42.0921 2460 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/07/17 16:05:42.0968 2460 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/17 16:05:43.0078 2460 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/07/17 16:05:43.0171 2460 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/17 16:05:43.0234 2460 winachsf (11ec1afceb5c917ce73d3c301ff4291e) C:\WINDOWS\system32\DRIVERS\hsx_cnxt.sys
2011/07/17 16:05:43.0359 2460 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
2011/07/17 16:05:43.0421 2460 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/07/17 16:05:43.0468 2460 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/07/17 16:05:43.0515 2460 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/17 16:05:43.0546 2460 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/17 16:05:43.0593 2460 zumbus (337b9607f041b77824411750069aff2d) C:\WINDOWS\system32\DRIVERS\zumbus.sys
2011/07/17 16:05:43.0640 2460 MBR (0x1B8) (79edc67d41a95c587f61241200819424) \Device\Harddisk0\DR0
2011/07/17 16:05:43.0656 2460 Boot (0x1200) (673466aab9da575bde855ee6da9389d8) \Device\Harddisk0\DR0\Partition0
2011/07/17 16:05:43.0671 2460 ================================================================================
2011/07/17 16:05:43.0671 2460 Scan finished
2011/07/17 16:05:43.0671 2460 ================================================================================
2011/07/17 16:05:43.0687 0800 Detected object count: 1
2011/07/17 16:05:43.0687 0800 Actual detected object count: 1
2011/07/17 16:05:51.0828 0800 VolSnap (7c38f81f40d61d1607ddb62fe5817bb9) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/17 16:05:51.0828 0800 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 7c38f81f40d61d1607ddb62fe5817bb9, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/07/17 16:05:52.0937 0800 Backup copy found, using it..
2011/07/17 16:05:52.0984 0800 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/07/17 16:05:52.0984 0800 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/07/17 16:06:03.0468 5824 Deinitialize success

Hello

rerun TDSSkiller again to see if it did clear it up



gringo

Infection not found and I'm no longer being redirected so it seems fixed. Thank you very much for your time and help, Gringo.

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

File::
c:\windows\Vcugetelaguzeya.bin

Driver::
krcmuia
fhmithvf
ghlzlpbt
iyfqykmu
mgmjgoqa
mqhdebck
pigidqnf
pmgvdxfo
qufkaplp
rypegmkq
sqpbfzkt
tfjjsqnb
tsouoemh

Firefox::
FF - ProfilePath - c:\documents and settings\MCSUser\Application Data\Mozilla\Firefox\Profiles\v1c243n0.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 53414

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo

ComboFix 11-07-18.05 - MCSUser 07/18/2011 22:46:33.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.571 [GMT -5:00]
Running from: c:\documents and settings\MCSUser\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\MCSUser\Desktop\CFScript.txt
.
FILE ::
"c:\windows\Vcugetelaguzeya.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Vcugetelaguzeya.bin
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_fhmithvf
-------\Service_ghlzlpbt
-------\Service_iyfqykmu
-------\Service_mgmjgoqa
-------\Service_mqhdebck
-------\Service_pigidqnf
-------\Service_pmgvdxfo
-------\Service_qufkaplp
-------\Service_rypegmkq
-------\Service_sqpbfzkt
-------\Service_tfjjsqnb
-------\Service_tsouoemh
.
.
((((((((((((((((((((((((( Files Created from 2011-06-19 to 2011-07-19 )))))))))))))))))))))))))))))))
.
.
2011-07-19 03:55 . 2011-07-19 03:55 0 ---ha-w- c:\documents and settings\MCSUser\Local Settings\Application Data\BIT7.tmp
2011-07-04 21:07 . 2011-07-04 21:07 388096 ----a-r- c:\documents and settings\MCSUser\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-04 21:07 . 2011-07-04 21:07 -------- d-----w- c:\program files\Trend Micro
2011-07-04 20:56 . 2011-07-04 20:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2011-07-03 07:58 . 2011-07-03 07:58 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-07-03 07:48 . 2011-07-03 08:32 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-07-03 07:46 . 2011-07-03 07:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-06-24 19:57 . 2011-06-24 19:57 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-24 19:57 . 2011-06-24 19:57 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-07-17 21:06 . 2006-04-30 06:56 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2011-07-17 05:00 . 2007-06-10 12:02 5427 ----a-w- c:\windows\system32\EGATHDRV.SYS
2011-07-03 07:57 . 2011-06-06 04:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-29 14:11 . 2010-01-22 16:32 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-24 19:57 . 2011-04-25 16:49 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-14_04.20.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-07-19 03:54 . 2011-07-19 03:54 16384 c:\windows\Temp\Perflib_Perfdata_154.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-24 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BellSouthWCC_McciTrayApp"="c:\program files\BellSouthWCC\McciTrayApp.exe" [2006-03-10 543232]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2009-10-22 1577984]
"Zune Launcher"="c:\program files\lance temp\ZuneLauncher.exe" [2010-11-11 159472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-01 282624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\cssc\Start Menu\Programs\Startup\
SeedLink.exe [2006-4-18 21504]
.
c:\documents and settings\MCSUser\Start Menu\Programs\Startup\
VirtualExpander.lnk - c:\windows\system32\VirtualExpander\VirtualExpander.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Belkin Wireless Networking Utility.lnk - c:\program files\Belkin\F5D8053v4\BelkinWCUI.exe [2009-3-19 1474560]
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2006-5-31 622653]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-6-10 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [N/A]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AwayNotify]
2006-08-16 17:07 49152 ------w- c:\program files\Lenovo\AwayTask\AwayNotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-04-26 02:20 40448 ------w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2005-07-05 14:45 28672 ------w- c:\windows\system32\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2005-11-30 11:16 24576 ------w- c:\windows\system32\tphklock.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\WINDOWS\\system32\\lxdlcoms.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\lxdlamon.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\frun.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\lxdlmon.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\Wireless\\lxdlwpss.exe"=
"c:\\Program Files\\Lexmark 7500 Series\\LXDLFax.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdlpswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdljswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdltime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdlwbgw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\lxdlcfg.exe"=
"c:\\Documents and Settings\\MCSUser\\Local Settings\\Application Data\\Abacast\\Abaclient2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 lxdl_device;lxdl_device;c:\windows\system32\lxdlcoms.exe -service --> c:\windows\system32\lxdlcoms.exe -service [?]
R2 smi2;smi2;c:\program files\SMI2\smi2.sys [7/14/2006 5:55 PM 3968]
R2 smihlp;SMI helper driver;c:\program files\ThinkVantage Fingerprint Software\smihlp.sys [4/25/2006 9:00 PM 3456]
S1 akrcmuia;akrcmuia;\??\c:\windows\system32\drivers\akrcmuia.sys --> c:\windows\system32\drivers\akrcmuia.sys [?]
S2 gupdate1c987f5ee2c1b18;Google Update Service (gupdate1c987f5ee2c1b18);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 7:57 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/5/2009 7:57 PM 133104]
S3 WMZuneComm;Zune Windows Mobile Connectivity Service;c:\program files\lance temp\WMZuneComm.exe [11/11/2010 2:57 PM 268528]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 22:13]
.
2011-07-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 00:57]
.
2011-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-06 00:57]
.
2009-10-21 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2007-06-10 16:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.mcsk12.net/
mStart Page = hxxp://att.net/?fr=fp-att
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 192.168.1.254 192.168.1.254
FF - ProfilePath - c:\documents and settings\MCSUser\Application Data\Mozilla\Firefox\Profiles\v1c243n0.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-18 22:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1528)
c:\windows\system32\vrlogon.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\psqlpwd.dll
c:\program files\ThinkVantage Fingerprint Software\infra.dll
c:\program files\ThinkVantage Fingerprint Software\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\ThinkVantage Fingerprint Software\homepass.dll
c:\program files\ThinkVantage Fingerprint Software\bio.dll
c:\program files\ThinkVantage Fingerprint Software\remote.dll
c:\windows\system32\tphklock.dll
c:\program files\Lenovo\AwayTask\AwayNotify.dll
c:\windows\system32\msacm32.drv
.
- - - - - - - > 'explorer.exe'(3860)
c:\windows\system32\PROCHLP.DLL
c:\windows\system32\ieframe.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\IPSSVC.EXE
c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
c:\program files\ThinkPad\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdlcoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
c:\windows\System32\TPHDEXLG.EXE
c:\windows\system32\TpKmpSVC.exe
c:\program files\Lenovo\Client Security Solution\tvttcsd.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\progra~1\ThinkPad\BLUETO~1\BTSTAC~1.EXE
c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe
c:\program files\Lenovo\Rescue and Recovery\ADM\IUService.exe
c:\program files\lance temp\ZuneBusEnum.exe
c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe
c:\windows\system32\CCM\CcmExec.exe
c:\program files\lenovo\system update\suservice.exe
c:\program files\Common Files\Lenovo\Logger\logmon.exe
c:\windows\system32\msiexec.exe
c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
.
**************************************************************************
.
Completion time: 2011-07-18 22:58:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-19 03:58
ComboFix2.txt 2011-07-17 03:56
ComboFix3.txt 2011-07-14 04:24
.
Pre-Run: 43,903,934,464 bytes free
Post-Run: 43,905,921,024 bytes free
.
- - End Of File - - D8E3B3E944E0D8150EE356B1D46DE28D

These logs are looking alot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Adobe Reader 7.0
J2SE Runtime Environment 5.0 Update 6
Java™ SE Runtime Environment 6 Update 1


and click on remove

Update Adobe Reader

Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.


If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be carefull not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel

• click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  
• An update should begin;
  
• follow the prompts

Clear your Java Cache

• click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
  
  • On the General tab, under Temporary Internet Files, click the Settings button.
    
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    Applications and Applets
    Trace and Log Files
    
    
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    
  • Click OK to leave the Temporary Files Window
    
  • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):

• Please download TFC to your desktop,
  
• Save any unsaved work. TFC will close all open application windows.
  
• Double-click TFC.exe to run the program.
  
• If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM


• Double-click mbam icon
  
• go to the update tab at the top
  
• click on check for updates
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
  • If you accidently close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

• Go Here to download HijackThis Installer
  
• Save HijackThis Installer to your desktop.
  
• Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
  
• Once installed it will launch Hijackthis.
  
• Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  
• Come back here to this thread and Paste the log in your next reply.
  
• DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"

In your next post I need the following


• Log From MBAM
  
• report from Hijackthis
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7196

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/19/2011 2:12:55 AM
mbam-log-2011-07-19 (02-12-55).txt

Scan type: Quick scan
Objects scanned: 192087
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:18:00 AM, on 7/19/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
c:\Program Files\lance temp\ZuneBusEnum.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcsk12.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net/?fr=fp-att
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O3 - Toolbar: att.net Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BellSouthWCC_McciTrayApp] C:\Program Files\BellSouthWCC\McciTrayApp.exe
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\lance temp\ZuneLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Belkin Wireless Networking Utility.lnk = ?
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://avery1.mcsk12.net/iNotes6W.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mcsk12.net
O17 - HKLM\Software\..\Telephony: DomainName = mcsk12.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mcsk12.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mcsk12.net
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mcsk12.net
O20 - Winlogon Notify: AwayNotify - C:\Program Files\Lenovo\AwayTask\AwayNotify.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate1c987f5ee2c1b18) (gupdate1c987f5ee2c1b18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lmab_device - - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: lxdl_device - - C:\WINDOWS\system32\lxdlcoms.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\program files\lenovo\system update\suservice.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: tvtnetwk - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\ADM\IUService.exe

--
End of file - 9597 bytes

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded startup entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

• Run HijackThis
  
• Click on the Scan button
  
• Put a check beside all of the items listed below (if present):
  
  
  O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\lance temp\ZuneLauncher.exe"
  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
  O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
  O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
  O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
  
  
  
  
• Close all open windows and browsers/email, etc...
  
• Click on the "Fix Checked" button
  
• When completed, close the application.
  
  
  NOTE**You can research each of those lines >here< and see if you want to keep them or not
  just copy the name between the brakets and paste into the search space
  O4 - HKLM\..\Run: [IntelliPoint]

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scannner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  
  • Click Start
• When asked, allow the activex control to install
  
  • Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  
• Click on Advanced Settings, ensure the options
  
  Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
  
• Wait for the scan to finish
  
• Click on copy to clipboard and paste the results here in this topic
  
• you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6528
# api_version=3.0.2
# EOSSerial=d1043a8c9a7349459163efd56f75d3cf
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2011-07-19 09:29:11
# local_time=2011-07-19 04:29:11 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 1205951 1205951 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 0 9 46009563 78447316 0 0
# scanned=89184
# found=0
# cleaned=0
# scan_time=4977

Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK

Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

• turn off all active protection software
  
• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  
• please copy and past the following into the box ComboFix /Uninstall and click OK.
  
• Note the space between the X and the /Uninstall, it needs to be there.
  
• 

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it by yourself.
  
• If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialise and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

• WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  
  
• Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  
  
• Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Gringo

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.