BleepingComputer.com: Win32/Sirefef.N Infestation

My desktop became infected with the Win32/Sirefef.N virus (and possibly others) several days ago. I have tried various tools to diagnose and remove it without much success.

MS Security Essentials identifies the problem as Win32/Sirefef.N but then gives me a message that it " ... could not apply the action(s) you selected" which was to clean the computer of the problems it found.

Malwarebytes also detected several "threats" and was told to clean them. Although it appeared to clean the PC, I left it running and Malwarebytes is constantly popping up Anti-Malware messages that say "Successfully blocked access to a potentially malicious website: xxx.xx.xx.xxx

MicroTrend also behaves the same.

Search redirects are sporadic. Occassionally, a new Internet Explorer window will open up with an odd, invalid URL. I can close the window but, of course, it will reappear shortly.

NB: I had to ZIP the Attach.txt file - it was too large to attach as a txt file

==============================
DDS.txt follows:
==============================
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_17
Run by GBostwick at 11:23:03 on 2012-01-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2235 [GMT -6:00]
.
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {EDF01CE5-9644-497B-800D-7214B537236B}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AClient\AClient.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Java\jre1.6.0_07\bin\javaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AClient\AClntUsr.EXE
C:\RightFax87Client\Client\English\FaxCtrl.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NRG-PC-Info\Bginfo.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\GBostwick\Desktop\gmer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\ping.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msfeedssync.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://insider
mSearchAssistant = hxxp://www.google.com/ie
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 6\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Lync Browser Helper: {31d09ba0-12f5-4cce-be8a-2923e76605da} - c:\program files\microsoft lync\OCHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - c:\program files\translatorbar_3.2\prxtbTra2.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 6\SnagItIEAddin.dll
TB: TranslatorBar 3.2 Toolbar: {c55f5517-246e-4426-b745-ee25b08eb8b4} - c:\program files\translatorbar_3.2\prxtbTra2.dll
TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AClntUsr] c:\program files\aclient\AClntUsr.EXE
mRun: [AeXAgentLogon] c:\program files\altiris\altiris agent\AeXAgentActivate.exe /logon
mRun: [Communicator] "c:\program files\microsoft lync\communicator.exe" /fromrunkey
mRun: [RightFAX Print-to-Fax Driver] c:\rightfax87client\client\english\FaxCtrl.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\config~1.lnk - c:\program files\nrg-pc-info\Bginfo.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - c:\program files\informatik\xprint\xPrintFileWatcher.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - c:\program files\microsoft lync\OCHelper.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: ariba.com
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276083774407
DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom.personix.com/eRoomSetup/client.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect114a.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} - hxxp://webts/msrdp.cab
DPF: {BAACAF97-A065-46F0-BB6F-C8EDD4C00761} - hxxps://hou2.personix.com/COM/MOVEitUploadWizard3.1.7.ocx
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 10.40.215.18 10.19.215.200
TCP: Interfaces\{FE9F700F-1E76-4259-874F-E15CE619FDF3} : DhcpNameServer = 10.40.215.18 10.19.215.200
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: PCANotify - PCANotify.dll
AppInit_DLLs: AMINIT32.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\wmactedp.inf,PerUserStub
.
============= SERVICES / DRIVERS ===============
.
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2007-3-30 18232]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2007-3-30 17848]
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [2007-5-29 9216]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl200cd98c;MpKsl200cd98c;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b30e4fb7-0616-4e95-888f-c0940b60e804}\MpKsl200cd98c.sys [2012-1-9 29904]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
R2 awhost32;Symantec pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2011-1-6 142224]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2011-3-21 12184]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-5 652872]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-3-6 51792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-1-5 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-2-16 136176]
S2 QsRUMAgent;Quest Migration Manager RUM Agent Service;c:\windows\quest resource updating agent\QsResourceUpdatingAgent.exe [2010-2-18 180224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-2-16 136176]
S3 OracleOra9ClientCache;OracleOra9ClientCache;c:\oracle\ora9i\bin\ONRSD.EXE [2002-4-26 242328]
.
=============== Created Last 30 ================
.
2012-01-09 19:29:31 -------- d-----w- c:\documents and settings\gbostwick\local settings\application data\Temp
2012-01-09 13:57:17 -------- d-----w- c:\documents and settings\gbostwick\application data\Helios
2012-01-09 13:51:12 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b30e4fb7-0616-4e95-888f-c0940b60e804}\MpKsl200cd98c.sys
2012-01-09 13:51:09 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b30e4fb7-0616-4e95-888f-c0940b60e804}\offreg.dll
2012-01-09 13:26:19 -------- d-----w- c:\documents and settings\gbostwick\application data\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
2012-01-09 13:00:38 -------- d-----w- c:\documents and settings\gbostwick\application data\Malwarebytes
2012-01-09 12:01:42 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-01-09 12:00:53 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b30e4fb7-0616-4e95-888f-c0940b60e804}\mpengine.dll
2012-01-09 11:55:59 -------- d-----w- c:\documents and settings\gbostwick\local settings\application data\Help
2012-01-05 21:44:32 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-05 21:44:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-05 19:57:59 -------- d-sh--w- c:\documents and settings\gbostwick\IECompatCache
2012-01-05 13:12:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-05 13:12:47 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-01-05 13:11:20 -------- d-----w- c:\documents and settings\gbostwick\application data\RCP 6
2012-01-05 13:10:55 16409960 ----a-w- C:\Spybot_Search_&_Destroy_v.1.6.2.exe
2012-01-04 21:29:27 53248 ----a-r- c:\documents and settings\gbostwick\application data\microsoft\installer\{3ee9bcae-e9a9-45e5-9b1c-83a4d357e05c}\ARPPRODUCTICON.exe
2012-01-04 20:29:10 -------- d-----w- c:\documents and settings\gbostwick\local settings\application data\Logishrd
2012-01-04 20:25:11 -------- d-----w- c:\documents and settings\gbostwick\application data\Logishrd
2012-01-04 16:54:56 -------- d-----w- c:\documents and settings\gbostwick\application data\GlarySoft
2012-01-04 16:50:32 -------- d-----w- c:\documents and settings\gbostwick\local settings\application data\Conduit
2012-01-04 16:50:29 -------- d-sh--w- c:\documents and settings\gbostwick\PrivacIE
2012-01-04 16:50:27 -------- d-----w- c:\documents and settings\gbostwick\local settings\application data\TranslatorBar_3.2
2012-01-04 16:50:26 -------- d-----w- c:\documents and settings\gbostwick\local settings\application data\ConduitEngine
2012-01-04 14:13:45 -------- d-----w- c:\documents and settings\gbostwick\Documentum
2012-01-04 13:51:08 -------- d-----w- c:\documents and settings\gbostwick\Lync Recordings
2012-01-04 13:29:19 -------- d-----w- c:\documents and settings\gbostwick\Tracing
2012-01-04 13:28:26 -------- d-----w- c:\documents and settings\gbostwick\local settings\application data\Apple Computer
2012-01-03 23:22:14 11264 ----a-w- c:\windows\DCEBoot.exe
2012-01-03 17:45:48 222080 ------w- c:\windows\system32\MpSigStub.exe
2012-01-03 17:43:24 -------- d-----w- c:\program files\Microsoft Security Client
2011-12-28 13:28:43 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-21 17:00:47 -------- d-----w- c:\program files\Glary Utilities
.
==================== Find3M ====================
.
2012-01-10 14:30:44 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2011-11-29 16:20:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 11:23:25.08 ===============

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.
  
• Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Gringo,
Thanks for the quick response.
As instructed, I downloaded and ran ComboFix.
It's first attempt to automatically reboot immediately followed a message "Detected rootkit virus and attemting a reboot" left me with a "Windows is shutting down" dialog box that sat there for 45 minutes with no disk activity or any other sign of life. I forced a power off and rebooted.
It eventually rebooted but I was left with absolutely no network/internet capability whatsoever! I looked around and all settings appeared normal but no connectivity. Went to another PC and Googled a few things. Best match was a suggestion to power down and run ComboFix again and do that as many times as mecessary.
After the third cycle, voila! I've got my network capabilities back again. I've run a Security Essentials scan and a Malwarebytes scan without incident so I've turned Security Essentials back on.

I saved the 1st ComboFix log - let me know if you'd like to see it.
Following is the last ComboFix log created:
===========================================================
ComboFix 12-01-10.02 - GBostwick 01/11/2012 15:11:07.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2877 [GMT -6:00]
Running from: c:\documents and settings\GBostwick\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {EDF01CE5-9644-497B-800D-7214B537236B}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled* {070D0F5A-A24D-4414-A797-3C95D0A64376}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled* {2DE0BFB8-A014-4F5C-8464-B2DA47676A12}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\ipsec.sys was missing
Restored copy from - c:\windows\system32\dllcache\ipsec.sys
.
.
((((((((((((((((((((((((( Files Created from 2011-12-11 to 2012-01-11 )))))))))))))))))))))))))))))))
.
.
2012-01-11 21:25 . 2012-01-11 21:25 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{39F7BD24-31B9-4D5C-AEFE-3394EDDE36DC}\offreg.dll
2012-01-11 21:24 . 2008-04-14 05:49 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-01-11 21:24 . 2008-04-14 05:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-01-11 17:55 . 2012-01-11 17:55 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\PCHealth
2012-01-11 13:30 . 2011-11-30 08:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{39F7BD24-31B9-4D5C-AEFE-3394EDDE36DC}\mpengine.dll
2012-01-11 13:19 . 2012-01-11 13:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-09 19:29 . 2012-01-09 19:29 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Temp
2012-01-09 13:57 . 2012-01-09 13:57 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Helios
2012-01-09 13:26 . 2012-01-09 13:26 -------- d-----w- c:\documents and settings\gbostwick\Application Data\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
2012-01-09 13:00 . 2012-01-09 13:00 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Malwarebytes
2012-01-09 12:01 . 2011-11-30 08:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-09 11:55 . 2012-01-09 11:55 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Help
2012-01-05 21:44 . 2012-01-09 13:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-05 21:44 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-05 20:42 . 2012-01-05 20:42 -------- d-----w- c:\documents and settings\Administrator\Tracing
2012-01-05 20:42 . 2012-01-05 20:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2012-01-05 20:42 . 2012-01-05 20:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2012-01-05 19:57 . 2012-01-05 19:57 -------- d-sh--w- c:\documents and settings\GBostwick\IECompatCache
2012-01-05 13:12 . 2012-01-05 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-05 13:12 . 2012-01-05 13:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-05 13:12 . 2012-01-05 13:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-01-05 13:11 . 2012-01-05 13:11 -------- d-----w- c:\documents and settings\gbostwick\Application Data\RCP 6
2012-01-05 13:10 . 2009-07-22 13:05 16409960 ----a-w- C:\Spybot_Search_&_Destroy_v.1.6.2.exe
2012-01-04 21:29 . 2012-01-04 21:29 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Leadertech
2012-01-04 20:29 . 2012-01-04 20:29 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Logishrd
2012-01-04 20:25 . 2012-01-04 20:25 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Logishrd
2012-01-04 16:54 . 2012-01-04 16:54 -------- d-----w- c:\documents and settings\gbostwick\Application Data\GlarySoft
2012-01-04 16:50 . 2012-01-04 16:50 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Conduit
2012-01-04 16:50 . 2012-01-04 16:50 -------- d-sh--w- c:\documents and settings\GBostwick\PrivacIE
2012-01-04 16:50 . 2012-01-04 16:50 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\TranslatorBar_3.2
2012-01-04 14:13 . 2012-01-04 14:15 -------- d-----w- c:\documents and settings\GBostwick\Documentum
2012-01-04 13:51 . 2012-01-04 13:51 -------- d-----w- c:\documents and settings\GBostwick\Lync Recordings
2012-01-04 13:29 . 2012-01-11 21:29 -------- d-----w- c:\documents and settings\GBostwick\Tracing
2012-01-04 13:28 . 2012-01-04 20:25 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Logitech
2012-01-04 13:28 . 2012-01-04 13:28 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Apple Computer
2012-01-03 23:22 . 2012-01-03 23:30 11264 ----a-w- c:\windows\DCEBoot.exe
2012-01-03 17:45 . 2011-11-15 20:29 222080 ------w- c:\windows\system32\MpSigStub.exe
2012-01-03 17:43 . 2012-01-03 17:44 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-03 17:37 . 2012-01-03 17:38 -------- d-----w- c:\documents and settings\mstoval1
2011-12-30 11:53 . 2011-12-30 11:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-28 13:28 . 2011-12-28 13:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-28 13:16 . 2011-12-29 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-12-21 17:00 . 2012-01-03 12:08 -------- d-----w- c:\program files\Glary Utilities
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-11 21:27 . 2005-07-13 19:16 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2011-11-29 16:20 . 2011-05-17 18:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2004-12-09 18:50 . 2005-11-03 15:25 57344 ------w- c:\program files\internet explorer\plugins\FTDWSER.DLL
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-11_13.01.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-11 21:26 . 2012-01-11 21:26 16384 c:\windows\Temp\Perflib_Perfdata_e8.dat
+ 2012-01-11 21:26 . 2012-01-11 21:26 16384 c:\windows\Temp\Perflib_Perfdata_78c.dat
+ 2012-01-11 21:28 . 2012-01-11 21:28 53248 c:\windows\Temp\catchme.dll
+ 2012-01-11 21:27 . 2012-01-11 21:27 73058 c:\windows\Temp\alsmb.exe
+ 2004-08-04 12:00 . 2012-01-11 21:32 97128 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2012-01-05 21:41 97128 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2012-01-05 21:41 512820 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2012-01-11 21:32 512820 c:\windows\system32\perfh009.dat
+ 2005-12-01 19:36 . 2012-01-11 21:28 238120 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
2011-01-17 14:54 175912 ----a-w- c:\program files\TranslatorBar_3.2\prxtbTra2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c55f5517-246e-4426-b745-ee25b08eb8b4}"= "c:\program files\TranslatorBar_3.2\prxtbTra2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AClntUsr"="c:\program files\AClient\AClntUsr.EXE" [2010-04-12 184320]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2011-02-26 228696]
"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2010-10-22 11937552]
"RightFAX Print-to-Fax Driver"="c:\rightfax87client\Client\English\FaxCtrl.exe" [2004-01-18 110592]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2008-05-05 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
outlook.bat [2005-7-15 108]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
.
c:\documents and settings\gmelik\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
.
c:\documents and settings\jlanglois\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\jnettles\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\jtamayo\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
.
c:\documents and settings\Ktong1\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
.
c:\documents and settings\mfletcher30\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
Outlook with Self Delete.vbs [2007-8-3 1414]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\mstoval1\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
.
c:\documents and settings\questsvc\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
Outlook with Self Delete.vbs [2007-8-3 1414]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\sfalcone\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\SGerdes\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\Svcaltirisma.retail\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
Outlook with Self Delete.vbs [2007-8-3 1414]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\twinans\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\amigration.services\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
outlook.bat [2005-7-15 108]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\bhoward\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
outlook.bat [2005-7-15 108]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\cmoss\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
.
c:\documents and settings\elopez30\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
config_taskbar.lnk - c:\program files\NRG-PC-Info\Bginfo.exe [2010-8-21 844648]
shortcut_xprint.lnk - c:\program files\Informatik\xPrint\xPrintFileWatcher.exe [N/A]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
Outlook with Self Delete.vbs [2007-8-3 1414]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2011-01-06 20:04 18832 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\AMInit32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3477516186-3207770243-1980310034-12955\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3477516186-3207770243-1980310034-26385\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3477516186-3207770243-1980310034-31291\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-10047\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-10188\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-10190\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-21235\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-24195\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-2990\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-2996\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-36059\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-3765\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-47435\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-47701\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-70550\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-70701\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-74556\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-76339\Scripts\Logon\0\0]
"Script"=new_StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-77176\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-93409\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-9670\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Autoexec.bat]
backup=c:\windows\pss\Autoexec.batCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Citrix XenApp.lnk]
backup=c:\windows\pss\Citrix XenApp.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^allowedSitesWinXPSP2perUser.vbs]
backup=c:\windows\pss\allowedSitesWinXPSP2perUser.vbsStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^EarthDesk.lnk]
backup=c:\windows\pss\EarthDesk.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^No_Screen_Saver_Script.vbs.lnk]
backup=c:\windows\pss\No_Screen_Saver_Script.vbs.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^Shortcut to StockTick.lnk]
backup=c:\windows\pss\Shortcut to StockTick.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^TextPad.lnk]
backup=c:\windows\pss\TextPad.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-23 01:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OLPSYNCH]
2008-02-19 09:00 42288 ----a-w- c:\program files\Offline Course Player\OlpSynch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MvWebServer"=2 (0x2)
"MvServer"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\aclient\\AClntUsr.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [5/29/2007 5:55 PM 9216]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [3/21/2011 6:20 AM 12184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/5/2012 3:44 PM 652872]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/6/2010 7:44 AM 51792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/5/2012 3:44 PM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2011 8:15 AM 136176]
S2 QsRUMAgent;Quest Migration Manager RUM Agent Service;c:\windows\Quest Resource Updating Agent\QsResourceUpdatingAgent.exe [2/18/2010 11:33 AM 180224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2011 8:15 AM 136176]
S3 OracleOra9ClientCache;OracleOra9ClientCache;c:\oracle\Ora9i\bin\ONRSD.EXE [4/26/2002 7:34 PM 242328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-11 c:\windows\Tasks\At1.job
- c:\officescan nt\TrendMicro.vbs [2005-10-10 16:45]
.
2012-01-11 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 21:39]
.
2012-01-11 c:\windows\Tasks\User_Feed_Synchronization-{997CD47B-E935-44CA-9002-DE2EBAC93CC9}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
2012-01-11 c:\windows\Tasks\User_Feed_Synchronization-{E8F8D51F-3C24-4F39-A806-DA874B8D7E0A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://insider
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ariba.com
TCP: DhcpNameServer = 10.40.215.18 10.19.215.200
DPF: {BAACAF97-A065-46F0-BB6F-C8EDD4C00761} - hxxps://hou2.personix.com/COM/MOVEitUploadWizard3.1.7.ocx
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-11 15:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\PCANotify.dll
.
- - - - - - - > 'lsass.exe'(708)
c:\program files\Bonjour\mdnsNSP.dll
.
- - - - - - - > 'explorer.exe'(3060)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Hummingbird\Connectivity\7.00\HostExplorer\Ftp\HESHELL.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\AClient\AClient.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\pcAnywhere\awhost32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\ccsrvc.exe
c:\program files\Altiris\Carbon Copy\shellker.exe
c:\windows\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\windows\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
c:\windows\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
c:\program files\Java\jre1.6.0_07\bin\javaw.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\msiexec.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
c:\program files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
c:\program files\Citrix\ICA Client\ssonsvr.exe
c:\program files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
c:\program files\Seagate Software\WCS\WebCompServer.exe
c:\progra~1\Altiris\CARBON~1\client.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2012-01-11 15:36:04 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-11 21:36
ComboFix2.txt 2012-01-11 13:07
.
Pre-Run: 111,172,939,776 bytes free
Post-Run: 111,197,564,928 bytes free
.
- - End Of File - - 2C7A3F4007F0324E8863359A60510AFE

Greetings

Good That cleaned up some bad guys but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

 ClearJavaCache:: 

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

"information and logs"

In your next post I need the following


• report from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now after running the script?

Gringo

No problems running ComboFix again as instructed.
Just prior to running ComboFix, MS Security Essentials completed a full scan and still reports the Win32/Sirefef.N virus exists.
I've restarted MAlwareBytes again and will report any new alerts

======================== COMBOFIX LOG ===============================
ComboFix 12-01-12.04 - GBostwick 01/12/2012 13:27:21.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2844 [GMT -6:00]
Running from: c:\documents and settings\GBostwick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\GBostwick\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {EDF01CE5-9644-497B-800D-7214B537236B}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled* {070D0F5A-A24D-4414-A797-3C95D0A64376}
FW: Trend Micro OfficeScan Enterprise Client Firewall *Disabled* {2DE0BFB8-A014-4F5C-8464-B2DA47676A12}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-12 to 2012-01-12 )))))))))))))))))))))))))))))))
.
.
2012-01-12 18:26 . 2012-01-12 18:26 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1F78BF60-AE22-41BD-B65D-B23CDE78EB05}\offreg.dll
2012-01-12 12:01 . 2011-11-30 08:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1F78BF60-AE22-41BD-B65D-B23CDE78EB05}\mpengine.dll
2012-01-11 21:24 . 2008-04-14 05:49 75264 -c--a-w- c:\windows\system32\dllcache\ipsec.sys
2012-01-11 21:24 . 2008-04-14 05:49 75264 ----a-w- c:\windows\system32\drivers\ipsec.sys
2012-01-11 17:55 . 2012-01-11 17:55 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\PCHealth
2012-01-11 13:19 . 2012-01-11 13:19 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-09 19:29 . 2012-01-09 19:29 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Temp
2012-01-09 13:57 . 2012-01-09 13:57 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Helios
2012-01-09 13:26 . 2012-01-09 13:26 -------- d-----w- c:\documents and settings\gbostwick\Application Data\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
2012-01-09 13:00 . 2012-01-09 13:00 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Malwarebytes
2012-01-09 12:01 . 2011-11-30 08:21 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-09 11:55 . 2012-01-09 11:55 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Help
2012-01-05 21:44 . 2012-01-09 13:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-05 21:44 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-05 20:42 . 2012-01-05 20:42 -------- d-----w- c:\documents and settings\Administrator\Tracing
2012-01-05 20:42 . 2012-01-05 20:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2012-01-05 20:42 . 2012-01-05 20:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer
2012-01-05 19:57 . 2012-01-05 19:57 -------- d-sh--w- c:\documents and settings\GBostwick\IECompatCache
2012-01-05 13:12 . 2012-01-05 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-05 13:12 . 2012-01-05 13:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-01-05 13:12 . 2012-01-05 13:12 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2012-01-05 13:11 . 2012-01-05 13:11 -------- d-----w- c:\documents and settings\gbostwick\Application Data\RCP 6
2012-01-05 13:10 . 2009-07-22 13:05 16409960 ----a-w- C:\Spybot_Search_&_Destroy_v.1.6.2.exe
2012-01-04 21:29 . 2012-01-04 21:29 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Leadertech
2012-01-04 20:29 . 2012-01-04 20:29 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Logishrd
2012-01-04 20:25 . 2012-01-04 20:25 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Logishrd
2012-01-04 16:54 . 2012-01-04 16:54 -------- d-----w- c:\documents and settings\gbostwick\Application Data\GlarySoft
2012-01-04 16:50 . 2012-01-04 16:50 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Conduit
2012-01-04 16:50 . 2012-01-04 16:50 -------- d-sh--w- c:\documents and settings\GBostwick\PrivacIE
2012-01-04 16:50 . 2012-01-04 16:50 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\TranslatorBar_3.2
2012-01-04 14:13 . 2012-01-04 14:15 -------- d-----w- c:\documents and settings\GBostwick\Documentum
2012-01-04 13:51 . 2012-01-04 13:51 -------- d-----w- c:\documents and settings\GBostwick\Lync Recordings
2012-01-04 13:29 . 2012-01-12 15:49 -------- d-----w- c:\documents and settings\GBostwick\Tracing
2012-01-04 13:28 . 2012-01-04 20:25 -------- d-----w- c:\documents and settings\gbostwick\Application Data\Logitech
2012-01-04 13:28 . 2012-01-04 13:28 -------- d-----w- c:\documents and settings\gbostwick\Local Settings\Application Data\Apple Computer
2012-01-03 23:22 . 2012-01-03 23:30 11264 ----a-w- c:\windows\DCEBoot.exe
2012-01-03 17:45 . 2010-10-19 20:51 222080 ------w- c:\windows\system32\MpSigStub.exe
2012-01-03 17:43 . 2012-01-03 17:44 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-03 17:37 . 2012-01-03 17:38 -------- d-----w- c:\documents and settings\mstoval1
2011-12-30 11:53 . 2011-12-30 11:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2011-12-28 13:28 . 2011-12-28 13:28 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-28 13:16 . 2011-12-29 13:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-12-21 17:00 . 2012-01-03 12:08 -------- d-----w- c:\program files\Glary Utilities
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-12 18:28 . 2005-07-13 19:16 2401 ----a-w- c:\windows\system32\drivers\AlKernel.sys
2011-11-29 16:20 . 2011-05-17 18:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2004-12-09 18:50 . 2005-11-03 15:25 57344 ------w- c:\program files\internet explorer\plugins\FTDWSER.DLL
.
.
((((((((((((((((((((((((((((( SnapShot@2012-01-11_13.01.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-01-12 18:27 . 2012-01-12 18:27 16384 c:\windows\Temp\Perflib_Perfdata_c8.dat
+ 2012-01-12 18:26 . 2012-01-12 18:26 16384 c:\windows\Temp\Perflib_Perfdata_738.dat
+ 2012-01-12 19:40 . 2012-01-12 19:40 53248 c:\windows\Temp\catchme.dll
+ 2004-08-04 12:00 . 2012-01-12 15:46 97128 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2012-01-05 21:41 97128 c:\windows\system32\perfc009.dat
+ 2012-01-12 15:44 . 2012-01-12 15:44 35448 c:\windows\assembly\GAC\Microsoft.Office.Interop.OutlookViewCtl\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.OutlookViewCtl.dll
- 2004-08-04 12:00 . 2012-01-05 21:41 512820 c:\windows\system32\perfh009.dat
+ 2004-08-04 12:00 . 2012-01-12 15:46 512820 c:\windows\system32\perfh009.dat
+ 2005-12-01 19:36 . 2012-01-12 18:28 238120 c:\windows\system32\inetsrv\MetaBase.bin
+ 2012-01-12 15:44 . 2012-01-12 15:44 408176 c:\windows\assembly\GAC\Microsoft.Office.Interop.Outlook\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Outlook.dll
+ 2005-07-12 13:48 . 2012-01-12 18:27 1772944 c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
2011-01-17 14:54 175912 ----a-w- c:\program files\TranslatorBar_3.2\prxtbTra2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{c55f5517-246e-4426-b745-ee25b08eb8b4}"= "c:\program files\TranslatorBar_3.2\prxtbTra2.dll" [2011-01-17 175912]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-01-17 175912]
.
[HKEY_CLASSES_ROOT\clsid\{c55f5517-246e-4426-b745-ee25b08eb8b4}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AClntUsr"="c:\program files\AClient\AClntUsr.EXE" [2010-04-12 184320]
"AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2011-02-26 228696]
"Communicator"="c:\program files\Microsoft Lync\communicator.exe" [2010-10-22 11937552]
"RightFAX Print-to-Fax Driver"="c:\rightfax87client\Client\English\FaxCtrl.exe" [2004-01-18 110592]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2008-05-05 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
outlook.bat [2005-7-15 108]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
.
c:\documents and settings\gmelik\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
.
c:\documents and settings\jlanglois\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\jnettles\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\jtamayo\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
.
c:\documents and settings\Ktong1\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
.
c:\documents and settings\mfletcher30\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
Outlook with Self Delete.vbs [2007-8-3 1414]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\mstoval1\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
.
c:\documents and settings\questsvc\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
Outlook with Self Delete.vbs [2007-8-3 1414]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\sfalcone\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\SGerdes\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\Svcaltirisma.retail\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
Outlook with Self Delete.vbs [2007-8-3 1414]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\twinans\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\amigration.services\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
outlook.bat [2005-7-15 108]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\bhoward\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
outlook.bat [2005-7-15 108]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
c:\documents and settings\cmoss\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
.
c:\documents and settings\elopez30\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
config_taskbar.lnk - c:\program files\NRG-PC-Info\Bginfo.exe [2010-8-21 844648]
shortcut_xprint.lnk - c:\program files\Informatik\xPrint\xPrintFileWatcher.exe [N/A]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
allowedSitesWinXPSP2perUser.vbs [2008-5-13 1855]
Outlook with Self Delete.vbs [2007-8-3 1414]
SAPLogon_ViewWidth_Fix.vbs [2011-3-3 799]
SetHomepage.vbs [2009-7-8 1049]
TraderCertperUser.vbs [2008-6-26 1655]
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2011-01-06 20:04 18832 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\AMInit32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3477516186-3207770243-1980310034-12955\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3477516186-3207770243-1980310034-26385\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3477516186-3207770243-1980310034-31291\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-10047\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-10188\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-10190\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-21235\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-24195\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-2990\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-2996\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-36059\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-3765\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-47435\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-47701\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-70550\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-70701\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-74556\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-76339\Scripts\Logon\0\0]
"Script"=new_StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-77176\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-93409\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-436374069-1343024091-1801674531-9670\Scripts\Logon\0\0]
"Script"=StandardDrives.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Autoexec.bat]
backup=c:\windows\pss\Autoexec.batCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Citrix XenApp.lnk]
backup=c:\windows\pss\Citrix XenApp.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^allowedSitesWinXPSP2perUser.vbs]
backup=c:\windows\pss\allowedSitesWinXPSP2perUser.vbsStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^EarthDesk.lnk]
backup=c:\windows\pss\EarthDesk.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^No_Screen_Saver_Script.vbs.lnk]
backup=c:\windows\pss\No_Screen_Saver_Script.vbs.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^Shortcut to StockTick.lnk]
backup=c:\windows\pss\Shortcut to StockTick.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^gbostwick^Start Menu^Programs^Startup^TextPad.lnk]
backup=c:\windows\pss\TextPad.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2008-07-23 01:42 116040 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OLPSYNCH]
2008-02-19 09:00 42288 ----a-w- c:\program files\Offline Course Player\OlpSynch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-08-10 10:15 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MvWebServer"=2 (0x2)
"MvServer"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\aclient\\AClntUsr.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Roxio\\Digital Home 9\\RoxioUPnPRenderer9.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 CCDevice;CCDevice;c:\windows\system32\drivers\CCDevice.sys [5/29/2007 5:55 PM 9216]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [3/21/2011 6:20 AM 12184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/5/2012 3:44 PM 652872]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [3/6/2010 7:44 AM 51792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/5/2012 3:44 PM 20464]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2011 8:15 AM 136176]
S2 QsRUMAgent;Quest Migration Manager RUM Agent Service;c:\windows\Quest Resource Updating Agent\QsResourceUpdatingAgent.exe [2/18/2010 11:33 AM 180224]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2011 8:15 AM 136176]
S3 OracleOra9ClientCache;OracleOra9ClientCache;c:\oracle\Ora9i\bin\ONRSD.EXE [4/26/2002 7:34 PM 242328]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2009-03-08 10:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-12 c:\windows\Tasks\At1.job
- c:\officescan nt\TrendMicro.vbs [2005-10-10 16:45]
.
2012-01-12 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 21:39]
.
2012-01-12 c:\windows\Tasks\User_Feed_Synchronization-{997CD47B-E935-44CA-9002-DE2EBAC93CC9}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
2012-01-12 c:\windows\Tasks\User_Feed_Synchronization-{E8F8D51F-3C24-4F39-A806-DA874B8D7E0A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://insider
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: ariba.com
TCP: DhcpNameServer = 10.40.215.18 10.19.215.200
DPF: {BAACAF97-A065-46F0-BB6F-C8EDD4C00761} - hxxps://hou2.personix.com/COM/MOVEitUploadWizard3.1.7.ocx
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-12 13:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_b427739.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(648)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\windows\system32\PCANotify.dll
.
- - - - - - - > 'lsass.exe'(704)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2012-01-12 13:42:23
ComboFix-quarantined-files.txt 2012-01-12 19:42
ComboFix2.txt 2012-01-11 21:36
ComboFix3.txt 2012-01-11 13:07
.
Pre-Run: 111,129,743,360 bytes free
Post-Run: 111,224,377,344 bytes free
.
- - End Of File - - 52275264595F1A7840A88C230648CBA7

Hello

Just prior to running ComboFix, MS Security Essentials completed a full scan and still reports the Win32/Sirefef.N virus exists.
Location is very important - next time you get the warning please tell me the lacation

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

Gringo,
The scan ran very quickly and found no threats.
No reboot was required.
Following is the report.

Regards,
Gene
-------------------------------------------------------------------------------------
14:57:41.0819 2988 TDSS rootkit removing tool 2.7.0.0 Jan 10 2012 09:14:26
14:57:42.0350 2988 ============================================================
14:57:42.0350 2988 Current date / time: 2012/01/12 14:57:42.0350
14:57:42.0350 2988 SystemInfo:
14:57:42.0350 2988
14:57:42.0350 2988 OS Version: 5.1.2600 ServicePack: 3.0
14:57:42.0350 2988 Product type: Workstation
14:57:42.0350 2988 ComputerName: GBOSTWICKPC2
14:57:42.0350 2988 UserName: GBostwick
14:57:42.0350 2988 Windows directory: C:\WINDOWS
14:57:42.0350 2988 System windows directory: C:\WINDOWS
14:57:42.0350 2988 Processor architecture: Intel x86
14:57:42.0350 2988 Number of processors: 1
14:57:42.0350 2988 Page size: 0x1000
14:57:42.0350 2988 Boot type: Normal boot
14:57:42.0350 2988 ============================================================
14:57:44.0133 2988 Drive \Device\Harddisk0\DR0 - Size: 0x2540BE4000, SectorSize: 0x200, Cylinders: 0x4BFC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
14:57:44.0213 2988 Initialize success
14:57:48.0459 1868 ============================================================
14:57:48.0459 1868 Scan started
14:57:48.0459 1868 Mode: Manual;
14:57:48.0459 1868 ============================================================
14:57:49.0851 1868 Abiosdsk - ok
14:57:49.0901 1868 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
14:57:49.0911 1868 abp480n5 - ok
14:57:50.0001 1868 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
14:57:50.0001 1868 ac97intc - ok
14:57:50.0081 1868 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:57:50.0081 1868 ACPI - ok
14:57:50.0171 1868 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
14:57:50.0171 1868 ACPIEC - ok
14:57:50.0271 1868 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
14:57:50.0281 1868 adpu160m - ok
14:57:50.0331 1868 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
14:57:50.0331 1868 aeaudio - ok
14:57:50.0382 1868 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
14:57:50.0382 1868 aec - ok
14:57:50.0512 1868 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
14:57:50.0512 1868 AFD - ok
14:57:50.0562 1868 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
14:57:50.0562 1868 agp440 - ok
14:57:50.0612 1868 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
14:57:50.0612 1868 agpCPQ - ok
14:57:50.0652 1868 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
14:57:50.0662 1868 Aha154x - ok
14:57:50.0702 1868 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
14:57:50.0702 1868 aic78u2 - ok
14:57:50.0752 1868 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
14:57:50.0752 1868 aic78xx - ok
14:57:50.0822 1868 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
14:57:50.0822 1868 AliIde - ok
14:57:50.0882 1868 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
14:57:50.0882 1868 alim1541 - ok
14:57:50.0962 1868 AlKernel (06112696a1b06692939cf087d1f1c84e) C:\WINDOWS\system32\Drivers\AlKernel.sys
14:57:50.0962 1868 AlKernel - ok
14:57:51.0012 1868 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
14:57:51.0012 1868 amdagp - ok
14:57:51.0063 1868 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
14:57:51.0063 1868 amsint - ok
14:57:51.0113 1868 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
14:57:51.0113 1868 asc - ok
14:57:51.0163 1868 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
14:57:51.0163 1868 asc3350p - ok
14:57:51.0213 1868 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
14:57:51.0213 1868 asc3550 - ok
14:57:51.0303 1868 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:57:51.0313 1868 AsyncMac - ok
14:57:51.0373 1868 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
14:57:51.0373 1868 atapi - ok
14:57:51.0413 1868 Atdisk - ok
14:57:51.0523 1868 ati2mtag (c82240ce60a9326e52282f62ba923f27) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:57:51.0523 1868 ati2mtag - ok
14:57:51.0603 1868 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:57:51.0603 1868 Atmarpc - ok
14:57:51.0693 1868 ATNT40K (a9a124c15b5f2fe1ffd1ea238bd5aeed) C:\WINDOWS\SYSTEM32\DRIVERS\ATNT40K.SYS
14:57:51.0693 1868 ATNT40K - ok
14:57:51.0814 1868 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
14:57:51.0814 1868 audstub - ok
14:57:51.0924 1868 awecho (6cf7a77dea4af43fd1907e9cdfd65f24) C:\WINDOWS\system32\drivers\awechomd.sys
14:57:51.0924 1868 awecho - ok
14:57:51.0974 1868 awlegacy (fcd631b75d01fecb673d52bfe87774ac) C:\WINDOWS\System32\Drivers\awlegacy.sys
14:57:51.0974 1868 awlegacy - ok
14:57:52.0014 1868 AW_HOST (be23b51d1af7ab948f883f864454393d) C:\WINDOWS\system32\drivers\aw_host5.sys
14:57:52.0014 1868 AW_HOST - ok
14:57:52.0074 1868 b57w2k (2acf06176b9d011567d7f25b83ddd066) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
14:57:52.0074 1868 b57w2k - ok
14:57:52.0184 1868 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
14:57:52.0184 1868 Beep - ok
14:57:52.0294 1868 catchme - ok
14:57:52.0384 1868 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
14:57:52.0384 1868 cbidf - ok
14:57:52.0434 1868 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
14:57:52.0434 1868 cbidf2k - ok
14:57:52.0515 1868 CCDevice (cf91ecc3de13ce765f9ab4b9b2b1970e) C:\WINDOWS\system32\drivers\CCDevice.sys
14:57:52.0515 1868 CCDevice - ok
14:57:52.0565 1868 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
14:57:52.0575 1868 cd20xrnt - ok
14:57:52.0625 1868 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
14:57:52.0625 1868 Cdaudio - ok
14:57:52.0715 1868 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
14:57:52.0715 1868 Cdfs - ok
14:57:52.0775 1868 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:57:52.0775 1868 Cdrom - ok
14:57:52.0815 1868 Changer - ok
14:57:52.0905 1868 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
14:57:52.0905 1868 CmBatt - ok
14:57:52.0965 1868 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
14:57:52.0965 1868 CmdIde - ok
14:57:53.0035 1868 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:57:53.0035 1868 Compbatt - ok
14:57:53.0115 1868 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
14:57:53.0115 1868 Cpqarray - ok
14:57:53.0176 1868 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
14:57:53.0176 1868 dac2w2k - ok
14:57:53.0206 1868 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
14:57:53.0206 1868 dac960nt - ok
14:57:53.0246 1868 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
14:57:53.0246 1868 Disk - ok
14:57:53.0336 1868 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
14:57:53.0366 1868 dmboot - ok
14:57:53.0426 1868 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
14:57:53.0426 1868 dmio - ok
14:57:53.0536 1868 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
14:57:53.0536 1868 dmload - ok
14:57:53.0596 1868 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
14:57:53.0596 1868 DMusic - ok
14:57:53.0636 1868 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
14:57:53.0636 1868 dpti2o - ok
14:57:53.0686 1868 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
14:57:53.0696 1868 drmkaud - ok
14:57:53.0766 1868 EL90XBC (6e883bf518296a40959131c2304af714) C:\WINDOWS\system32\DRIVERS\el90xbc5.sys
14:57:53.0766 1868 EL90XBC - ok
14:57:53.0826 1868 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
14:57:53.0837 1868 Fastfat - ok
14:57:53.0867 1868 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
14:57:53.0877 1868 Fdc - ok
14:57:53.0947 1868 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
14:57:53.0947 1868 Fips - ok
14:57:53.0987 1868 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
14:57:53.0987 1868 Flpydisk - ok
14:57:54.0027 1868 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:57:54.0027 1868 FltMgr - ok
14:57:54.0087 1868 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:57:54.0087 1868 Fs_Rec - ok
14:57:54.0147 1868 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:57:54.0157 1868 Ftdisk - ok
14:57:54.0207 1868 Gernuwa (b390bc5aa09f333c5d95be651c073564) C:\WINDOWS\system32\drivers\Gernuwa.sys
14:57:54.0217 1868 Gernuwa - ok
14:57:54.0297 1868 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:57:54.0297 1868 Gpc - ok
14:57:54.0417 1868 Hardlock (c1cc0c9742b881c42f1cc628e6f9ebd1) C:\WINDOWS\system32\drivers\hardlock.sys
14:57:54.0447 1868 Hardlock - ok
14:57:54.0528 1868 Haspnt (2dd25f060dc9f79b5cdf33d90ed93669) C:\WINDOWS\system32\drivers\Haspnt.sys
14:57:54.0528 1868 Haspnt - ok
14:57:54.0608 1868 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:57:54.0608 1868 HidUsb - ok
14:57:54.0678 1868 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
14:57:54.0678 1868 hpn - ok
14:57:54.0748 1868 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
14:57:54.0748 1868 HTTP - ok
14:57:54.0788 1868 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
14:57:54.0788 1868 i2omgmt - ok
14:57:54.0828 1868 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
14:57:54.0828 1868 i2omp - ok
14:57:54.0868 1868 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:57:54.0868 1868 i8042prt - ok
14:57:54.0918 1868 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:57:54.0918 1868 Imapi - ok
14:57:54.0958 1868 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
14:57:54.0958 1868 ini910u - ok
14:57:54.0998 1868 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:57:54.0998 1868 IntelIde - ok
14:57:55.0038 1868 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:57:55.0038 1868 intelppm - ok
14:57:55.0088 1868 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:57:55.0088 1868 Ip6Fw - ok
14:57:55.0158 1868 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:57:55.0158 1868 IpFilterDriver - ok
14:57:55.0229 1868 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:57:55.0229 1868 IpInIp - ok
14:57:55.0279 1868 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:57:55.0289 1868 IpNat - ok
14:57:55.0399 1868 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:57:55.0399 1868 IPSec - ok
14:57:55.0449 1868 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:57:55.0449 1868 IRENUM - ok
14:57:55.0499 1868 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:57:55.0499 1868 isapnp - ok
14:57:55.0559 1868 Jukebox3 (6c24d3878f44c271d94ea6cab1acd739) C:\WINDOWS\system32\DRIVERS\ctpdusb.sys
14:57:55.0559 1868 Jukebox3 - ok
14:57:55.0609 1868 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:57:55.0619 1868 Kbdclass - ok
14:57:55.0649 1868 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:57:55.0649 1868 kbdhid - ok
14:57:55.0689 1868 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:57:55.0689 1868 kmixer - ok
14:57:55.0729 1868 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
14:57:55.0739 1868 KSecDD - ok
14:57:55.0799 1868 L8042PR2 (0f8b7bf7097d1e8d78f2f52a2bea03cd) C:\WINDOWS\system32\Drivers\l8042pr2.sys
14:57:55.0799 1868 L8042PR2 - ok
14:57:55.0869 1868 LBeepKE (be2dc24d403643a2d1d98f33c7087b38) C:\WINDOWS\system32\Drivers\LBeepKE.sys
14:57:55.0869 1868 LBeepKE - ok
14:57:55.0909 1868 lbrtfdc - ok
14:57:55.0980 1868 LHidFlt2 (3c357dfdbbf2b4b01aa4b9c8a26e4416) C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys
14:57:55.0980 1868 LHidFlt2 - ok
14:57:56.0050 1868 LHidUsb (ffb851b1b2f6596b7d3182b977a85206) C:\WINDOWS\system32\Drivers\LHidUsb.Sys
14:57:56.0050 1868 LHidUsb - ok
14:57:56.0110 1868 LMouFlt2 (aef09673376a4d93c09e8341854f1bf4) C:\WINDOWS\system32\Drivers\LMouFlt2.sys
14:57:56.0110 1868 LMouFlt2 - ok
14:57:56.0150 1868 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
14:57:56.0150 1868 MBAMProtector - ok
14:57:56.0250 1868 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:57:56.0250 1868 mnmdd - ok
14:57:56.0290 1868 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:57:56.0290 1868 Modem - ok
14:57:56.0370 1868 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:57:56.0370 1868 Mouclass - ok
14:57:56.0410 1868 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:57:56.0410 1868 mouhid - ok
14:57:56.0450 1868 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:57:56.0450 1868 MountMgr - ok
14:57:56.0520 1868 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
14:57:56.0520 1868 MpFilter - ok
14:57:56.0610 1868 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
14:57:56.0610 1868 mraid35x - ok
14:57:56.0671 1868 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:57:56.0671 1868 MRxDAV - ok
14:57:56.0791 1868 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:57:56.0811 1868 MRxSmb - ok
14:57:56.0861 1868 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:57:56.0861 1868 Msfs - ok
14:57:56.0931 1868 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:57:56.0931 1868 MSKSSRV - ok
14:57:56.0971 1868 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:57:56.0971 1868 MSPCLOCK - ok
14:57:57.0021 1868 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:57:57.0021 1868 MSPQM - ok
14:57:57.0071 1868 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:57:57.0071 1868 mssmbios - ok
14:57:57.0131 1868 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:57:57.0131 1868 Mup - ok
14:57:57.0221 1868 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:57:57.0231 1868 NDIS - ok
14:57:57.0271 1868 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:57:57.0271 1868 NdisTapi - ok
14:57:57.0312 1868 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:57:57.0312 1868 Ndisuio - ok
14:57:57.0352 1868 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:57:57.0362 1868 NdisWan - ok
14:57:57.0442 1868 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:57:57.0452 1868 NDProxy - ok
14:57:57.0532 1868 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:57:57.0532 1868 NetBIOS - ok
14:57:57.0592 1868 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:57:57.0602 1868 NetBT - ok
14:57:57.0662 1868 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:57:57.0662 1868 Npfs - ok
14:57:57.0742 1868 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:57:57.0762 1868 Ntfs - ok
14:57:57.0852 1868 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:57:57.0852 1868 Null - ok
14:57:57.0912 1868 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:57:57.0912 1868 NwlnkFlt - ok
14:57:57.0952 1868 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:57:57.0962 1868 NwlnkFwd - ok
14:57:58.0003 1868 omci (b17228142cec9b3c222239fd935a37ca) C:\WINDOWS\system32\DRIVERS\omci.sys
14:57:58.0003 1868 omci - ok
14:57:58.0093 1868 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
14:57:58.0093 1868 P3 - ok
14:57:58.0143 1868 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:57:58.0143 1868 Parport - ok
14:57:58.0173 1868 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:57:58.0173 1868 PartMgr - ok
14:57:58.0213 1868 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:57:58.0213 1868 ParVdm - ok
14:57:58.0263 1868 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:57:58.0273 1868 PCI - ok
14:57:58.0313 1868 PCIDump - ok
14:57:58.0363 1868 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:57:58.0363 1868 PCIIde - ok
14:57:58.0423 1868 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
14:57:58.0423 1868 Pcmcia - ok
14:57:58.0463 1868 PDCOMP - ok
14:57:58.0493 1868 PDFRAME - ok
14:57:58.0533 1868 PDRELI - ok
14:57:58.0563 1868 PDRFRAME - ok
14:57:58.0623 1868 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
14:57:58.0623 1868 perc2 - ok
14:57:58.0663 1868 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
14:57:58.0663 1868 perc2hib - ok
14:57:58.0764 1868 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:57:58.0764 1868 PptpMiniport - ok
14:57:58.0834 1868 ProxyHostDriver (74ea56e4f33305ad0fe97b845fe3384b) C:\WINDOWS\system32\Drivers\phw2ksys.sys
14:57:58.0834 1868 ProxyHostDriver - ok
14:57:58.0874 1868 ProxyHostMirrorDisplay (88bb80efc69d8d63875b16b34288eaed) C:\WINDOWS\system32\Drivers\phmmini.sys
14:57:58.0874 1868 ProxyHostMirrorDisplay - ok
14:57:58.0914 1868 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:57:58.0914 1868 PSched - ok
14:57:58.0964 1868 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:57:58.0974 1868 Ptilink - ok
14:57:59.0024 1868 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
14:57:59.0034 1868 PxHelp20 - ok
14:57:59.0084 1868 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
14:57:59.0084 1868 ql1080 - ok
14:57:59.0114 1868 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
14:57:59.0114 1868 Ql10wnt - ok
14:57:59.0144 1868 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
14:57:59.0154 1868 ql12160 - ok
14:57:59.0194 1868 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
14:57:59.0194 1868 ql1240 - ok
14:57:59.0224 1868 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
14:57:59.0224 1868 ql1280 - ok
14:57:59.0264 1868 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:57:59.0264 1868 RasAcd - ok
14:57:59.0304 1868 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:57:59.0304 1868 Rasl2tp - ok
14:57:59.0384 1868 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:57:59.0384 1868 RasPppoe - ok
14:57:59.0415 1868 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:57:59.0415 1868 Raspti - ok
14:57:59.0455 1868 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:57:59.0465 1868 Rdbss - ok
14:57:59.0495 1868 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:57:59.0495 1868 RDPCDD - ok
14:57:59.0545 1868 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:57:59.0555 1868 rdpdr - ok
14:57:59.0605 1868 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
14:57:59.0605 1868 RDPWD - ok
14:57:59.0675 1868 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:57:59.0685 1868 redbook - ok
14:57:59.0755 1868 RimSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
14:57:59.0755 1868 RimSerPort - ok
14:57:59.0835 1868 RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\WINDOWS\system32\Drivers\RimUsb.sys
14:57:59.0835 1868 RimUsb - ok
14:57:59.0875 1868 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
14:57:59.0875 1868 RimVSerPort - ok
14:57:59.0925 1868 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
14:57:59.0925 1868 ROOTMODEM - ok
14:58:00.0035 1868 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:58:00.0035 1868 Secdrv - ok
14:58:00.0096 1868 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
14:58:00.0106 1868 serenum - ok
14:58:00.0146 1868 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
14:58:00.0146 1868 Serial - ok
14:58:00.0246 1868 sermouse (1f16931c722c69e4a7866244796c66a0) C:\WINDOWS\system32\DRIVERS\sermouse.sys
14:58:00.0246 1868 sermouse - ok
14:58:00.0316 1868 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:58:00.0316 1868 Sfloppy - ok
14:58:00.0356 1868 Simbad - ok
14:58:00.0396 1868 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
14:58:00.0406 1868 sisagp - ok
14:58:00.0526 1868 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys
14:58:00.0596 1868 smwdm - ok
14:58:00.0656 1868 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
14:58:00.0656 1868 Sparrow - ok
14:58:00.0746 1868 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:58:00.0746 1868 splitter - ok
14:58:00.0787 1868 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:58:00.0797 1868 sr - ok
14:58:00.0877 1868 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
14:58:00.0887 1868 Srv - ok
14:58:00.0957 1868 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:58:00.0957 1868 swenum - ok
14:58:00.0987 1868 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:58:00.0987 1868 swmidi - ok
14:58:01.0027 1868 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
14:58:01.0037 1868 symc810 - ok
14:58:01.0067 1868 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
14:58:01.0067 1868 symc8xx - ok
14:58:01.0097 1868 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
14:58:01.0097 1868 sym_hi - ok
14:58:01.0127 1868 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
14:58:01.0137 1868 sym_u3 - ok
14:58:01.0177 1868 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:58:01.0177 1868 sysaudio - ok
14:58:01.0257 1868 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:58:01.0277 1868 Tcpip - ok
14:58:01.0337 1868 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:58:01.0337 1868 TDPIPE - ok
14:58:01.0417 1868 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:58:01.0417 1868 TDTCP - ok
14:58:01.0467 1868 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:58:01.0467 1868 TermDD - ok
14:58:01.0578 1868 tmactmon (ca9e9c2c04a198ed345c1752222a5f3e) C:\WINDOWS\system32\drivers\tmactmon.sys
14:58:01.0578 1868 tmactmon - ok
14:58:01.0698 1868 tmcomm (a3d20789b3ff0576a29462bef25bcfcc) C:\WINDOWS\system32\drivers\tmcomm.sys
14:58:01.0698 1868 tmcomm - ok
14:58:01.0788 1868 tmevtmgr (21f215e54770c4bf93efaf63f58fe57e) C:\WINDOWS\system32\drivers\tmevtmgr.sys
14:58:01.0788 1868 tmevtmgr - ok
14:58:01.0868 1868 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
14:58:01.0868 1868 TosIde - ok
14:58:01.0958 1868 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys
14:58:01.0958 1868 tunmp - ok
14:58:02.0018 1868 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:58:02.0018 1868 Udfs - ok
14:58:02.0068 1868 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
14:58:02.0068 1868 ultra - ok
14:58:02.0138 1868 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:58:02.0148 1868 Update - ok
14:58:02.0219 1868 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:58:02.0229 1868 usbccgp - ok
14:58:02.0299 1868 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:58:02.0299 1868 usbehci - ok
14:58:02.0409 1868 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:58:02.0409 1868 usbhub - ok
14:58:02.0479 1868 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:58:02.0479 1868 USBSTOR - ok
14:58:02.0529 1868 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:58:02.0529 1868 usbuhci - ok
14:58:02.0569 1868 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:58:02.0569 1868 VgaSave - ok
14:58:02.0599 1868 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
14:58:02.0599 1868 viaagp - ok
14:58:02.0649 1868 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
14:58:02.0649 1868 ViaIde - ok
14:58:02.0699 1868 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:58:02.0699 1868 VolSnap - ok
14:58:02.0759 1868 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:58:02.0759 1868 Wanarp - ok
14:58:02.0789 1868 WDICA - ok
14:58:02.0859 1868 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:58:02.0859 1868 wdmaud - ok
14:58:02.0970 1868 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:58:02.0970 1868 WS2IFSL - ok
14:58:03.0040 1868 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:58:03.0050 1868 WudfPf - ok
14:58:03.0110 1868 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:58:03.0110 1868 WudfRd - ok
14:58:03.0140 1868 MBR (0x1B8) (7fe58d296933b265a57cb6a2d3060af5) \Device\Harddisk0\DR0
14:58:03.0280 1868 \Device\Harddisk0\DR0 - ok
14:58:03.0310 1868 Boot (0x1200) (0c194fbe11b1aadd275d69c3efc604d5) \Device\Harddisk0\DR0\Partition0
14:58:03.0310 1868 \Device\Harddisk0\DR0\Partition0 - ok
14:58:03.0320 1868 ============================================================
14:58:03.0320 1868 Scan finished
14:58:03.0320 1868 ============================================================
14:58:03.0320 1808 Detected object count: 0
14:58:03.0320 1808 Actual detected object count: 0

Hello

This is the tool I would like you to try and run next.

Please download aswMBR ( 511KB ) to your desktop.

• Double click the aswMBR.exe icon to run it
  
• Click the Scan button to start the scan
  
• On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo

Gringo,
I've downloaded and run aswMBR.
Looks like it found something else.
Following is the log:
==================== aswMBR Log File ============================================
aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-13 05:57:21
-----------------------------
05:57:21.301 OS Version: Windows 5.1.2600 Service Pack 3
05:57:21.301 Number of processors: 1 586 0x401
05:57:21.301 ComputerName: GBOSTWICKPC2 UserName: GBostwick
05:57:22.012 Initialize success
05:59:23.837 AVAST engine defs: 12011201
06:00:43.021 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
06:00:43.021 Disk 0 Vendor: Maxtor_6Y160M0 YAR51HW0 Size: 152587MB BusType: 3
06:00:43.041 Disk 0 MBR read successfully
06:00:43.041 Disk 0 MBR scan
06:00:43.091 Disk 0 unknown MBR code
06:00:43.091 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 47 MB offset 63
06:00:43.101 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152539 MB offset 96390
06:00:43.101 Disk 0 scanning sectors +312496380
06:00:43.171 Disk 0 scanning C:\WINDOWS\system32\drivers
06:00:55.499 Service scanning
06:00:56.480 Modules scanning
06:01:02.348 Disk 0 trace - called modules:
06:01:02.378 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
06:01:02.699 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b040ab8]
06:01:02.699 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8afdbb00]
06:01:03.430 AVAST engine scan C:\WINDOWS
06:01:18.131 File: C:\WINDOWS\PEV.exe **INFECTED** Win32:Rootkit-gen [Rtk]
06:01:22.207 AVAST engine scan C:\WINDOWS\system32
06:03:25.825 AVAST engine scan C:\WINDOWS\system32\drivers
06:03:44.131 AVAST engine scan C:\Documents and Settings\GBostwick
06:04:17.900 AVAST engine scan C:\Documents and Settings\All Users
06:05:31.505 Scan finished successfully
06:21:59.236 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\GBostwick\Desktop\MBR.dat"
06:21:59.236 The log file has been saved successfully to "C:\Documents and Settings\GBostwick\Desktop\aswMBR.txt"

Gringo,
I just took a look at the Security Essentials history.
It showed 12 identical lines like this:

Detected Item: Win32/Sirefef.N
Level: Severe
Date: 1/13/2012 5:53 A.M.
Action Taken: Disinfected

Followed by this discussion:
---------------------------------
Security Essentials encountered the following error: Error code 0x800704ec. Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.

Category: Virus

Description: This program is dangerous and replicates by infecting other files.

Recommended action: Remove this software immediately.

Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

Items:
file:C:\System Volume Information\_restore{344EAB0C-AF96-4F95-9A03-7217AB92EDF8}\RP2577\A0204981.sys

This post has been edited by GBostwick: 13 January 2012 - 07:35 AM

Hello

That is very good - it is in system restore and is not problem being in there


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

Conduit Engine
J2SE Runtime Environment 5.0 Update 17
Java™ 6 Update 7


and click on remove

Install Java:

Please go here to install Java

• click on the Free Java Download Button
  
• click on Agree and start Free download
  
• click on Run
  
• click on run again
  
• click on install
  
• when install is complete click on close

TFC(Temp File Cleaner):

• Please download TFC to your desktop,
  
• Save any unsaved work. TFC will close all open application windows.
  
• Double-click TFC.exe to run the program.
  
• If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM


• Double-click mbam icon
  
• go to the update tab at the top
  
• click on check for updates
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
  • If you accidentally close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

• Go Here to download HijackThis Installer
  
• Save HijackThis Installer to your desktop.
  
• Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
  
• Once installed it will launch Hijackthis.
  
• Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  
• Come back here to this thread and Paste the log in your next reply.
  
• DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

In your next post I need the following


• Log From MBAM
  
• report from Hijackthis
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
  
• do you need more time?
  
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

Gringo,
I most definitely still need your assistance.
I was able to perform the uninstalls as directed.
I was also able to re-install Java.

The TFC website was blocked from my location so I had to D/L the executable and transfer it via flash drive this morning. I brought up the task manager to see what processes were running and then started TFC. It displayed the information as to what it was going to do and I started it. It immediately shut down several processes and then hung. No CPU or disk activity. I let it sit for 30 minutes but still no activity. I forced a reboot and went through the process again but got the same results ... it starts and then hangs.

I have local administrator rights for my PC so that shouldn't be an issue.

Should I continue with MBAM and HiJack This or is it imperative that I successfully run TFC?

Thanks,
Gene

just continue and move to MBAM

Ran both MBAM & HiJackThis

==============================
MBAM results:
==============================
Malwarebytes Anti-Malware (Trial) 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.16.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
GBostwick :: GBOSTWICKPC2 [administrator]

Protection: Enabled

1/16/2012 10:37:05 AM
mbam-log-2012-01-16 (10-37-05).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 506736
Time elapsed: 12 minute(s), 21 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


======================================
HiJackThis Log:
======================================
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:00:20 AM, on 1/16/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AClient\AClient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\ccsrvc.exe
C:\Program Files\Altiris\Carbon Copy\shellker.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\hjavaw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
C:\WINDOWS\TEMP\fsprocsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Altiris\CARBON~1\client.exe
C:\Program Files\AClient\AClntUsr.EXE
C:\RightFax87Client\Client\English\FaxCtrl.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NRG-PC-Info\Bginfo.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insider
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Lync add-on BHO - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: TranslatorBar 3.2 - {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files\TranslatorBar_3.2\prxtbTra2.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: TranslatorBar 3.2 Toolbar - {c55f5517-246e-4426-b745-ee25b08eb8b4} - C:\Program Files\TranslatorBar_3.2\prxtbTra2.dll
O4 - HKLM\..\Run: [AClntUsr] C:\Program Files\AClient\AClntUsr.EXE
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Lync\communicator.exe" /fromrunkey
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\RightFax87Client\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - S-1-5-18 Startup: outlook.bat (User 'SYSTEM')
O4 - .DEFAULT Startup: outlook.bat (User 'Default user')
O4 - .DEFAULT User Startup: allowedSitesWinXPSP2perUser.vbs (User 'Default user')
O4 - .DEFAULT User Startup: Outlook with Self Delete.vbs (User 'Default user')
O4 - .DEFAULT User Startup: SAPLogon_ViewWidth_Fix.vbs (User 'Default user')
O4 - .DEFAULT User Startup: SetHomepage.vbs (User 'Default user')
O4 - .DEFAULT User Startup: TraderCertperUser.vbs (User 'Default user')
O4 - Global Startup: config_taskbar.lnk = C:\Program Files\NRG-PC-Info\Bginfo.exe
O4 - Global Startup: shortcut_xprint.lnk = C:\Program Files\Informatik\xPrint\xPrintFileWatcher.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll
O9 - Extra 'Tools' menuitem: Lync add-on - {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - C:\Program Files\Microsoft Lync\OCHelper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1276083774407
O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} (ERPageAddin Class) - https://eroom.personix.com/eRoomSetup/client.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect114a.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://webts/msrdp.cab
O16 - DPF: {BAACAF97-A065-46F0-BB6F-C8EDD4C00761} (MOVEitUpDownWiz Class) - https://hou2.personix.com/COM/MOVEitUploadWizard3.1.7.ocx
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = retail.nrgenergy.com
O17 - HKLM\Software\..\Telephony: DomainName = retail.nrgenergy.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = retail.nrgenergy.com
O20 - AppInit_DLLs: C:\WINDOWS\system32\AMInit32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Altiris Client Service (AClient) - Altiris, Inc. - C:\Program Files\AClient\AClient.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Altiris Carbon Copy (CarbonCopy32) - Altiris - C:\WINDOWS\system32\ccsrvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForeScout Remote Inspection Service (fsprocsvc) - ForeScout - C:\WINDOWS\TEMP\fsprocsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINDOWS\system32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: OracleOra9ClientCache - Unknown owner - C:\oracle\Ora9i\BIN\ONRSD.EXE
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
O23 - Service: Quest Migration Manager RUM Agent Service (QsRUMAgent) - Quest Software - C:\WINDOWS\Quest Resource Updating Agent\QsResourceUpdatingAgent.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\OfficeScan NT\..\BM\TMBMSRV.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe

--
End of file - 12902 bytes