BleepingComputer.com: TDL4.1 +google redirecting

Hi there,
Im running XP with sp3
My browser started redirecting me, and Winpatrol kept informing me of repeated attempts to alter my startup and my hostsAvast was switched off or disabled - I had to
I ran unhack me and it says I have TDL4.1

Help!
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Compaq_Owner at 5:41:51 on 2012-01-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.286 [GMT 0:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hott notes 4\hottnotes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\UnHackMe\Unhackme.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZon0.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZon0.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: ZoneAlarm Security Toolbar: {91da5e8a-3318-4f8c-b67e-5964de3ab546} - c:\program files\zonealarm_security\prxtbZon0.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 5\Suo10_SmartRAM.exe" /m
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [ISW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter4.exe
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
StartupFolder: c:\docume~1\compaq~2.rob\startm~1\programs\startup\hottno~1.lnk - c:\program files\hott notes 4\hottnotes.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{7A545EDF-3EBE-41C5-B268-01AB4F12860F} : DhcpNameServer = 15.243.128.51 15.243.160.51
TCP: Interfaces\{BB55A9FC-185C-45DA-B1F6-F553E815EB7C} : DhcpNameServer = 192.168.0.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: niaxama -
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-1-11 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-1-11 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-1-11 656320]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-1-11 314456]
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-11-9 525840]
R2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\common files\abbyy\finereadersprint\9.00\licensing\NetworkLicenseServer.exe [2009-5-14 759048]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-1-11 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-1-11 44768]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]
R2 ServicepointService;ServicepointService;c:\program files\virgin media\service manager\ServicepointService.exe [2011-5-10 689464]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2011-8-7 3406120]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
S0 ltbnk;ltbnk;c:\windows\system32\drivers\iwjbqrj.sys --> c:\windows\system32\drivers\iwjbqrj.sys [?]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-11 435032]
S2 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-4 14336]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2012-1-11 24416]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2012-1-11 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2012-1-11 1150936]
S4 SpyHunter 4 Service;SpyHunter 4 Service;c:\progra~1\enigma~1\spyhun~1\SH4SER~1.EXE [2011-10-10 736672]
.
=============== Created Last 30 ================
.
2012-01-11 05:12:58 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-11 05:12:34 41184 ----a-w- c:\windows\avastSS.scr
2012-01-11 04:43:36 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-01-11 04:43:36 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-01-11 04:43:35 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-01-11 04:43:24 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-01-11 04:43:24 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-01-11 04:42:56 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-01-11 04:42:46 -------- d-----w- c:\program files\PC Tools Security
2012-01-11 04:42:46 -------- d-----w- c:\program files\common files\PC Tools
2012-01-11 04:42:46 -------- d-----w- c:\documents and settings\compaq_owner.robertscomputer\application data\PC Tools
2012-01-11 04:41:22 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-01-11 04:38:45 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-01-11 04:18:47 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2012-01-11 04:13:26 2 --shatr- c:\windows\winstart.bat
2012-01-11 04:13:24 39192 ----a-w- c:\windows\system32\Partizan.exe
2012-01-11 04:13:24 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2012-01-11 04:13:07 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2012-01-11 04:13:03 -------- d-----w- c:\program files\UnHackMe
2012-01-11 03:46:13 110080 ----a-r- c:\documents and settings\compaq_owner.robertscomputer\application data\microsoft\installer\{1c7cc8e2-cfcf-41e6-a863-7c7a45ce8a78}\IconF7A21AF7.exe
2012-01-11 03:46:13 110080 ----a-r- c:\documents and settings\compaq_owner.robertscomputer\application data\microsoft\installer\{1c7cc8e2-cfcf-41e6-a863-7c7a45ce8a78}\IconD7F16134.exe
2012-01-11 03:46:13 110080 ----a-r- c:\documents and settings\compaq_owner.robertscomputer\application data\microsoft\installer\{1c7cc8e2-cfcf-41e6-a863-7c7a45ce8a78}\IconCF33A0CE.exe
2012-01-11 03:46:03 -------- dc----w- C:\sh4ldr
2012-01-11 03:46:03 -------- d-----w- c:\program files\Enigma Software Group
2012-01-11 03:45:31 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-10 17:59:27 -------- d-----w- c:\documents and settings\compaq_owner.robertscomputer\application data\Malwarebytes
2012-01-10 17:24:54 -------- d-----w- c:\documents and settings\compaq_owner.robertscomputer\application data\Zahy
2012-01-10 17:24:54 -------- d-----w- c:\documents and settings\compaq_owner.robertscomputer\application data\Alyno
2012-01-09 17:02:28 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-01-09 17:02:28 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-03 19:09:45 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-01-03 19:09:38 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-17 16:13:14 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-12-17 16:13:13 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-12-15 23:38:04 -------- d-----w- c:\program files\common files\ODBC
2011-12-13 01:34:23 20312 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-12-13 01:23:19 -------- d-----w- c:\documents and settings\all users\application data\IObit
2011-12-13 00:57:20 -------- d-----w- c:\documents and settings\compaq_owner.robertscomputer\application data\IObit
2011-12-12 17:01:28 8192 ----a-w- c:\windows\system32\wshirda.dll
2011-12-12 17:01:28 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll
2011-12-12 17:01:28 28160 ----a-w- c:\windows\system32\irmon.dll
2011-12-12 17:01:28 28160 ----a-w- c:\windows\system32\dllcache\irmon.dll
2011-12-12 17:01:25 151552 ----a-w- c:\windows\system32\irftp.exe
2011-12-12 17:01:25 151552 ----a-w- c:\windows\system32\dllcache\irftp.exe
.
==================== Find3M ====================
.
2012-01-01 19:08:31 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 15:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP1604N/R rev.TM100-24 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-24
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85A2AFF0]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8612BAB8]
3 CLASSPNP[0xF75D0FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x85C93648]
\Driver\00001321[0x85B0C240] -> IRP_MJ_CREATE -> 0x85A2AFF0
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 5:44:23.62 ===============

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Somethings to remember while we are working together.

• Do not run any other tool untill instructed to do so!
  
• please Do not Attach logs or put in code boxes.
  
• Tell me about any problems that have occurred during the fix.
  
• Tell me of any other symptoms you may be having as these can help also.
  
• Do not run anything while running a fix.
  
• Do not run any other tool untill instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

In your next post I need the following


• Log from Combofix
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

Hi there

I did as you listed, but Combofix was a bit erratic
It said I had ZERO ACCESS infection
It then Said that it would reboot
when it came back it said it was an old version and did I want reduced functionality
I downloaded the third listed version from your links
Which eventually told me that
"pev" is not recognised as an internal, external operable or batch file
over and over
I rebooted
This time it ran all the way through but jammed at the making report log bit
After an hour I gave up and tried again
Same thing

Is this to do with the virus

all my anti virus stuff was off (not my firewall though!)

Hello

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.

• If the computer is running, shut down Windows, and then turn off the power.
  
• Wait 30 seconds, and then turn the computer on.
  
• Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  
• Ensure that the Safe Mode option is selected.
  
• Press Enter. The computer then begins to start in Safe mode.
  
• Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo

Ok that worked much better


ComboFix 12-01-13.01 - Compaq_Owner 13/01/2012 18:30:04.5.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.958.773 [GMT 0:00]
Running from: d:\working documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2011-12-13 to 2012-01-13 )))))))))))))))))))))))))))))))
.
.
2012-01-12 19:16 . 2012-01-12 19:16 -------- d-----w- c:\documents and settings\Compaq_Owner.ROBERTSCOMPUTER\Application Data\ElevatedDiagnostics
2012-01-11 05:13 . 2011-11-28 17:53 314456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-01-11 05:13 . 2011-11-28 17:51 20568 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-01-11 05:12 . 2011-11-28 17:52 34392 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-01-11 05:12 . 2011-11-28 17:53 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-11 05:12 . 2011-11-28 17:52 52952 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-01-11 05:12 . 2011-11-28 17:52 111320 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-01-11 05:12 . 2011-11-28 17:51 105176 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-01-11 05:12 . 2011-11-28 17:48 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-01-11 05:12 . 2011-11-28 18:01 41184 ----a-w- c:\windows\avastSS.scr
2012-01-11 05:12 . 2011-11-28 18:01 199816 ----a-w- c:\windows\system32\aswBoot.exe
2012-01-11 04:41 . 2012-01-11 10:08 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-01-11 04:38 . 2012-01-11 04:39 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-01-11 04:18 . 2012-01-11 04:18 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2012-01-11 04:13 . 2012-01-11 04:13 2 --shatr- c:\windows\winstart.bat
2012-01-11 04:13 . 2011-11-03 12:58 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2012-01-11 04:13 . 2012-01-13 18:07 -------- d-----w- c:\program files\UnHackMe
2012-01-11 03:46 . 2012-01-11 10:06 -------- dc----w- C:\sh4ldr
2012-01-11 03:46 . 2012-01-11 03:46 -------- d-----w- c:\program files\Enigma Software Group
2012-01-11 03:45 . 2012-01-11 10:05 -------- d-----w- c:\windows\1C7CC8E2CFCF41E6A8637C7A45CE8A78.TMP
2012-01-10 17:59 . 2012-01-10 17:59 -------- d-----w- c:\documents and settings\Compaq_Owner.ROBERTSCOMPUTER\Application Data\Malwarebytes
2012-01-10 17:24 . 2012-01-10 19:24 -------- d-----w- c:\documents and settings\Compaq_Owner.ROBERTSCOMPUTER\Application Data\Zahy
2012-01-10 17:24 . 2012-01-10 17:44 -------- d-----w- c:\documents and settings\Compaq_Owner.ROBERTSCOMPUTER\Application Data\Alyno
2012-01-10 17:24 . 2012-01-10 18:21 -------- d-----w- c:\documents and settings\Administrator.ROBERTSCOMPUTER.000
2012-01-09 17:02 . 2012-01-09 17:02 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-03 19:09 . 2001-08-17 22:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-01-03 19:09 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-17 16:13 . 2011-08-02 17:38 42496 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2011-12-17 16:13 . 2011-08-02 17:38 4517664 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-12-17 14:53 . 2011-12-17 14:53 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ZoneAlarm_Security
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-01 19:08 . 2011-05-15 02:43 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-10 15:24 . 2011-05-15 14:10 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-04 19:20 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 19:20 . 2004-08-04 11:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 11:23 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-11-03 15:28 . 2004-08-04 12:00 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2004-08-04 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2011-11-01 16:07 . 2004-08-04 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2004-08-04 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 18:00 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-19 22:16 . 2011-12-13 01:34 20312 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2011-10-18 11:13 . 2004-08-04 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-12-12 12:17 . 2011-05-26 13:21 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
2011-05-09 09:49 176936 ----a-w- c:\program files\ZoneAlarm_Security\prxtbZon0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{91da5e8a-3318-4f8c-b67e-5964de3ab546}"= "c:\program files\ZoneAlarm_Security\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{91DA5E8A-3318-4F8C-B67E-5964DE3AB546}"= "c:\program files\ZoneAlarm_Security\prxtbZon0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{91da5e8a-3318-4f8c-b67e-5964de3ab546}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-11-28 18:01 122512 ------w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-11-28 3744552]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-10-29 329096]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-09 73360]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-01 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\Compaq_Owner.ROBERTSCOMPUTER\Start Menu\Programs\Startup\
hott notes 4.lnk - c:\program files\hott notes 4\hottnotes.exe [2007-5-16 1249280]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=DrvTrNTm.dll
"wave"=DrvTrNTm.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ServicepointService]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner.ROBERTSCOMPUTER^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Compaq_Owner.ROBERTSCOMPUTER\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 20:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
2009-12-03 09:12 976320 ----a-w- c:\program files\Epson Software\Event Manager\EEventManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON SX218 Series]
2009-09-14 07:00 200704 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATIGDE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 16:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW]
2011-11-03 14:44 738944 ----a-w- c:\program files\CheckPoint\ZAForceField\ForceField.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-12-08 01:36 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2011-12-24 17:50 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 16:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xvid]
2011-01-17 19:41 8192 ----a-w- c:\program files\Xvid\CheckUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 4\\Dreamweaver.exe"=
"c:\\Program Files\\Virgin Media\\Service Manager\\ServicepointService.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\explorer.exe"= %windir%\explorer.exe
.
R2 ServicepointService;ServicepointService;c:\program files\Virgin Media\Service Manager\ServicepointService.exe [10/05/2011 13:28 689464]
S0 ltbnk;ltbnk;c:\windows\system32\drivers\iwjbqrj.sys --> c:\windows\system32\drivers\iwjbqrj.sys [?]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [11/01/2012 05:12 435032]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [11/01/2012 05:13 314456]
S2 ABBYY.Licensing.FineReader.Sprint.9.0;ABBYY FineReader 9.0 Sprint Licensing Service;c:\program files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe [14/05/2009 16:07 759048]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [11/01/2012 05:13 20568]
S2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [03/11/2011 14:44 27016]
S2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [03/11/2011 14:44 497280]
S2 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [04/08/2004 12:00 14336]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [07/08/2011 17:27 3406120]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [22/08/2011 10:46 47360]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [11/01/2012 04:18 24416]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-SmartRAM - c:\program files\IObit\Advanced SystemCare 5\Suo10_SmartRAM.exe
Notify-niaxama - (no file)
MSConfigStartUp-DHSClient - c:\program files\Virgin Media\Digital Home Support\DHSClient.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-13 18:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_SP1604N/R rev.TM100-24 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-24
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(304)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1764)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-01-13 18:54:08
ComboFix-quarantined-files.txt 2012-01-13 18:53
.
Pre-Run: 76,267,212,800 bytes free
Post-Run: 76,252,524,544 bytes free
.
- - End Of File - - 4D5585AE5F0593E56818C66795753C07

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

09:55:25.0859 3100 TDSS rootkit removing tool 2.7.1.0 Jan 13 2012 15:24:05
09:55:25.0953 3100 ============================================================
09:55:25.0953 3100 Current date / time: 2012/01/14 09:55:25.0953
09:55:25.0953 3100 SystemInfo:
09:55:25.0953 3100
09:55:25.0953 3100 OS Version: 5.1.2600 ServicePack: 3.0
09:55:25.0953 3100 Product type: Workstation
09:55:25.0953 3100 ComputerName: ROBERTSCOMPUTER
09:55:25.0953 3100 UserName: Compaq_Owner
09:55:25.0953 3100 Windows directory: C:\WINDOWS
09:55:25.0953 3100 System windows directory: C:\WINDOWS
09:55:25.0953 3100 Processor architecture: Intel x86
09:55:25.0953 3100 Number of processors: 1
09:55:25.0953 3100 Page size: 0x1000
09:55:25.0953 3100 Boot type: Normal boot
09:55:25.0953 3100 ============================================================
09:55:27.0562 3100 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000, SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
09:55:27.0578 3100 Drive \Device\Harddisk1\DR1 - Size: 0x132C570000, SectorSize: 0x200, Cylinders: 0x271B, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K', Flags 0x00000054
09:55:27.0796 3100 Initialize success
09:55:31.0890 1960 ============================================================
09:55:31.0890 1960 Scan started
09:55:31.0890 1960 Mode: Manual;
09:55:31.0890 1960 ============================================================
09:55:33.0187 1960 Aavmker4 (b6de0336f9f4b687b4ff57939f7b657a) C:\WINDOWS\system32\drivers\Aavmker4.sys
09:55:33.0187 1960 Aavmker4 - ok
09:55:33.0312 1960 Abiosdsk - ok
09:55:33.0437 1960 abp480n5 - ok
09:55:33.0578 1960 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:55:33.0578 1960 ACPI - ok
09:55:33.0718 1960 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:55:33.0718 1960 ACPIEC - ok
09:55:33.0843 1960 adpu160m - ok
09:55:34.0000 1960 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
09:55:34.0000 1960 aec - ok
09:55:34.0171 1960 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
09:55:34.0171 1960 AFD - ok
09:55:34.0328 1960 AgereSoftModem (34f27c7d71f1c49c7d3857f28b42f544) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
09:55:34.0359 1960 AgereSoftModem - ok
09:55:34.0468 1960 Aha154x - ok
09:55:34.0562 1960 aic78u2 - ok
09:55:34.0687 1960 aic78xx - ok
09:55:34.0890 1960 ALCXWDM (781c5ec517c53f5214b61253b20c13c4) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
09:55:34.0984 1960 ALCXWDM - ok
09:55:35.0109 1960 AliIde - ok
09:55:35.0218 1960 AmdK8 (59301936898ae62245a6f09c0aba9475) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
09:55:35.0234 1960 AmdK8 - ok
09:55:35.0328 1960 amsint - ok
09:55:35.0468 1960 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
09:55:35.0468 1960 Arp1394 - ok
09:55:35.0578 1960 asc - ok
09:55:35.0718 1960 asc3350p - ok
09:55:35.0828 1960 asc3550 - ok
09:55:35.0984 1960 Aspi32 (5b01af89d16d562825c4db4530f20cbb) C:\WINDOWS\system32\drivers\aspi32.sys
09:55:35.0984 1960 Aspi32 - ok
09:55:36.0156 1960 aswFsBlk (054df24c92b55427e0757cfff160e4f2) C:\WINDOWS\system32\drivers\aswFsBlk.sys
09:55:36.0156 1960 aswFsBlk - ok
09:55:36.0312 1960 aswMon2 (ef0e9ad83380724bd6fbbb51d2d0f5b8) C:\WINDOWS\system32\drivers\aswMon2.sys
09:55:36.0328 1960 aswMon2 - ok
09:55:36.0468 1960 aswRdr (352d5a48ebab35a7693b048679304831) C:\WINDOWS\system32\drivers\aswRdr.sys
09:55:36.0468 1960 aswRdr - ok
09:55:36.0656 1960 aswSnx (8d34d2b24297e27d93e847319abfdec4) C:\WINDOWS\system32\drivers\aswSnx.sys
09:55:36.0687 1960 aswSnx - ok
09:55:36.0843 1960 aswSP (010012597333da1f46c3243f33f8409e) C:\WINDOWS\system32\drivers\aswSP.sys
09:55:36.0859 1960 aswSP - ok
09:55:36.0984 1960 aswTdi (f9f84364416658e9786235904d448d37) C:\WINDOWS\system32\drivers\aswTdi.sys
09:55:36.0984 1960 aswTdi - ok
09:55:37.0125 1960 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:55:37.0125 1960 AsyncMac - ok
09:55:37.0281 1960 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
09:55:37.0281 1960 atapi - ok
09:55:37.0406 1960 Atdisk - ok
09:55:37.0593 1960 ati2mtag (b33a281dcdf455b069816790275050a7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
09:55:37.0625 1960 ati2mtag - ok
09:55:37.0765 1960 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:55:37.0765 1960 Atmarpc - ok
09:55:37.0906 1960 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:55:37.0906 1960 audstub - ok
09:55:38.0031 1960 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:55:38.0031 1960 Beep - ok
09:55:38.0187 1960 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
09:55:38.0187 1960 BthEnum - ok
09:55:38.0328 1960 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
09:55:38.0343 1960 BthPan - ok
09:55:38.0484 1960 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
09:55:38.0500 1960 BTHPORT - ok
09:55:38.0640 1960 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
09:55:38.0640 1960 BTHUSB - ok
09:55:38.0703 1960 catchme - ok
09:55:38.0843 1960 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:55:38.0843 1960 cbidf2k - ok
09:55:38.0984 1960 cd20xrnt - ok
09:55:39.0125 1960 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:55:39.0125 1960 Cdaudio - ok
09:55:39.0250 1960 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
09:55:39.0250 1960 Cdfs - ok
09:55:39.0406 1960 cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:55:39.0406 1960 cdrom - ok
09:55:39.0531 1960 Changer - ok
09:55:39.0656 1960 CmdIde - ok
09:55:39.0796 1960 Cpqarray - ok
09:55:39.0921 1960 dac2w2k - ok
09:55:40.0031 1960 dac960nt - ok
09:55:40.0203 1960 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
09:55:40.0203 1960 Disk - ok
09:55:40.0406 1960 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
09:55:40.0437 1960 dmboot - ok
09:55:40.0578 1960 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
09:55:40.0593 1960 dmio - ok
09:55:40.0750 1960 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:55:40.0750 1960 dmload - ok
09:55:40.0890 1960 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
09:55:40.0890 1960 DMusic - ok
09:55:41.0031 1960 dpti2o - ok
09:55:41.0171 1960 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
09:55:41.0171 1960 drmkaud - ok
09:55:41.0343 1960 FA312 (aa855fb8a866281aacb393c1feab91ae) C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
09:55:41.0343 1960 FA312 - ok
09:55:41.0484 1960 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
09:55:41.0500 1960 Fastfat - ok
09:55:41.0656 1960 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
09:55:41.0656 1960 Fdc - ok
09:55:41.0796 1960 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
09:55:41.0796 1960 Fips - ok
09:55:41.0937 1960 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
09:55:41.0937 1960 Flpydisk - ok
09:55:42.0078 1960 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
09:55:42.0078 1960 FltMgr - ok
09:55:42.0234 1960 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:55:42.0234 1960 Fs_Rec - ok
09:55:42.0406 1960 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:55:42.0406 1960 Ftdisk - ok
09:55:42.0546 1960 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
09:55:42.0562 1960 GEARAspiWDM - ok
09:55:42.0703 1960 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:55:42.0703 1960 Gpc - ok
09:55:42.0859 1960 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:55:42.0875 1960 hidusb - ok
09:55:42.0984 1960 hpn - ok
09:55:43.0125 1960 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
09:55:43.0140 1960 HTTP - ok
09:55:43.0265 1960 i2omgmt - ok
09:55:43.0375 1960 i2omp - ok
09:55:43.0531 1960 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:55:43.0531 1960 i8042prt - ok
09:55:43.0703 1960 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:55:43.0718 1960 Imapi - ok
09:55:43.0828 1960 ini910u - ok
09:55:43.0984 1960 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
09:55:43.0984 1960 IntelIde - ok
09:55:44.0140 1960 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
09:55:44.0140 1960 intelppm - ok
09:55:44.0265 1960 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
09:55:44.0265 1960 Ip6Fw - ok
09:55:44.0421 1960 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:55:44.0421 1960 IpFilterDriver - ok
09:55:44.0562 1960 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:55:44.0562 1960 IpInIp - ok
09:55:44.0687 1960 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:55:44.0687 1960 IpNat - ok
09:55:44.0843 1960 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:55:44.0843 1960 IPSec - ok
09:55:44.0984 1960 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:55:44.0984 1960 IRENUM - ok
09:55:45.0125 1960 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:55:45.0125 1960 isapnp - ok
09:55:45.0218 1960 ISWKL (08a811bfd207dfdec588881c18bacbaa) C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
09:55:45.0218 1960 ISWKL - ok
09:55:45.0343 1960 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:55:45.0343 1960 Kbdclass - ok
09:55:45.0484 1960 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:55:45.0484 1960 kbdhid - ok
09:55:45.0625 1960 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:55:45.0625 1960 kmixer - ok
09:55:45.0781 1960 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:55:45.0781 1960 KSecDD - ok
09:55:45.0921 1960 lbrtfdc - ok
09:55:46.0062 1960 ltbnk - ok
09:55:46.0218 1960 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:55:46.0218 1960 mnmdd - ok
09:55:46.0375 1960 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:55:46.0390 1960 Modem - ok
09:55:46.0515 1960 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:55:46.0531 1960 Mouclass - ok
09:55:46.0656 1960 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:55:46.0671 1960 mouhid - ok
09:55:46.0796 1960 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:55:46.0796 1960 MountMgr - ok
09:55:46.0937 1960 mraid35x - ok
09:55:47.0078 1960 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:55:47.0093 1960 MRxDAV - ok
09:55:47.0250 1960 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:55:47.0281 1960 MRxSmb - ok
09:55:47.0406 1960 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:55:47.0421 1960 Msfs - ok
09:55:47.0578 1960 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:55:47.0578 1960 MSKSSRV - ok
09:55:47.0718 1960 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:55:47.0718 1960 MSPCLOCK - ok
09:55:47.0859 1960 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:55:47.0859 1960 MSPQM - ok
09:55:48.0000 1960 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:55:48.0000 1960 mssmbios - ok
09:55:48.0140 1960 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:55:48.0140 1960 Mup - ok
09:55:48.0312 1960 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:55:48.0312 1960 NDIS - ok
09:55:48.0468 1960 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:55:48.0484 1960 NdisTapi - ok
09:55:48.0609 1960 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:55:48.0609 1960 Ndisuio - ok
09:55:48.0734 1960 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:55:48.0734 1960 NdisWan - ok
09:55:48.0859 1960 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:55:48.0875 1960 NDProxy - ok
09:55:49.0000 1960 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:55:49.0000 1960 NetBIOS - ok
09:55:49.0156 1960 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:55:49.0156 1960 NetBT - ok
09:55:49.0343 1960 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
09:55:49.0343 1960 NIC1394 - ok
09:55:49.0484 1960 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:55:49.0484 1960 Npfs - ok
09:55:49.0656 1960 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:55:49.0671 1960 Ntfs - ok
09:55:49.0843 1960 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:55:49.0843 1960 Null - ok
09:55:49.0968 1960 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:55:49.0984 1960 NwlnkFlt - ok
09:55:50.0093 1960 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:55:50.0109 1960 NwlnkFwd - ok
09:55:50.0234 1960 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
09:55:50.0234 1960 ohci1394 - ok
09:55:50.0406 1960 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:55:50.0406 1960 Parport - ok
09:55:50.0531 1960 Partizan - ok
09:55:50.0656 1960 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:55:50.0671 1960 PartMgr - ok
09:55:50.0828 1960 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:55:50.0828 1960 ParVdm - ok
09:55:50.0968 1960 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:55:50.0984 1960 PCI - ok
09:55:51.0109 1960 PCIDump - ok
09:55:51.0250 1960 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
09:55:51.0265 1960 PCIIde - ok
09:55:51.0421 1960 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:55:51.0421 1960 Pcmcia - ok
09:55:51.0562 1960 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
09:55:51.0562 1960 pcouffin - ok
09:55:51.0671 1960 PDCOMP - ok
09:55:51.0890 1960 PDFRAME - ok
09:55:52.0015 1960 PDRELI - ok
09:55:52.0125 1960 PDRFRAME - ok
09:55:52.0250 1960 perc2 - ok
09:55:52.0359 1960 perc2hib - ok
09:55:52.0562 1960 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:55:52.0562 1960 PptpMiniport - ok
09:55:52.0703 1960 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
09:55:52.0703 1960 Processor - ok
09:55:52.0843 1960 Ps2 (0e2eb30605ca6ed2509d59af6a7362b4) C:\WINDOWS\system32\DRIVERS\PS2.sys
09:55:52.0843 1960 Ps2 - ok
09:55:52.0968 1960 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:55:52.0984 1960 PSched - ok
09:55:53.0125 1960 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:55:53.0125 1960 Ptilink - ok
09:55:53.0265 1960 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
09:55:53.0281 1960 PxHelp20 - ok
09:55:53.0406 1960 ql1080 - ok
09:55:53.0531 1960 Ql10wnt - ok
09:55:53.0640 1960 ql12160 - ok
09:55:53.0765 1960 ql1240 - ok
09:55:53.0875 1960 ql1280 - ok
09:55:54.0031 1960 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:55:54.0031 1960 RasAcd - ok
09:55:54.0171 1960 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:55:54.0171 1960 Rasl2tp - ok
09:55:54.0312 1960 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:55:54.0312 1960 RasPppoe - ok
09:55:54.0453 1960 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:55:54.0453 1960 Raspti - ok
09:55:54.0609 1960 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:55:54.0609 1960 Rdbss - ok
09:55:54.0750 1960 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:55:54.0750 1960 RDPCDD - ok
09:55:54.0921 1960 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:55:54.0921 1960 RDPWD - ok
09:55:55.0062 1960 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:55:55.0062 1960 redbook - ok
09:55:55.0203 1960 RegGuard (37ecebdd930395a9c399fb18a3c236d3) C:\WINDOWS\system32\Drivers\regguard.sys
09:55:55.0203 1960 RegGuard - ok
09:55:55.0343 1960 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
09:55:55.0359 1960 RFCOMM - ok
09:55:55.0515 1960 RTL8023xp (7f0413bdd7d53eb4c7a371e7f6f84df1) C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys
09:55:55.0531 1960 RTL8023xp - ok
09:55:55.0625 1960 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
09:55:55.0625 1960 rtl8139 - ok
09:55:55.0781 1960 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:55:55.0781 1960 Secdrv - ok
09:55:55.0921 1960 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:55:55.0921 1960 serenum - ok
09:55:56.0078 1960 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
09:55:56.0078 1960 Serial - ok
09:55:56.0234 1960 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:55:56.0234 1960 Sfloppy - ok
09:55:56.0359 1960 Simbad - ok
09:55:56.0484 1960 Sparrow - ok
09:55:56.0609 1960 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:55:56.0625 1960 splitter - ok
09:55:56.0765 1960 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:55:56.0781 1960 sr - ok
09:55:56.0953 1960 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:55:56.0968 1960 Srv - ok
09:55:57.0125 1960 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:55:57.0125 1960 swenum - ok
09:55:57.0250 1960 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:55:57.0250 1960 swmidi - ok
09:55:57.0375 1960 symc810 - ok
09:55:57.0500 1960 symc8xx - ok
09:55:57.0609 1960 sym_hi - ok
09:55:57.0734 1960 sym_u3 - ok
09:55:57.0859 1960 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:55:57.0875 1960 sysaudio - ok
09:55:58.0046 1960 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:55:58.0062 1960 Tcpip - ok
09:55:58.0218 1960 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:55:58.0234 1960 TDPIPE - ok
09:55:58.0375 1960 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:55:58.0375 1960 TDTCP - ok
09:55:58.0531 1960 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:55:58.0531 1960 TermDD - ok
09:55:58.0656 1960 TosIde - ok
09:55:58.0812 1960 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:55:58.0812 1960 Udfs - ok
09:55:58.0921 1960 ultra - ok
09:55:59.0078 1960 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:55:59.0093 1960 Update - ok
09:55:59.0250 1960 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
09:55:59.0250 1960 USBAAPL - ok
09:55:59.0375 1960 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
09:55:59.0390 1960 usbaudio - ok
09:55:59.0515 1960 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:55:59.0515 1960 usbccgp - ok
09:55:59.0671 1960 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:55:59.0671 1960 usbehci - ok
09:55:59.0812 1960 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:55:59.0812 1960 usbhub - ok
09:55:59.0937 1960 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
09:55:59.0937 1960 usbohci - ok
09:56:00.0078 1960 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:56:00.0078 1960 usbprint - ok
09:56:00.0218 1960 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:56:00.0234 1960 usbscan - ok
09:56:00.0359 1960 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:56:00.0359 1960 usbstor - ok
09:56:00.0484 1960 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:56:00.0484 1960 usbuhci - ok
09:56:00.0625 1960 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:56:00.0625 1960 VgaSave - ok
09:56:00.0765 1960 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
09:56:00.0765 1960 ViaIde - ok
09:56:00.0921 1960 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:56:00.0921 1960 VolSnap - ok
09:56:01.0031 1960 Vsdatant (558cee3d9c470651f1843d51b42d761b) C:\WINDOWS\system32\vsdatant.sys
09:56:01.0062 1960 Vsdatant - ok
09:56:01.0234 1960 wacommousefilter (427a8bc96f16c40df81c2d2f4edd32dd) C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys
09:56:01.0234 1960 wacommousefilter - ok
09:56:01.0375 1960 wacomvhid (73e6f16a1f187d71fb26af308551e54a) C:\WINDOWS\system32\DRIVERS\wacomvhid.sys
09:56:01.0375 1960 wacomvhid - ok
09:56:01.0515 1960 WacomVKHid (889459833432b161cb99cfdf84a1a9bb) C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys
09:56:01.0531 1960 WacomVKHid - ok
09:56:01.0671 1960 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:56:01.0671 1960 Wanarp - ok
09:56:01.0781 1960 WDICA - ok
09:56:01.0937 1960 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:56:01.0937 1960 wdmaud - ok
09:56:02.0156 1960 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
09:56:02.0156 1960 WS2IFSL - ok
09:56:02.0312 1960 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
09:56:02.0312 1960 WudfPf - ok
09:56:02.0437 1960 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
09:56:02.0453 1960 WudfRd - ok
09:56:02.0531 1960 MBR (0x1B8) (0ac6d996bce152aed9600e6d6b797e2e) \Device\Harddisk0\DR0
09:56:02.0593 1960 \Device\Harddisk0\DR0 - ok
09:56:02.0609 1960 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
09:56:03.0015 1960 \Device\Harddisk1\DR1 - ok
09:56:03.0031 1960 Boot (0x1200) (423a084f5c4e8dda36ce7470d099cdd7) \Device\Harddisk0\DR0\Partition0
09:56:03.0031 1960 \Device\Harddisk0\DR0\Partition0 - ok
09:56:03.0031 1960 Boot (0x1200) (e7291f8d66e5abba77359ae61a51fe21) \Device\Harddisk0\DR0\Partition1
09:56:03.0031 1960 \Device\Harddisk0\DR0\Partition1 - ok
09:56:03.0046 1960 Boot (0x1200) (cd5bdc1d5ee6b99655f58d99f8e6161b) \Device\Harddisk1\DR1\Partition0
09:56:03.0046 1960 \Device\Harddisk1\DR1\Partition0 - ok
09:56:03.0046 1960 ============================================================
09:56:03.0046 1960 Scan finished
09:56:03.0046 1960 ============================================================
09:56:03.0062 1936 Detected object count: 0
09:56:03.0062 1936 Actual detected object count: 0

Hello

I would like an update to how the computer is doing so I would know what I need to do next

This is the tool I would like you to try and run next.

Please download aswMBR ( 511KB ) to your desktop.

• Double click the aswMBR.exe icon to run it
  
• Click the Scan button to start the scan
  
• On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Gringo

Everything seems to be working fine, no redirects since combofix. Yippee!!!


aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-15 02:16:12
-----------------------------
02:16:12.359 OS Version: Windows 5.1.2600 Service Pack 3
02:16:12.359 Number of processors: 1 586 0x2F02
02:16:12.359 ComputerName: ROBERTSCOMPUTER UserName: Compaq_Owner
02:16:14.203 Initialize success
02:16:16.234 AVAST engine defs: 12011401
02:16:22.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1c
02:16:22.546 Disk 0 Vendor: SAMSUNG_SP1604N/R TM100-24 Size: 152627MB BusType: 3
02:16:22.562 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-24
02:16:22.562 Disk 1 Vendor: HDS728080PLAT20 PF2OA21B Size: 78533MB BusType: 3
02:16:22.609 Disk 0 MBR read successfully
02:16:22.625 Disk 0 MBR scan
02:16:22.781 Disk 0 unknown MBR code
02:16:22.796 Disk 0 Partition 1 00 0C FAT32 LBA RECOVERY 7138 MB offset 63
02:16:22.859 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 145479 MB offset 14619150
02:16:22.906 Disk 0 scanning sectors +312560640
02:16:23.093 Disk 0 scanning C:\WINDOWS\system32\drivers
02:16:40.750 Service scanning
02:16:42.500 Modules scanning
02:17:00.328 Disk 0 trace - called modules:
02:17:00.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
02:17:00.375 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8612bab8]
02:17:00.375 3 CLASSPNP.SYS[f75d0fd7] -> nt!IofCallDriver -> \Device\00000067[0x86183030]
02:17:00.375 5 ACPI.sys[f7447620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-1c[0x861a8a88]
02:17:01.140 AVAST engine scan C:\WINDOWS
02:17:09.109 AVAST engine scan C:\WINDOWS\system32
02:19:04.671 AVAST engine scan C:\WINDOWS\system32\drivers
02:19:20.000 AVAST engine scan C:\Documents and Settings\Compaq_Owner.ROBERTSCOMPUTER
02:28:33.781 AVAST engine scan C:\Documents and Settings\All Users
02:32:18.750 Scan finished successfully
02:35:06.671 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Compaq_Owner.ROBERTSCOMPUTER\Desktop\MBR.dat"
02:35:06.750 The log file has been saved successfully to "C:\Documents and Settings\Compaq_Owner.ROBERTSCOMPUTER\Desktop\aswMBR.txt"

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

1. click on start
2. then go to settings
3. after that you need control panel
4. look for the icon add/remove programs
click on the following programs

J2SE Runtime Environment 5.0
Java™ 6 Update 24
ZoneAlarm Security Toolbar
ZoneAlarm Toolbar


and click on remove

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.


If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

• click on the Free Java Download Button
  
• click on Agree and start Free download
  
• click on Run
  
• click on run again
  
• click on install
  
• when install is complete click on close

TFC(Temp File Cleaner):

• Please download TFC to your desktop,
  
• Save any unsaved work. TFC will close all open application windows.
  
• Double-click TFC.exe to run the program.
  
• If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :

I would like you to rerun MBAM


• Double-click mbam icon
  
• go to the update tab at the top
  
• click on check for updates
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform quick scan, then click Scan.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  
• When completed, a log will open in Notepad. please copy and paste the log into your next reply
  
  • If you accidentally close it, the log file is saved here and will be named like this:
    
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

• Go Here to download HijackThis Installer
  
• Save HijackThis Installer to your desktop.
  
• Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  
• By default it will install to C:\Program Files\Trend Micro\HijackThis .
  
• Click on Install.
  
• It will create a HijackThis icon on the desktop.
  
• Once installed it will launch Hijackthis.
  
• Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  
• Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  
• Come back here to this thread and Paste the log in your next reply.
  
• DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  
• DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

In your next post I need the following


• Log From MBAM
  
• report from Hijackthis
  
• let me know of any problems you may have had
  
• How is the computer doing now?

Gringo

No problems so far, computer seems to be ok, no redirects
Mbam seems to have deleted one file, I rebooted.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.15.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Compaq_Owner :: ROBERTSCOMPUTER [administrator]

15/01/2012 19:01:47
mbam-log-2012-01-15 (19-01-47).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 205501
Time elapsed: 9 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Compaq_Owner.ROBERTSCOMPUTER\My Documents\Downloads\cnet2_unhackme_zip.exe (PUP.CNET.Adware.Bundle) -> Quarantined and deleted successfully.

(end)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:50:16, on 15/01/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\hott notes 4\hottnotes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy Photo Print - {9421DD08-935F-4701-A9CA-22DF90AC4EA6} - C:\Program Files\Epson Software\Easy Photo Print\EPTBL.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: hott notes 4.lnk = C:\Program Files\hott notes 4\hottnotes.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: ABBYY FineReader 9.0 Sprint Licensing Service (ABBYY.Licensing.FineReader.Sprint.9.0) - ABBYY - C:\Program Files\Common Files\ABBYY\FineReaderSprint\9.00\Licensing\NetworkLicenseServer.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ZoneAlarm Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ServicepointService - Radialpoint Inc. - C:\Program Files\Virgin Media\Service Manager\ServicepointService.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

--
End of file - 7658 bytes

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

• Run HijackThis
  
• Click on the Scan button
  
• Put a check beside all of the items listed below (if present):
  
  
  O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
  O4 - Startup: hott notes 4.lnk = C:\Program Files\hott notes 4\hottnotes.exe
  
  
  
  
• Close all open windows and browsers/email, etc...
  
• Click on the "Fix Checked" button
  
• When completed, close the application.
  
  
  NOTE**You can research each of those lines >here< and see if you want to keep them or not
  just copy the name between the brackets and paste into the search space
  O4 - HKLM\..\Run: [IntelliPoint]

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

• Turn off the real time scanner of any existing antivirus program while performing the online scan
  
• click on the ESET Online Scanner button
  
• Tick the box next to YES, I accept the Terms of Use.
  
  • Click Start
• When asked, allow the ActiveX control to install
  
  • Click Start
• Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  
• Click on Advanced Settings, ensure the options
  
  Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
• Click Scan
  
• Wait for the scan to finish
  
• Click on copy to clipboard and paste the results here in this topic
  
• you may also find here C:\Program Files\Eset\Eset Online Scanner\log.txt

Copy and paste that log as a reply to this topic

Gringo

Hi there
Internet running extremely slowly, couldnt get it to connect at all this morning until i rebooted the modem

heres the ESET log
C:\Documents and Settings\Compaq_Owner.ROBERTSCOMPUTER\My Documents\Downloads\asc-setup.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster application
C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster application
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP248\A0086697.sys a variant of Win32/Rootkit.Kryptik.HL trojan
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP249\A0086837.sys a variant of Win32/Rootkit.Kryptik.HL trojan
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP253\A0087837.sys a variant of Win32/Rootkit.Kryptik.HL trojan
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP256\A0088291.sys a variant of Win32/Rootkit.Kryptik.HL trojan
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP256\A0089318.sys a variant of Win32/Rootkit.Kryptik.HL trojan
D:\Working Documents\Art History Degree\A216 - Art And Its Histories\05 - Views Of Difference\PDF Resourses\african\SoftonicDownloader44840.exe a variant of Win32/SoftonicDownloader.A application
D:\Working Documents\Downloads\Misc Applications\virus killers\RegGenie_ErrorRepair_Setup.exe probably a variant of Win32/Adware.RegGenie application
D:\Working Documents\Downloads\Music Apps\Protools M-powered incl serial Full works\Protools\PROTOOLS 7.3\New Folder\Arturia.minimoog.V.VSTi.RTAS.v1.6.Incl.Keygen-AiR\keygen.exe a variant of Win32/Keygen.AD application
D:\Working Documents\Downloads\Music Apps\Recorders\Protools\PROTOOLS 7.3\New Folder\Arturia.minimoog.V.VSTi.RTAS.v1.6.Incl.Keygen-AiR\keygen.exe a variant of Win32/Keygen.AD application

Hello

There are some minor things in your online scan that should be removed.


delete files

• Copy all text in the quote box (below)...to Notepad.
  

  Quote

  @echo off
  del /f /s /q "C:\Documents and Settings\Compaq_Owner.ROBERTSCOMPUTER\My Documents\Downloads\asc-setup.exe"
  del /f /s /q "C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe"
  del /f /s /q "C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe"
  del /f /s /q "D:\Working Documents\Art History Degree\A216 - Art And Its Histories\05 - Views Of Difference\PDF Resourses\african\SoftonicDownloader44840.exe"
  del /f /s /q "D:\Working Documents\Downloads\Misc Applications\virus killers\RegGenie_ErrorRepair_Setup.exe"
  del /f /s /q "D:\Working Documents\Downloads\Music Apps\Protools M-powered incl serial Full works\Protools\PROTOOLS 7.3\New Folder\Arturia.minimoog.V.VSTi.RTAS.v1.6.Incl.Keygen-AiR\keygen.exe"
  del /f /s /q "D:\Working Documents\Downloads\Music Apps\Recorders\Protools\PROTOOLS 7.3\New Folder\Arturia.minimoog.V.VSTi.RTAS.v1.6.Incl.Keygen-AiR\keygen.exe"
  del %0
  
  
• Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
  It should look like this: <--XP<--vista
  
• Double click on delfile.bat to execute it.
  A black CMD window will flash, then disappear...this is normal.
  
• The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

The rest of the Online scan is only reporting backups created during the course of this fix C:\Qoobox\Quarantine\, and/or items located in System Restore's cache C:\System Volume Information\, Whatever is in these folders can't harm you unless you choose to perform a manual restore. the following steps will remove these backups.


Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.

Any programs and logs that are left over you can just be deleted from the desktop. TFC is a free temp file cleaner that is very easy to use, I would keep this and use before you do any scans or when you want to free up some space.

:DeFogger:

To re-enable your Emulation drivers, double click DeFogger to run the tool.

• The application window will appear
  
• Click the Re-enable button to re-enable your CD Emulation drivers
  
• Click Yes to continue
  
• A 'Finished!' message will appear
  
• Click OK
  
• DeFogger will now ask to reboot the machine - click OK

Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

• turn off all active protection software
  
• push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  
• please copy and past the following into the box ComboFix /Uninstall and click OK.
  
• Note the space between the X and the /Uninstall, it needs to be there.
  
• 

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.

• Double-click OTCleanIt.exe.
  
• Click the CleanUp! button.
  
• Select Yes when the "Begin cleanup Process?" prompt appears.
  
• If you are prompted to Reboot during the cleanup, select Yes.
  
• The tool will delete itself once it finishes, if not delete it by yourself.
  
• If asked to restart the computer, please do so

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.


:Make your Internet Explorer more secure:

• From within Internet Explorer click on the Tools menu and then click on Options.
  
• Click once on the Security tab
  
• Click once on the Internet icon so it becomes highlighted.
  
• Click once on the Custom Level button.
  
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialise and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
  Next press the Apply button and then the OK to exit the Internet Properties page.

:Make Firefox more secure:

please visit this page to explain how to make Firefox more secure - How to Secure Firefox

Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerability that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector


:Turn On Automatic Updates:

Turn On Automatic Updates
1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would reccomend the download and installation of some or all of the following programs (all free), and the updating of them regularly:

• WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  
  
• Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  
  
• Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recomend keeping it and using often.

Here is some great reading about how to be safer online:

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum
and
COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --><-- Don't worry every little bit helps.

Gringo

A Million Thanks for your help in this problem youve been great.