
Search Results Hijacked - BackDoor.Tdss - Oy Vey!


  • This topic is locked
21 replies to this topic

#1 jhirschson

jhirschson

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 04 August 2010 - 08:09 PM

No matter how many times I run CureIt, the virus comes back.

CureIt keeps saying:

C:\Windows\explorer.exe:2228 infected with BackDoor.Tdss.565
C:\Windows\system32\drivers\pciide.sys infected with BackDoor.Tdss.2459
C:\Windows\system32\drivers\pciide.sys infected with BackDoor.Tdss.2459

It claims to have eradicated the first one and cured the second two, but upon reboot, if I do a Google search *twice* from within Firefox's native, in-browser search box, then it comes back.

I have attached the Attach.txt and the DDS.txt is below. Please let me know if you want to see the CureIt log.

I could not run GMER without BSOD. Happy to follow instructions on how to get it to work, but no good on my own.

THANKS in advance.

Jay

#DDS


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jay Hirschson at 20:17:59.28 on Wed 08/04/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3015.1813 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\DTS.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\AtService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Apoint2K\ApRunSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Windows\system32\svchost.exe -k regsvc
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Lenovo\Lenovo WUSB\WQ_Tray2.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\explorer.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jay Hirschson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://lenovo.live.com
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
uRun: [Google Update] "c:\users\jay hirschson\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
mRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [PrintServer Diagnostic] c:\program files\print server\ptp\PSDiagnostic.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CameraApplicationLauncher] c:\program files\lenovo\camera center\bin\CameraApplicationLaunchpadLauncher.exe
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
StartupFolder: c:\users\jayhir~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wirele~1.lnk - c:\program files\lenovo\lenovo wusb\WQ_Tray2.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C2ED62BE-4FF5-4FAF-9274-3BA328DCA35C} - hxxps://timetracking.quickbooks.com/ocx/tts/TimeTrackingV2.ocx
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\users\jayhir~1\appdata\roaming\mozilla\firefox\profiles\tafb64d6.default\
FF - plugin: c:\program files\google\google updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\users\jay hirschson\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\jay hirschson\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\jay hirschson\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-7-30 218592]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-19 13480]
R2 ApRunSvc;Alps Application Launcher Service;c:\program files\apoint2k\ApRunSvc.exe [2009-2-19 36864]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-26 1676536]
R2 BPPROT;Intel® WiMAX Link Protocol Driver;c:\windows\system32\drivers\bpprot.sys [2008-8-10 22016]
R2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\intel\wimax\bin\DMAgent.exe [2008-8-25 344064]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-26 98304]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-12-26 632792]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-2-19 66848]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-4-6 2440120]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-9-23 53325]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-24 520192]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-2-19 2058776]
R2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\intel\wimax\bin\AppSrv.exe [2008-8-25 2269184]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\RCUVCMNP.sys [2009-9-10 186624]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-10-26 482176]
R3 bpenum;Intel® WiMAX Link Enumerator;c:\windows\system32\drivers\bpenum.sys [2008-8-25 31744]
R3 bpmp;Intel® WiMAX Link 5050 Series;c:\windows\system32\drivers\bpmp.sys [2008-8-25 117760]
R3 bpusb;Intel® WiMAX Link 5050 Series Function Driver;c:\windows\system32\drivers\bpusb.sys [2008-8-10 51712]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-2-19 29736]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-8-14 220152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-30 102448]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-8-29 3664384]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
R3 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\WQ_hwa.sys [2008-8-21 176952]
R3 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\WQ_rci.sys [2008-8-21 79416]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-24 48192]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-24 253952]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-26 106496]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-4-6 23888]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-7-30 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-7-30 1142224]
S3 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\WQ_ldr.sys [2008-8-21 33720]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-08-04 22:26:12 0 ----a-w- c:\users\jay hirschson\defogger_reenable
2010-08-04 12:40:55 0 d-----w- c:\programdata\PC-Doctor for Windows
2010-08-04 12:40:48 0 d-----w- c:\programdata\PCDr
2010-08-04 12:40:09 0 d-----w- c:\program files\PC-Doctor
2010-07-31 01:36:06 0 d-----w- c:\users\jay hirschson\DoctorWeb
2010-07-30 21:01:04 0 d-----w- c:\windows\pss
2010-07-30 15:52:59 0 d-----w- c:\users\jayhir~1\appdata\roaming\Malwarebytes
2010-07-30 15:52:48 0 d-----w- c:\programdata\Malwarebytes
2010-07-30 15:52:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 15:38:16 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-07-30 15:38:16 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-07-30 15:38:16 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-07-30 15:37:50 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-07-30 15:37:50 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-07-30 15:37:50 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-30 15:37:49 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-30 15:37:19 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-07-30 15:37:19 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-30 15:36:49 0 d-----w- c:\users\jayhir~1\appdata\roaming\PC Tools
2010-07-30 15:36:49 0 d-----w- c:\programdata\PC Tools
2010-07-30 15:36:49 0 d-----w- c:\program files\Spyware Doctor
2010-07-30 15:35:24 0 d-----w- c:\programdata\Google Updater
2010-07-30 15:27:22 161296 ------w- c:\windows\system32\drivers\tmcomm.sys
2010-07-30 15:15:07 0 d-----w- c:\program files\Trend Micro
2010-07-25 01:19:38 0 d-----w- c:\users\jayhir~1\appdata\roaming\avidemux
2010-07-25 01:19:14 0 d-----w- c:\program files\Avidemux 2.5
2010-07-15 20:44:02 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll

==================== Find3M ====================

2010-07-30 15:45:19 86016 ----a-w- c:\windows\inf\infpub.dat
2010-07-30 15:45:19 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-30 15:45:19 143360 ----a-w- c:\windows\inf\infstor.dat
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-02-19 22:32:37 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-04-16 01:17:20 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-04-16 01:17:20 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-04-16 01:17:20 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-02-19 21:15:11 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 20:18:54.19 ===============

#CureIt
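As an added example for this thread (not code from the DDS or CureIt tools, and not something the posters ran), the following Python script parses the DDS.txt section layout and the CureIt detection lines quoted above into structured records and runs a few defensive triage checks a log reader would do by hand: security policies that weaken the machine (EnableLUA = 0 turns UAC off, DisableCAD = 1 removes the Ctrl+Alt+Del secure-logon requirement), processes executing from user-writable paths, and drivers with boot (0) or system (1) start type, which load before most defences and are where a kernel-mode component should be reviewed first. The sample text is a constructed excerpt of the log lines above; the section-header pattern, the field layout of driver lines, and the reading of the R/S prefix as running/stopped plus a start-type digit are my assumptions about the DDS format, not documentation from the tool.

```python
"""Parse a DDS.txt log and CureIt detection lines, then run simple triage checks.

Added example for this thread; not code from the DDS or CureIt tools. The section
names, driver-line layout and R/S + start-type reading are assumptions drawn from
the log text posted above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the DDS.txt log posted above (a few representative lines).
SAMPLE_DDS = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Users\Jay Hirschson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-7-30 218592]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-26 98304]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-24 48192]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-4-6 23888]

============= FINISH: 20:18:54.19 ===============
"""

# Constructed excerpt of the CureIt output quoted in the first post (duplicate line kept on purpose).
SAMPLE_CUREIT = r"""
C:\Windows\explorer.exe:2228 infected with BackDoor.Tdss.565
C:\Windows\system32\drivers\pciide.sys infected with BackDoor.Tdss.2459
C:\Windows\system32\drivers\pciide.sys infected with BackDoor.Tdss.2459
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")                     # "===== Name ====="
DRIVER_RE = re.compile(                                           # "R0 name;display;path [date size]"
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$")
POLICY_RE = re.compile(r"^mPolicies-\w+:\s*(?P<key>\w+)\s*=\s*(?P<val>\d+)")
CUREIT_RE = re.compile(r"^(?P<path>.+?)(?::(?P<pid>\d+))?\s+infected with\s+(?P<sig>\S+)$")
USER_PATH_RE = re.compile(r"^c:\\users\\", re.IGNORECASE)         # user-writable profile tree

# Policy values worth flagging and why (well-known meanings of these registry values).
WEAK_POLICIES = {
    ("EnableLUA", 0): "UAC disabled",
    ("DisableCAD", 1): "Ctrl+Alt+Del secure logon disabled",
}


@dataclass
class Driver:
    running: bool     # assumed: R = running, S = stopped
    start_type: int   # assumed: 0 boot, 1 system, 2 auto, 3 demand
    name: str
    display: str
    path: str
    date: str
    size: int


@dataclass
class Detection:
    path: str
    pid: Optional[int]   # set when the scanner flagged a running process image
    signature: str


def split_sections(text):
    """Return {section name: [non-blank lines]} keyed by the '===== Name =====' headers."""
    sections, current = {}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def parse_drivers(lines):
    """Turn SERVICES / DRIVERS lines into Driver records; lines that do not fit are skipped."""
    drivers = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(Driver(m["state"] == "R", int(m["start"]), m["name"],
                                  m["display"], m["path"], m["date"], int(m["size"])))
    return drivers


def parse_policies(lines):
    """Collect mPolicies-* key/value pairs from the Pseudo HJT Report section."""
    policies = {}
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            policies[m["key"]] = int(m["val"])
    return policies


def parse_cureit(text):
    """Parse 'path[:pid] infected with <signature>' lines, dropping exact duplicates."""
    seen, detections = set(), []
    for line in text.splitlines():
        m = CUREIT_RE.match(line.strip())
        if m and line.strip() not in seen:
            seen.add(line.strip())
            pid = int(m["pid"]) if m["pid"] else None
            detections.append(Detection(m["path"], pid, m["sig"]))
    return detections


def triage(dds_text):
    """Return human-readable findings: weak policies, user-path processes, early-start drivers."""
    sections = split_sections(dds_text)
    findings = []
    for key, val in parse_policies(sections.get("Pseudo HJT Report", [])).items():
        if (key, val) in WEAK_POLICIES:
            findings.append(f"policy {key}={val}: {WEAK_POLICIES[(key, val)]}")
    for proc in sections.get("Running Processes", []):
        if USER_PATH_RE.match(proc):
            findings.append(f"process from user-writable path: {proc}")
    for d in parse_drivers(sections.get("SERVICES / DRIVERS", [])):
        if d.start_type <= 1:
            kind = "boot" if d.start_type == 0 else "system"
            findings.append(f"early-start driver ({kind}): {d.name} -> {d.path}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print(finding)
    for det in parse_cureit(SAMPLE_CUREIT):
        print(f"{det.signature}: {det.path} (pid {det.pid})")
```

The findings are review prompts, not verdicts: a driver with start type 0 is normal for a disk or security filter, and a user-profile executable is normal for an updater, so the output is a shortlist for a human to check against file dates, signatures and vendor, which is what the helper in this thread does with the raw log.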


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:49 AM

Posted 12 August 2010 - 08:07 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
  1. Do not run any other tool until instructed to do so!
  2. Please Do not Attach logs or put in code boxes.
  3. Tell me about any problems that have occurred during the fix.
  4. Tell me of any other symptoms you may be having as these can help also.
  5. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.

Download DDS:
    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Download DDS and save it to your desktop

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


MBRCheck

Please also download MBRCheck to your desktop
  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some data on it
  • a report called MBRcheck will be on your desktop
  • open this report
  • Right click on the screen and select > Select All
  • Press Control+C
  • now please copy that report to this thread


Information and logs:
    In your next post I need the following:
      1. logs from DDS
      2. log from RKUnHooker
      3. report from MBRCheck
      4. let me know of any problems you may have had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

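The post above asks for a DDS log, and the first thing a helper does with one is skim the "Running Processes" and "Pseudo HJT Report" sections for entries that do not belong. The following is an added example (not code from this thread, from the helper, or from the DDS tool) of doing that skim automatically. It relies only on the line formats visible in the DDS output posted in this thread: `=== Section ===` headers, `uRun`/`mRun`/`dRun: [name] command` autostart lines and `mPolicies-system: key = value` lines. The three checks (a process or autostart command running from a temp directory, an autostart value with no command, and UAC turned off by `EnableLUA = 0`) and the sample log are the reviewer's own constructions and are assumptions about what is worth a second look, not verdicts.

```python
"""Triage of DDS-format logs: flag the entries a helper reviews first.

Added example; not code from this thread or from the DDS tool. It relies only
on the line formats visible in the DDS output posted in this thread
('=== Section ===' headers, 'uRun/mRun/dRun: [name] command' autostart lines,
'mPolicies-system: key = value' lines). The checks themselves (temp-directory
launches, empty autostart values, UAC disabled) and the sample log are the
reviewer's own constructions, not part of DDS.
"""
import re
from typing import Dict, List, Tuple

# Directories that legitimate software rarely runs from at startup.
TEMP_DIR_PATTERNS = [
    re.compile(r"\\windows\\temp\\", re.IGNORECASE),
    re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE),
    re.compile(r"\\local settings\\temp\\", re.IGNORECASE),
]

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")             # ===== Name =====
RUN_RE = re.compile(r"^([umd]Run):\s*\[(.*?)\]\s*(.*)$")  # mRun: [Name] command
POLICY_RE = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)")

# Constructed sample in DDS layout (not a real machine's log).
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\TEMP\example_dropper.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
dRun: [example_dropper.exe] c:\windows\temp\example_dropper.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)

============= FINISH: 21:41:11.63 ===============
"""


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the '=== Name ===' header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "HEADER"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def from_temp_dir(path: str) -> bool:
    """True if the command or path points into a temporary directory."""
    return any(p.search(path) for p in TEMP_DIR_PATTERNS)


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs, in log order, for entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    sections = split_sections(text)

    for line in sections.get("Running Processes", []):
        if from_temp_dir(line):
            findings.append(("process running from a temp directory", line))

    for line in sections.get("Pseudo HJT Report", []):
        run = RUN_RE.match(line)
        if run:
            key, _name, command = run.groups()
            if not command.strip():
                findings.append((f"{key} autostart entry with an empty command", line))
            elif from_temp_dir(command):
                findings.append((f"{key} autostart launched from a temp directory", line))
            continue
        policy = POLICY_RE.match(line)
        if policy and policy.group(1) == "EnableLUA" and policy.group(2) == "0":
            findings.append(("UAC disabled by policy (EnableLUA = 0)", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run it against a saved DDS.txt by replacing `SAMPLE_LOG` with the file's contents. Each flagged line is a prompt to look closer, not a diagnosis; a helper still reads the whole log, because a startup entry pointing at a normal-looking path can be just as relevant as one in Temp.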
#3 jhirschson

  • Topic Starter
  • Members
  • 10 posts

Posted 12 August 2010 - 09:23 PM

Thanks, Gringo, for taking the case. Looking forward to working with you.

Defogger run successfully.

DDS has run. 2 logs are below.

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jay Hirschson at 21:39:18.60 on Thu 08/12/2010
Internet Explorer: 8.0.6001.18882 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3015.1346 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
SP: Symantec Endpoint Protection *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\DTS.exe
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\AtService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Apoint2K\ApRunSvc.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k regsvc
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\System32\TPHDEXLG.exe
C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
c:\Program Files\Lenovo\System Update\SUService.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Lenovo\Lenovo WUSB\WQ_Tray2.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Users\Jay Hirschson\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\TEMP\wmsdk64_32.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Jay Hirschson\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://lenovo.live.com
mDefault_Page_URL = hxxp://lenovo.live.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: IePasswordManagerHelper Class: {bf468356-bb7e-42d7-9f15-4f3b9bcfced2} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [RegistryMechanic] c:\program files\registry mechanic\RMTray.exe /H
uRun: [Google Update] "c:\users\jay hirschson\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [eFax 4.4] "c:\program files\efax messenger 4.4\J2GDllCmd.exe" /R
mRun: [<NO NAME>]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe
mRun: [TpShocks] TpShocks.exe
mRun: [TPHOTKEY] c:\program files\lenovo\hotkey\TPOSDSVC.exe
mRun: [TPFNF7] c:\program files\lenovo\npdirect\TPFNF7SP.exe /r
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [PrintServer Diagnostic] c:\program files\print server\ptp\PSDiagnostic.exe
mRun: [picon] "c:\program files\common files\intel\privacy icon\PrivacyIconClient.exe" -startup
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LPManager] c:\progra~1\thinkv~1\prdctr\LPMGR.exe
mRun: [LPMailChecker] c:\progra~1\thinkv~1\prdctr\LPMLCHK.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [FingerPrintSoftware] "c:\program files\lenovo fingerprint software\fpapp.exe" \s
mRun: [EZEJMNAP] c:\progra~1\thinkpad\utilit~1\EzEjMnAp.Exe
mRun: [cssauth] "c:\program files\lenovo\client security solution\cssauth.exe" silent
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CameraApplicationLauncher] c:\program files\lenovo\camera center\bin\CameraApplicationLaunchpadLauncher.exe
mRun: [BLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BTVLogEx.DLL,StartBattLog
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
dRun: [wmsdk64_32.exe] c:\windows\temp\wmsdk64_32.exe
StartupFolder: c:\users\jayhir~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\efax44~1.lnk - c:\program files\efax messenger 4.4\J2GTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\thinkpad\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\wirele~1.lnk - c:\program files\lenovo\lenovo wusb\WQ_Tray2.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableCAD = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
IE: {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - c:\program files\lenovo\client security solution\tvtpwm_ie_com.dll
Trusted Zone: intuit.com\ttlc
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {C2ED62BE-4FF5-4FAF-9274-3BA328DCA35C} - hxxps://timetracking.quickbooks.com/ocx/tts/TimeTrackingV2.ocx
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli ACGina

================= FIREFOX ===================

FF - ProfilePath - c:\users\jayhir~1\appdata\roaming\mozilla\firefox\profiles\tafb64d6.default\
FF - plugin: c:\program files\google\google updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\users\jay hirschson\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\jay hirschson\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\jay hirschson\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-7-30 218592]
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2008-5-14 19496]
R1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\drivers\smiif32.sys [2008-5-19 13480]
R2 ApRunSvc;Alps Application Launcher Service;c:\program files\apoint2k\ApRunSvc.exe [2009-2-19 36864]
R2 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-26 1676536]
R2 BPPROT;Intel® WiMAX Link Protocol Driver;c:\windows\system32\drivers\bpprot.sys [2008-8-10 22016]
R2 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\intel\wimax\bin\DMAgent.exe [2008-8-25 344064]
R2 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-26 98304]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2009-12-26 632792]
R2 Power Manager DBC Service;Power Manager DBC Service;c:\program files\thinkpad\utilities\PWMDBSVC.exe [2009-2-19 66848]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-4-6 2440120]
R2 TPHKSVC;On Screen Display;c:\program files\lenovo\hotkey\TPHKSVC.exe [2008-9-23 53325]
R2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\lenovo\rescue and recovery\rrpservice.exe [2008-5-24 520192]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\common files\intel\privacy icon\uns\UNS.exe [2009-2-19 2058776]
R2 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\intel\wimax\bin\AppSrv.exe [2008-8-25 2269184]
R3 5U875UVC;Integrated Camera;c:\windows\system32\drivers\RCUVCMNP.sys [2009-9-10 186624]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\drivers\ATSwpWDF.sys [2008-10-26 482176]
R3 bpenum;Intel® WiMAX Link Enumerator;c:\windows\system32\drivers\bpenum.sys [2008-8-25 31744]
R3 bpmp;Intel® WiMAX Link 5050 Series;c:\windows\system32\drivers\bpmp.sys [2008-8-25 117760]
R3 bpusb;Intel® WiMAX Link 5050 Series Function Driver;c:\windows\system32\drivers\bpusb.sys [2008-8-10 51712]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-2-19 29736]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6032.sys [2009-8-14 220152]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-30 102448]
R3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2008-8-29 3664384]
R3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\drivers\tvti2c.sys [2008-2-22 37312]
R3 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\drivers\WQ_hwa.sys [2008-8-21 176952]
R3 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\drivers\WQ_rci.sys [2008-8-21 79416]
S1 tvtumon;tvtumon;c:\windows\system32\drivers\tvtumon.sys [2008-5-24 48192]
S2 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\lenovo\rescue and recovery\UpdateMonitor.exe [2008-5-24 253952]
S3 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-26 106496]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-4-6 23888]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-4-25 1120752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-7-30 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-7-30 1142224]
S3 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\drivers\WQ_ldr.sys [2008-8-21 33720]

============== File Associations ===============

.txt=

=============== Created Last 30 ================

2010-08-09 02:53:04 1536 ----a-w- c:\windows\system32\file.exe
2010-08-05 17:08:23 0 d-----w- c:\programdata\IsolatedStorage
2010-08-05 17:08:15 0 d-----w- c:\users\jayhir~1\appdata\roaming\bppenu11
2010-08-05 17:06:17 0 d-----w- c:\program files\Business Plan Pro
2010-08-04 22:26:12 0 ----a-w- c:\users\jay hirschson\defogger_reenable
2010-08-04 12:40:55 0 d-----w- c:\programdata\PC-Doctor for Windows
2010-08-04 12:40:48 0 d-----w- c:\programdata\PCDr
2010-08-04 12:40:09 0 d-----w- c:\program files\PC-Doctor
2010-07-31 01:36:06 0 d-----w- c:\users\jay hirschson\DoctorWeb
2010-07-30 21:01:04 0 d-----w- c:\windows\pss
2010-07-30 15:52:59 0 d-----w- c:\users\jayhir~1\appdata\roaming\Malwarebytes
2010-07-30 15:52:48 0 d-----w- c:\programdata\Malwarebytes
2010-07-30 15:52:47 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 15:38:16 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2010-07-30 15:38:16 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-07-30 15:38:16 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-07-30 15:37:50 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2010-07-30 15:37:50 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2010-07-30 15:37:50 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-30 15:37:49 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-30 15:37:19 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2010-07-30 15:37:19 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-30 15:36:49 0 d-----w- c:\users\jayhir~1\appdata\roaming\PC Tools
2010-07-30 15:36:49 0 d-----w- c:\programdata\PC Tools
2010-07-30 15:36:49 0 d-----w- c:\program files\Spyware Doctor
2010-07-30 15:35:24 0 d-----w- c:\programdata\Google Updater
2010-07-30 15:27:22 161296 ------w- c:\windows\system32\drivers\tmcomm.sys
2010-07-30 15:15:07 0 d-----w- c:\program files\Trend Micro
2010-07-25 01:19:38 0 d-----w- c:\users\jayhir~1\appdata\roaming\avidemux
2010-07-25 01:19:14 0 d-----w- c:\program files\Avidemux 2.5
2010-07-15 20:44:02 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll

==================== Find3M ====================

2010-08-07 15:34:46 120640 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-07-30 15:45:19 86016 ----a-w- c:\windows\inf\infpub.dat
2010-07-30 15:45:19 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-30 15:45:19 143360 ----a-w- c:\windows\inf\infstor.dat
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-02-19 22:32:37 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-01-21 02:43:58 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2010-04-16 01:17:20 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-04-16 01:17:20 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-04-16 01:17:20 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
2009-02-19 21:15:11 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 21:41:11.63 ===============

ATTACH.txt


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume1
Install Date: 2/19/2009 4:30:35 PM
System Uptime: 8/12/2010 8:19:27 AM (13 hours ago)

Motherboard: LENOVO | | 2774CTO
Processor: Intel® Core™2 Duo CPU U9400 @ 1.40GHz | None | 800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 108 GiB total, 25.348 GiB free.
Q: is FIXED (NTFS) - 10 GiB total, 3.677 GiB free.
S: is FIXED (NTFS) - 1 GiB total, 0.69 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================


==== Installed Programs ======================


2007 Microsoft Office system
Access Help
Adobe Acrobat 9 Standard - English, Français, Deutsch
Adobe Acrobat 9.3.3 - CPSID_83708
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
AnswerWorks 5.0 English Runtime
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
Avidemux 2.5
Bonjour
Business Contact Manager for Outlook 2007 SP2
Business Plan Pro 15th Anniversary Edition
Camera Center
Canon iP6700D
Canon Utilities Easy-PhotoPrint
Canon Utilities My Printer
CCScore
Client Security - Password Manager
Conexant 20561 SmartAudio HD
DirectXInstallService
Drag-to-Disc
eFax Messenger
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
Google Talk Plugin
Google Updater
Help Center
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Integrated Camera Driver Installer Package Ver.1.18.500.0
Integrated Camera TWAIN
Intel PROSet Wireless
Intel WiMAX Demo
Intel® Graphics Media Accelerator Driver
Intel® Management Engine Interface
Intel® PROSet/Wireless WiFi Software
Intel® PROSet/Wireless WiMAX Software
Intel® Active Management Technology
InterVideo Register Manager
InterVideo WinDVD
iTunes
Java™ 6 Update 17
Java™ 6 Update 7
Kodak EasyShare software
Lenovo Fingerprint Software
Lenovo System Interface Driver
Lenovo ThinkVantage Toolbox
Lenovo Wireless USB
LiveUpdate 3.3 (Symantec Corporation)
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash Communication Server MX
Macromedia Flash MX 2004
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2003 Web Components
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Live Add-in 1.4
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Hybrid 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Connectivity Components
Microsoft Office Suite Activation Assistant
Microsoft Office Visio Standard 2003
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual Studio 2005 Tools for Office Runtime
Mobile Broadband Connect
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
netbrdg
OfotoXMI
On Screen Display
Presentation Director
Print Server Driver
Product Recovery Disc Burning Utility
Productivity Center Supplement for ThinkPad
QuickBooks
QuickBooks Premier: Professional Services Edition 2009
QuickTime
Registry Mechanic 9.0
Registry patch for Windows Vista USB S3 PM Enablement
Registry patch of Changing Timing of IDLE IRP by Finger Print Driver for Windows Vista
Registry Patch of Enabling Device Initiated Power Management(DIPM) on SATA for Windows Vista
Registry patch to improve USB device detection on resume from sleep for Windows Vista
Rescue and Recovery
Roxio Activation Module
Roxio Central Audio
Roxio Central Copy
Roxio Central Core
Roxio Central Data
Roxio Central Tools
Roxio Creator Business Edition
Roxio Express Labeler 3
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
SFR
SHASTA
skin0001
SKINXSDK
Skype Toolbars
Skype™ 4.2
Sonic CinePlayer Decoder Pack
Sonic Icons for Lenovo
Spyware Doctor 7.0
Stamps.com
Stamps.com Address Book Support for Microsoft Outlook 97-2007
Stamps.com Application Support for Microsoft Outlook 2000, 2002, 2003
Stamps.com Application Support for Microsoft Word 2000, 2002, 2003
Stamps.com support for Microsoft Outlook 2000-2007
Stamps.com support for Microsoft Outlook 97-2007
Stamps.com support for Microsoft Word 2000-2007
staticcr
SupportSoft Assisted Service
Symantec Endpoint Protection
System Update
Tax Forms Helper 2009 9.0
ThinkPad Bluetooth with Enhanced Data Rate Software 6.1.0.4500
ThinkPad EasyEject Utility
ThinkPad FullScreen Magnifier
ThinkPad Hotkey Features Setup
ThinkPad Mobility Center Customization
ThinkPad Power Management Driver
ThinkPad Power Manager
ThinkPad UltraNav Driver
ThinkPad UltraNav Utility
ThinkVantage Access Connections
ThinkVantage Active Protection System
ThinkVantage Productivity Center
ThinkVantage Status Gadget
ThinkVantage Technologies Welcome Message
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wnyiper
TurboTax 2008 wrapper
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wnyiper
TurboTax 2009 wrapper
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb979895)
Verizon FiOS Media Manager
Verizon Wireless BroadbandAccess Self Activation
Visual Studio 2005 Tools for Office Second Edition Runtime
VPRINTOL
Wallpapers
Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (10/02/2008 8.1.2.37)
Windows Driver Package - Intel (e1yexpress) Net (08/22/2008 9.52.10.1001)
Windows Driver Package - Intel (iaStor) hdc (09/12/2008 8.6.0.1007)
Windows Driver Package - Intel hdc (02/20/2008 6.9.1.1001)
Windows Driver Package - Intel System (01/30/2008 8.6.1.1001)
Windows Driver Package - Intel System (02/20/2008 8.6.1.1002)
Windows Driver Package - Intel System (02/20/2008 8.7.0.1007)
Windows Driver Package - Intel System (09/15/2006 7.0.0.1011)
Windows Driver Package - Intel USB (02/05/2007 8.3.0.1011)
Windows Driver Package - Lenovo 1.45 (02/18/2008 1.45)
Windows Live ID Sign-in Assistant
WIRELESS

==== End Of File ===========================

I ran RKUnhooker but had big problems. The first time I ran it, I got a BSOD with the error occurring at normandy.sys.

I then tried to run in safe mode. Couldn't launch.

Rebooted to normal Windows but RKUnhooker froze. Rebooted and the same thing happened. I have given up on RKUnhooker unless you have other ideas about how to do it successfully.

MBRCheck report is below:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows Vista Business Edition
Windows Information: Service Pack 1 (build 6001), 32-bit
Base Board Manufacturer: LENOVO
BIOS Manufacturer: LENOVO
System Manufacturer: LENOVO
System Product Name: 2774CTO
Logical Drives Mask: 0x0005000c

Kernel Drivers (total 195):
0x81E3A000 \SystemRoot\system32\ntkrnlpa.exe
0x81E07000 \SystemRoot\system32\hal.dll
0x80405000 \SystemRoot\system32\kdcom.dll
0x8040D000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8046D000 \SystemRoot\system32\PSHED.dll
0x8047E000 \SystemRoot\system32\BOOTVID.dll
0x80486000 \SystemRoot\system32\CLFS.SYS
0x804C7000 \SystemRoot\system32\CI.dll
0x8060D000 \SystemRoot\system32\drivers\Wdf01000.sys
0x80689000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80696000 \SystemRoot\system32\drivers\fltmgr.sys
0x806C8000 \SystemRoot\system32\drivers\acpi.sys
0x8070E000 \SystemRoot\system32\drivers\WMILIB.SYS
0x80717000 \SystemRoot\system32\drivers\msisadrv.sys
0x8071F000 \SystemRoot\system32\drivers\pci.sys
0x80746000 \SystemRoot\System32\drivers\partmgr.sys
0x80755000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x80758000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x80762000 \SystemRoot\system32\drivers\volmgr.sys
0x80771000 \SystemRoot\System32\drivers\volmgrx.sys
0x807BB000 \SystemRoot\system32\drivers\pciide.sys
0x807C2000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x807D0000 \SystemRoot\System32\drivers\mountmgr.sys
0x8280B000 \SystemRoot\system32\DRIVERS\iaStor.sys
0x828E6000 \SystemRoot\system32\drivers\atapi.sys
0x828EE000 \SystemRoot\system32\drivers\ataport.SYS
0x8290C000 \SystemRoot\system32\drivers\msahci.sys
0x82916000 \SystemRoot\system32\drivers\fileinfo.sys
0x82926000 \SystemRoot\system32\drivers\PCTCore.sys
0x8295F000 \SystemRoot\System32\Drivers\DRVMCDB.SYS
0x82976000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x82980000 \SystemRoot\System32\Drivers\ksecdd.sys
0x82A00000 \SystemRoot\system32\drivers\ndis.sys
0x82B0B000 \SystemRoot\system32\drivers\msrpc.sys
0x82B36000 \SystemRoot\system32\drivers\NETIO.SYS
0x8A20D000 \SystemRoot\System32\drivers\tcpip.sys
0x8A2F6000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8A404000 \SystemRoot\System32\Drivers\Ntfs.sys
0x8A513000 \SystemRoot\system32\drivers\volsnap.sys
0x8A54C000 \SystemRoot\System32\DRIVERS\ApsHM86.sys
0x8A554000 \SystemRoot\System32\Drivers\spldr.sys
0x8A55C000 \SystemRoot\System32\DRIVERS\Apsx86.sys
0x8A57A000 \SystemRoot\System32\Drivers\mup.sys
0x8A589000 \SystemRoot\System32\drivers\ecache.sys
0x8A5B0000 \SystemRoot\system32\drivers\disk.sys
0x8A5C1000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x8A5E2000 \SystemRoot\system32\drivers\crcdisk.sys
0x8A3EC000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8A3F7000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x82B70000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x91C0F000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
0x922F3000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x92392000 \SystemRoot\System32\drivers\watchdog.sys
0x9239F000 \SystemRoot\system32\DRIVERS\HECI.sys
0x923A9000 \SystemRoot\system32\DRIVERS\serial.sys
0x923C3000 \SystemRoot\system32\DRIVERS\serenum.sys
0x82B7F000 \SystemRoot\system32\DRIVERS\e1y6032.sys
0x923CD000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x82BB9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x923D8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x923E7000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x93E01000 \SystemRoot\system32\DRIVERS\NETw5v32.sys
0x94189000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0x9419C000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x941A7000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0x941D1000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x941DC000 \SystemRoot\system32\drivers\tpm.sys
0x941EA000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x941EE000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0x941F2000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0x807E0000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x941F4000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0x91C00000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0x805A7000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x99C05000 \SystemRoot\system32\DRIVERS\storport.sys
0x99C46000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x99C51000 \SystemRoot\System32\Drivers\RootMdm.sys
0x99C59000 \SystemRoot\system32\drivers\modem.sys
0x99C66000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x99C7D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x99C88000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x99CAB000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x99CBA000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x99CCE000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x99CE3000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0x99CEA000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0x99D73000 \SystemRoot\system32\DRIVERS\termdd.sys
0x99D83000 \SystemRoot\system32\DRIVERS\psadd.sys
0x99D8A000 \SystemRoot\system32\DRIVERS\Tvti2c.sys
0x99D92000 \SystemRoot\system32\DRIVERS\teefer2.sys
0x99DC8000 \SystemRoot\system32\DRIVERS\swenum.sys
0x99DCA000 \SystemRoot\system32\DRIVERS\ks.sys
0x9660A000 \SystemRoot\system32\DRIVERS\NWADIenum.sys
0x96645000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x9664F000 \SystemRoot\system32\DRIVERS\umbus.sys
0x9665C000 \SystemRoot\system32\DRIVERS\bpenum.sys
0x96689000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x966BD000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x966CE000 \SystemRoot\system32\drivers\CHDRT32.sys
0x96743000 \SystemRoot\system32\drivers\portcls.sys
0x96770000 \SystemRoot\system32\drivers\drmk.sys
0x96795000 \SystemRoot\System32\Drivers\SRTSP.SYS
0x95607000 \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100729.040\NAVEX15.SYS
0x95753000 \SystemRoot\System32\Drivers\ATSwpWDF.sys
0x957C8000 \??\C:\Windows\system32\Drivers\SYMEVENT.SYS
0x967DF000 \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100729.040\NAVENG.SYS
0x957ED000 \SystemRoot\System32\Drivers\BTHUSB.sys
0x96C04000 \SystemRoot\System32\Drivers\bthport.sys
0x96C84000 \SystemRoot\System32\Drivers\USBD.SYS
0x96C86000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x96CA5000 \SystemRoot\System32\Drivers\bpusb.sys
0x96CB6000 \SystemRoot\system32\DRIVERS\RCUVCMNP.sys
0x96CE4000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0x96CF1000 \SystemRoot\system32\DRIVERS\rfcomm.sys
0x96D1A000 \SystemRoot\system32\DRIVERS\BthEnum.sys
0x96D24000 \SystemRoot\system32\DRIVERS\bthpan.sys
0x96D3E000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0x96D57000 \SystemRoot\system32\DRIVERS\bpmp.sys
0x96D79000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x96D82000 \SystemRoot\system32\drivers\btwavdt.sys
0x96DF3000 \SystemRoot\System32\Drivers\Null.SYS
0x9C40F000 \SystemRoot\system32\drivers\btwaudio.sys
0x9C48F000 \SystemRoot\System32\Drivers\Beep.SYS
0x9C496000 \SystemRoot\system32\DRIVERS\btwl2cap.sys
0x9C4A0000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0x9C4A6000 \SystemRoot\system32\DRIVERS\btwrchid.sys
0x9C4A9000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x9C4B9000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x9C4C0000 \SystemRoot\System32\drivers\vga.sys
0x9C4CC000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x9C4ED000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x9C4F5000 \SystemRoot\system32\drivers\rdpencdd.sys
0x9C4FD000 \SystemRoot\System32\Drivers\Msfs.SYS
0x9C508000 \SystemRoot\System32\Drivers\Npfs.SYS
0x9C516000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x9C51F000 \SystemRoot\system32\DRIVERS\tdx.sys
0x9C535000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0x9C563000 \SystemRoot\system32\DRIVERS\WQ_rci.sys
0x9C576000 \??\C:\Windows\system32\drivers\wpsdrvnt.sys
0x9C584000 \SystemRoot\system32\DRIVERS\WQ_hwa.sys
0x9C5AF000 \SystemRoot\system32\DRIVERS\smb.sys
0x9CE0B000 \SystemRoot\system32\drivers\afd.sys
0x9CE53000 \SystemRoot\System32\DRIVERS\netbt.sys
0x9CE85000 \SystemRoot\system32\DRIVERS\pacer.sys
0x9CE9B000 \SystemRoot\system32\DRIVERS\netbios.sys
0x9CEA9000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9CEBC000 \SystemRoot\System32\drivers\Tppwr32v.sys
0x9CEC2000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0x9CF2C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9CF68000 \SystemRoot\system32\drivers\nsiproxy.sys
0x9CF72000 \SystemRoot\system32\DRIVERS\smiif32.sys
0x9CF74000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0x9CFD2000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0x9D60D000 \SystemRoot\system32\drivers\csc.sys
0x9D667000 \SystemRoot\System32\Drivers\dfsc.sys
0x9D67E000 \SystemRoot\System32\Drivers\crashdmp.sys
0x9D68B000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xA0230000 \SystemRoot\System32\win32k.sys
0x9D766000 \SystemRoot\System32\drivers\Dxapi.sys
0x9D770000 \SystemRoot\system32\DRIVERS\monitor.sys
0xA0450000 \SystemRoot\System32\TSDDD.dll
0xA0470000 \SystemRoot\System32\cdd.dll
0x9D77F000 \SystemRoot\system32\drivers\luafv.sys
0x9D79A000 \SystemRoot\system32\DRIVERS\tvtfilter.sys
0x9D7A3000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0x9D7AE000 \SystemRoot\System32\DLA\DLADResM.SYS
0x9D7AF000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0x9D7C7000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0x9D7CC000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0x9D7CE000 \SystemRoot\System32\DLA\DLABMFSM.SYS
0x9D7D5000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0x9D7DC000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0x9C5C3000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xA0480000 \SystemRoot\System32\ATMFD.DLL
0x8A311000 \SystemRoot\system32\drivers\spsys.sys
0x9D7F2000 \SystemRoot\system32\DRIVERS\bpprot.sys
0x9CFEF000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8A3C0000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x9D600000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9C5DA000 \SystemRoot\system32\DRIVERS\rspndr.sys
0xB900F000 \SystemRoot\system32\drivers\HTTP.sys
0xB907C000 \SystemRoot\System32\DRIVERS\srvnet.sys
0xB9099000 \SystemRoot\system32\DRIVERS\bowser.sys
0xB90B2000 \SystemRoot\System32\drivers\mpsdrv.sys
0xB90C7000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB90E6000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0xB911F000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0xB9137000 \SystemRoot\System32\DRIVERS\srv2.sys
0xB915E000 \SystemRoot\System32\DRIVERS\srv.sys
0xBDC00000 \SystemRoot\system32\drivers\peauth.sys
0xBDCDE000 \SystemRoot\System32\Drivers\secdrv.SYS
0xBDCE8000 \SystemRoot\System32\drivers\tcpipreg.sys
0xBDCF4000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xBDCFA000 \SystemRoot\system32\DRIVERS\cdfs.sys
0x77840000 \Windows\System32\ntdll.dll

Processes (total 120):
0 System Idle Process
4 System
576 C:\Windows\System32\smss.exe
644 csrss.exe
688 csrss.exe
696 C:\Windows\System32\wininit.exe
736 C:\Windows\System32\services.exe
752 C:\Windows\System32\lsass.exe
760 C:\Windows\System32\lsm.exe
832 C:\Windows\System32\winlogon.exe
936 C:\Windows\System32\svchost.exe
1000 C:\Windows\System32\DTS.exe
1012 C:\Windows\System32\ibmpmsvc.exe
1040 C:\Windows\System32\AtService.exe
1100 C:\Windows\System32\svchost.exe
1292 C:\Windows\System32\svchost.exe
1332 C:\Windows\System32\svchost.exe
1352 C:\Windows\System32\svchost.exe
1440 C:\Windows\System32\audiodg.exe
1468 C:\Program Files\Apoint2K\ApRunSvc.exe
1488 C:\Windows\System32\svchost.exe
1504 C:\Windows\System32\SLsvc.exe
1564 C:\Windows\System32\svchost.exe
1688 C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
1720 C:\Windows\System32\svchost.exe
1896 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
1928 C:\Windows\System32\wlanext.exe
944 C:\Windows\System32\spoolsv.exe
1384 C:\Windows\System32\svchost.exe
2044 C:\Program Files\Apoint2K\Apoint.exe
2072 C:\Windows\System32\dwm.exe
2084 C:\Program Files\Apoint2K\ApMsgFwd.exe
2148 C:\Program Files\Apoint2K\ApntEx.exe
2160 C:\Windows\explorer.exe
2204 C:\Windows\System32\taskeng.exe
2296 C:\Program Files\Lenovo\HOTKEY\TPHKSVC.exe
2464 C:\Windows\System32\taskeng.exe
2512 C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
2524 C:\Windows\System32\TpShocks.exe
2588 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
2616 C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
2632 C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
2664 C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
2688 C:\Program Files\Java\jre6\bin\jusched.exe
2764 C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
2792 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2836 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
2876 C:\Program Files\Bonjour\mDNSResponder.exe
2912 C:\Windows\System32\svchost.exe
2928 C:\Windows\System32\rundll32.exe
2956 C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
2988 C:\Program Files\Print Server\PTP\PSDiagnostic.exe
3004 C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
3040 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
3184 C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
3232 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
3296 C:\Windows\System32\igfxpers.exe
3340 C:\Program Files\Intel\AMT\LMS.exe
3440 C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
3520 C:\Windows\System32\svchost.exe
3548 C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe
3580 C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
3644 C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
3704 C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
3712 C:\Windows\System32\igfxsrvc.exe
3772 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
3792 C:\Windows\System32\svchost.exe
3804 C:\Program Files\iTunes\iTunesHelper.exe
3820 C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
3848 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
3928 C:\Windows\System32\svchost.exe
3960 C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
3996 C:\Windows\System32\igfxtray.exe
4024 C:\Windows\System32\TPHDEXLG.exe
4068 C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
2108 C:\Windows\System32\hkcmd.exe
2132 C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
2228 C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
1832 C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
2288 C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
1644 C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
2532 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2672 C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
1708 C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
1768 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
2708 C:\Windows\System32\svchost.exe
2800 C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe
1208 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
3064 C:\Windows\System32\SearchIndexer.exe
3428 C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
3540 C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
2724 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
2156 WmiPrvSE.exe
3560 C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
3988 C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
3684 C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
2760 C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
3572 C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
876 C:\Program Files\Lenovo\Lenovo WUSB\WQ_Tray2.exe
1220 C:\Program Files\eFax Messenger 4.4\J2GTray.exe
4128 C:\Program Files\Lenovo\System Update\SUService.exe
4144 WmiPrvSE.exe
4564 C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
4688 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
4792 C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
5664 C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe
5760 C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
5840 C:\Program Files\Registry Mechanic\RegMech.exe
5868 C:\Program Files\Lenovo\ZOOM\TpScrex.exe
1224 C:\Program Files\ThinkPad\Bluetooth Software\BTStackServer.exe
4624 C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
4628 C:\Program Files\iPod\bin\iPodService.exe
5520 C:\Program Files\Mozilla Firefox\firefox.exe
5744 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.EXE
4124 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
7044 C:\Program Files\Java\jre6\bin\jucheck.exe
7864 C:\Windows\System32\notepad.exe
8036 C:\Windows\System32\SearchProtocolHost.exe
176 C:\Windows\System32\SearchFilterHost.exe
2384 C:\Users\Jay Hirschson\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)
\\.\Q: --> \\.\PhysicalDrive0 at offset 0x0000001b`5e700000 (NTFS)
\\.\S: --> \\.\PhysicalDrive0 at offset 0x00000000`00100000 (NTFS)

PhysicalDrive0 Model Number: SAMSUNGMMCQE28G8MUP-0VA, Rev: VAM08L1Q

Size     Device Name          MBR Status
--------------------------------------------
119 GB   \\.\PhysicalDrive0   Unknown MBR code
SHA1: D3F4F8936CA72A7B4C996BD0D5CA8EE45337A8C3


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 13 August 2010 - 01:05 AM

I ran RKUnhooker but had big problems.

Make sure this part is correct:
• Check (Tick) Drivers, Stealth. Uncheck the rest, then click OK.

Make sure all security programs are shut down.

Try to shut down as many other programs as possible

Let me know if you have any luck

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 jhirschson

jhirschson
  • Topic Starter

  • Members
  • 10 posts

Posted 13 August 2010 - 07:38 AM

Launching Windows in "diagnostic Mode" -- i.e., with minimal services -- allowed me to run RkUnhooker successfully.

Please advise as to next steps. Thanks again.

The log file is quoted below:

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows Vista
Version 6.0.6001 (Service Pack 1)
Number of processors #2
==============================================
>Drivers
==============================================
0x9140E000 C:\Windows\system32\DRIVERS\igdkmd32.sys 7225344 bytes (Intel Corporation, Intel Graphics Kernel Mode Driver)
0x81E1E000 C:\Windows\system32\ntkrnlpa.exe 3907584 bytes (Microsoft Corporation, NT Kernel & System)
0x81E1E000 PnpManager 3907584 bytes
0x81E1E000 RAW 3907584 bytes
0x81E1E000 WMIxWDM 3907584 bytes
0x93A08000 C:\Windows\system32\DRIVERS\NETw5v32.sys 3702784 bytes (Intel Corporation, Intel® Wireless WiFi Link Driver)
0x9ECD0000 Win32k 2105344 bytes
0x9ECD0000 C:\Windows\System32\win32k.sys 2105344 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0x9560E000 C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100729.040\NAVEX15.SYS 1359872 bytes (Symantec Corporation, AV Engine)
0x8A408000 C:\Windows\System32\Drivers\Ntfs.sys 1110016 bytes (Microsoft Corporation, NT File System Driver)
0x82A09000 C:\Windows\system32\drivers\ndis.sys 1093632 bytes (Microsoft Corporation, NDIS 6.0 wrapper driver)
0x8A20D000 C:\Windows\System32\drivers\tcpip.sys 954368 bytes (Microsoft Corporation, TCP/IP Driver)
0x804D0000 C:\Windows\system32\CI.dll 917504 bytes (Microsoft Corporation, Code Integrity Module)
0x9F606000 C:\Windows\system32\drivers\peauth.sys 909312 bytes (Microsoft Corporation, Protected Environment Authentication and Authorization Export Driver)
0x9CE65000 C:\Windows\System32\Drivers\dump_iaStor.sys 897024 bytes
0x82806000 C:\Windows\system32\DRIVERS\iaStor.sys 897024 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0x9F6FA000 C:\Windows\system32\drivers\spsys.sys 716800 bytes (Microsoft Corporation, security processor)
0x91AF2000 C:\Windows\System32\drivers\dxgkrnl.sys 651264 bytes (Microsoft Corporation, DirectX Graphics Kernel)
0x9A2EA000 C:\Windows\system32\DRIVERS\rdpdr.sys 561152 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0x9708A000 C:\Windows\System32\Drivers\bthport.sys 524288 bytes (Microsoft Corporation, Bluetooth Bus Driver)
0x9B75D000 C:\Windows\system32\drivers\btwaudio.sys 524288 bytes (Broadcom Corporation., Bluetooth Audio Device)
0x80602000 C:\Windows\system32\drivers\Wdf01000.sys 507904 bytes (Microsoft Corporation, WDF Dynamic)
0x97008000 C:\Windows\System32\Drivers\ATSwpWDF.sys 479232 bytes (AuthenTec, Inc., AuthenTec Swipe Sensor WDF USB Driver)
0x97CC5000 C:\Windows\system32\drivers\CHDRT32.sys 479232 bytes (Conexant Systems Inc., High Definition Audio Function Driver)
0x9B6EC000 C:\Windows\system32\drivers\btwavdt.sys 462848 bytes (Broadcom Corporation., Broadcom Bluetooth AVDT Service)
0x8297B000 C:\Windows\System32\Drivers\ksecdd.sys 462848 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0x9A8B9000 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 434176 bytes (Symantec Corporation, SPBBC Driver)
0x80416000 C:\Windows\system32\mcupdate_GenuineIntel.dll 393216 bytes (Microsoft Corporation, Intel Microcode Update Library)
0x9A96B000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0x9B60A000 C:\Windows\system32\drivers\csc.sys 368640 bytes (Microsoft Corporation, Windows Client Side Caching Driver)
0x9EF20000 C:\Windows\System32\ATMFD.DLL 311296 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x97D8C000 C:\Windows\System32\Drivers\SRTSP.SYS 303104 bytes (Symantec Corporation, Symantec AutoProtect)
0x80766000 C:\Windows\System32\drivers\volmgrx.sys 303104 bytes (Microsoft Corporation, Volume Manager Extension Driver)
0x9A802000 C:\Windows\system32\drivers\afd.sys 294912 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806BD000 C:\Windows\system32\drivers\acpi.sys 286720 bytes (Microsoft Corporation, ACPI Driver for NT)
0x8048F000 C:\Windows\system32\CLFS.SYS 266240 bytes (Microsoft Corporation, Common Log File System Driver)
0x9A205000 C:\Windows\system32\DRIVERS\storport.sys 266240 bytes (Microsoft Corporation, Microsoft Storage Port Driver)
0x82BC2000 C:\Windows\system32\DRIVERS\USBPORT.SYS 253952 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0x9A923000 C:\Windows\system32\DRIVERS\rdbss.sys 245760 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0x97C01000 C:\Windows\system32\DRIVERS\NWADIenum.sys 241664 bytes (Novatel Wireless Inc, NWADI Interface Bus Enumerator)
0x82B88000 C:\Windows\system32\DRIVERS\e1y6032.sys 237568 bytes (Intel Corporation, Intel® Gigabit Network Connection NDIS 6 deserialized driver)
0x82B3F000 C:\Windows\system32\drivers\NETIO.SYS 237568 bytes (Microsoft Corporation, Network I/O Subsystem)
0x82921000 C:\Windows\system32\drivers\PCTCore.sys 233472 bytes (PC Tools, PC Tools KDS Core Driver)
0x8A517000 C:\Windows\system32\drivers\volsnap.sys 233472 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0x9A392000 C:\Windows\system32\DRIVERS\teefer2.sys 221184 bytes (Symantec Corporation, Symantec CMC Firewall Teefer2)
0x97C80000 C:\Windows\system32\DRIVERS\usbhub.sys 212992 bytes (Microsoft Corporation, Default Hub Driver for USB)
0x821D8000 ACPI_HAL 208896 bytes
0x821D8000 C:\Windows\system32\hal.dll 208896 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0x8068B000 C:\Windows\system32\drivers\fltmgr.sys 204800 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0x9A84A000 C:\Windows\System32\DRIVERS\netbt.sys 204800 bytes (Microsoft Corporation, MBT Transport driver)
0x805B0000 C:\Windows\system32\DRIVERS\msiscsi.sys 188416 bytes (Microsoft Corporation, Microsoft iSCSI Initiator Driver)
0x9712B000 C:\Windows\system32\DRIVERS\RCUVCMNP.sys 188416 bytes (Ricoh co.,Ltd., Ricoh UVC miniport driver)
0x957A9000 C:\Windows\System32\Drivers\SYMTDI.SYS 188416 bytes (Symantec Corporation, Network Dispatch Driver)
0x97C53000 C:\Windows\system32\DRIVERS\bpenum.sys 184320 bytes (Intel Corporation, Intel® WiMax Link 5050 Series Enumerator)
0x97D3A000 C:\Windows\system32\drivers\portcls.sys 184320 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0x82B14000 C:\Windows\system32\drivers\msrpc.sys 176128 bytes (Microsoft Corporation, Kernel Remote Procedure Call Provider)
0x9CE0B000 C:\Windows\system32\DRIVERS\WQ_hwa.sys 176128 bytes (WiQuest Communications, Inc., WiQuest Usb Host Wire Adapter Driver)
0x93DAE000 C:\Windows\system32\DRIVERS\Apfiltr.sys 172032 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0x9A3CA000 C:\Windows\system32\DRIVERS\ks.sys 172032 bytes (Microsoft Corporation, Kernel CSA Library)
0x9B664000 C:\Windows\system32\DRIVERS\rfcomm.sys 167936 bytes (Microsoft Corporation, Bluetooth RFCOMM Driver)
0x8A58D000 C:\Windows\System32\drivers\ecache.sys 159744 bytes (Microsoft Corporation, Special Memory Device Cache)
0x80714000 C:\Windows\system32\drivers\pci.sys 159744 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0x97D67000 C:\Windows\system32\drivers\drmk.sys 151552 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0x9575A000 C:\Windows\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0x9A288000 C:\Windows\system32\DRIVERS\ndiswan.sys 143360 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9CE36000 C:\Windows\system32\DRIVERS\bpmp.sys 139264 bytes (Intel Corporation, Intel® WiMax Link 5050 Series Driver)
0x8A5C5000 C:\Windows\system32\drivers\CLASSPNP.SYS 135168 bytes (Microsoft Corporation, SCSI Class System Dll)
0x971A8000 C:\Windows\System32\drivers\VIDEOPRT.SYS 135168 bytes (Microsoft Corporation, Video Port Driver)
0x8A560000 C:\Windows\System32\DRIVERS\Apsx86.sys 122880 bytes (Lenovo., Shockproof Disk Driver)
0x828E9000 C:\Windows\system32\drivers\ataport.SYS 122880 bytes (Microsoft Corporation, ATAPI Driver Extension)
0x9A9C9000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0x8A2F6000 C:\Windows\System32\drivers\fwpkclnt.sys 110592 bytes (Microsoft Corporation, FWP/IPsec Kernel-Mode API)
0x9CF59000 C:\Windows\system32\drivers\luafv.sys 110592 bytes (Microsoft Corporation, LUA File Virtualization Filter Driver)
0x9B6AE000 C:\Windows\system32\DRIVERS\bthpan.sys 106496 bytes (Microsoft Corporation, Bluetooth Personal Area Networking)
0x91BA8000 C:\Windows\system32\DRIVERS\serial.sys 106496 bytes (Microsoft Corporation, Serial Device Driver)
0x807D5000 C:\Windows\system32\DRIVERS\cdrom.sys 98304 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0x9CF89000 C:\Windows\System32\DLA\DLAIFS_M.SYS 98304 bytes (Roxio, Drive Letter Access Component)
0x9B68D000 C:\Windows\System32\Drivers\dfsc.sys 94208 bytes (Microsoft Corporation, DFS Namespace Client Driver)
0x9CFCC000 C:\Windows\System32\DLA\DLAUDF_M.SYS 94208 bytes (Roxio, Drive Letter Access Component)
0x8295A000 C:\Windows\System32\Drivers\DRVMCDB.SYS 94208 bytes (Sonic Solutions, Device Driver)
0x9A266000 C:\Windows\system32\DRIVERS\rasl2tp.sys 94208 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0x9710C000 C:\Windows\system32\DRIVERS\usbccgp.sys 94208 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0x9F7A9000 C:\Windows\system32\DRIVERS\cdfs.sys 90112 bytes (Microsoft Corporation, CD-ROM File System Driver)
0x9CFB6000 C:\Windows\System32\DLA\DLAUDFAM.SYS 90112 bytes (Roxio, Drive Letter Access Component)
0x9A87C000 C:\Windows\system32\DRIVERS\pacer.sys 90112 bytes (Microsoft Corporation, QoS Packet Scheduler)
0x95793000 C:\Windows\system32\DRIVERS\tdx.sys 90112 bytes (Microsoft Corporation, TDI Translation Driver)
0x9A2CE000 C:\Windows\system32\DRIVERS\rassstp.sys 86016 bytes (Microsoft Corporation, RAS SSTP Miniport Call Manager)
0x9577F000 C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20100729.040\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0x9A2BA000 C:\Windows\system32\DRIVERS\raspptp.sys 81920 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0x957D7000 C:\Windows\system32\DRIVERS\smb.sys 81920 bytes (Microsoft Corporation, SMB Transport driver)
0x93D90000 C:\Windows\system32\DRIVERS\i8042prt.sys 77824 bytes (Microsoft Corporation, i8042 Port Driver)
0x9A9E6000 C:\Windows\system32\DRIVERS\rspndr.sys 77824 bytes (Microsoft Corporation, Link-Layer Topology Responder Driver for NDIS 6)
0x9A8A0000 C:\Windows\system32\DRIVERS\wanarp.sys 77824 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0x9B6D9000 C:\Windows\system32\DRIVERS\WQ_rci.sys 77824 bytes (WiQuest Communications, Inc., WiQuest Radio Control Interface Driver)
0x91BE6000 C:\Windows\system32\DRIVERS\HDAudBus.sys 73728 bytes (Microsoft Corporation, High Definition Audio Bus Driver)
0x9B6C8000 C:\Windows\System32\Drivers\bpusb.sys 69632 bytes (Intel Corporation, Intel® WiMax Link 5050 Series Function Driver)
0x8A5B4000 C:\Windows\system32\drivers\disk.sys 69632 bytes (Microsoft Corporation, PnP Disk Driver)
0x97CB4000 C:\Windows\System32\Drivers\NDProxy.SYS 69632 bytes (Microsoft Corporation, NDIS Proxy)
0x80476000 C:\Windows\system32\PSHED.dll 69632 bytes (Microsoft Corporation, Platform Specific Hardware Error Driver)
0x82911000 C:\Windows\system32\drivers\fileinfo.sys 65536 bytes (Microsoft Corporation, FileInfo Filter Driver)
0x9B7EA000 C:\Windows\system32\DRIVERS\HIDCLASS.SYS 65536 bytes (Microsoft Corporation, Hid Class Library)
0x9CFEE000 C:\Windows\system32\DRIVERS\lltdio.sys 65536 bytes (Microsoft Corporation, Link-Layer Topology Mapper I/O Driver)
0x807C5000 C:\Windows\System32\drivers\mountmgr.sys 65536 bytes (Microsoft Corporation, Mount Point Manager)
0x9A373000 C:\Windows\system32\DRIVERS\termdd.sys 65536 bytes (Microsoft Corporation, Terminal Server Driver)
0x82B79000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x9CF4A000 C:\Windows\system32\DRIVERS\monitor.sys 61440 bytes (Microsoft Corporation, Monitor Driver)
0x8A57E000 C:\Windows\System32\Drivers\mup.sys 61440 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0x8073B000 C:\Windows\System32\drivers\partmgr.sys 61440 bytes (Microsoft Corporation, Partition Management Driver)
0x9A2AB000 C:\Windows\system32\DRIVERS\raspppoe.sys 61440 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0x91BD7000 C:\Windows\system32\DRIVERS\usbehci.sys 61440 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0x80757000 C:\Windows\system32\drivers\volmgr.sys 61440 bytes (Microsoft Corporation, Volume Manager Driver)
0x9EF10000 C:\Windows\System32\cdd.dll 57344 bytes (Microsoft Corporation, Canonical Display Driver)
0x9A892000 C:\Windows\system32\DRIVERS\netbios.sys 57344 bytes (Microsoft Corporation, NetBIOS interface driver)
0x971E4000 C:\Windows\System32\Drivers\Npfs.SYS 57344 bytes (Microsoft Corporation, NPFS Driver)
0x807B7000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x93DE3000 C:\Windows\system32\drivers\tpm.sys 57344 bytes (Microsoft Corporation, TPM Device Driver)
0x97170000 C:\Windows\system32\drivers\wpsdrvnt.sys 57344 bytes (Symantec Corporation, Symantec CMC Firewall WPS)
0x9707D000 C:\Windows\System32\Drivers\BTHUSB.sys 53248 bytes (Microsoft Corporation, Bluetooth Miniport Driver)
0x9CE58000 C:\Windows\System32\Drivers\crashdmp.sys 53248 bytes (Microsoft Corporation, Crash Dump Driver)
0x9A259000 C:\Windows\system32\drivers\modem.sys 53248 bytes (Microsoft Corporation, Modem Device Driver)
0x97159000 C:\Windows\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0x97C46000 C:\Windows\system32\DRIVERS\umbus.sys 53248 bytes (Microsoft Corporation, User-Mode Bus Enumerator)
0x91B91000 C:\Windows\System32\drivers\watchdog.sys 53248 bytes (Microsoft Corporation, Watchdog Driver)
0x8067E000 C:\Windows\system32\drivers\WDFLDR.SYS 53248 bytes (Microsoft Corporation, WDFLDR)
0x9F6EE000 C:\Windows\System32\drivers\tcpipreg.sys 49152 bytes (Microsoft Corporation, TCP/IP Registry Compatibility Driver)
0x9719C000 C:\Windows\System32\drivers\vga.sys 49152 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x9CFE3000 C:\Windows\system32\DRIVERS\bpprot.sys 45056 bytes (Intel Corporation, Intel® WiMax Link 5050 Series Protocol driver)
0x9CF7D000 C:\Windows\System32\Drivers\DRVNDDM.SYS 45056 bytes (Roxio, Device Driver Manager)
0x93DA3000 C:\Windows\system32\DRIVERS\kbdclass.sys 45056 bytes (Microsoft Corporation, Keyboard Class Driver)
0x93DD8000 C:\Windows\system32\DRIVERS\mouclass.sys 45056 bytes (Microsoft Corporation, Mouse Class Driver)
0x971D9000 C:\Windows\System32\Drivers\Msfs.SYS 45056 bytes (Microsoft Corporation, Mailslot driver)
0x9A27D000 C:\Windows\system32\DRIVERS\ndistapi.sys 45056 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0x9A246000 C:\Windows\system32\DRIVERS\TDI.SYS 45056 bytes (Microsoft Corporation, TDI Wrapper)
0x8A3EC000 C:\Windows\system32\DRIVERS\tunnel.sys 45056 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x91BCC000 C:\Windows\system32\DRIVERS\usbuhci.sys 45056 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0x8074D000 C:\Windows\system32\DRIVERS\BATTC.SYS 40960 bytes (Microsoft Corporation, Battery Class Driver)
0x9B6A4000 C:\Windows\system32\DRIVERS\BthEnum.sys 40960 bytes (Microsoft Corporation, Bluetooth Bus Extender)
0x9B7DD000 C:\Windows\system32\DRIVERS\btwl2cap.sys 40960 bytes (Broadcom Corporation., Broadcom Bluetooth L2CAP Service)
0x9CF40000 C:\Windows\System32\drivers\Dxapi.sys 40960 bytes (Microsoft Corporation, DirectX API Driver)
0x91B9E000 C:\Windows\system32\DRIVERS\HECI.sys 40960 bytes (Intel Corporation, Intel® Management Engine Interface)
0x82907000 C:\Windows\system32\drivers\msahci.sys 40960 bytes (Microsoft Corporation, MS AHCI 1.0 Standard Driver)
0x97C3C000 C:\Windows\system32\DRIVERS\mssmbios.sys 40960 bytes (Microsoft Corporation, System Management BIOS Driver)
0x9A95F000 C:\Windows\system32\drivers\nsiproxy.sys 40960 bytes (Microsoft Corporation, NSI Proxy)
0x82971000 C:\Windows\System32\Drivers\PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0x9F6E4000 C:\Windows\System32\Drivers\secdrv.SYS 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0x91BC2000 C:\Windows\system32\DRIVERS\serenum.sys 40960 bytes (Microsoft Corporation, Serial Port Enumerator)
0x97166000 C:\Windows\System32\Drivers\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0x8A5E6000 C:\Windows\system32\drivers\crcdisk.sys 36864 bytes (Microsoft Corporation, Disk Block Verification Filter Driver)
0x9717F000 C:\Windows\System32\Drivers\Fs_Rec.SYS 36864 bytes (Microsoft Corporation, File System Recognizer Driver)
0x9F7BF000 C:\Windows\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0x971F2000 C:\Windows\System32\DRIVERS\rasacd.sys 36864 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x9EEF0000 C:\Windows\System32\TSDDD.dll 36864 bytes (Microsoft Corporation, Framebuffer Display Driver)
0x8A3F7000 C:\Windows\system32\DRIVERS\tunmp.sys 36864 bytes (Microsoft Corporation, Microsoft Tunnel Interface Driver)
0x9CF74000 C:\Windows\system32\DRIVERS\tvtfilter.sys 36864 bytes (Lenovo, Rescue and Recovery filter driver)
0x91400000 C:\Windows\system32\DRIVERS\wmiacpi.sys 36864 bytes (Microsoft Corporation, Windows Management Interface for ACPI)
0x80703000 C:\Windows\system32\drivers\WMILIB.SYS 36864 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0x8A550000 C:\Windows\System32\DRIVERS\ApsHM86.sys 32768 bytes (Lenovo., ThinkVantage Active Protection System HID Digitizer Activity Monitor Driver)
0x828E1000 C:\Windows\system32\drivers\atapi.sys 32768 bytes (Microsoft Corporation, ATAPI IDE Miniport Driver)
0x80487000 C:\Windows\system32\BOOTVID.dll 32768 bytes (Microsoft Corporation, VGA Boot Driver)
0x8040E000 C:\Windows\system32\kdcom.dll 32768 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x8070C000 C:\Windows\system32\drivers\msisadrv.sys 32768 bytes (Microsoft Corporation, ISA Driver)
0x971C9000 C:\Windows\System32\DRIVERS\RDPCDD.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x971D1000 C:\Windows\system32\drivers\rdpencdd.sys 32768 bytes (Microsoft Corporation, RDP Miniport)
0x9A251000 C:\Windows\System32\Drivers\RootMdm.sys 32768 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0x8A558000 C:\Windows\System32\Drivers\spldr.sys 32768 bytes (Microsoft Corporation, loader for security processor)
0x9A38A000 C:\Windows\system32\DRIVERS\Tvti2c.sys 32768 bytes (Lenovo (United States) Inc., SMBUS Driver)
0x9718F000 C:\Windows\System32\Drivers\Beep.SYS 28672 bytes (Microsoft Corporation, BEEP Driver)
0x9CFA8000 C:\Windows\System32\DLA\DLABMFSM.SYS 28672 bytes (Roxio, Drive Letter Access Component)
0x9CFAF000 C:\Windows\System32\DLA\DLABOIOM.SYS 28672 bytes (Roxio, Drive Letter Access Component)
0x9B600000 C:\Windows\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0x97188000 C:\Windows\System32\Drivers\Null.SYS 28672 bytes (Microsoft Corporation, NULL Driver)
0x807B0000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x9A383000 C:\Windows\system32\DRIVERS\psadd.sys 28672 bytes (Lenovo (United States) Inc., SMBIOS Driver)
0x9A2E3000 C:\Windows\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)
0x97196000 C:\Windows\System32\Drivers\DLARTL_M.SYS 24576 bytes (Roxio, Shared Driver Component)
0x93A00000 C:\Windows\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0x9A8B3000 C:\Windows\System32\drivers\Tppwr32v.sys 24576 bytes
0x9CFA1000 C:\Windows\System32\DLA\DLAOPIOM.SYS 20480 bytes (Roxio, Drive Letter Access Component)
0x93DF1000 C:\Windows\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x93DF5000 C:\Windows\system32\DRIVERS\ibmpmdrv.sys 16384 bytes (Lenovo., ThinkPad Power Management Driver)
0x9B7E7000 C:\Windows\system32\DRIVERS\btwrchid.sys 12288 bytes (Broadcom Corporation., Bluetooth Remote Control HID Minidriver)
0x8074A000 C:\Windows\system32\DRIVERS\compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x93DF9000 C:\Windows\System32\Drivers\DLACDBHM.SYS 8192 bytes (Roxio, Shared Driver Component)
0x9CFA6000 C:\Windows\System32\DLA\DLAPoolM.SYS 8192 bytes (Roxio, Drive Letter Access Component)
0x9A969000 C:\Windows\system32\DRIVERS\smiif32.sys 8192 bytes (Lenovo Group Limited, SMI Driver for Lenovo system)
0x9A3C8000 C:\Windows\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0x9710A000 C:\Windows\System32\Drivers\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0x9CF88000 C:\Windows\System32\DLA\DLADResM.SYS 4096 bytes (Roxio, Drive Letter Access Component)
!!!!!!!!!!!Hidden driver: 0x8552AAEA ?_empty_? 1302 bytes
0x8552AEC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x86162D00 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0x82806000 WARNING: suspicious driver modification [iaStor.sys::0x8552AAEA]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
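The RKU output above ends with a hidden driver at 0x8552AAEA, an IRP handler at 0x8552AEC5 and a "suspicious driver modification" pointing iaStor.sys at that hidden code. The heuristic behind that warning is simple: a dispatch routine belonging to a loaded driver should point into that driver's own image, so a handler address that lands outside every listed module's [base, base+size) range is executing from somewhere a scanner cannot account for (typically pool memory), which is how TDSS-family rootkits hook storage miniport drivers. The following is an added example (not from the thread, not the RKU tool's logic) that re-derives this from the log text: it parses the base/size lines, then checks each flagged address against the module ranges. The sample input is a constructed subset of the lines in the post above; on a real log you would feed the whole module list, since any image missing from the list (ntoskrnl, hal and so on) would otherwise show up as a false positive.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Module(NamedTuple):
    base: int
    size: int
    path: str

    @property
    def end(self) -> int:
        # exclusive end of the image range
        return self.base + self.size


# Constructed sample input: a handful of driver-list lines copied from the RKU
# output in the post above, plus its "hidden driver" and IRP-handler lines.
# A real run would feed the complete module list from the log.
RKU_LOG = r"""
0x82B79000 C:\Windows\system32\DRIVERS\intelppm.sys 61440 bytes (Microsoft Corporation, Processor Device Driver)
0x807B7000 C:\Windows\system32\drivers\PCIIDEX.SYS 57344 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0x807B0000 C:\Windows\system32\drivers\pciide.sys 28672 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0x9A9C9000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0x9A8B3000 C:\Windows\System32\drivers\Tppwr32v.sys 24576 bytes
!!!!!!!!!!!Hidden driver: 0x8552AAEA ?_empty_? 1302 bytes
0x8552AEC5 unknown_irp_handler 315 bytes
!!!!!!!!!!!Hidden driver: 0x86162D00 ?_empty_? 0 bytes
"""

# "<base> <path ending in .sys/.dll> <size> bytes ..." (path may contain spaces)
MODULE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(.+?\.(?:sys|dll))\s+(\d+) bytes", re.IGNORECASE)
HIDDEN_RE = re.compile(r"Hidden driver:\s+(0x[0-9A-Fa-f]+)")
IRP_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+unknown_irp_handler")


def parse_modules(text: str) -> List[Module]:
    """Collect every loaded-image line as (base, size, path)."""
    mods: List[Module] = []
    for line in text.splitlines():
        m = MODULE_RE.match(line.strip())
        if m:
            mods.append(Module(int(m.group(1), 16), int(m.group(3)), m.group(2)))
    return mods


def parse_suspect_addresses(text: str) -> List[int]:
    """Addresses the scanner itself flagged: hidden drivers and unknown IRP handlers."""
    addrs: List[int] = []
    for line in text.splitlines():
        m = HIDDEN_RE.search(line) or IRP_RE.match(line.strip())
        if m:
            addrs.append(int(m.group(1), 16))
    return addrs


def find_owner(addr: int, modules: List[Module]) -> Optional[Module]:
    """Return the module whose image range contains addr, or None if no image owns it."""
    for mod in modules:
        if mod.base <= addr < mod.end:
            return mod
    return None


def classify(text: str) -> Dict[int, Optional[str]]:
    """Map each flagged address to the owning image path, or None when it is out-of-image code."""
    modules = parse_modules(text)
    result: Dict[int, Optional[str]] = {}
    for addr in parse_suspect_addresses(text):
        owner = find_owner(addr, modules)
        result[addr] = owner.path if owner else None
    return result


if __name__ == "__main__":
    for addr, owner in classify(RKU_LOG).items():
        print(f"0x{addr:08X}: {owner or 'NOT inside any listed image (out-of-image code)'}")
```

`find_owner` uses a half-open range, so an address equal to the next module's base is attributed to that module, not to its predecessor. The check only tells you that code runs outside every image you know about; it says nothing about what that code does, which is why the scanner prints a warning rather than a verdict.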




#6 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 13 August 2010 - 08:22 AM

Hello

Very good, and I've seen what I need to see.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



Gringo
I close my topics if you have not replied in 5 days. If you will be longer, please let me know.

If I have not replied to one of my topics in 48 hrs, please bump the topic.



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
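The steps above end with pasting the TDSSKiller report. One check worth doing once the cure has rebooted is to run TDSSKiller again and diff the two reports: it prints an MD5 per driver file, so a changed hash on the driver it cured confirms the file on disk was actually rewritten, while a hash that appears or disappears points at a driver entry that was added or removed. The following is an added example, not from the thread and not Kaspersky's code, that parses the report lines and diffs two runs. BEFORE is a few lines copied verbatim from Jay's log later in this thread; AFTER is constructed for the example, with iaStor's hash replaced by a placeholder and a hypothetical service (HypotheticalSvc, not a real driver) dropped, purely to exercise the diff.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class Entry(NamedTuple):
    name: str   # service/driver name as TDSSKiller prints it
    md5: str
    path: str


# TDSSKiller driver lines look like "<date> <time> <name> (<md5>) <path>";
# header and separator lines have no 32-hex-digit group in parentheses.
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+\(([0-9a-fA-F]{32})\)\s+(.+?)\s*$")

# Lines copied from the TDSSKiller report in this thread.
BEFORE = r"""
2010/08/16 09:50:35.0195 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/16 09:50:35.0195 ================================================================================
2010/08/16 09:50:43.0182 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2010/08/16 09:50:44.0493 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2010/08/16 09:50:49.0844 iaStor (71ecc07bc7c5e24c3dd01d8a29a24054) C:\Windows\system32\DRIVERS\iaStor.sys
2010/08/16 09:50:50.0390 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2010/08/16 09:50:51.0000 HypotheticalSvc (ffffffffffffffffffffffffffffffff) C:\Windows\system32\drivers\hypothetical.sys
"""

# Constructed "second run": iaStor's hash differs (placeholder value) and the
# hypothetical entry is gone. Not real scanner output.
AFTER = r"""
2010/08/17 10:00:00.0000 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2010/08/17 10:00:00.0000 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2010/08/17 10:00:00.0000 iaStor (deadbeefdeadbeefdeadbeefdeadbeef) C:\Windows\system32\DRIVERS\iaStor.sys
2010/08/17 10:00:00.0000 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
"""


def parse_report(text: str) -> Dict[str, Entry]:
    """Index a TDSSKiller report by service name; non-driver lines are ignored."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, md5, path = m.group(3), m.group(4).lower(), m.group(5)
            entries[name] = Entry(name, md5, path)
    return entries


def diff_reports(before: Dict[str, Entry], after: Dict[str, Entry]) -> Dict[str, list]:
    """Report hash changes, new entries and vanished entries between two runs."""
    common = before.keys() & after.keys()
    changed: List[Tuple[str, str, str]] = [
        (n, before[n].md5, after[n].md5) for n in sorted(common) if before[n].md5 != after[n].md5
    ]
    return {
        "changed": changed,
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
    }


if __name__ == "__main__":
    diff = diff_reports(parse_report(BEFORE), parse_report(AFTER))
    for name, old, new in diff["changed"]:
        print(f"CHANGED {name}: {old} -> {new}")
    for name in diff["added"]:
        print(f"ADDED   {name}")
    for name in diff["removed"]:
        print(f"REMOVED {name}")
```

The MD5 here is only a change-detection fingerprint, not an integrity proof. Rootkits of this family have been documented intercepting reads of the driver file they infected and returning the original bytes, so an unchanged hash taken from inside a still-infected system is not evidence that the file is clean; a hash that changes after the cure is the useful signal.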

#7 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 16 August 2010 - 12:37 AM

Hello

Three-day bump

It has been Three days since my last post.
  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread then it will have to be closed!

Gringo


#8 jhirschson (Topic Starter, Members, 10 posts)

Posted 16 August 2010 - 08:57 AM

Ack! Can't believe I missed your earlier reply. Sorry to leave you hanging.

Here is the log from tdsskiller. (I like the name of that program.)

2010/08/16 09:50:35.0195 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/16 09:50:35.0195 ================================================================================
2010/08/16 09:50:35.0195 SystemInfo:
2010/08/16 09:50:35.0195
2010/08/16 09:50:35.0195 OS Version: 6.0.6001 ServicePack: 1.0
2010/08/16 09:50:35.0195 Product type: Workstation
2010/08/16 09:50:35.0195 ComputerName: NYC-JHIRSCHSON2
2010/08/16 09:50:35.0211 UserName: Jay Hirschson
2010/08/16 09:50:35.0211 Windows directory: C:\Windows
2010/08/16 09:50:35.0211 System windows directory: C:\Windows
2010/08/16 09:50:35.0211 Processor architecture: Intel x86
2010/08/16 09:50:35.0211 Number of processors: 2
2010/08/16 09:50:35.0211 Page size: 0x1000
2010/08/16 09:50:35.0211 Boot type: Normal boot
2010/08/16 09:50:35.0211 ================================================================================
2010/08/16 09:50:36.0116 Initialize success
2010/08/16 09:50:42.0746 ================================================================================
2010/08/16 09:50:42.0746 Scan started
2010/08/16 09:50:42.0746 Mode: Manual;
2010/08/16 09:50:42.0746 ================================================================================
2010/08/16 09:50:43.0120 5U875UVC (63284b5c1bfd106d3db685bd22820960) C:\Windows\system32\DRIVERS\RCUVCMNP.sys
2010/08/16 09:50:43.0182 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
2010/08/16 09:50:43.0292 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
2010/08/16 09:50:43.0370 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
2010/08/16 09:50:43.0432 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
2010/08/16 09:50:43.0526 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
2010/08/16 09:50:43.0650 AFD (763e172a55177e478cb419f88fd0ba03) C:\Windows\system32\drivers\afd.sys
2010/08/16 09:50:43.0697 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
2010/08/16 09:50:43.0760 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2010/08/16 09:50:43.0838 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
2010/08/16 09:50:43.0900 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
2010/08/16 09:50:43.0962 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
2010/08/16 09:50:44.0025 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
2010/08/16 09:50:44.0087 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
2010/08/16 09:50:44.0150 ApfiltrService (14660206dc539db62f37b4a75a984578) C:\Windows\system32\DRIVERS\Apfiltr.sys
2010/08/16 09:50:44.0274 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
2010/08/16 09:50:44.0384 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
2010/08/16 09:50:44.0446 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2010/08/16 09:50:44.0493 atapi (2d9c903dc76a66813d350a562de40ed9) C:\Windows\system32\drivers\atapi.sys
2010/08/16 09:50:44.0571 ATSwpWDF (40e3212da94acf9e120c30acebc6ea80) C:\Windows\system32\Drivers\ATSwpWDF.sys
2010/08/16 09:50:44.0727 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2010/08/16 09:50:44.0805 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
2010/08/16 09:50:44.0898 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2010/08/16 09:50:44.0930 bpenum (a3f0b475e5bef7e4c85a59216fdd4a80) C:\Windows\system32\DRIVERS\bpenum.sys
2010/08/16 09:50:45.0008 bpmp (50b243359512a40b504e3bd2efeeba92) C:\Windows\system32\DRIVERS\bpmp.sys
2010/08/16 09:50:45.0070 BPPROT (dac8d9625cd8500bd56f095dee5b54d3) C:\Windows\system32\DRIVERS\bpprot.sys
2010/08/16 09:50:45.0101 bpusb (568d5222b88e093c31a9d998f1c73144) C:\Windows\system32\Drivers\bpusb.sys
2010/08/16 09:50:45.0164 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2010/08/16 09:50:45.0242 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2010/08/16 09:50:45.0304 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2010/08/16 09:50:45.0366 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2010/08/16 09:50:45.0413 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2010/08/16 09:50:45.0476 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2010/08/16 09:50:45.0554 BthEnum (cce53afc28347cc18ea139972e5b5e5a) C:\Windows\system32\DRIVERS\BthEnum.sys
2010/08/16 09:50:45.0585 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2010/08/16 09:50:45.0647 BthPan (5904efa25f829bf84ea6fb045134a1d8) C:\Windows\system32\DRIVERS\bthpan.sys
2010/08/16 09:50:45.0694 BTHPORT (ac8a1689d5efc4d214201155a78d8f4b) C:\Windows\system32\Drivers\BTHport.sys
2010/08/16 09:50:45.0788 BTHUSB (288c1f74e3e2eed6c7b54eb3aac70856) C:\Windows\system32\Drivers\BTHUSB.sys
2010/08/16 09:50:45.0850 btwaudio (f2f7342742180d5060285499dee50f99) C:\Windows\system32\drivers\btwaudio.sys
2010/08/16 09:50:45.0897 btwavdt (32f59f26a30cfc508da11db3ea0f8b77) C:\Windows\system32\drivers\btwavdt.sys
2010/08/16 09:50:45.0990 btwl2cap (ecb98391c756a7b9cfbae89d9d1235e1) C:\Windows\system32\DRIVERS\btwl2cap.sys
2010/08/16 09:50:46.0053 btwrchid (03658734ef7d0f3b3f4636d3e8a38964) C:\Windows\system32\DRIVERS\btwrchid.sys
2010/08/16 09:50:46.0115 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2010/08/16 09:50:46.0162 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
2010/08/16 09:50:46.0240 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
2010/08/16 09:50:46.0287 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
2010/08/16 09:50:46.0349 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2010/08/16 09:50:46.0396 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
2010/08/16 09:50:46.0490 CnxtHdAudService (12299b25263c5d5ed3cf5b9a97a71401) C:\Windows\system32\drivers\CHDRT32.sys
2010/08/16 09:50:46.0568 COH_Mon (86a22dff16e8ca67601044efe6825537) C:\Windows\system32\Drivers\COH_Mon.sys
2010/08/16 09:50:46.0630 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2010/08/16 09:50:46.0692 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
2010/08/16 09:50:46.0739 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
2010/08/16 09:50:46.0817 CSC (9a5434125c3dfe42393de4bbb791bd19) C:\Windows\system32\drivers\csc.sys
2010/08/16 09:50:46.0895 DfsC (9e635ae5e8ad93e2b5989e2e23679f97) C:\Windows\system32\Drivers\dfsc.sys
2010/08/16 09:50:46.0973 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
2010/08/16 09:50:47.0020 DLABMFSM (5b149ccfe275f4de0b4b8ec6b9f6821e) C:\Windows\system32\DLA\DLABMFSM.SYS
2010/08/16 09:50:47.0051 DLABOIOM (ad4cb3d783634c90a9d0ce360933a63c) C:\Windows\system32\DLA\DLABOIOM.SYS
2010/08/16 09:50:47.0098 DLACDBHM (5230cdb7e715f3a3b4a882e254cdd35d) C:\Windows\system32\Drivers\DLACDBHM.SYS
2010/08/16 09:50:47.0145 DLADResM (93d03238cc3f0ee3c0b3985d110ec575) C:\Windows\system32\DLA\DLADResM.SYS
2010/08/16 09:50:47.0192 DLAIFS_M (6a82f77c4a6f5235bf352f0028e2ef52) C:\Windows\system32\DLA\DLAIFS_M.SYS
2010/08/16 09:50:47.0238 DLAOPIOM (0e6052c0ada37504896a847231a3907d) C:\Windows\system32\DLA\DLAOPIOM.SYS
2010/08/16 09:50:47.0270 DLAPoolM (29670bb4e2b973c5b55a76107d4910b2) C:\Windows\system32\DLA\DLAPoolM.SYS
2010/08/16 09:50:47.0316 DLARTL_M (77fe51f0f8d86804cb81f6ef6bfb86dd) C:\Windows\system32\Drivers\DLARTL_M.SYS
2010/08/16 09:50:47.0363 DLAUDFAM (6b087732b86c1d866d69dbbe463ea90a) C:\Windows\system32\DLA\DLAUDFAM.SYS
2010/08/16 09:50:47.0394 DLAUDF_M (bbeecb95f2841ae4a3e3690d46d7153d) C:\Windows\system32\DLA\DLAUDF_M.SYS
2010/08/16 09:50:47.0488 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2010/08/16 09:50:47.0535 DRVMCDB (83106585494d5eb96f59187200c144bd) C:\Windows\system32\Drivers\DRVMCDB.SYS
2010/08/16 09:50:47.0597 DRVNDDM (ffc371525aa55d1bae18715ebcb8797c) C:\Windows\system32\Drivers\DRVNDDM.SYS
2010/08/16 09:50:47.0660 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
2010/08/16 09:50:47.0722 e1express (908ed85b7806e8af3af5e9b74f7809d4) C:\Windows\system32\DRIVERS\e1e6032.sys
2010/08/16 09:50:47.0784 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
2010/08/16 09:50:47.0847 e1yexpress (a6aa4882616e7da283c12b30f577ac0c) C:\Windows\system32\DRIVERS\e1y6032.sys
2010/08/16 09:50:47.0956 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
2010/08/16 09:50:48.0003 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/08/16 09:50:48.0065 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
2010/08/16 09:50:48.0143 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/08/16 09:50:48.0190 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
2010/08/16 09:50:48.0315 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
2010/08/16 09:50:48.0377 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
2010/08/16 09:50:48.0440 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
2010/08/16 09:50:48.0518 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2010/08/16 09:50:48.0564 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2010/08/16 09:50:48.0689 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
2010/08/16 09:50:48.0783 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
2010/08/16 09:50:48.0845 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2010/08/16 09:50:48.0892 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
2010/08/16 09:50:48.0970 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2010/08/16 09:50:49.0064 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2010/08/16 09:50:49.0126 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
2010/08/16 09:50:49.0157 HECI (2df64415a28ce036ac6acec7645a996f) C:\Windows\system32\DRIVERS\HECI.sys
2010/08/16 09:50:49.0220 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2010/08/16 09:50:49.0266 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2010/08/16 09:50:49.0344 HidUsb (3c64042b95e583b366ba4e5d2450235e) C:\Windows\system32\drivers\hidusb.sys
2010/08/16 09:50:49.0407 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
2010/08/16 09:50:49.0469 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2010/08/16 09:50:49.0563 HSF_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
2010/08/16 09:50:49.0672 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
2010/08/16 09:50:49.0719 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
2010/08/16 09:50:49.0781 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2010/08/16 09:50:49.0844 iaStor (71ecc07bc7c5e24c3dd01d8a29a24054) C:\Windows\system32\DRIVERS\iaStor.sys
2010/08/16 09:50:49.0890 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
2010/08/16 09:50:49.0953 IBMPMDRV (699052e165698013020d2ac693cd80c7) C:\Windows\system32\DRIVERS\ibmpmdrv.sys
2010/08/16 09:50:50.0140 igfx (e26105b5853cad0dd2258943f3abf5c1) C:\Windows\system32\DRIVERS\igdkmd32.sys
2010/08/16 09:50:50.0280 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2010/08/16 09:50:50.0390 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2010/08/16 09:50:50.0436 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2010/08/16 09:50:50.0514 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2010/08/16 09:50:50.0670 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
2010/08/16 09:50:50.0733 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2010/08/16 09:50:50.0811 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2010/08/16 09:50:50.0858 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
2010/08/16 09:50:50.0920 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
2010/08/16 09:50:50.0967 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2010/08/16 09:50:51.0029 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2010/08/16 09:50:51.0107 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2010/08/16 09:50:51.0185 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\drivers\kbdhid.sys
2010/08/16 09:50:51.0263 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
2010/08/16 09:50:51.0357 lenovo.smi (3c3f7f424e324c6971632c5de5ff458f) C:\Windows\system32\DRIVERS\smiif32.sys
2010/08/16 09:50:51.0419 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2010/08/16 09:50:51.0497 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
2010/08/16 09:50:55.0553 Suspicious file (Forged): C:\Windows\system32\drivers\pciide.sys. Real md5: 516a0702601331149532339fb576d8ab, Fake md5: fc175f5ddab666d7f4d17449a547626f
2010/08/16 09:50:55.0569 pciide - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/16 09:51:05.0116 ================================================================================
2010/08/16 09:51:05.0116 Scan finished
2010/08/16 09:51:05.0116 ================================================================================
2010/08/16 09:51:05.0194 Detected object count: 1
2010/08/16 09:51:13.0212 pciide (516a0702601331149532339fb576d8ab) C:\Windows\system32\drivers\pciide.sys
2010/08/16 09:51:13.0212 Suspicious file (Forged): C:\Windows\system32\drivers\pciide.sys. Real md5: 516a0702601331149532339fb576d8ab, Fake md5: fc175f5ddab666d7f4d17449a547626f
2010/08/16 09:51:13.0571 Backup copy found, using it..
2010/08/16 09:51:13.0634 C:\Windows\system32\drivers\pciide.sys - will be cured after reboot
2010/08/16 09:51:13.0634 Rootkit.Win32.TDSS.tdl3(pciide) - User select action: Cure
2010/08/16 09:51:30.0903 Deinitialize success


Seems promising. Can't wait to hear what's next.

Thanks again!
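The TDSSKiller output above is what a helper actually reads: the same driver path hashing to two different digests depending on how it is read, followed by a verdict line and a summary count. The triage script below, added here as an example and not part of the thread or of TDSSKiller itself, parses those line shapes, reports every forged driver, and checks that the summary count agrees with the verdict lines; the sample log is constructed from a few of the posted lines.

```python
"""Triage helper for TDSSKiller-style scan logs.

Added example for this thread, not part of the original post and not
TDSSKiller's own code. It parses the line shapes visible in the posted log
and reports every driver whose two digests disagree, i.e. a file whose
content depends on how it is read, which is what the Forged line records.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same format as the posted log; the pciide.sys
# hashes are the ones that appear in the post.
SAMPLE_LOG = """\
2010/08/16 09:50:55.0506 pci (01b94418deb235dff777cc80076354b4) C:\\Windows\\system32\\drivers\\pci.sys
2010/08/16 09:50:55.0553 pciide (516a0702601331149532339fb576d8ab) C:\\Windows\\system32\\drivers\\pciide.sys
2010/08/16 09:50:55.0553 Suspicious file (Forged): C:\\Windows\\system32\\drivers\\pciide.sys. Real md5: 516a0702601331149532339fb576d8ab, Fake md5: fc175f5ddab666d7f4d17449a547626f
2010/08/16 09:50:55.0569 pciide - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/16 09:50:55.0616 pcmcia (b7c5a8769541900f6dfa6fe0c5e4d513) C:\\Windows\\system32\\DRIVERS\\pcmcia.sys
2010/08/16 09:51:05.0116 Scan finished
2010/08/16 09:51:05.0194 Detected object count: 1
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"  # 2010/08/16 09:50:55.0553
MD5 = r"[0-9a-f]{32}"
DRIVER_RE = re.compile(rf"^{TS} (?P<name>\S+) \((?P<md5>{MD5})\) (?P<path>.+)$")
FORGED_RE = re.compile(
    rf"^{TS} Suspicious file \(Forged\): (?P<path>.+?)\. "
    rf"Real md5: (?P<real>{MD5}), Fake md5: (?P<fake>{MD5})$"
)
VERDICT_RE = re.compile(rf"^{TS} (?P<name>\S+) - detected (?P<verdict>\S+)")
COUNT_RE = re.compile(rf"^{TS} Detected object count: (?P<n>\d+)$")


@dataclass
class DriverEntry:
    name: str
    md5: str                          # digest from the enumeration line
    path: str
    other_md5: Optional[str] = None   # second digest from a Forged line
    verdict: Optional[str] = None     # e.g. Rootkit.Win32.TDSS.tdl3

    @property
    def forged(self) -> bool:
        # Two reads of one path giving different bytes is the indicator; the
        # log alone does not say which of the two digests is the clean file.
        return self.other_md5 is not None and self.other_md5 != self.md5


@dataclass
class ScanReport:
    drivers: Dict[str, DriverEntry]
    detected_count: Optional[int]

    def forged_drivers(self) -> List[DriverEntry]:
        return [d for d in self.drivers.values() if d.forged]

    def count_matches(self) -> bool:
        # Sanity check: the summary count should equal the verdict lines seen.
        return self.detected_count == sum(1 for d in self.drivers.values() if d.verdict)


def parse_log(text: str) -> ScanReport:
    drivers: Dict[str, DriverEntry] = {}
    count: Optional[int] = None
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            # Detected drivers are listed again after "Scan finished"; reuse the entry.
            entry = drivers.get(m["name"])
            if entry is None or entry.path.lower() != m["path"].lower():
                drivers[m["name"]] = DriverEntry(m["name"], m["md5"], m["path"])
            continue
        m = FORGED_RE.match(line)
        if m:
            wanted = m["path"].lower()
            entry = next((d for d in drivers.values() if d.path.lower() == wanted), None)
            if entry is not None:  # ignore Forged lines with no enumeration line
                # Keep whichever digest differs from the one already recorded.
                entry.other_md5 = m["fake"] if m["real"] == entry.md5 else m["real"]
            continue
        m = VERDICT_RE.match(line)
        if m and m["name"] in drivers:
            drivers[m["name"]].verdict = m["verdict"]
            continue
        m = COUNT_RE.match(line)
        if m:
            count = int(m["n"])
    return ScanReport(drivers, count)


def summarize(report: ScanReport) -> List[str]:
    out = [
        f"{d.name}: {d.path} hashes {d.md5} one way and {d.other_md5} the other"
        f" -> {d.verdict or 'no verdict line'}"
        for d in report.forged_drivers()
    ]
    if not report.count_matches():
        out.append(f"warning: summary count {report.detected_count} does not match"
                   " the verdict lines seen")
    return out
```

Feed it the full pasted log via `parse_log(open(path).read())`; a mismatch between the summary count and the verdict lines is worth a second look before trusting the "cured" status.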

#9 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:49 AM

Posted 16 August 2010 - 12:46 PM

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 jhirschson

  • Topic Starter
  • Members
  • 10 posts
  • Local time:07:49 AM

Posted 16 August 2010 - 10:37 PM

In order to disable my Symantec Endpoint Protection, I had to again reboot in Windows' "diagnostic mode" -- i.e., minimal services. I hope that was OK for ComboFix.

In any case, the ComboFix.txt log file is below:

ComboFix 10-08-16.01 - Jay Hirschson 08/16/2010 19:12:14.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3015.2219 [GMT -4:00]
Running from: c:\users\Jay Hirschson\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\%appdata%
c:\windows\system32\file.exe
c:\windows\system32\Thumbs.db
Q:\AUTORUN.INF
S:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-16 23:21 . 2010-08-17 03:02 -------- d-----w- c:\users\JAYHIR~1\AppData\Local\temp
2010-08-16 23:21 . 2010-08-17 03:02 -------- d-----w- c:\users\Jay Hirschson\AppData\Local\temp
2010-08-16 23:21 . 2010-08-16 23:21 -------- d-----w- c:\users\jhirschson\AppData\Local\temp
2010-08-16 23:21 . 2010-08-16 23:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-16 23:21 . 2010-08-16 23:21 -------- d-----w- c:\users\Admin\AppData\Local\temp
2010-08-16 23:21 . 2010-08-16 23:21 -------- d-----w- c:\users\achalemian\AppData\Local\temp
2010-08-13 12:48 . 2010-08-13 12:48 -------- d-----w- c:\program files\iPod
2010-08-13 12:48 . 2010-08-13 12:49 -------- d-----w- c:\program files\iTunes
2010-08-13 12:43 . 2010-08-13 12:43 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-07 15:34 . 2010-08-07 15:34 -------- d-----w- c:\users\Admin\Bluetooth Software
2010-08-07 15:34 . 2010-08-07 15:34 -------- d-----w- c:\users\Admin\AppData\Roaming\Apple Computer
2010-08-05 17:08 . 2010-08-05 17:08 -------- d-----w- c:\programdata\IsolatedStorage
2010-08-05 17:08 . 2010-08-05 18:44 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\bppenu11
2010-08-05 17:08 . 2010-08-05 18:44 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\bppenu11
2010-08-05 17:08 . 2010-08-05 17:08 -------- d-----w- c:\users\JAYHIR~1\AppData\Local\Palo_Alto_Software
2010-08-05 17:08 . 2010-08-05 17:08 -------- d-----w- c:\users\Jay Hirschson\AppData\Local\Palo_Alto_Software
2010-08-05 17:06 . 2010-08-05 17:06 -------- d-----w- c:\program files\Business Plan Pro
2010-08-05 17:03 . 2010-08-05 17:03 -------- d-----w- c:\users\JAYHIR~1\AppData\Local\Downloaded Installations
2010-08-05 17:03 . 2010-08-05 17:03 -------- d-----w- c:\users\Jay Hirschson\AppData\Local\Downloaded Installations
2010-08-04 12:40 . 2010-08-04 12:40 -------- d-----w- c:\programdata\PC-Doctor for Windows
2010-08-04 12:40 . 2010-08-04 12:42 -------- d-----w- c:\programdata\PCDr
2010-08-04 12:40 . 2010-08-04 12:41 -------- d-----w- c:\program files\PC-Doctor
2010-07-31 01:36 . 2010-07-31 12:36 -------- d-----w- c:\users\Jay Hirschson\DoctorWeb
2010-07-30 20:17 . 2010-07-30 20:17 -------- d-----w- c:\program files\Common Files\Skype
2010-07-30 15:52 . 2010-07-30 15:52 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\Malwarebytes
2010-07-30 15:52 . 2010-07-30 15:52 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\Malwarebytes
2010-07-30 15:52 . 2010-07-30 15:52 -------- d-----w- c:\programdata\Malwarebytes
2010-07-30 15:52 . 2010-07-31 01:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 15:38 . 2010-02-05 13:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-07-30 15:38 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-07-30 15:37 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-30 15:37 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-30 15:37 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-30 15:36 . 2010-07-30 15:52 -------- d-----w- c:\program files\Spyware Doctor
2010-07-30 15:36 . 2010-07-30 15:36 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\PC Tools
2010-07-30 15:36 . 2010-07-30 15:36 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\PC Tools
2010-07-30 15:36 . 2010-07-30 15:36 -------- d-----w- c:\programdata\PC Tools
2010-07-30 15:35 . 2010-07-30 15:39 -------- d-----w- c:\programdata\Google Updater
2010-07-30 15:35 . 2010-07-30 15:35 -------- d-----w- c:\program files\Google
2010-07-30 15:27 . 2010-07-30 15:27 161296 ------w- c:\windows\system32\drivers\tmcomm.sys
2010-07-30 15:15 . 2010-08-03 02:12 -------- d-----w- c:\program files\Trend Micro
2010-07-29 00:58 . 2010-07-29 00:58 -------- d-----w- c:\users\JAYHIR~1\AppData\Local\ywljryxqc
2010-07-29 00:58 . 2010-07-29 00:58 -------- d-----w- c:\users\Jay Hirschson\AppData\Local\ywljryxqc
2010-07-25 01:19 . 2010-07-25 01:20 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\avidemux
2010-07-25 01:19 . 2010-07-25 01:20 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\avidemux
2010-07-25 01:19 . 2010-07-25 01:47 -------- d-----w- c:\program files\Avidemux 2.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 23:03 . 2009-02-19 21:29 12 ----a-w- c:\windows\bthservsdp.dat
2010-08-16 13:53 . 2009-10-04 22:29 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-08-16 13:52 . 2006-11-02 08:51 16440 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-08-16 13:37 . 2009-11-21 23:59 680 ----a-w- c:\users\JAYHIR~1\AppData\Local\d3d9caps.dat
2010-08-16 13:37 . 2009-11-21 23:59 680 ----a-w- c:\users\Jay Hirschson\AppData\Local\d3d9caps.dat
2010-08-13 12:48 . 2009-10-03 10:12 -------- d-----w- c:\program files\Common Files\Apple
2010-08-07 15:34 . 2009-10-03 10:06 120640 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-08-05 23:03 . 2009-10-03 11:34 5242 ----a-w- c:\programdata\Intuit\QuickBooks 2009\qbbackup.sys
2010-08-04 12:53 . 2009-02-19 21:55 -------- d-----w- c:\programdata\PC-Doctor
2010-08-03 02:12 . 2009-02-19 21:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-30 20:22 . 2009-10-10 12:27 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\Skype
2010-07-30 20:22 . 2009-10-10 12:27 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\Skype
2010-07-30 15:38 . 2009-12-26 23:32 -------- d-----w- c:\program files\Common Files\PC Tools
2010-07-30 13:37 . 2010-02-08 09:46 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\Raewh
2010-07-30 13:37 . 2010-02-08 09:46 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\Raewh
2010-07-25 01:48 . 2010-02-16 20:55 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\Ohorgo
2010-07-25 01:48 . 2010-02-16 20:55 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\Ohorgo
2010-07-22 23:46 . 2009-02-19 22:20 -------- d-----w- c:\programdata\Microsoft Help
2010-07-02 15:34 . 2009-10-03 16:53 856880 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll
2010-07-02 15:34 . 2009-10-03 16:53 791856 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2010-07-02 15:34 . 2009-10-03 16:53 763184 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2010-07-02 15:34 . 2009-10-03 16:53 570672 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2010-07-02 15:34 . 2009-10-03 16:53 496944 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2010-07-02 15:34 . 2009-10-03 16:53 423216 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2010-07-02 15:34 . 2009-10-03 16:53 398640 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2010-07-02 15:34 . 2009-10-03 16:53 296240 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2010-07-02 15:34 . 2009-10-03 16:53 267568 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2010-07-02 15:34 . 2009-10-03 16:53 2184496 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2010-07-02 15:34 . 2009-10-03 16:53 1372424 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-07-02 15:34 . 2009-10-03 16:53 1152304 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2010-06-22 23:42 . 2010-06-22 23:42 -------- d-----w- c:\program files\Bonjour
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\users\Jay Hirschson\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\users\Jay Hirschson\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-02-19 21:15 . 2009-02-19 21:14 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Wireless USB Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Wireless USB Manager.lnk
backup=c:\windows\pss\Wireless USB Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jay Hirschson^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^StartUp^eFax 4.4.lnk]
path=c:\users\Jay Hirschson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-19 16:36 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
2008-10-27 19:01 431392 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-06-19 23:04 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 06:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2008-09-18 17:35 214576 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraApplicationLauncher]
2008-08-12 22:47 16384 ----a-w- c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchPadLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-07-21 06:10 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2009-04-06 18:12 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2008-06-25 10:14 3077432 ----a-w- c:\program files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2008-10-07 20:25 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-06-04 17:36 242976 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-15 20:36 135664 ----atw- c:\users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-09-17 04:23 170520 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-09-17 04:23 150040 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2009-12-22 13:47 1092872 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-08-31 18:02 124248 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-08-31 18:02 165208 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-09-17 04:23 145944 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picon]
2008-05-29 08:12 367128 ----a-w- c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintServer Diagnostic]
2005-06-03 14:15 266240 ----a-w- c:\program files\Print Server\PTP\PSDiagnostic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
2008-09-18 17:35 632096 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-11-25 20:42 292824 ----a-w- c:\program files\Registry Mechanic\RMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSDMonitor]
2009-11-25 20:42 104408 ----a-w- c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-15 14:28 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2008-03-24 01:15 68464 ----a-w- c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
2008-06-07 02:21 181536 ----a-w- c:\windows\System32\TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-05-25 00:49 487424 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-05-24 48192]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-04-06 23888]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [x]
R3 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\DRIVERS\WQ_ldr.sys [2008-08-21 33720]
R4 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-27 106496]
R4 ApRunSvc;Alps Application Launcher Service;c:\program files\Apoint2K\ApRunSvc.exe [2007-07-23 36864]
R4 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-27 1676536]
R4 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2008-08-25 344064]
R4 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-27 98304]
R4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-03-07 632792]
R4 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-09-18 66848]
R4 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R4 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-08-08 53325]
R4 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-05-24 253952]
R4 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2008-05-29 2058776]
R4 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2008-08-25 2269184]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2008-05-15 19496]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 BPPROT;Intel® WiMAX Link Protocol Driver;c:\windows\system32\DRIVERS\bpprot.sys [2008-08-10 22016]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-25 520192]
S3 5U875UVC;Integrated Camera;c:\windows\system32\DRIVERS\RCUVCMNP.sys [2009-09-10 186624]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-10-27 482176]
S3 bpenum;Intel® WiMAX Link Enumerator;c:\windows\system32\DRIVERS\bpenum.sys [2008-08-25 31744]
S3 bpmp;Intel® WiMAX Link 5050 Series;c:\windows\system32\DRIVERS\bpmp.sys [2008-08-25 117760]
S3 bpusb;Intel® WiMAX Link 5050 Series Function Driver;c:\windows\system32\Drivers\bpusb.sys [2008-08-10 51712]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2009-08-15 220152]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-29 102448]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-29 3664384]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]
S3 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\DRIVERS\WQ_hwa.sys [2008-08-21 176952]
S3 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\DRIVERS\WQ_rci.sys [2008-08-21 79416]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-08-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-07-30 15:35]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3805010505-555375832-3243484014-1005Core.job
- c:\users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-15 20:36]

2010-08-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3805010505-555375832-3243484014-1005UA.job
- c:\users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-15 20:36]

2010-08-04 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-05-07 19:46]

2010-08-04 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-05-08 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: intuit.com\ttlc
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\JAYHIR~1\AppData\Roaming\Mozilla\Firefox\Profiles\tafb64d6.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\users\Jay Hirschson\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Jay Hirschson\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\Jay Hirschson\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
.
------- File Associations -------
.
.txt=
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
SafeBoot-Symantec Antvirus



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
@SACL=(02 0001)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
@SACL=(02 0001)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1912)
c:\program files\PC-Doctor\ATLPcdToolbar551452.dll
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\windows\system32\RacAgent.exe
.
**************************************************************************
.
Completion time: 2010-08-16 23:09:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 03:08

Pre-Run: 27,102,289,920 bytes free
Post-Run: 27,900,133,376 bytes free

- - End Of File - - 1945548AAC72D20A4E8989DB50E347E8


#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:07:49 AM

Posted 16 August 2010 - 10:49 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me. Also let me know how things are running now.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
Folder::
c:\users\JAYHIR~1\AppData\Local\ywljryxqc
c:\users\Jay Hirschson\AppData\Local\ywljryxqc


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

"information and logs"
    In your next post I need the following:
    1. Report from ComboFix
    2. Let me know of any problems you may have had
    3. How is the computer doing now after running the script?
Gringo

Edited by gringo_pr, 16 August 2010 - 10:50 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here --> [donate button] <-- Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#12 jhirschson

jhirschson
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:49 AM

Posted 17 August 2010 - 07:38 PM

Once again running in Windows "diagnostics" mode, I ran ComboFix using the CFScript.txt, as instructed. Below is the resulting log:

ComboFix 10-08-16.03 - Jay Hirschson 08/17/2010 0:31.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3015.2203 [GMT -4:00]
Running from: c:\users\Jay Hirschson\Desktop\ComboFix.exe
Command switches used :: c:\users\Jay Hirschson\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Jay Hirschson\AppData\Local\ywljryxqc
c:\windows\system32\%appdata%

.
((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
.

2010-08-17 04:41 . 2010-08-17 12:14 -------- d-----w- c:\users\JAYHIR~1\AppData\Local\temp
2010-08-17 04:41 . 2010-08-17 12:14 -------- d-----w- c:\users\Jay Hirschson\AppData\Local\temp
2010-08-17 04:41 . 2010-08-17 04:41 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-17 04:41 . 2010-08-17 04:41 -------- d-----w- c:\users\jhirschson\AppData\Local\temp
2010-08-17 04:41 . 2010-08-17 04:41 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-17 04:41 . 2010-08-17 04:41 -------- d-----w- c:\users\Admin\AppData\Local\temp
2010-08-17 04:41 . 2010-08-17 04:41 -------- d-----w- c:\users\achalemian\AppData\Local\temp
2010-08-13 12:48 . 2010-08-13 12:48 -------- d-----w- c:\program files\iPod
2010-08-13 12:48 . 2010-08-13 12:49 -------- d-----w- c:\program files\iTunes
2010-08-13 12:43 . 2010-08-13 12:43 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-08-07 15:34 . 2010-08-07 15:34 -------- d-----w- c:\users\Admin\Bluetooth Software
2010-08-07 15:34 . 2010-08-07 15:34 -------- d-----w- c:\users\Admin\AppData\Roaming\Apple Computer
2010-08-05 17:08 . 2010-08-05 17:08 -------- d-----w- c:\programdata\IsolatedStorage
2010-08-05 17:08 . 2010-08-05 18:44 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\bppenu11
2010-08-05 17:08 . 2010-08-05 18:44 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\bppenu11
2010-08-05 17:08 . 2010-08-05 17:08 -------- d-----w- c:\users\JAYHIR~1\AppData\Local\Palo_Alto_Software
2010-08-05 17:08 . 2010-08-05 17:08 -------- d-----w- c:\users\Jay Hirschson\AppData\Local\Palo_Alto_Software
2010-08-05 17:06 . 2010-08-05 17:06 -------- d-----w- c:\program files\Business Plan Pro
2010-08-05 17:03 . 2010-08-05 17:03 -------- d-----w- c:\users\JAYHIR~1\AppData\Local\Downloaded Installations
2010-08-05 17:03 . 2010-08-05 17:03 -------- d-----w- c:\users\Jay Hirschson\AppData\Local\Downloaded Installations
2010-08-04 12:40 . 2010-08-04 12:40 -------- d-----w- c:\programdata\PC-Doctor for Windows
2010-08-04 12:40 . 2010-08-04 12:42 -------- d-----w- c:\programdata\PCDr
2010-08-04 12:40 . 2010-08-04 12:41 -------- d-----w- c:\program files\PC-Doctor
2010-07-31 01:36 . 2010-07-31 12:36 -------- d-----w- c:\users\Jay Hirschson\DoctorWeb
2010-07-30 20:17 . 2010-07-30 20:17 -------- d-----w- c:\program files\Common Files\Skype
2010-07-30 15:52 . 2010-07-30 15:52 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\Malwarebytes
2010-07-30 15:52 . 2010-07-30 15:52 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\Malwarebytes
2010-07-30 15:52 . 2010-07-30 15:52 -------- d-----w- c:\programdata\Malwarebytes
2010-07-30 15:52 . 2010-07-31 01:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 15:38 . 2010-02-05 13:18 100136 ----a-w- c:\windows\system32\drivers\pctwfpfilter.sys
2010-07-30 15:38 . 2010-02-05 13:17 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-07-30 15:37 . 2010-03-29 14:06 218592 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-07-30 15:37 . 2009-11-23 17:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2010-07-30 15:37 . 2010-04-08 18:29 63360 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-07-30 15:36 . 2010-07-30 15:52 -------- d-----w- c:\program files\Spyware Doctor
2010-07-30 15:36 . 2010-07-30 15:36 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\PC Tools
2010-07-30 15:36 . 2010-07-30 15:36 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\PC Tools
2010-07-30 15:36 . 2010-07-30 15:36 -------- d-----w- c:\programdata\PC Tools
2010-07-30 15:35 . 2010-07-30 15:39 -------- d-----w- c:\programdata\Google Updater
2010-07-30 15:35 . 2010-07-30 15:35 -------- d-----w- c:\program files\Google
2010-07-30 15:27 . 2010-07-30 15:27 161296 ------w- c:\windows\system32\drivers\tmcomm.sys
2010-07-30 15:15 . 2010-08-03 02:12 -------- d-----w- c:\program files\Trend Micro
2010-07-25 01:19 . 2010-07-25 01:20 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\avidemux
2010-07-25 01:19 . 2010-07-25 01:20 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\avidemux
2010-07-25 01:19 . 2010-07-25 01:47 -------- d-----w- c:\program files\Avidemux 2.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-17 04:24 . 2009-02-19 21:29 12 ----a-w- c:\windows\bthservsdp.dat
2010-08-17 03:55 . 2009-10-04 22:29 720 ----a-w- c:\programdata\ArcSoft\kodak-printcreations-22-080812-oem\acforall.dll
2010-08-16 13:52 . 2006-11-02 08:51 16440 ----a-w- c:\windows\system32\drivers\pciide.sys
2010-08-16 13:37 . 2009-11-21 23:59 680 ----a-w- c:\users\JAYHIR~1\AppData\Local\d3d9caps.dat
2010-08-16 13:37 . 2009-11-21 23:59 680 ----a-w- c:\users\Jay Hirschson\AppData\Local\d3d9caps.dat
2010-08-13 12:48 . 2009-10-03 10:12 -------- d-----w- c:\program files\Common Files\Apple
2010-08-07 15:34 . 2009-10-03 10:06 120640 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-08-05 23:03 . 2009-10-03 11:34 5242 ----a-w- c:\programdata\Intuit\QuickBooks 2009\qbbackup.sys
2010-08-04 12:53 . 2009-02-19 21:55 -------- d-----w- c:\programdata\PC-Doctor
2010-08-03 02:12 . 2009-02-19 21:35 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-30 20:22 . 2009-10-10 12:27 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\Skype
2010-07-30 20:22 . 2009-10-10 12:27 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\Skype
2010-07-30 15:38 . 2009-12-26 23:32 -------- d-----w- c:\program files\Common Files\PC Tools
2010-07-30 13:37 . 2010-02-08 09:46 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\Raewh
2010-07-30 13:37 . 2010-02-08 09:46 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\Raewh
2010-07-25 01:48 . 2010-02-16 20:55 -------- d-----w- c:\users\JAYHIR~1\AppData\Roaming\Ohorgo
2010-07-25 01:48 . 2010-02-16 20:55 -------- d-----w- c:\users\Jay Hirschson\AppData\Roaming\Ohorgo
2010-07-22 23:46 . 2009-02-19 22:20 -------- d-----w- c:\programdata\Microsoft Help
2010-07-02 15:34 . 2009-10-03 16:53 856880 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\dblgen11.dll
2010-07-02 15:34 . 2009-10-03 16:53 791856 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblgen10.dll
2010-07-02 15:34 . 2009-10-03 16:53 763184 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dblib10.dll
2010-07-02 15:34 . 2009-10-03 16:53 570672 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlhttps10.dll
2010-07-02 15:34 . 2009-10-03 16:53 496944 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlrsa10.dll
2010-07-02 15:34 . 2009-10-03 16:53 423216 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbmlsync.exe
2010-07-02 15:34 . 2009-10-03 16:53 398640 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbcon10.dll
2010-07-02 15:34 . 2009-10-03 16:53 296240 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlsock10.dll
2010-07-02 15:34 . 2009-10-03 16:53 267568 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\mlcrsa10.dll
2010-07-02 15:34 . 2009-10-03 16:53 2184496 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\iAnywhere.Data.SQLAnywhere.dll
2010-07-02 15:34 . 2009-10-03 16:53 1372424 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-07-02 15:34 . 2009-10-03 16:53 1152304 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\Sybase10\dbtool10.dll
2010-06-22 23:42 . 2010-06-22 23:42 -------- d-----w- c:\program files\Bonjour
2010-06-11 20:51 . 2010-06-11 20:51 3055600 ----a-w- c:\users\Jay Hirschson\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
2010-06-11 20:36 . 2010-06-11 20:36 275952 ----a-w- c:\users\Jay Hirschson\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-02-19 21:15 . 2009-02-19 21:14 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Wireless USB Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Wireless USB Manager.lnk
backup=c:\windows\pss\Wireless USB Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jay Hirschson^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^StartUp^eFax 4.4.lnk]
path=c:\users\Jay Hirschson\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\eFax 4.4.lnk
backup=c:\windows\pss\eFax 4.4.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FingerPrintSoftware]
c:\program files\Lenovo Fingerprint Software\fpapp.exe \s [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2010-06-19 16:36 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTray]
2008-10-27 19:01 431392 ----a-w- c:\program files\ThinkPad\ConnectUtilities\ACTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2010-06-19 23:04 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 06:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 15:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
2008-09-18 17:35 214576 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\BTVLOGEX.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CameraApplicationLauncher]
2008-08-12 22:47 16384 ----a-w- c:\program files\Lenovo\Camera Center\bin\CameraApplicationLaunchPadLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-07-21 06:10 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2009-04-06 18:12 115560 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cssauth]
2008-06-25 10:14 3077432 ----a-w- c:\program files\Lenovo\Client Security Solution\cssauth.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.4]
2008-10-07 20:25 95744 ----a-w- c:\program files\eFax Messenger 4.4\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
2008-06-04 17:36 242976 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\EZEJMNAP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2009-11-15 20:36 135664 ----atw- c:\users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-09-17 04:23 170520 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-09-17 04:23 150040 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Intuit SyncManager]
2009-12-22 13:47 1092872 ----a-w- c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-07-21 19:53 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPMailChecker]
2008-08-31 18:02 124248 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMLCHK.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LPManager]
2008-08-31 18:02 165208 ----a-w- c:\progra~1\THINKV~1\PrdCtr\LPMGR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-09-17 04:23 145944 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\picon]
2008-05-29 08:12 367128 ----a-w- c:\program files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintServer Diagnostic]
2005-06-03 14:15 266240 ----a-w- c:\program files\Print Server\PTP\PSDiagnostic.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWMTRV]
2008-09-18 17:35 632096 ----a-w- c:\progra~1\ThinkPad\UTILIT~1\PWMTR32V.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2009-11-25 20:42 292824 ----a-w- c:\program files\Registry Mechanic\RMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSDMonitor]
2009-11-25 20:42 104408 ----a-w- c:\program files\Common Files\PC Tools\sMonitor\SSDMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-15 14:28 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPFNF7]
2008-07-30 19:00 60192 ----a-w- c:\program files\Lenovo\NPDIRECT\tpfnf7sp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
2008-03-24 01:15 68464 ----a-w- c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]
2008-06-07 02:21 181536 ----a-w- c:\windows\System32\TpShocks.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVT Scheduler Proxy]
2008-05-25 00:49 487424 ----a-w- c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:23 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R1 tvtumon;tvtumon;c:\windows\system32\DRIVERS\tvtumon.sys [2008-05-24 48192]
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-04-06 23888]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\DRIVERS\TMPassthru.sys [x]
R3 WQ_USBLOAD;WiQuest WUSB Loader driver;c:\windows\system32\DRIVERS\WQ_ldr.sys [2008-08-21 33720]
R4 ADMonitor;AD Monitor;c:\windows\system32\ADMonitor.exe [2008-10-27 106496]
R4 ApRunSvc;Alps Application Launcher Service;c:\program files\Apoint2K\ApRunSvc.exe [2007-07-23 36864]
R4 ATService;AuthenTec Fingerprint Service;c:\windows\system32\AtService.exe [2008-10-27 1676536]
R4 DMAgent;Intel® PROSet/Wireless WiMAX Red Bend Device Management Service;c:\program files\Intel\WiMAX\Bin\DMAgent.exe [2008-08-25 344064]
R4 dtsvc;Data Transfer Service;c:\windows\system32\DTS.exe [2008-10-27 98304]
R4 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2010-03-07 632792]
R4 Power Manager DBC Service;Power Manager DBC Service;c:\program files\ThinkPad\Utilities\PWMDBSVC.EXE [2008-09-18 66848]
R4 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [2008-04-25 1120752]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2010-03-11 366840]
R4 TPHKSVC;On Screen Display;c:\program files\LENOVO\HOTKEY\TPHKSVC.exe [2008-08-08 53325]
R4 TVT_UpdateMonitor;TVT Windows Update Monitor;c:\program files\Lenovo\Rescue and Recovery\UpdateMonitor.exe [2008-05-24 253952]
R4 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2008-05-29 2058776]
R4 WiMAXAppSrv;Intel® PROSet/Wireless WiMAX Service;c:\program files\Intel\WiMAX\Bin\AppSrv.exe [2008-08-25 2269184]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-03-29 218592]
S0 TPDIGIMN;TPDIGIMN;c:\windows\System32\DRIVERS\ApsHM86.sys [2008-05-15 19496]
S1 lenovo.smi;Lenovo System Interface Driver;c:\windows\system32\DRIVERS\smiif32.sys [2008-05-12 13480]
S2 BPPROT;Intel® WiMAX Link Protocol Driver;c:\windows\system32\DRIVERS\bpprot.sys [2008-08-10 22016]
S2 TVT Backup Protection Service;TVT Backup Protection Service;c:\program files\Lenovo\Rescue and Recovery\rrpservice.exe [2008-05-25 520192]
S3 5U875UVC;Integrated Camera;c:\windows\system32\DRIVERS\RCUVCMNP.sys [2009-09-10 186624]
S3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-10-27 482176]
S3 bpenum;Intel® WiMAX Link Enumerator;c:\windows\system32\DRIVERS\bpenum.sys [2008-08-25 31744]
S3 bpmp;Intel® WiMAX Link 5050 Series;c:\windows\system32\DRIVERS\bpmp.sys [2008-08-25 117760]
S3 bpusb;Intel® WiMAX Link 5050 Series Function Driver;c:\windows\system32\Drivers\bpusb.sys [2008-08-10 51712]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2008-01-29 29736]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6032.sys [2009-08-15 220152]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-07-29 102448]
S3 NETw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-08-29 3664384]
S3 TVTI2C;Lenovo SM bus driver;c:\windows\system32\DRIVERS\Tvti2c.sys [2008-02-22 37312]
S3 WQ_USBHWA;WiQuest Host Wire Adapter driver;c:\windows\system32\DRIVERS\WQ_hwa.sys [2008-08-21 176952]
S3 WQ_USBRCI;WiQuest UltraWideBand driver;c:\windows\system32\DRIVERS\WQ_rci.sys [2008-08-21 79416]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
.
Contents of the 'Scheduled Tasks' folder

2010-08-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-07-30 15:35]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3805010505-555375832-3243484014-1005Core.job
- c:\users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-15 20:36]

2010-08-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3805010505-555375832-3243484014-1005UA.job
- c:\users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe [2009-11-15 20:36]

2010-08-04 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\PC-Doctor\uaclauncher.exe [2010-05-07 19:46]

2010-08-04 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\PC-Doctor\pcdrcui.exe [2010-05-08 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie.htm
Trusted Zone: intuit.com\ttlc
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\users\JAYHIR~1\AppData\Roaming\Mozilla\Firefox\Profiles\tafb64d6.default\
FF - plugin: c:\program files\Google\Google Updater\2.4.1970.7372\npCIDetect14.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\users\Jay Hirschson\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\Jay Hirschson\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\Jay Hirschson\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-{C47C3689-112B-7A2E-46A6-63F281D7EA32} - c:\users\Jay Hirschson\AppData\Roaming\Ohorgo\arxod.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-17 08:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
@SACL=(02 0001)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
@SACL=(02 0001)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2788)
c:\program files\PC-Doctor\ATLPcdToolbar551452.dll
c:\windows\system32\btncopy.dll
c:\program files\Lenovo\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Lenovo\Drag-to-Disc\ShellRes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\windows\System32\TPHDEXLG.exe
c:\program files\Lenovo\Rescue and Recovery\rrservice.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
.
**************************************************************************
.
Completion time: 2010-08-17 08:19:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-17 12:19
ComboFix2.txt 2010-08-17 03:09

Pre-Run: 27,822,764,032 bytes free
Post-Run: 27,823,210,496 bytes free

- - End Of File - - 460CA15E668C6FBEC4AE17DF9E005BAA


#13 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 17 August 2010 - 09:28 PM

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 8.1.2
    Java™ 6 Update 7


    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader (3.5 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date.

It can be updated by the Java control panel
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup) -> Update Tab -> Update Now.
  • An update should begin;
  • follow the prompts

Clear your Java Cache
  • click on Start-> Control Panel (Classic View)-> Java (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC (Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis
  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

"information and logs"
    In your next post I need the following
    1. Log From MBAM
    2. report from Hijackthis
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
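The HijackThis log asked for above is reviewed by eye: an O4/O23 line is only interesting if the file it points at is somewhere it should not be, has no vendor, or no longer exists, which is why the instructions say not to let the tool "fix" anything on its own. The script below, added here as an illustration and not code from HijackThis, ComboFix, MBAM or this forum, encodes those eyeball checks for HijackThis-format lines: a core system binary name (csrss.exe, conhost.exe, explorer.exe, ...) living outside %SystemRoot%, an autostart from a user-writable folder such as AppData, anything starting from the LocalSystem profile (the location MBAM later reports for csrss.exe and conhost.exe in this thread), an O23 service with "Unknown owner", and a "(file missing)" target. The function names (`triage`, `triage_line`, `extract_path`) are this example's own, and the sample log is constructed: four benign lines of the kind present on this machine, two made-up lines modelled on what MBAM and ComboFix reported, and two lines copied from the thread that are most likely harmless but still worth a look.

```python
"""Triage of HijackThis-style autostart logs.

Added example for this thread, not code from HijackThis, ComboFix, MBAM or
BleepingComputer. It encodes the checks an analyst makes by eye on O4/O18/O23
lines; a hit means "look closer", never "remove".
"""
import re
from typing import List, Tuple

# Binaries that Windows only ever runs from %SystemRoot% or %SystemRoot%\System32.
SYSTEM_BINARIES = {"csrss.exe", "conhost.exe", "explorer.exe", "svchost.exe",
                   "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
WINDOWS_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")
# Directories a standard user can write to; malware favours them because no
# elevation is needed to drop a file and add a Run value pointing at it.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\application data\\")
# LocalSystem's own profile: anything starting from here runs as SYSTEM.
SYSTEM_PROFILE = "\\config\\systemprofile\\"

# First absolute path ending in a PE extension, quoted or not, with spaces or
# 8.3 short names; the lookahead stops the match at the real extension.
PATH_RE = re.compile(r'([a-z]:\\.+?\.(?:exe|dll|sys|ocx|scr))(?=["\s,/]|$)', re.I)
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d)\s+-\s+(.*)$")


def extract_path(text: str) -> str:
    """Lower-cased first PE path in the line, or '' if none resolves."""
    m = PATH_RE.search(text)
    return m.group(1).lower() if m else ""


def in_windows_dir(path: str) -> bool:
    """True only when the file sits directly in a Windows system directory."""
    return path.rsplit("\\", 1)[0] in WINDOWS_DIRS


def triage_line(line: str) -> List[str]:
    """Reasons a single log line deserves review; empty list means nothing noted."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    path = extract_path(body)
    name = path.rsplit("\\", 1)[-1]
    reasons: List[str] = []

    if "(file missing)" in body:
        reasons.append("target file missing: orphaned entry, or a loader that removed itself")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service with no recorded vendor: check the binary's Authenticode signature")
    if name in SYSTEM_BINARIES and not in_windows_dir(path):
        reasons.append(f"{name} outside the Windows directory: system-binary name masquerade")
    if SYSTEM_PROFILE in path:
        reasons.append("starts from LocalSystem's profile: runs as SYSTEM, untouched by per-user cleanup")
    elif kind in ("O2", "O4", "O20", "O21", "O23") and any(d in path for d in USER_WRITABLE):
        reasons.append("autostart from a user-writable location")
    if kind == "O17":
        reasons.append("DNS/domain setting: confirm it matches the network the machine belongs to")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """(line, reasons) for every line that tripped at least one heuristic."""
    hits = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            hits.append((raw.strip(), reasons))
    return hits


# Constructed sample in HijackThis format. Lines 1-4 are benign entries of the
# kind present on the machine in this thread; lines 5-6 are made up, modelled
# on what MBAM and ComboFix reported (csrss.exe under the LocalSystem profile,
# the orphaned arxod.exe under AppData); lines 7-8 are copied from the thread
# and are most likely benign, yet the heuristics still ask for a look.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O4 - HKLM\..\Run: [csrss] C:\Windows\System32\config\systemprofile\AppData\Roaming\csrss.exe
O4 - HKCU\..\Run: [arxod] C:\Users\Jay Hirschson\AppData\Roaming\Ohorgo\arxod.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\Windows\system32\DTS.exe
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run as-is it reports four of the eight sample lines. Two limitations are deliberate: entries written with an environment variable (`%ProgramFiles%\...`) or a bare filename (`TpShocks.exe`) resolve to no path and are skipped, so on a live machine expand them first; and a hit such as the "Unknown owner" service is a prompt to verify the file's signature and vendor, not a verdict, which is exactly why the log goes to the helper before anything is removed.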

#14 jhirschson
  • Topic Starter

  • Members
  • 10 posts

Posted 18 August 2010 - 10:56 PM

I followed all instructions to the letter, and the MBAM and HijackThis log files are pasted below. Awaiting next steps, but things seem better...

"mbam-log-2010-08-18 (23-36-27)"

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4447

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882

8/18/2010 11:36:27 PM
mbam-log-2010-08-18 (23-36-27).txt

Scan type: Quick scan
Objects scanned: 173264
Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wireshark Antivirus (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\system32\config\systemprofile\AppData\Roaming\conhost.exe (VirTool.Obfuscator) -> Quarantined and deleted successfully.
C:\Windows\system32\config\systemprofile\AppData\Roaming\csrss.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\csrss.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Wireshark Antivirus\Wireshark Antivirus.lnk (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\Desktop\Wireshark Antivirus.LNK (Rogue.WiresharkAntivirus) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.



"HijackThis.txt"

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:50:45 PM, on 8/18/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
C:\Windows\System32\TpShocks.exe
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe
C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\ThinkVantage\PrdCtr\LPMGR.EXE
C:\Program Files\ThinkVantage\PrdCtr\LPMLCHK.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Lenovo\Client Security Solution\cssauth.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Lenovo\Lenovo WUSB\WQ_Tray2.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Program Files\Registry Mechanic\regmech.exe
C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PWMUIAux.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Password Manager Browser Helper Object - {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [TPFNF7] C:\Program Files\Lenovo\NPDIRECT\TPFNF7SP.exe /r
O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PWMTRV] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Program Files\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [cssauth] "C:\Program Files\Lenovo\Client Security Solution\cssauth.exe" silent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BTVLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
O4 - HKCU\..\Run: [Google Update] "C:\Users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKUS\S-1-5-21-1761176027-4166393175-961920544-1121\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-21-1761176027-4166393175-961920544-1121\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-21-1761176027-4166393175-961920544-1653\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - HKUS\S-1-5-21-3805010505-555375832-3243484014-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Admin')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless USB Manager.lnk = C:\Program Files\Lenovo\Lenovo WUSB\WQ_Tray2.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O9 - Extra 'Tools' menuitem: Lenovo Password Manager... - {F4F55DC8-0B69-4DFE-BA94-CB677B88B2A3} - C:\Program Files\Lenovo\Client Security Solution\tvtpwm_ie_com.dll
O16 - DPF: {C2ED62BE-4FF5-4FAF-9274-3BA328DCA35C} (TimeTrackingV2.UserControl1) - https://timetracking.quickbooks.com/ocx/tts...eTrackingV2.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = emg.dev
O17 - HKLM\Software\..\Telephony: DomainName = emg.dev
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = emg.dev
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\Windows\system32\ADMonitor.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Alps Application Launcher Service (ApRunSvc) - Unknown owner - C:\Program Files\Apoint2K\ApRunSvc.exe
O23 - Service: AuthenTec Fingerprint Service (ATService) - AuthenTec, Inc. - C:\Windows\system32\AtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless WiMAX Red Bend Device Management Service (DMAgent) - Red Bend Ltd. - C:\Program Files\Intel\WiMAX\Bin\DMAgent.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\Windows\system32\DTS.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel® Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Flash Communication Server (FlashCom) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
O23 - Service: Flash Communication Admin Service (FlashComAdmin) - Macromedia, Inc. - C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\Windows\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: Power Manager DBC Service - Lenovo - C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel® Corporation - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: System Update (SUService) - Lenovo Group Limited - c:\Program Files\Lenovo\System Update\SUService.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThinkVantage Registry Monitor Service - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\Windows\System32\TPHDEXLG.exe
O23 - Service: On Screen Display (TPHKSVC) - Lenovo Group Limited - C:\Program Files\LENOVO\HOTKEY\TPHKSVC.exe
O23 - Service: TSS Core Service (TSSCoreService) - Lenovo - C:\Program Files\Lenovo\Client Security Solution\tvttcsd.exe
O23 - Service: TVT Backup Protection Service - Unknown owner - C:\Program Files\Lenovo\Rescue and Recovery\rrpservice.exe
O23 - Service: TVT Backup Service - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\rrservice.exe
O23 - Service: TVT Scheduler - Lenovo Group Limited - c:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe
O23 - Service: TVT Windows Update Monitor (TVT_UpdateMonitor) - Lenovo Group Limited - C:\Program Files\Lenovo\Rescue and Recovery\UpdateMonitor.exe
O23 - Service: Intel® Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe
O23 - Service: Intel® PROSet/Wireless WiMAX Service (WiMAXAppSrv) - Intel® Corporation - C:\Program Files\Intel\WiMAX\Bin\AppSrv.exe

--
End of file - 17039 bytes


THANKS AGAIN!!

#15 gringo_pr (Bleepin Gringo, Malware Response Team, Puerto Rico)

Posted 19 August 2010 - 03:11 AM

Greetings

These logs are looking very good; we are almost done!!! Just one more scan to go.

Remove unneeded startup entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to; you can start any of them when you need it by clicking its icon (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
      O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [PrintServer Diagnostic] C:\Program Files\Print Server\PTP\PSDiagnostic.exe
      O4 - HKLM\..\Run: [picon] "C:\Program Files\Common Files\Intel\Privacy Icon\PrivacyIconClient.exe" -startup
      O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
      O4 - HKLM\..\Run: [LPMailChecker] C:\PROGRA~1\THINKV~1\PrdCtr\LPMLCHK.exe
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
      O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
      O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
      O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
      O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
      O4 - HKLM\..\Run: [CameraApplicationLauncher] C:\Program Files\Lenovo\Camera Center\bin\CameraApplicationLaunchpadLauncher.exe
      O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
      O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
      O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
      O4 - HKCU\..\Run: [Google Update] "C:\Users\Jay Hirschson\AppData\Local\Google\Update\GoogleUpdate.exe" /c
      O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
      O4 - HKUS\S-1-5-21-1761176027-4166393175-961920544-1121\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
      O4 - HKUS\S-1-5-21-1761176027-4166393175-961920544-1121\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
      O4 - HKUS\S-1-5-21-1761176027-4166393175-961920544-1653\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
      O4 - HKUS\S-1-5-21-3805010505-555375832-3243484014-1003\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User 'Admin')
      O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
      O4 - Global Startup: Wireless USB Manager.lnk = C:\Program Files\Lenovo\Lenovo WUSB\WQ_Tray2.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

      NOTE** You can research each of those lines here and see if you want to keep them or not:
      just copy the name between the brackets and paste it into the search space, for example
      O4 - HKLM\..\Run: [IntelliPoint]


Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan.

Go to the ESET web page to run an online scanner from ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Report from ESET
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
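The startup cleanup in the post above is done by hand: find each listed O4 line in the HijackThis scan window and tick it. As an added example (not code from this thread, from HijackThis or from its vendor), the Python below reads the same log layout, returns the exact O4 lines to tick given a list of bracketed names like the one gringo posted, and separately pulls out the O23 services that carry no vendor string and the O18 handlers HijackThis itself marks "(file missing)". The regular expressions are my reading of the log lines in this thread, not a documented format; the sample input is a handful of lines reproduced from the log posted above.

```python
"""HijackThis log triage: O4 startup entries, O18 protocol handlers, O23 services.
Added example for this thread; regexes reflect the log layout seen here."""
import re
from dataclasses import dataclass
from typing import Optional

# Every HijackThis line is "Onn - <body>"; the Onn code identifies the section.
ENTRY_RE = re.compile(r"^(?P<code>O\d{1,2}) - (?P<body>.*)$")
# O4 registry Run entries: HKLM\..\Run: [Name] command   (SID form: HKUS\S-1-5-...\..\Run)
O4_RUN_RE = re.compile(r"^(?P<hive>HK\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder entries: Global Startup: Foo.lnk = path
O4_LNK_RE = re.compile(r"^(?P<hive>\w+ Startup): (?P<name>.+?\.lnk) = (?P<cmd>.*)$")
# O23 services: Service: Display Name (ShortName) - Owner - path   (ShortName is optional)
O23_RE = re.compile(r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)$")  # trailing (User 'x') on HKUS lines


@dataclass
class Startup:
    hive: str
    name: str   # text between the [brackets]: what the post says to search for
    cmd: str
    raw: str    # the full log line, i.e. what you tick in HijackThis


@dataclass
class Service:
    display: str
    short: Optional[str]
    owner: str
    path: str
    raw: str


def parse_log(text: str):
    """Return (startups, services, protocol_lines) for a HijackThis log."""
    startups, services, protocols = [], [], []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            body = USER_SUFFIX_RE.sub("", body)
            r = O4_RUN_RE.match(body) or O4_LNK_RE.match(body)
            if r:
                startups.append(Startup(r.group("hive"), r.group("name"), r.group("cmd"), raw))
        elif code == "O23":
            s = O23_RE.match(body)
            if s:
                services.append(Service(s.group("display"), s.group("short"),
                                        s.group("owner"), s.group("path"), raw))
        elif code == "O18":
            protocols.append(raw)
    return startups, services, protocols


def fix_list(startups, names):
    """Exact O4 lines to tick, given the [names] from a helper's list. Names the
    machine no longer has are skipped, which is what the post's '(if present)' means."""
    wanted = {n.lower() for n in names}
    return [s.raw for s in startups if s.name.lower() in wanted]


def review_services(services):
    """O23 services with no vendor string. 'Unknown owner' only says the binary
    carries no company name; verify publisher and hash before concluding anything."""
    return [s for s in services if s.owner == "Unknown owner"]


def missing_files(protocol_lines):
    # O18 handlers whose DLL HijackThis could not find: stale registrations.
    return [p for p in protocol_lines if "(file missing)" in p]


# Sample input: lines reproduced from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RMTray.exe /H
O4 - HKUS\S-1-5-21-1761176027-4166393175-961920544-1121\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (User '?')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: AD Monitor (ADMonitor) - Unknown owner - C:\Windows\system32\ADMonitor.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Data Transfer Service (dtsvc) - Unknown owner - C:\Windows\system32\DTS.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
"""

if __name__ == "__main__":
    st, sv, pr = parse_log(SAMPLE_LOG)
    for line in fix_list(st, ["SSDMonitor", "QuickTime Task", "Sidebar", "eFax 4.4"]):
        print("tick:", line)
    for s in review_services(sv):
        print("verify:", s.display, "->", s.path)
    for line in missing_files(pr):
        print("stale:", line)
```

Running it against a full log (`parse_log(open("hijackthis.log", encoding="latin-1").read())`) gives you the tick list without eyeballing forty lines, and the "verify" list is the set of services to check by publisher and file hash before trusting the machine again; nothing in the output is a verdict on its own.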



