Infomoneyservice


  • This topic is locked
25 replies to this topic

#1 Novastang

  • Members
  • 18 posts

Posted 15 August 2010 - 02:16 PM

For a few months, I have been plagued by a virus/trojan? which most notably manifests itself through a website pop-up called infomoneyservice.com. I am unable to use the infected computer to do anything financial, as every time I attempt to log in to any financial related site, my browser is redirected to a screen asking for PIN numbers and SSNs and the like.

Every time I reopen either Firefox or IE, there are about 5 windows with the root address of infomoneyservice.com which try to reopen. I have blocked them using TrendMicro Internet Security--but before having done that, audio feeds would randomly begin on my computer (presumably) from these sites.

Trend Micro, CCleaner and Malwarebytes have been able to locate nothing--when they are able to run. Most times I attempt to run a virus scan, however, I receive the blue screen of death.

I tried to run GMER, but it keeps saying that it encounters a problem and needs to close, so I cannot get its log. The DDS Log is posted below.

Thank you for your help!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 14:04:23.20 on Sun 08/15/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.248 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Trend Micro\Internet Security\UfSeAgnt.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\BSAPRINT\Bsaprint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\NETGEAR\WPN111\wpn111.exe
C:\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Trend Micro\BM\TMBMSRV.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mybsa.org/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [hpqSRMon]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UfSeAgnt.exe] "c:\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bsapri~1.lnk - c:\bsaprint\Bsaprint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\netgear\wpn111\wpn111.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxps://chicagobsa.doubleknot.com/rosters/SAXFile.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {689ff870-2ac0-11d5-b634-00c04faedb18}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267569656435
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.mybsa.org/dana-cached/setup/JuniperSetupSP1.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\59tg2xy3.default
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx\divx web player\npdivx32.dll
FF - plugin: c:\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension

---- FIREFOX POLICIES ----
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2008-9-30 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2008-9-30 5504]
R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);c:\windows\system32\drivers\NEOFLTR_600_12141.sys [2007-10-2 63024]
R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [2009-1-23 64480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-2-23 36368]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2010-1-9 17149]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-2-23 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-2-24 50704]
R3 TmPfw;Trend Micro Personal Firewall;c:\trend micro\internet security\TmPfw.exe [2010-2-24 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\trend micro\internet security\TmProxy.exe [2010-2-24 689416]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2010-1-9 384608]
S0 rhoikio;rhoikio;c:\windows\system32\drivers\xutrfide.sys --> c:\windows\system32\drivers\xutrfide.sys [?]
S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;c:\windows\system32\drivers\2862WICB.sys [2007-11-23 357632]

=============== Created Last 30 ================

2010-07-24 21:39:51 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 21:49:33 126280 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-09-12 15:47:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 14:05:03.04 ===============


After repeated attempts with GMER, I ran a report with RootRepeal. Here is its log; I hope that it is helpful:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/08/15 17:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name:
Image Path:
Address: 0xF7470000 Size: 96512 File Visible: No Signed: -
Status: -

Name: agdoypog.sys
Image Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\agdoypog.sys
Address: 0xED0F0000 Size: 93056 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0DAB000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B74000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xED83F000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:
Status: MBR Rootkit Detected!

Path: C:\RootRepeal report 08-15-10 (17-52-29).txt
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x8514ece0

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8514fe80

#: 047 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8514e1e0

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "<unknown>" at address 0x8514e4a0

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8514fb40

#: 063 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8514f260

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8514f520

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8514fce0

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x8514e760

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x85150020

#: 247 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x8514efa0

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8514ea20

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8514f9a0

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x863e8b8c Size: 11

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLOSE]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_EA]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_EA]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CLEANUP]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_POWER]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: atapi, IRP_MJ_PNP]
Process: System Address: 0x863827a8 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_EA]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_EA]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLEANUP]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x85f7bf00 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLOSE]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_WRITE]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_QUERY_EA]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_SET_EA]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_SHUTDOWN]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_CLEANUP]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_SET_SECURITY]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_POWER]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_SET_QUOTA]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: usbstor, IRP_MJ_PNP]
Process: System Address: 0x861ec008 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_CREATE]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_CLOSE]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_READ]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_WRITE]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_QUERY_EA]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_SET_EA]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_SHUTDOWN]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_CLEANUP]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_SET_SECURITY]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_POWER]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_SET_QUOTA]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: xmasscsi, IRP_MJ_PNP]
Process: System Address: 0x85f352a8 Size: 99

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]
Process: System Address: 0x8604263c Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]
Process: System Address: 0x86062424 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8602c7ec Size: 11

Object: Hidden Code [Driver: Npfs, IRP_MJ_READ]
Process: System Address: 0x85dce63c Size: 11

Object: Hidden Code [Driver: Msfs, IRP_MJ_READ]
Process: System Address: 0x8603753c Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]
Process: System Address: 0x85dd8664 Size: 11

Object: Hidden Code [Driver: Cdfs, IRP_MJ_READ]
Process: System Address: 0x860874e4 Size: 11

Shadow SSDT
-------------------
#: 548 Function Name: NtUserSetWindowsHookAW
Status: Hooked by "<unknown>" at address 0x85150680

#: 549 Function Name: NtUserSetWindowsHookEx
Status: Hooked by "<unknown>" at address 0x851504a0

==EOF==

EDIT: Posts merged ~BP

Additionally...here is the MBRcheck log...it definitely seems to have found something...

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00003bfc

Kernel Drivers (total 142):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xF7B30000 \WINDOWS\system32\KDCOM.DLL
0xF7A40000 \WINDOWS\system32\BOOTVID.dll
0xF750C000 xmasbus.sys
0xF74DE000 ACPI.sys
0xF7B32000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74CD000 pci.sys
0xF7630000 isapnp.sys
0xF7640000 ohci1394.sys
0xF7650000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7BF8000 pciide.sys
0xF78B0000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7660000 MountMgr.sys
0xF74AE000 ftdisk.sys
0xF7B34000 dmload.sys
0xF7488000 dmio.sys
0xF78B8000 PartMgr.sys
0xF7670000 VolSnap.sys
0xF7470000
0xF7B36000 xmasscsi.sys
0xF7458000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7680000 disk.sys
0xF7690000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF7438000 fltmgr.sys
0xF76A0000 PxHelp20.sys
0xF7421000 KSecDD.sys
0xF740E000 WudfPf.sys
0xF7381000 Ntfs.sys
0xF7354000 NDIS.sys
0xF76B0000 sbp2port.sys
0xF733A000 Mup.sys
0xF7700000 \SystemRoot\system32\DRIVERS\processr.sys
0xF66BE000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF66AA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF79E8000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF6686000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF79F0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7710000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7720000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7730000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF6663000 \SystemRoot\system32\DRIVERS\ks.sys
0xF79F8000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF654A000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xF7B64000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7A00000 \SystemRoot\System32\Drivers\Modem.SYS
0xF6532000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xF7740000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6146000 \SystemRoot\system32\drivers\ALCXWDM.SYS
0xF6122000 \SystemRoot\system32\drivers\portcls.sys
0xF7750000 \SystemRoot\system32\drivers\drmk.sys
0xF610E000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7760000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7A08000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7A10000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7D19000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7B66000 \SystemRoot\System32\Drivers\RootMdm.sys
0xF7770000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7B28000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF60F7000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7780000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7790000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7A18000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF60E6000 \SystemRoot\system32\DRIVERS\psched.sys
0xF77A0000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7A20000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7A28000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7A30000 \SystemRoot\system32\DRIVERS\RimSerial.sys
0xF5343000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF77B0000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7B68000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF52E5000 \SystemRoot\system32\DRIVERS\update.sys
0xF72FE000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF5105000 \SystemRoot\system32\DRIVERS\TM_CFW.sys
0xF77C0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF687C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7B6A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7C80000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B6C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7908000 \SystemRoot\System32\drivers\vga.sys
0xF7B6E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B70000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7910000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7918000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7AF0000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF108A000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF1031000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF685C000 \??\C:\WINDOWS\system32\Drivers\NEOFLTR_630_13881.SYS
0xF684C000 \??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_12141.SYS
0xF1009000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF0FE7000 \SystemRoot\System32\drivers\afd.sys
0xF683C000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF0F32000 \SystemRoot\system32\DRIVERS\tmtdi.sys
0xF0F07000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF0E6F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF682C000 \SystemRoot\System32\Drivers\Fips.SYS
0xF0E49000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF681C000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF680C000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF7920000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF0DEB000 \SystemRoot\system32\DRIVERS\WPN111.sys
0xF7928000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xF7B14000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xF7930000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xF7938000 \SystemRoot\system32\DRIVERS\HPZius12.sys
0xF77D0000 \SystemRoot\system32\DRIVERS\HPZid412.sys
0xF52E1000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
0xF77F0000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xF0DAB000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7B74000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF52BD000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7940000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C5F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF051000 \SystemRoot\System32\ati2cqag.dll
0xBF08A000 \SystemRoot\System32\atikvmag.dll
0xBF0BF000 \SystemRoot\System32\ati3duag.dll
0xBF30C000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF0F97000 \SystemRoot\system32\DRIVERS\tmpreflt.sys
0xEEA51000 \SystemRoot\system32\DRIVERS\vsapint.sys
0xEE9E0000 \SystemRoot\system32\DRIVERS\tmxpflt.sys
0xF7970000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xEE9B4000 \SystemRoot\system32\DRIVERS\mdc8021x.sys
0xEE9B0000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEE75B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF7BB0000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xEE707000 \??\C:\WINDOWS\system32\drivers\tmcomm.sys
0xEE50E000 \SystemRoot\System32\Drivers\HTTP.sys
0xEE48F000 \SystemRoot\system32\DRIVERS\srv.sys
0xF79D8000 \SystemRoot\System32\Drivers\TDTCP.SYS
0xEDC9C000 \SystemRoot\System32\Drivers\RDPWD.SYS
0xEDBE7000 \SystemRoot\system32\drivers\wdmaud.sys
0xEE1B7000 \SystemRoot\system32\drivers\sysaudio.sys
0xEE32B000 \??\C:\WINDOWS\system32\DNINDIS5.SYS
0xEDD37000 \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys
0xED157000 \??\C:\WINDOWS\system32\drivers\tmactmon.sys
0xED0F0000 \??\C:\DOCUME~1\Owner\LOCALS~1\Temp\agdoypog.sys
0xEC7FD000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 59):
0 System Idle Process
4 System
1264 C:\WINDOWS\system32\smss.exe
1320 csrss.exe
1352 C:\WINDOWS\system32\winlogon.exe
1412 C:\WINDOWS\system32\services.exe
1424 C:\WINDOWS\system32\lsass.exe
1620 C:\WINDOWS\system32\ati2evxx.exe
1636 C:\WINDOWS\system32\svchost.exe
1708 svchost.exe
1904 C:\WINDOWS\system32\svchost.exe
1936 C:\WINDOWS\system32\svchost.exe
272 svchost.exe
332 svchost.exe
732 C:\WINDOWS\system32\spoolsv.exe
808 svchost.exe
860 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
896 C:\Program Files\Bonjour\mDNSResponder.exe
956 C:\WINDOWS\ehome\ehrecvr.exe
988 C:\WINDOWS\ehome\ehSched.exe
1072 C:\WINDOWS\system32\svchost.exe
1140 C:\Program Files\Java\jre6\bin\jqs.exe
1236 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
1792 C:\WINDOWS\system32\svchost.exe
1852 C:\WINDOWS\system32\svchost.exe
2584 C:\Trend Micro\Internet Security\SfCtlCom.exe
2624 svchost.exe
2680 C:\WINDOWS\system32\svchost.exe
3008 mcrdsvc.exe
3508 C:\WINDOWS\system32\ati2evxx.exe
3652 C:\WINDOWS\explorer.exe
328 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
944 C:\Trend Micro\Internet Security\UfSeAgnt.exe
1000 C:\iTunes\iTunesHelper.exe
1112 C:\WINDOWS\system32\ctfmon.exe
764 C:\BSAPRINT\Bsaprint.exe
2116 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
2160 C:\NETGEAR\WPN111\WPN111.exe
3592 C:\WINDOWS\system32\dllhost.exe
932 C:\Program Files\iPod\bin\iPodService.exe
3396 C:\Trend Micro\Internet Security\TmProxy.exe
268 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
468 C:\Trend Micro\Internet Security\TmPfw.exe
1964 alg.exe
200 C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
2744 C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
4448 C:\Trend Micro\BM\TMBMSRV.exe
5940 C:\Program Files\Internet Explorer\iexplore.exe
4332 C:\Program Files\Internet Explorer\iexplore.exe
5584 C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
2448 C:\Mozilla Firefox\firefox.exe
5400 C:\iTunes\iTunes.exe
3428 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
6028 C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
1884 C:\WINDOWS\system32\svchost.exe
4888 C:\Program Files\Internet Explorer\iexplore.exe
3988 C:\Program Files\Internet Explorer\iexplore.exe
3708 C:\Mozilla Firefox\plugin-container.exe
5668 C:\Documents and Settings\Owner\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\M: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST3320620AS, Rev: 3.AAE
PhysicalDrive5 Model Number: MaxtorOneTouch, Rev: 0121

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
SHA1: 4C73F18103C9BEEC7A59697F7C30E616317435F9
931 GB \\.\PhysicalDrive5 Unknown MBR code
SHA1: CEECB0630DEB98A912C967BD5561D0F2BFE7D8C6


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.

Enter your choice:

Done!

EDIT: Posts merged ~BP

Edited by Budapest, 19 August 2010 - 04:13 PM.
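The three logs in the post above point at one thing. MBRCheck labels the boot code on PhysicalDrive0 as a known infection (Whistler / Black Internet); RootRepeal reports an MBR rootkit on volume C:, a driver (agdoypog.sys) loaded from the user's Temp directory with no visible file, a second loaded module at 0xF7470000 with no name or path at all, SSDT entries hooked by an owner it cannot identify, and the entire IRP dispatch table of the atapi, Cdrom, usbstor and xmasscsi drivers redirected to a single hidden handler each; the fresh DDS log later in the thread adds a per-user IE proxy of 127.0.0.1:5555. The script below is an added example, not part of this thread and not code from RootRepeal, MBRCheck or DDS: it parses the plain text those tools print and ranks the indicators, so the same checks can be run over any report of this shape. The allow-list of drivers that are legitimately invisible and the sample log (constructed from the excerpts above, with the tools' original backslashes) are this example's own assumptions.

```python
"""Triage helper for RootRepeal, MBRCheck and DDS text logs (added example; not
from the thread above or from those tools).  It parses their plain-text reports
and ranks the indicators a malware-removal helper reads first."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity section detail")   # severity: "high" | "info"

# "File Visible: No" drivers that are normal on a clean XP box (assumed allow-list):
# crash-dump copies of the boot disk stack and RootRepeal's own driver.
BENIGN_INVISIBLE = {"dump_atapi.sys", "dump_wmilib.sys", "rootrepeal.sys"}

DRIVER_RE = re.compile(r"^Name: ?(?P<name>.*)\nImage Path: ?(?P<path>.*)\n"
                       r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: \d+ File Visible: (?P<vis>\w+)", re.M)
SSDT_RE = re.compile(r'^#: (?P<idx>\d+) Function Name: (?P<fn>\w+)\n'
                     r'Status: Hooked by "(?P<who>[^"]*)" at address (?P<addr>0x[0-9A-Fa-f]+)', re.M)
STEALTH_RE = re.compile(r"^Object: Hidden Code \[Driver: (?P<drv>[^,\]]+), IRP_MJ_\w+\]\n"
                        r"Process: \w+ Address: (?P<addr>0x[0-9A-Fa-f]+) Size: \d+", re.M)
MBR_RE = re.compile(r"^(?P<size>\d+ GB)\s+(?P<dev>\S*PhysicalDrive\d+)\s+(?P<status>.+)\n"
                    r"SHA1: (?P<sha>[0-9A-Fa-f]{40})", re.M)
ROOTKIT_RE = re.compile(r"^Path: (?P<path>.+)\nStatus: (?P<status>.*MBR Rootkit.*)$", re.M)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<proxy>.+)$", re.M)


def driver_findings(log):
    # A kernel driver under a Temp directory, or a loaded module with no image
    # file RootRepeal can see, is an indicator unless it is on the allow-list.
    out = []
    for m in DRIVER_RE.finditer(log):
        name = m["name"].strip() or "<unnamed>"
        path = m["path"].strip()
        if name.lower() in BENIGN_INVISIBLE:
            continue
        if "\\temp\\" in path.lower():
            out.append(Finding("high", "Drivers", f"{name}: kernel driver loaded from a Temp directory ({path})"))
        elif m["vis"].lower() != "yes":
            out.append(Finding("high", "Drivers", f"{name} at {m['addr']}: loaded module with no visible image file"))
    return out


def ssdt_findings(log):
    # A hook whose owner RootRepeal cannot attribute to a loaded module is "high".
    return [Finding("high" if m["who"] == "<unknown>" else "info", "SSDT",
                    f"{m['fn']} (#{int(m['idx'])}) hooked by {m['who']} at {m['addr']}")
            for m in SSDT_RE.finditer(log)]


def stealth_findings(log):
    per_driver = {}
    for m in STEALTH_RE.finditer(log):
        per_driver.setdefault(m["drv"], []).append(m["addr"])
    out = []
    for drv, addrs in per_driver.items():
        if len(addrs) > 1 and len(set(addrs)) == 1:   # whole dispatch table -> one hidden handler
            out.append(Finding("high", "Stealth Objects",
                               f"{drv}: {len(addrs)} IRP_MJ dispatch entries redirected to one handler at {addrs[0]}"))
        else:
            out.append(Finding("info", "Stealth Objects", f"{drv}: {len(addrs)} patched dispatch entries"))
    return out


def mbr_findings(log):
    out = [Finding("high", "Hidden/Locked Files", f"{m['path']}: {m['status']}") for m in ROOTKIT_RE.finditer(log)]
    for m in MBR_RE.finditer(log):
        status = m["status"].rstrip("!")
        sev = "high" if re.search(r"faked|infect", status, re.I) else "info"
        out.append(Finding(sev, "MBRCheck", f"{m['dev']} ({m['size']}): {status}; SHA1 {m['sha']}"))
    return out


def proxy_findings(log):
    # A per-user IE proxy on loopback routes every page through a local process.
    return [Finding("high" if re.search(r"127\.0\.0\.1|localhost", m["proxy"]) else "info",
                    "DDS", f"per-user IE proxy is {m['proxy'].strip()}") for m in PROXY_RE.finditer(log)]


def triage(log):
    """All findings, 'high' first, otherwise in log order."""
    found = driver_findings(log) + ssdt_findings(log) + stealth_findings(log) + mbr_findings(log) + proxy_findings(log)
    return sorted(found, key=lambda f: f.severity != "high")


# Constructed sample: excerpts of the RootRepeal, MBRCheck and DDS output posted
# in this thread (with the tools' original backslashes), joined into one text.
SAMPLE_LOG = r"""
Name:
Image Path:
Address: 0xF7470000 Size: 96512 File Visible: No Signed: -
Name: agdoypog.sys
Image Path: C:\DOCUME~1\Owner\LOCALS~1\Temp\agdoypog.sys
Address: 0xED0F0000 Size: 93056 File Visible: No Signed: -
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF0DAB000 Size: 98304 File Visible: No Signed: -
Path: Volume C:
Status: MBR Rootkit Detected!
#: 041 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x8514ece0
Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x863e8b8c Size: 11
Object: Hidden Code [Driver: atapi, IRP_MJ_READ]
Process: System Address: 0x863827a8 Size: 99
Object: Hidden Code [Driver: atapi, IRP_MJ_WRITE]
Process: System Address: 0x863827a8 Size: 99
298 GB \\.\PhysicalDrive0 MBR Code Faked (known infection: Whistler / Black Internet)!
SHA1: 4C73F18103C9BEEC7A59697F7C30E616317435F9
uInternet Settings,ProxyServer = http=127.0.0.1:5555
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:<4}] {f.section}: {f.detail}")
```

Run as-is it ranks the embedded sample; to triage a real case, pass the full text of the saved RootRepeal, MBRCheck and DDS reports (concatenated) to `triage()`. The one-handler test in `stealth_findings` is what separates a bootkit's wholesale redirection of a disk driver's dispatch table from the single-entry IRP_MJ_READ patches that filter drivers also produce, so the two get different severities.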



#2 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:11:55 PM
Posted 22 August 2010 - 04:11 AM

Hi,

If help is still needed, post the contents of fresh DDS logs, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Malware removal instructions provided here are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 Novastang

  • Topic Starter
  • Members
  • 18 posts
  • Local time:03:55 PM

Posted 22 August 2010 - 09:03 AM

Hello,

Here are the fresh logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 9:02:03.41 on Sun 08/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.246 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Trend Micro\Internet Security\SfCtlCom.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Trend Micro\Internet Security\UfSeAgnt.exe
C:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\BSAPRINT\Bsaprint.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Mozilla Firefox\firefox.exe
C:\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mybsa.org/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [hpqSRMon]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UfSeAgnt.exe] "c:\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bsapri~1.lnk - c:\bsaprint\Bsaprint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\netgear\wpn111\wpn111.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxps://chicagobsa.doubleknot.com/rosters/SAXFile.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {689ff870-2ac0-11d5-b634-00c04faedb18}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267569656435
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.mybsa.org/dana-cached/setup/JuniperSetupSP1.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\59tg2xy3.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx\divx web player\npdivx32.dll
FF - plugin: c:\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2008-9-30 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2008-9-30 5504]
R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);c:\windows\system32\drivers\NEOFLTR_600_12141.sys [2007-10-2 63024]
R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [2009-1-23 64480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-2-23 36368]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2010-1-9 17149]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-2-23 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-2-24 50704]
R3 TmPfw;Trend Micro Personal Firewall;c:\trend micro\internet security\TmPfw.exe [2010-2-24 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\trend micro\internet security\TmProxy.exe [2010-2-24 689416]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2010-1-9 384608]
S0 rhoikio;rhoikio;c:\windows\system32\drivers\xutrfide.sys --> c:\windows\system32\drivers\xutrfide.sys [?]
S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;c:\windows\system32\drivers\2862WICB.sys [2007-11-23 357632]

=============== Created Last 30 ================

2010-07-24 21:39:51 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 21:49:33 126280 ---ha-w- c:\windows\system32\mlfcache.dat
2008-09-12 15:47:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 9:02:53.26 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/23/2007 9:38:32 PM
System Uptime: 8/15/2010 5:21:44 PM (160 hours ago)

Motherboard: MSI | | ALBACORE
Processor: AMD Athlon™ 64 Processor 3500+ | Socket 939 | 2188/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 87.343 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is CDROM ()
I: is CDROM ()
J: is Removable
L: is Removable
M: is FIXED (NTFS) - 932 GiB total, 385.497 GiB free.
N: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A20103C&REV_10\3&61AAA01&0&A0
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A20103C&REV_10\3&61AAA01&0&A0
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

32 Bit HP CIO Components Installer
ABC Amber BlackBerry Converter
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.3
Agere Systems PCI Soft Modem
AiO_Scan
Alcohol 120%
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AutoUpdate
AVS DVD Player version 2.4
AVS4YOU Software Navigator 1.2
Azureus
BlackBerry Desktop Software 4.3
Bonjour
BSAPrint with Preview 1.48.44.01.04
BufferChm
C8100
C8100_Help
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner
Compatibility Pack for the 2007 Office system
Cool Edit Pro 2.0
Copy
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DocProc
DocProcQFolder
DVD Flick 1.3.0.7
DVD Shrink 3.2
eSupportQFolder
Fax
ffdshow [rev 2936] [2009-05-03]
FrostWire 4.13.3
GPBaseService
GPBaseService2
HandBrake 0.9.3
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 10.0
HP Image Zone 4.7
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart Essential 2.5
HP PSC & OfficeJet 4.7
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
ImgBurn
iTunes
Java™ 6 Update 14
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Juniper Networks Secure Application Manager
Lexmark 730 Series
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
MobileMe Control Panel
Mozilla Firefox (3.6.8)
MSVCSetup
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111
OCR Software by I.R.I.S. 10.0
Oracle JInitiator 1.1.8.10
PanoStandAlone
PrintMaster Platinum 18
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PSSWCORE
QFolder
QuickTime
Realtek AC'97 Audio
Roxio Media Manager
RoxioShim
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Shop for HP Supplies
SmartWebPrinting
SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter
SolutionCenter
Status
Swift Elite 3 Release 3.0
Toolbox
TrayApp
Trend Micro Internet Security
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoToolkit01
WD Diagnostics
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.3 final uninstall

==== Event Viewer Messages From Past Week ========

8/18/2010 6:21:07 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.2 with the system having network hardware address 70:1A:04:D4:97:EB. Network operations on this system may be disrupted as a result.
8/18/2010 6:20:48 PM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0026F28895D0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/17/2010 9:16:13 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.3 with the system having network hardware address D4:9A:20:93:60:E7. Network operations on this system may be disrupted as a result.
8/17/2010 4:09:33 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0026F28895D0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/15/2010 5:20:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/15/2010 5:17:19 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/15/2010 5:16:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NEOFLTR_600_12141 NEOFLTR_630_13881 NetBIOS NetBT Processor RasAcd Rdbss Tcpip tmtdi
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:06:14 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxcf_device service to connect.
8/15/2010 5:06:14 PM, error: Service Control Manager [7000] - The lxcf_device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/15/2010 5:06:14 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service lxcf_device with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E44106F}
8/15/2010 1:37:17 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
8/15/2010 1:36:03 PM, error: System Error [1003] - Error code 1000000a, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 805345d2.
8/15/2010 1:34:26 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/15/2010 1:29:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips Processor tmtdi

==== End Of File ===========================


#4 Blade81

Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Location: Finland)

Posted 22 August 2010 - 09:15 AM

Hi,

Azureus

The above listed programs are P2P file sharing programs. P2P downloads are nowadays one of the things that most likely bring infection into the system. My recommendation is to uninstall these P2P file sharing programs (and any others, if present).


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.


Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#5 Novastang (Topic Starter)

Novastang (Members, 18 posts)

Posted 22 August 2010 - 10:32 AM

Here is the Combofix log:

ComboFix 10-08-21.06 - Owner 08/22/2010 9:39.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.400 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

M:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
.

2010-07-24 21:39 . 2010-07-24 21:39 -------- d-----w- c:\program files\iPod
2010-07-24 21:32 . 2010-07-24 21:32 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 01:43 . 2008-08-08 07:55 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-07-24 21:39 . 2007-09-28 05:23 -------- d-----w- c:\program files\Common Files\Apple
2010-07-20 09:29 . 2008-04-24 21:27 -------- d-----w- c:\program files\Lx_cats
2010-07-07 15:53 . 2007-09-28 05:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2010-06-30 12:31 . 2004-08-10 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 00:05 . 2010-06-25 21:47 -------- d-----w- c:\documents and settings\Owner\Application Data\DVD Flick
2010-06-25 22:00 . 2010-06-25 21:59 -------- d-----w- c:\documents and settings\Owner\Application Data\ImgBurn
2010-06-25 21:54 . 2010-06-25 21:54 -------- d-----w- c:\program files\ImgBurn
2010-06-24 12:22 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-10 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2007-09-24 02:32 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 21:49 . 2010-06-06 21:49 126280 ---ha-w- c:\windows\system32\mlfcache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe" [2010-06-19 231888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"UfSeAgnt.exe"="c:\trend micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BSA Print.lnk - c:\bsaprint\Bsaprint.exe [2008-12-22 232960]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WPN111 Smart Wizard.lnk - c:\netgear\WPN111\wpn111.exe [2010-1-9 884795]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\BSAPRINT\\Bsaprint.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"7586:TCP"= 7586:TCP:Services
"7587:TCP"= 7587:TCP:Services

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [9/30/2008 2:27 PM 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [9/30/2008 2:27 PM 5504]
R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);c:\windows\system32\drivers\NEOFLTR_600_12141.sys [10/2/2007 6:51 PM 63024]
R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [1/23/2009 2:51 AM 64480]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/23/2010 6:30 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/23/2010 8:39 AM 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/24/2010 11:49 AM 50704]
R3 TmPfw;Trend Micro Personal Firewall;c:\trend micro\Internet Security\TmPfw.exe [2/24/2010 11:50 AM 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\trend micro\Internet Security\TmProxy.exe [2/24/2010 11:50 AM 689416]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [1/9/2010 1:51 AM 384608]
S0 rhoikio;rhoikio;c:\windows\system32\drivers\xutrfide.sys --> c:\windows\system32\drivers\xutrfide.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [1/9/2010 1:51 AM 17149]
S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;c:\windows\system32\drivers\2862WICB.sys [11/23/2007 10:43 AM 357632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mybsa.org/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {689ff870-2ac0-11d5-b634-00c04faedb18}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\59tg2xy3.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\itunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-hpqSRMon - (no file)
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-22 10:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x855FB78A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7694f28
\Driver\ACPI -> ACPI.sys @ 0xf74e4cb8
\Driver\atapi -> ntkrnlpa.exe @ 0x8057c2df
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1392)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-22 10:23:55
ComboFix-quarantined-files.txt 2010-08-22 15:23

Pre-Run: 94,168,276,992 bytes free
Post-Run: 94,917,001,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 3260A66C3439BAC5DAD2AF0DBE0BA6D1

Here are the DDS Files

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 10:30:52.45 on Sun 08/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.370 [GMT -5:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Trend Micro\Internet Security\SfCtlCom.exe
svchost.exe
C:\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\Trend Micro\Internet Security\TmProxy.exe
C:\Trend Micro\Internet Security\TmPfw.exe
C:\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Mozilla Firefox\firefox.exe
C:\NETGEAR\WPN111\wpn111.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://mybsa.org/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UfSeAgnt.exe] "c:\trend micro\internet security\UfSeAgnt.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [iTunesHelper] "c:\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bsapri~1.lnk - c:\bsaprint\Bsaprint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\netgear\wpn111\wpn111.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} - hxxps://chicagobsa.doubleknot.com/rosters/SAXFile.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {689ff870-2ac0-11d5-b634-00c04faedb18}
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1267569656435
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://secure.mybsa.org/dana-cached/setup/JuniperSetupSP1.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\59tg2xy3.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx\divx web player\npdivx32.dll
FF - plugin: c:\itunes\mozilla plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2008-9-30 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2008-9-30 5504]
R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);c:\windows\system32\drivers\NEOFLTR_600_12141.sys [2007-10-2 63024]
R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [2009-1-23 64480]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2010-2-23 36368]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2010-1-9 17149]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2010-2-23 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2010-2-24 50704]
R3 TmPfw;Trend Micro Personal Firewall;c:\trend micro\internet security\TmPfw.exe [2010-2-24 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\trend micro\internet security\TmProxy.exe [2010-2-24 689416]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2010-1-9 384608]
S0 rhoikio;rhoikio;c:\windows\system32\drivers\xutrfide.sys --> c:\windows\system32\drivers\xutrfide.sys [?]
S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;c:\windows\system32\drivers\2862WICB.sys [2007-11-23 357632]

=============== Created Last 30 ================

2010-08-22 14:33:35 0 d-sha-r- C:\cmdcons
2010-08-22 14:30:36 98816 ----a-w- c:\windows\sed.exe
2010-08-22 14:30:36 77312 ----a-w- c:\windows\MBR.exe
2010-08-22 14:30:36 256512 ----a-w- c:\windows\PEV.exe
2010-08-22 14:30:36 161792 ----a-w- c:\windows\SWREG.exe
2010-07-24 21:39:51 0 d-----w- c:\program files\iPod

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 21:49:33 126280 ---ha-w- c:\windows\system32\mlfcache.dat
2008-09-12 15:47:46 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 10:31:18.19 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 9/23/2007 9:38:32 PM
System Uptime: 8/22/2010 9:36:03 AM (1 hours ago)

Motherboard: MSI | | ALBACORE
Processor: AMD Athlon™ 64 Processor 3500+ | Socket 939 | 2188/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 88.462 GiB free.
D: is CDROM ()
E: is Removable
F: is Removable
G: is Removable
H: is CDROM ()
I: is CDROM ()
J: is Removable
L: is Removable
M: is FIXED (NTFS) - 932 GiB total, 385.497 GiB free.
N: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID:
Description: SM Bus Controller
Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A20103C&REV_10\3&61AAA01&0&A0
Manufacturer:
Name: SM Bus Controller
PNP Device ID: PCI\VEN_1002&DEV_4372&SUBSYS_2A20103C&REV_10\3&61AAA01&0&A0
Service:

==== System Restore Points ===================

RP1: 8/22/2010 9:30:53 AM - System Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
ABC Amber BlackBerry Converter
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.2.3
Agere Systems PCI Soft Modem
AIO_Scan
Alcohol 120%
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AutoUpdate
AVS DVD Player version 2.4
AVS4YOU Software Navigator 1.2
BlackBerry Desktop Software 4.3
Bonjour
BSAPrint with Preview 1.48.44.01.04
BufferChm
C8100
C8100_Help
Cards_Calendar_OrderGift_DoMorePlugout
CCleaner
Compatibility Pack for the 2007 Office system
Cool Edit Pro 2.0
Copy
Critical Update for Windows Media Player 11 (KB959772)
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DocProc
DocProcQFolder
DVD Flick 1.3.0.7
DVD Shrink 3.2
eSupportQFolder
Fax
ffdshow [rev 2936] [2009-05-03]
GPBaseService
GPBaseService2
HandBrake 0.9.3
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 10.0
HP Image Zone 4.7
HP Imaging Device Functions 10.0
HP Photosmart All-In-One Driver Software 10.0 Rel .2
HP Photosmart Essential 2.5
HP PSC & OfficeJet 4.7
HP Smart Web Printing 4.60
HP Solution Center 13.0
HP Update
HPPhotoSmartDiscLabel_PaperLabel
HPPhotoSmartDiscLabel_PrintOnDisc
HPPhotoSmartDiscLabelContent1
hpphotosmartdisclabelplugin
HPPhotoSmartPhotobookWebPack1
HPProductAssistant
HPSSupply
ImgBurn
iTunes
Java™ 6 Update 14
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Juniper Networks Secure Application Manager
Lexmark 730 Series
Malwarebytes' Anti-Malware
MarketResearch
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
MobileMe Control Panel
Mozilla Firefox (3.6.8)
MSVCSetup
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
NETGEAR RangeMax™ Wireless USB 2.0 Adapter WPN111
OCR Software by I.R.I.S. 10.0
Oracle JInitiator 1.1.8.10
PanoStandAlone
PrintMaster Platinum 18
PS_AIO_02_ProductContext
PS_AIO_02_Software
PS_AIO_02_Software_Min
PSSWCORE
QFolder
QuickTime
Realtek AC'97 Audio
Roxio Media Manager
RoxioShim
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Shop for HP Supplies
SmartWebPrinting
SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter
SolutionCenter
Status
Swift Elite 3 Release 3.0
Toolbox
TrayApp
Trend Micro Internet Security
UnloadSupport
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VideoToolkit01
WD Diagnostics
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
Xvid 1.1.3 final uninstall

==== Event Viewer Messages From Past Week ========

8/22/2010 9:58:56 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: No more results can be returned by WSALookupServiceNext. (0x80072776)
8/22/2010 9:43:54 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: No more results can be returned by WSALookupServiceNext. (0x80072776)
8/22/2010 9:36:49 AM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
8/22/2010 9:23:17 AM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).
8/22/2010 10:28:57 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: No more results can be returned by WSALookupServiceNext. (0x80072776)
8/18/2010 6:21:07 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.2 with the system having network hardware address 70:1A:04:D4:97:EB. Network operations on this system may be disrupted as a result.
8/18/2010 6:20:48 PM, error: Dhcp [1002] - The IP address lease 192.168.1.3 for the Network Card with network address 0026F28895D0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/17/2010 9:16:13 PM, error: Tcpip [4199] - The system detected an address conflict for IP address 192.168.1.3 with the system having network hardware address D4:9A:20:93:60:E7. Network operations on this system may be disrupted as a result.
8/17/2010 4:09:33 PM, error: Dhcp [1002] - The IP address lease 192.168.1.2 for the Network Card with network address 0026F28895D0 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
8/15/2010 5:23:52 PM, error: Service Control Manager [7022] - The HP CUE DeviceDiscovery Service service hung on starting.
8/15/2010 5:21:25 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/15/2010 5:20:21 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
8/15/2010 5:19:06 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
8/15/2010 5:16:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NEOFLTR_600_12141 NEOFLTR_630_13881 NetBIOS NetBT Processor RasAcd Rdbss Tcpip tmtdi
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 5:11:56 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service lxcf_device with arguments "" in order to run the server: {323CE21C-A448-40AA-BA74-7FCF1E44106F}
8/15/2010 5:11:40 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the lxcf_device service to connect.
8/15/2010 5:11:40 PM, error: Service Control Manager [7000] - The lxcf_device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/15/2010 1:36:03 PM, error: System Error [1003] - Error code 1000000a, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 805345d2.
8/15/2010 1:29:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips Processor tmtdi

==== End Of File ===========================
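
The Event Viewer section above reads newest-first, so the story is easier to see once the lines are re-sorted: on 8/15 a boot where the TCP/IP stack (AFD, Tcpip, NetBT, IPSec, MRxSmb) and tmtdi all failed to load, a System Error 1003 with code 1000000a (the 0xA IRQL_NOT_LESS_OR_EQUAL bugcheck, consistent with the blue screens reported during scans), and later the DNS-lookup failures from W32Time. The script below is an added example of my own, not part of DDS or of this post: it parses lines in the format DDS prints, counts them by source and event ID, pulls the driver names out of every Service Control Manager 7026 event, and flags the ones on a small watch list. The watch list is mine; tmtdi is on it because the installed-programs list above shows Trend Micro Internet Security, whose drivers use the tm prefix. The sample lines are copied in shape from the post and embedded so the script runs offline.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: Event Viewer lines in the format DDS writes them,
# copied in shape from the post above. Paste a full section in to triage
# a real log.
SAMPLE_EVENTS = """\
8/22/2010 9:36:49 AM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
8/15/2010 5:16:54 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips IPSec MRxSmb NEOFLTR_600_12141 NEOFLTR_630_13881 NetBIOS NetBT Processor RasAcd Rdbss Tcpip tmtdi
8/15/2010 5:16:54 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
8/15/2010 1:36:03 PM, error: System Error [1003] - Error code 1000000a, parameter1 00000000, parameter2 00000002, parameter3 00000000, parameter4 805345d2.
8/15/2010 1:29:27 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips Processor tmtdi
8/22/2010 10:28:57 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: No more results can be returned by WSALookupServiceNext. (0x80072776)
"""

# "M/D/YYYY H:MM:SS AM, level: Source [EventID] - message"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)

# My triage list, not something DDS computes: the XP TCP/IP stack, whose
# failure takes the box offline, plus tmtdi, which the installed-programs
# list suggests belongs to Trend Micro Internet Security.
WATCHED_DRIVERS = {"AFD", "Tcpip", "NetBT", "IPSec", "MRxSmb", "tmtdi"}


def parse_events(text):
    """Return parsed events in chronological order (the log is newest-first)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # blank lines, section headers, wrapped continuations
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%m/%d/%Y %I:%M:%S %p")
        e["eid"] = int(e["eid"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def failed_boot_drivers(events):
    """(timestamp, set of driver names) for every SCM 7026 event."""
    out = []
    for e in events:
        if e["source"] == "Service Control Manager" and e["eid"] == 7026:
            _, _, names = e["msg"].partition("failed to load:")
            out.append((e["ts"], set(names.split())))
    return out


def bugchecks(events):
    """Stop codes from System Error 1003 events, as integers."""
    codes = []
    for e in events:
        if e["source"] == "System Error" and e["eid"] == 1003:
            m = re.search(r"Error code ([0-9a-fA-F]+)", e["msg"])
            if m:
                codes.append(int(m.group(1), 16))
    return codes


def triage(text):
    events = parse_events(text)
    counts = Counter((e["source"], e["eid"]) for e in events)
    flagged = [(ts, sorted(names & WATCHED_DRIVERS))
               for ts, names in failed_boot_drivers(events) if names & WATCHED_DRIVERS]
    return {"counts": dict(counts), "flagged": flagged, "bugchecks": bugchecks(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for (src, eid), n in sorted(report["counts"].items()):
        print(f"{src} [{eid}]: {n}")
    for ts, names in report["flagged"]:
        print(ts, "boot-start driver(s) failed:", " ".join(names))
    for code in report["bugchecks"]:
        # 1003 reports the bugcheck code with a flag in the top byte; 0xA is IRQL_NOT_LESS_OR_EQUAL
        tag = " (IRQL_NOT_LESS_OR_EQUAL)" if (code & 0x00FFFFFF) == 0xA else ""
        print(f"bugcheck 0x{code:08X}{tag}")
```

A boot where the whole network stack fails alongside the security vendor's filter driver can also be the fallout of a scan that crashed mid-way, so treat the flagged events as a lead to correlate with the rootkit scans that follow, not as a verdict on their own.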



#6 Novastang (Topic Starter, Members, 18 posts)

Posted 22 August 2010 - 10:35 AM

Also, FYI, when I opened up my browser to post these logs--the infomoneyservice windows attempted to open again.

#7 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 22 August 2010 - 11:13 AM

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
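
The helpasst -mbrt step in the instructions above wraps GMER's MBR detector, and its verdict lines ("user: MBR read successfully", "kernel: MBR read successfully", "user & kernel MBR OK") describe one check: the first sector of the disk is obtained through two different paths and the two copies must match byte for byte, because an MBR bootkit that filters disk reads hands the normal path a clean copy while the real sector carries its patched boot code. The script below is an added example of my own, not GMER's or the HelpAsst tool's code. It builds a constructed 512-byte MBR, validates the 0x55AA signature and decodes the partition table, then compares two views of the sector and reports where they differ; the "patched" view simply redirects the first jump, which is the shape of the change such a bootkit makes.

```python
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xAA"
# One partition entry: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY_FMT = "<B3sB3sII"


def build_mbr(boot_code, partitions):
    """Constructed MBR: 446 bytes of boot code, four 16-byte entries, 0x55AA.
    partitions: list of (bootable, type_id, lba_start, sector_count)."""
    code = boot_code.ljust(446, b"\x00")[:446]
    entries = []
    for i in range(4):
        if i < len(partitions):
            bootable, ptype, start, count = partitions[i]
            # CHS fields are zeroed; modern loaders use the LBA fields.
            entries.append(struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00,
                                       b"\x00" * 3, ptype, b"\x00" * 3, start, count))
        else:
            entries.append(b"\x00" * 16)
    return code + b"".join(entries) + BOOT_SIG


def parse_mbr(sector):
    """Validate the boot signature and decode the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0x00:  # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": start, "sectors": count})
    return parts


def compare_reads(user_view, kernel_view):
    """The 'user & kernel MBR OK' idea: the same sector obtained through two
    paths must match. A mismatch means something is filtering one path, and
    the region of the first difference says what it touched."""
    if user_view == kernel_view:
        return {"status": "OK", "diff_offsets": []}
    diffs = [i for i in range(MBR_SIZE) if user_view[i] != kernel_view[i]]
    first = diffs[0]
    region = "boot code" if first < 446 else "partition table" if first < 510 else "signature"
    return {"status": "MISMATCH", "first_diff": first, "region": region, "diff_offsets": diffs}


# Constructed sectors for the demo: a clean MBR with one bootable NTFS (0x07)
# partition, and a copy whose first instruction (a short jump over the BPB
# area) has been replaced by a near jump elsewhere.
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90" + b"\x33\xC0\x8E\xD0\xBC\x00\x7C",
                      [(True, 0x07, 63, 1_000_000)])
PATCHED_MBR = b"\xE9\x00\x01" + CLEAN_MBR[3:]

if __name__ == "__main__":
    print(parse_mbr(CLEAN_MBR))
    print(compare_reads(CLEAN_MBR, CLEAN_MBR))     # what a clean box reports
    print(compare_reads(CLEAN_MBR, PATCHED_MBR))   # what a filtered read looks like
```

The partition table surviving intact while the boot code differs is the usual bootkit signature; a difference confined to the last two bytes or the table is more often a damaged or foreign disk than malware. Note that reading a real disk's first sector needs raw device access (\\.\PhysicalDrive0 on Windows), which this offline example deliberately does not do.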


#8 Novastang (Topic Starter, Members, 18 posts)

Posted 22 August 2010 - 12:18 PM

Here is the requested log:

C:\Documents and Settings\Owner\Desktop\HelpAsst_mebroot_fix.exe
Sun 08/22/2010 at 11:53:58.53

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 08/22/2010 at 12:16:07.73

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8563678A]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4788:TCP"=4788:TCP:*:Enabled:Services
"8076:TCP"=8076:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4788:TCP"=4788:TCP:*:Enabled:Services
"8076:TCP"=8076:TCP:*:Enabled:Services


~~ EOF ~~


#9 Novastang (Topic Starter, Members, 18 posts)

Posted 22 August 2010 - 12:20 PM

Forgot to do the -f one...stand by....

#10 Novastang (Topic Starter, Members, 18 posts)

Posted 22 August 2010 - 12:37 PM

My apologies...here's the correct log:

C:\Documents and Settings\Owner\Desktop\HelpAsst_mebroot_fix.exe
Sun 08/22/2010 at 12:21:04.82

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sun 08/22/2010 at 12:36:08.40

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8565478A]<<
kernel: MBR read successfully
user & kernel MBR OK

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4788:TCP"=4788:TCP:*:Enabled:Services
"8076:TCP"=8076:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4788:TCP"=4788:TCP:*:Enabled:Services
"8076:TCP"=8076:TCP:*:Enabled:Services


~~ EOF ~~
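
The MBR verdict in the log above is clean, but the firewall section deserves a second look: besides Remote Desktop on 3389, both profiles carry enabled exceptions for 65533, 52344, 4788 and 8076 TCP, open to any address and labelled only "Services". Windows and well-behaved installers give their exceptions descriptive names, so throwaway labels on high ports are exactly what a backdoor leaves behind when it punches its own holes in the XP firewall. The script below is an added example of my own, not part of the HelpAsst tool: it parses the GloballyOpenPorts\List lines in the format the log prints (port:protocol:scope:state:name), flags enabled any-address rules with a generic label, and separately reports where 3389 is open, which matters on a box where the same tool is checking for a HelpAssistant/termsrv backdoor. The generic-label heuristic is mine, and the sample is copied from the log so the script runs offline.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HelpAsst log's firewall section,
# copied from the post above.
SAMPLE_REG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4788:TCP"=4788:TCP:*:Enabled:Services
"8076:TCP"=8076:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"4788:TCP"=4788:TCP:*:Enabled:Services
"8076:TCP"=8076:TCP:*:Enabled:Services
"""

# Key line gives the profile; each value is port:proto:scope:state:name
KEY_RE = re.compile(r"^\[HKLM\\.*?firewallpolicy\\(?P<profile>\w+)\\GloballyOpenPorts\\List\]$", re.I)
VAL_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]*):'
                    r'(?P<state>Enabled|Disabled):(?P<desc>.*)$', re.I)


@dataclass(frozen=True)
class PortRule:
    profile: str
    port: int
    proto: str
    scope: str
    enabled: bool
    desc: str


def parse_open_ports(text):
    rules, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            profile = k.group("profile").lower()
            continue
        v = VAL_RE.match(line)
        if v and profile:
            rules.append(PortRule(profile, int(v.group("port")), v.group("proto").upper(),
                                  v.group("scope"), v.group("state").lower() == "enabled",
                                  v.group("desc").strip()))
    return rules


# Heuristic, and mine rather than the tool's: an enabled exception open to
# any address ("*" scope) whose label says nothing about who opened it.
GENERIC_LABELS = {"", "services", "service", "port", "open"}


def suspicious_rules(rules):
    out = []
    for r in rules:
        label = r.desc.lower()
        generic = label in GENERIC_LABELS or label == str(r.port)
        if r.enabled and r.scope == "*" and generic:
            out.append(r)
    return out


def summarize(text):
    rules = parse_open_ports(text)
    flagged = suspicious_rules(rules)
    return {
        "total": len(rules),
        "flagged": sorted((r.profile, r.port, r.proto) for r in flagged),
        "rdp_any_scope": sorted({r.profile for r in rules
                                 if r.port == 3389 and r.enabled and r.scope == "*"}),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REG)
    print(f"{s['total']} open-port rules, {len(s['flagged'])} flagged")
    for profile, port, proto in s["flagged"]:
        print(f"  {profile}: {port}/{proto} open to any address with a generic label")
    print("RDP (3389) open to any address in:", ", ".join(s["rdp_any_scope"]) or "none")
```

Flagged rules are a lead, not proof: the next step is to find out which process is listening on those ports (netstat -ano on XP) before deleting the exceptions, since removing the rule without removing the listener just hides the symptom.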


#11 Blade81 (Bleepin' Rocker, Malware Response Team, 6,465 posts, Finland)

Posted 22 August 2010 - 02:45 PM

Hi,

1. Download TDSSKiller and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select cure and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)


#12 Novastang (Topic Starter, Members, 18 posts)

Posted 22 August 2010 - 05:15 PM

Hello,

TDSSKiller did find one backdoor trojan that it cured. Here is the log upon scanning again after the reboot:

2010/08/22 17:12:48.0000 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/22 17:12:48.0000 ================================================================================
2010/08/22 17:12:48.0000 SystemInfo:
2010/08/22 17:12:48.0000
2010/08/22 17:12:48.0000 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/22 17:12:48.0000 Product type: Workstation
2010/08/22 17:12:48.0000 ComputerName: JASON-PC
2010/08/22 17:12:48.0000 UserName: Owner
2010/08/22 17:12:48.0000 Windows directory: C:\WINDOWS
2010/08/22 17:12:48.0000 System windows directory: C:\WINDOWS
2010/08/22 17:12:48.0000 Processor architecture: Intel x86
2010/08/22 17:12:48.0000 Number of processors: 1
2010/08/22 17:12:48.0000 Page size: 0x1000
2010/08/22 17:12:48.0000 Boot type: Normal boot
2010/08/22 17:12:48.0000 ================================================================================
2010/08/22 17:12:48.0109 Initialize success
2010/08/22 17:13:08.0812 ================================================================================
2010/08/22 17:13:08.0812 Scan started
2010/08/22 17:13:08.0812 Mode: Manual;
2010/08/22 17:13:08.0812 ================================================================================
2010/08/22 17:13:09.0093 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/22 17:13:09.0171 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/22 17:13:09.0250 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/22 17:13:09.0296 AegisP (91f3df93f40a74d222cd166fe95db633) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2010/08/22 17:13:09.0359 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/22 17:13:09.0468 AgereSoftModem (994a42d273c35b43ee9d1e8a5d8bc639) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
2010/08/22 17:13:09.0859 ALCXWDM (071757a906c7b3500916548e6fd8870b) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2010/08/22 17:13:10.0078 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/22 17:13:10.0265 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/22 17:13:10.0343 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/22 17:13:10.0500 ati2mtag (7a6cf9f411a9c5bd5c442a1cd46af401) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/08/22 17:13:10.0609 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/22 17:13:10.0687 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/22 17:13:10.0781 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/22 17:13:11.0031 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/22 17:13:11.0125 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/22 17:13:11.0203 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/22 17:13:11.0296 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/22 17:13:11.0562 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/22 17:13:11.0656 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/22 17:13:11.0703 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/22 17:13:11.0765 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/22 17:13:11.0859 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/22 17:13:11.0921 DNINDIS5 (d2ee54cdbced01d48f2b18642be79a98) C:\WINDOWS\system32\DNINDIS5.SYS
2010/08/22 17:13:12.0031 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/22 17:13:12.0093 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/22 17:13:12.0156 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/22 17:13:12.0234 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/22 17:13:12.0296 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/22 17:13:12.0390 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/22 17:13:12.0421 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/22 17:13:12.0500 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/22 17:13:12.0578 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/08/22 17:13:12.0687 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/22 17:13:12.0765 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/22 17:13:12.0906 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/08/22 17:13:12.0968 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/08/22 17:13:13.0062 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/08/22 17:13:13.0140 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/22 17:13:13.0328 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/22 17:13:13.0390 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/22 17:13:13.0546 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/22 17:13:13.0609 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/22 17:13:13.0656 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/22 17:13:13.0750 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/22 17:13:13.0843 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/22 17:13:13.0890 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/22 17:13:13.0968 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/22 17:13:14.0062 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/22 17:13:14.0140 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/22 17:13:14.0187 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/22 17:13:14.0328 MDC8021X (d7010580bf4e45d5e793a1fe75758c69) C:\WINDOWS\system32\DRIVERS\mdc8021x.sys
2010/08/22 17:13:14.0406 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
2010/08/22 17:13:14.0484 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/22 17:13:14.0562 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/22 17:13:14.0640 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/22 17:13:14.0703 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/22 17:13:14.0781 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/22 17:13:14.0875 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/22 17:13:14.0968 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/22 17:13:15.0015 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/22 17:13:15.0078 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/22 17:13:15.0156 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/22 17:13:15.0203 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/22 17:13:15.0250 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/22 17:13:15.0296 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/22 17:13:15.0390 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/22 17:13:15.0453 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/22 17:13:15.0531 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/22 17:13:15.0593 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/22 17:13:15.0687 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/22 17:13:15.0765 NEOFLTR_600_12141 (f3b906bb6f7f44b16bd745f093c46ff2) C:\WINDOWS\system32\Drivers\NEOFLTR_600_12141.SYS
2010/08/22 17:13:15.0828 NEOFLTR_630_13881 (a22aa82f9ffc11cf716857ca855a0b9f) C:\WINDOWS\system32\Drivers\NEOFLTR_630_13881.SYS
2010/08/22 17:13:15.0890 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/22 17:13:15.0937 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/22 17:13:16.0062 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/22 17:13:16.0109 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/22 17:13:16.0203 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/22 17:13:16.0296 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/22 17:13:16.0390 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/22 17:13:16.0437 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/22 17:13:16.0531 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/22 17:13:16.0593 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/22 17:13:16.0656 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/22 17:13:16.0750 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/22 17:13:16.0812 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/22 17:13:16.0906 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/08/22 17:13:16.0953 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/22 17:13:17.0265 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/22 17:13:17.0359 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/08/22 17:13:17.0406 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/22 17:13:17.0453 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/22 17:13:17.0531 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/22 17:13:17.0859 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/22 17:13:17.0921 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/22 17:13:18.0015 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/22 17:13:18.0062 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/22 17:13:18.0156 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/22 17:13:18.0187 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/22 17:13:18.0281 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/08/22 17:13:18.0375 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/22 17:13:18.0468 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/22 17:13:18.0609 RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\WINDOWS\system32\Drivers\RimUsb.sys
2010/08/22 17:13:18.0687 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2010/08/22 17:13:18.0765 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2010/08/22 17:13:18.0906 RTL8023xp (e0cd8c78f70accb2f1f21343fbbd3b54) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2010/08/22 17:13:18.0968 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2010/08/22 17:13:19.0015 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2010/08/22 17:13:19.0125 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/22 17:13:19.0218 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2010/08/22 17:13:19.0296 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/22 17:13:19.0453 SMC2862W (389361ab493b381bd78d7d85c2fae6d2) C:\WINDOWS\system32\DRIVERS\2862WICB.sys
2010/08/22 17:13:19.0531 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/22 17:13:19.0625 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/22 17:13:19.0703 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/22 17:13:19.0781 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/22 17:13:19.0812 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/22 17:13:20.0125 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/22 17:13:20.0187 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/22 17:13:20.0281 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/22 17:13:20.0359 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/22 17:13:20.0421 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/22 17:13:20.0515 tmactmon (582f43830daa5d9aad7aa514843d8905) C:\WINDOWS\system32\drivers\tmactmon.sys
2010/08/22 17:13:20.0625 tmcfw (fcfa40e475ff5549f5cd335f4046aba4) C:\WINDOWS\system32\DRIVERS\TM_CFW.sys
2010/08/22 17:13:20.0750 tmcomm (949ef0df929a71d6cc77494dfcb1ddeb) C:\WINDOWS\system32\drivers\tmcomm.sys
2010/08/22 17:13:20.0812 tmevtmgr (9d38ac83d56f9b5274a65d2666da9779) C:\WINDOWS\system32\drivers\tmevtmgr.sys
2010/08/22 17:13:20.0906 tmpreflt (c7c7959ec0940e0eddfc881fed8ec214) C:\WINDOWS\system32\DRIVERS\tmpreflt.sys
2010/08/22 17:13:21.0000 tmtdi (44c262c1b2412ded35078b6166d2acc2) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
2010/08/22 17:13:21.0046 tmxpflt (3e615f370f0c7db414b6bcd1c18399d4) C:\WINDOWS\system32\DRIVERS\tmxpflt.sys
2010/08/22 17:13:21.0156 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/22 17:13:21.0265 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/22 17:13:21.0343 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/08/22 17:13:21.0437 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/08/22 17:13:21.0500 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/22 17:13:21.0593 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/22 17:13:21.0656 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/08/22 17:13:21.0703 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/08/22 17:13:21.0781 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/08/22 17:13:21.0843 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/22 17:13:21.0890 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/22 17:13:22.0000 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/22 17:13:22.0109 vsapint (60dfbc34228ca36221b03460789f5d4e) C:\WINDOWS\system32\DRIVERS\vsapint.sys
2010/08/22 17:13:22.0203 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/22 17:13:22.0281 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/22 17:13:22.0437 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/08/22 17:13:22.0500 WPN111 (56fb00bec891a38b54c68e52bce2b0a4) C:\WINDOWS\system32\DRIVERS\WPN111.sys
2010/08/22 17:13:22.0625 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/22 17:13:22.0687 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/22 17:13:22.0734 xmasbus (ddd8286b88fe764ad2a8bd171e7b569a) C:\WINDOWS\system32\DRIVERS\xmasbus.sys
2010/08/22 17:13:22.0750 xmasscsi (2222677f06fb7fbe44b04316437585d2) C:\WINDOWS\system32\Drivers\xmasscsi.sys
2010/08/22 17:13:22.0812 ================================================================================
2010/08/22 17:13:22.0812 Scan finished
2010/08/22 17:13:22.0812 ================================================================================


#13 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 22 August 2010 - 11:38 PM

Hi,

Please run ComboFix again (let it update itself) and post back its report.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#14 Novastang

  • Topic Starter

  • Members
  • 18 posts

Posted 23 August 2010 - 05:57 AM

Hello, here's the latest log:

ComboFix 10-08-22.05 - Owner 08/23/2010 5:19.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.564 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-22 22:06 . 2010-08-22 22:12 -------- d-----w- C:\TDSKiller
2010-08-22 16:21 . 2010-08-22 16:21 -------- d-----w- C:\HelpAsst_backup
2010-07-24 21:39 . 2010-07-24 21:39 -------- d-----w- c:\program files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-16 01:43 . 2008-08-08 07:55 -------- d-----w- c:\documents and settings\Owner\Application Data\HPAppData
2010-07-24 21:39 . 2007-09-28 05:23 -------- d-----w- c:\program files\Common Files\Apple
2010-07-24 21:32 . 2010-07-24 21:32 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-20 09:29 . 2008-04-24 21:27 -------- d-----w- c:\program files\Lx_cats
2010-07-07 15:53 . 2007-09-28 05:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2010-06-30 12:31 . 2004-08-10 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 00:05 . 2010-06-25 21:47 -------- d-----w- c:\documents and settings\Owner\Application Data\DVD Flick
2010-06-25 22:00 . 2010-06-25 21:59 -------- d-----w- c:\documents and settings\Owner\Application Data\ImgBurn
2010-06-25 21:54 . 2010-06-25 21:54 -------- d-----w- c:\program files\ImgBurn
2010-06-24 12:22 . 2004-08-10 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-10 12:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-10 12:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 12:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2007-09-24 02:32 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 12:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-06 21:49 . 2010-06-06 21:49 126280 ---ha-w- c:\windows\system32\mlfcache.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-08-22_15.20.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-08-23 10:16 . 2010-08-23 10:16 16384 c:\windows\Temp\Perflib_Perfdata_a88.dat
+ 2010-08-23 10:16 . 2010-08-23 10:16 16384 c:\windows\Temp\Perflib_Perfdata_710.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-14 344064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"UfSeAgnt.exe"="c:\trend micro\Internet Security\UfSeAgnt.exe" [2010-01-26 1020248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"iTunesHelper"="c:\itunes\iTunesHelper.exe" [2010-07-21 141608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BSA Print.lnk - c:\bsaprint\Bsaprint.exe [2008-12-22 232960]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WPN111 Smart Wizard.lnk - c:\netgear\WPN111\wpn111.exe [2010-1-9 884795]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=c:\windows\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\BSAPRINT\\Bsaprint.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"4788:TCP"= 4788:TCP:Services
"8076:TCP"= 8076:TCP:Services

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [9/30/2008 2:27 PM 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [9/30/2008 2:27 PM 5504]
R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);c:\windows\system32\drivers\NEOFLTR_600_12141.sys [10/2/2007 6:51 PM 63024]
R1 NEOFLTR_630_13881;Juniper Networks TDI Filter Driver (NEOFLTR_630_13881);c:\windows\system32\drivers\NEOFLTR_630_13881.sys [1/23/2009 2:51 AM 64480]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2/23/2010 6:30 AM 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2/23/2010 8:39 AM 339984]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/24/2010 11:49 AM 50704]
R3 TmPfw;Trend Micro Personal Firewall;c:\trend micro\Internet Security\TmPfw.exe [2/24/2010 11:50 AM 497008]
R3 TmProxy;Trend Micro Proxy Service;c:\trend micro\Internet Security\TmProxy.exe [2/24/2010 11:50 AM 689416]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [1/9/2010 1:51 AM 384608]
S0 rhoikio;rhoikio;c:\windows\system32\drivers\xutrfide.sys --> c:\windows\system32\drivers\xutrfide.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [1/9/2010 1:51 AM 17149]
S3 SMC2862W;SMC2862W-G EZ Connect g 2.4Ghz 802.11g Wireless USB 2.0 Adapter Driver;c:\windows\system32\drivers\2862WICB.sys [11/23/2007 10:43 AM 357632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mybsa.org/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: {689ff870-2ac0-11d5-b634-00c04faedb18}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\59tg2xy3.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://gmail.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - plugin: c:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\itunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 05:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86148008]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7694f28
\Driver\ACPI -> ACPI.sys @ 0xf74e4cb8
\Driver\atapi -> 0x86148008
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x025429800
malicious code @ sector 0x025429803 !
PE file found in sector at 0x025429819 !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1384)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-23 05:42:36
ComboFix-quarantined-files.txt 2010-08-23 10:42
ComboFix2.txt 2010-08-22 15:23

Pre-Run: 93,065,363,456 bytes free
Post-Run: 93,903,679,488 bytes free

- - End Of File - - 69EE4E6E8AAD1E78DF85D9BD48CFDC64

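Added example, not part of this thread and not ComboFix's own code: a small Python triage script that reads lines copied from the ComboFix log above and flags the items a helper looks for in it, namely the browser proxy pointed at 127.0.0.1, the vaguely labelled high ports opened in the firewall policy, the disabled Windows firewall, and the S0 service whose driver file is missing on disk. The line formats, regexes and the port-label allow list are inferred from the posted log (assumptions), not taken from any ComboFix specification.

```python
"""Triage helper for a ComboFix log excerpt.

Added example: not part of this thread and not ComboFix's own code. The line
formats below are inferred from the log posted above (an assumption).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"4788:TCP"= 4788:TCP:Services
"8076:TCP"= 8076:TCP:Services

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [9/30/2008 2:27 PM 140800]
S0 rhoikio;rhoikio;c:\windows\system32\drivers\xutrfide.sys --> c:\windows\system32\drivers\xutrfide.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [1/9/2010 1:51 AM 17149]

uStart Page = hxxp://mybsa.org/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
"""

# "3389:TCP"= 3389:TCP:Remote Desktop  -> port, protocol, rule label
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
# R0 name;display name;path [date size] -> start type, name, display, rest
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')
PROXY_RE = re.compile(r'^uInternet Settings,ProxyServer\s*=\s*(.+)$')

# Rule labels naming a real Windows feature; any other rule on a high port is
# reported for a human to look at (assumption: a home PC, not a server).
KNOWN_PORT_LABELS = {"Remote Desktop"}


@dataclass(frozen=True)
class Finding:
    kind: str    # local_proxy | open_port | missing_driver | firewall_off
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious items in a ComboFix log excerpt, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            proxy = m.group(1)
            # A proxy on the loopback address puts a local process between the
            # browser and every site it visits (the login-page redirection
            # described at the top of this thread).
            if "127.0.0.1" in proxy or "localhost" in proxy.lower():
                findings.append(Finding("local_proxy", proxy))
        elif m := PORT_RE.match(line):
            port, proto, label = int(m.group(1)), m.group(2), m.group(3).strip()
            if port >= 1024 and label not in KNOWN_PORT_LABELS:
                findings.append(Finding("open_port", f"{port}/{proto} ({label})"))
        elif m := SERVICE_RE.match(line):
            start, name, _display, rest = m.groups()
            # ComboFix prints "path --> path [?]" when the image file cannot be
            # found on disk; a registered driver that is not there (hidden or
            # deleted) is a classic rootkit marker.
            if rest.rstrip().endswith("[?]"):
                path = rest.split("-->")[0].strip()
                findings.append(Finding("missing_driver", f"{start} {name}: {path}"))
        elif line.startswith('"EnableFirewall"='):
            if line.split("=", 1)[1].strip().startswith("0"):
                findings.append(Finding("firewall_off", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group finding details by kind, preserving log order within each kind."""
    grouped: dict[str, list[str]] = {}
    for f in findings:
        grouped.setdefault(f.kind, []).append(f.detail)
    return grouped


if __name__ == "__main__":
    for kind, details in summarize(triage(SAMPLE_LOG)).items():
        print(kind, details)
```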

#15 Blade81


    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 23 August 2010 - 12:32 PM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

CODE
Driver::
rhoikio
Rootkit::
c:\windows\system32\drivers\xutrfide.sys
DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride = <local>;*.local
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-
"4788:TCP"=-
"8076:TCP"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Install update 8.3.4 for Adobe Reader here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 21.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log. Does the issue still occur?






