Search Redirect Infection/Problem


  • This topic is locked
62 replies to this topic

#1 Leylan

Leylan

  • Members
  • 37 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 14 March 2011 - 08:52 PM

Hello. This is my dad's machine and I have to travel to get to it. He has been experiencing "intermittent" redirects for several weeks and finally called me to take a look. I have reached the end of my abilities to discover and fix the cause and am here in the hope that one of you fine people will be able to do what I am unable to.

From the symptoms of how the machine acts it appeared to be the search redirect virus/malware. Yet signs that many have appear to be absent. The hosts file looks normal to me. The router appears to be holding information properly, has no unknown DNS within it, and maintains its "obtain IP automatically" settings. The previous router was set to the default logon and password. That router "died" on an attempted firmware update and the disk with the router was unable to restore it. So a new Linksys router is in place and the redirects continued to happen. Upon installation of the new router I changed the password on it from the default. I have also removed the router from the loop and the redirects continue. The redirects don't always happen. There are times you can bring it up from a cold boot or do a warm boot and it may or may not start redirecting. Once it does start redirecting it does not stop for that session. The redirects may be to another search engine displaying similar results to what you originally sought, or to something completely random and unrelated to the page you were trying to reach. Hitting back on the browser produces yet another redirect elsewhere. If you spam the back button you will eventually get to the starting home page but it still tries to continuously redirect. Once it begins it doesn't seem to stop, though I found that when I did ipconfig /flushdns and rebooted, that seems to halt it for a time, but a second warm reboot at that point will often see its return.

The system now has Norton 360 installed. (Background on AV: originally had Norton installed, then Vipre, then back to Norton 360.) Initially I did a scan with Hitman Pro 3.5. The only two things it found were: Hitman quarantined ampehsoe.dll in c:/windows/system32 (agent-alxe rtk engine b) and deleted a media6ydegrees.com cookie.

Further scans with Hitman Pro found nothing. Scanned with Malwarebytes. Nothing picked up. Ran Kaspersky's TDSSKiller. Again, nothing found. My research indicated many had had success with those programs, though many also had signs I have not seen on this machine, such as several DNS entries/IPs within the hosts file or router settings changed. None of that appears on this machine that I am able to detect. This machine is part of a LAN with 2 hardwired machines and one laptop via wireless connection to the router. I have not had time to see if the other hardwired machine or the wirelessly connected laptop are redirecting also. They are seldom used. Also, because what is happening is intermittent (i.e., the machine may be used for a couple of hours with absolutely no redirects, then when they start they don't stop for that session), I have not nailed down the triggers. Though I did notice last night that when I did ipconfig /flushdns, rebooted and tried the browser for 10 minutes, it did not redirect me. I then rebooted again and it started redirecting. Last night I decided to remove the router from the equation and hook the PC up directly to the modem. I even called the ISP for their proper procedure on doing so. Once brought "online", the first browser attempt redirected me. At that point I did ipconfig /flushdns and rebooted and was out of time to do more. Dad used the machine for browsing and had no redirects for that session.
Alright. Next evening I bring up the PC from power down. It doesn't appear that it's going to redirect; warm boot. Browser begins redirecting, this is with the router OUT of the loop and directly wired to the modem. It appears that if you right-click on the link and select "open in new tab" the correct site is opened. But if you left-click the hyperlink to go to a site from the tab of the original search it is redirected. I did write down an IP address that popped up before the redirect was complete. Though not the only one I have seen in the URL bar, I have seen this one a few times in the URL address bar before the redirect completes. It is 72.52.251.203. An IP lookup points to Lansing, Michigan. Dad's ISP is Suddenlink and we do not live in Michigan. I am going to go ahead and place the router back in service. Then I will attempt to get it to redirect and start the procedures outlined in the preparation guide.

This system is running Windows 7 64-bit, so I won't be able to supply a GMER log. My hope is that one of you fine people here will be able to assist me in identifying and ridding the system of whatever is causing this. Again, this is my father's PC and I have to travel to it. Ideally, if I can get the approximate hours of availability of the person who tackles this, I will make the effort to travel in and perform what they need to assist with this in a more timely manner, in the hope that they do not become frustrated over delayed replies.

I am going to attempt to have the machine recently redirecting when I run DDS, in the hope that whatever is causing this will be more visible and that this will help whoever assists me identify the problem more readily.

Addendum: Brought the router back up online. Everything brought up from power down status. Browser did not redirect. Rebooted once and browser redirected right away. Left everything as it was and then launched the DDS utility.

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Leland at 20:19:42.40 on Mon 03/14/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8183.6538 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\ProgramData\EPSON\EPW!3 SSRP\E_S40RPB.EXE
C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Windows\SysWOW64\PSIService.exe
C:\Program Files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
C:\Program Files (x86)\hp\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\taskeng.exe
c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Leland\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.msn.com
uWindow Title = Internet Explorer, optimized for Bing and MSN
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\coIEPlg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
mRun: [hpsysdrv] c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
mRun: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [Corel File Shell Monitor] C:\Program Files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
TB-X64: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB-X64: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mRun-x64: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe
mRun-x64: [SmartMenu] C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe /background
mRun-x64: [PC-Doctor for Windows localizer] C:\Program Files\PC-Doctor for Windows\localizer.exe
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\System32\drivers\PxHlpa64.sys [2010-6-1 55024]
R0 SymDS;Symantec Data Store;C:\Windows\System32\drivers\N360x64\0403000.005\symds64.sys [2011-2-11 433200]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\System32\drivers\N360x64\0403000.005\symefa64.sys [2011-2-11 221232]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110309.001\BHDrvx64.sys [2011-3-10 1124472]
R1 ccHP;Symantec Hash Provider;C:\Windows\System32\drivers\N360x64\0403000.005\cchpx64.sys [2011-2-11 615040]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110311.001\IDSviA64.sys [2011-3-12 476792]
R1 SBRE;SBRE;C:\Windows\System32\drivers\sbredrv.sys [2010-5-31 49752]
R1 SymIRON;Symantec Iron Driver;C:\Windows\System32\drivers\N360x64\0403000.005\ironx64.sys [2011-2-11 150064]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;C:\Windows\System32\drivers\N360x64\0403000.005\symtdiv.sys [2011-2-11 451120]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\System32\drivers\vwififlt.sys [2009-7-13 59904]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/03/19 09:29:17];C:\Program Files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2010-3-19 146928]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;C:\Program Files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-9 169312]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2010-3-19 202752]
R2 HPDrvMntSvc.exe;HP Quick Synchronization Service;C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-10-14 92216]
R2 N360;Norton 360;C:\Program Files (x86)\Norton 360\Engine\4.3.0.5\ccsvchst.exe [2011-2-11 126392]
R3 amdkmdag;amdkmdag;C:\Windows\System32\drivers\atipmdag.sys [2010-3-19 6368256]
R3 amdkmdap;amdkmdap;C:\Windows\System32\drivers\atikmpag.sys [2010-3-19 188416]
R3 e1yexpress;Intel® Gigabit Network Connections Driver;C:\Windows\System32\drivers\e1y62x64.sys [2010-3-19 287960]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-2-6 132656]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\System32\drivers\vwifimp.sys [2009-7-13 17920]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 fssfltr;fssfltr;C:\Windows\System32\drivers\fssfltr.sys [2010-10-20 48488]
S3 fsssvc;Windows Live Family Safety Service;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2010-9-23 1493352]
S3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;C:\Program Files\PC-Doctor for Windows\pcdsrvc_x64.pkms [2009-9-17 23536]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2010-5-31 1255736]
.
=============== Created Last 30 ================
.
2011-03-06 04:58:17 -------- d-----w- C:\PROGRA~3\Recovery
2011-03-06 00:16:33 -------- d-----w- C:\Program Files (x86)\Cisco Systems
2011-03-06 00:13:13 -------- d-----w- C:\PROGRA~3\Cisco Systems
2011-03-05 19:09:42 -------- d-----w- C:\Users\Leland\AppData\Roaming\Malwarebytes
2011-03-05 19:09:37 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-03-05 19:09:37 -------- d-----w- C:\PROGRA~3\Malwarebytes
2011-03-05 19:09:34 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-03-05 19:09:34 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-03-02 04:15:13 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2011-03-02 04:12:15 -------- d-----w- C:\Program Files\Hitman Pro 3.5
2011-03-02 04:08:13 19528 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-03-02 04:06:49 -------- d-----w- C:\PROGRA~3\Hitman Pro
2011-03-02 03:38:43 -------- d-----w- C:\PROGRA~3\{23D58E70-3B83-4B83-A227-68770F84F5EC}
2011-03-02 03:38:24 -------- d-----w- C:\Users\Leland\AppData\Roaming\hpqLog
2011-03-02 03:37:54 -------- d---a-w- C:\swsetup
2011-03-02 03:37:53 -------- d--h--w- C:\SYSTEM.SAV
2011-03-02 03:37:43 -------- d-----w- C:\Users\Leland\AppData\Roaming\WinBatch
2011-02-25 04:05:43 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
2011-02-25 04:05:43 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
2011-02-25 01:55:38 662528 ----a-w- C:\Windows\System32\XpsPrint.dll
2011-02-25 01:55:38 442880 ----a-w- C:\Windows\SysWow64\XpsPrint.dll
2011-02-25 01:55:37 475648 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-02-25 01:55:37 288256 ----a-w- C:\Windows\SysWow64\XpsGdiConverter.dll
2011-02-13 05:04:51 -------- d-----w- C:\Users\Leland\AppData\Local\CrashDumps
.
==================== Find3M ====================
.
2011-03-14 02:39:45 4388 --sha-w- C:\Windows\SysWow64\KGyGaAvL.sys
2011-03-13 22:56:30 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2011-02-19 06:37:44 1135104 ----a-w- C:\Windows\System32\FntCache.dll
2011-02-19 06:37:10 1540608 ----a-w- C:\Windows\System32\DWrite.dll
2011-02-19 06:36:49 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-02-19 05:32:48 1074176 ----a-w- C:\Windows\SysWow64\DWrite.dll
2011-02-19 05:32:35 739840 ----a-w- C:\Windows\SysWow64\d2d1.dll
2011-02-06 20:18:38 173104 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-01-26 06:53:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-01-26 06:53:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
2011-01-26 06:31:20 144384 ----a-w- C:\Windows\System32\cdd.dll
2011-01-07 08:06:50 46080 ----a-w- C:\Windows\System32\atmlib.dll
2011-01-07 07:27:11 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
2011-01-07 05:49:20 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-01-07 05:33:11 294400 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-01-05 06:20:30 612352 ----a-w- C:\Windows\System32\vbscript.dll
2011-01-05 05:37:33 428032 ----a-w- C:\Windows\SysWow64\vbscript.dll
2011-01-05 04:00:16 3127808 ----a-w- C:\Windows\System32\win32k.sys
2010-12-23 06:07:50 1118720 ----a-w- C:\Windows\System32\sbe.dll
2010-12-23 06:07:49 961024 ----a-w- C:\Windows\System32\CPFilters.dll
2010-12-23 06:07:49 723968 ----a-w- C:\Windows\System32\EncDec.dll
2010-12-23 06:02:33 259072 ----a-w- C:\Windows\System32\mpg2splt.ax
2010-12-23 05:28:29 850432 ----a-w- C:\Windows\SysWow64\sbe.dll
2010-12-23 05:28:28 642048 ----a-w- C:\Windows\SysWow64\CPFilters.dll
2010-12-23 05:28:28 534528 ----a-w- C:\Windows\SysWow64\EncDec.dll
2010-12-23 05:24:02 199680 ----a-w- C:\Windows\SysWow64\mpg2splt.ax
2010-12-21 06:16:27 97280 ----a-w- C:\Windows\System32\wscsvc.dll
2010-12-21 06:16:27 62976 ----a-w- C:\Windows\System32\wscapi.dll
2010-12-21 06:16:16 214016 ----a-w- C:\Windows\System32\winsrv.dll
2010-12-21 06:16:14 442880 ----a-w- C:\Windows\System32\winhttp.dll
2010-12-21 06:16:14 1197056 ----a-w- C:\Windows\System32\wininet.dll
2010-12-21 06:16:09 258048 ----a-w- C:\Windows\System32\WebClnt.dll
2010-12-21 06:15:55 264192 ----a-w- C:\Windows\System32\upnp.dll
2010-12-21 06:15:31 15360 ----a-w- C:\Windows\System32\slwga.dll
2010-12-21 06:13:03 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2010-12-21 06:13:03 1880576 ----a-w- C:\Windows\System32\msxml3.dll
2010-12-21 06:10:22 100864 ----a-w- C:\Windows\System32\davclnt.dll
2010-12-21 05:38:24 51200 ----a-w- C:\Windows\SysWow64\wscapi.dll
2010-12-21 05:38:22 981504 ----a-w- C:\Windows\SysWow64\wininet.dll
2010-12-21 05:38:22 350720 ----a-w- C:\Windows\SysWow64\winhttp.dll
2010-12-21 05:38:21 204800 ----a-w- C:\Windows\SysWow64\WebClnt.dll
2010-12-21 05:38:19 204288 ----a-w- C:\Windows\SysWow64\upnp.dll
2010-12-21 05:38:16 14336 ----a-w- C:\Windows\SysWow64\slwga.dll
2010-12-21 05:36:17 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2010-12-21 05:36:16 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2010-12-21 05:34:12 80384 ----a-w- C:\Windows\SysWow64\davclnt.dll
2010-12-18 06:12:28 3138048 ----a-w- C:\Windows\System32\mstscax.dll
2010-12-18 06:11:41 57856 ----a-w- C:\Windows\System32\licmgr10.dll
2010-12-18 06:11:34 714752 ----a-w- C:\Windows\System32\kerberos.dll
2010-12-18 06:08:15 1097216 ----a-w- C:\Windows\System32\mstsc.exe
2010-12-18 05:30:20 2690560 ----a-w- C:\Windows\SysWow64\mstscax.dll
2010-12-18 05:29:40 44544 ----a-w- C:\Windows\SysWow64\licmgr10.dll
2010-12-18 05:29:31 541184 ----a-w- C:\Windows\SysWow64\kerberos.dll
2010-12-18 05:26:55 1034240 ----a-w- C:\Windows\SysWow64\mstsc.exe
2010-12-18 04:55:03 482816 ----a-w- C:\Windows\System32\html.iec
2010-12-18 04:20:55 386048 ----a-w- C:\Windows\SysWow64\html.iec
2010-12-18 04:13:40 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2010-12-18 03:47:59 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 20:20:28.60 ===============
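The Pseudo HJT section of the DDS log above lists exactly the load points a search redirect usually lives in (browser helper objects, toolbars, Run keys, the Winsock LSP chain and the Internet Settings proxy values). As an added example that is not part of this thread and not code from the DDS tool, the Python script below parses that section and flags four things a helper looks for first: a proxy configured in Internet Settings, orphaned "No File" toolbar CLSIDs, any Winsock LSP other than mswsock.dll, and BHO/toolbar/Run entries that load from outside C:\Windows or Program Files. The sample log is a handful of lines copied from the posted report plus three constructed suspicious lines (a ProxyServer value, a Temp-folder Run entry and an extra LSP) that are not on the poster's machine; the trusted-root list and the heuristics are my assumptions, not DDS rules.

```python
"""Flag redirect-relevant entries in the 'Pseudo HJT Report' section of a DDS log.

Added example, not code from the thread or from DDS. Heuristics and the
trusted-root list are assumptions of this example, not rules DDS applies.
"""
import re
import sys

# Constructed sample: lines copied from the posted report plus three
# CONSTRUCTED suspicious lines (ProxyServer, the Temp-folder mRun entry and the
# second LSP) that do NOT appear on the poster's machine.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 127.0.0.1:8118
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
mRun: [HP Remote Solution] %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
mRun: [sample_constructed] C:\Users\Leland\AppData\Local\Temp\sample_constructed.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\PICTUR~1.LNK - C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
LSP: mswsock.dll
LSP: C:\Users\Leland\AppData\Roaming\sample_constructed_lsp.dll
.
============= SERVICES / DRIVERS ===============
"""

# Assumed trusted roots: anything loading from elsewhere gets a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\", "c:\\progra~")
# DDS keys whose value is a module or command path.
PATH_KEYS = {"BHO", "BHO-X64", "TB", "TB-X64", "uRun", "mRun", "mRun-x64",
             "Handler", "StartupFolder"}
# Internet Settings values that can silently route every request elsewhere.
PROXY_KEYS = ("ProxyServer", "AutoConfigURL", "ProxyEnable")
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|scr|sys|ocx|cpl)", re.I)


def section(log, name):
    """Return the non-empty lines between the '===' header containing `name` and the next header."""
    lines = iter(log.splitlines())
    for line in lines:
        if line.startswith("=") and name in line:
            break
    else:
        return []
    body = []
    for line in lines:
        if line.startswith("="):
            break
        if line.strip() and line.strip() != ".":
            body.append(line.rstrip())
    return body


def extract_path(line):
    """Pull the module/command path out of a BHO/TB/Run/StartupFolder line."""
    body = line.split(":", 1)[1]
    if body.lstrip().startswith("["):        # Run keys: [name] <command> <args>
        body = body.split("] ", 1)[1]
    elif " - " in body:                       # BHO/TB/Handler/StartupFolder: ... - <path>
        body = body.rsplit(" - ", 1)[1]
    body = re.sub(r"%programfiles%", r"C:\\Program Files", body, flags=re.I)
    m = PATH_RE.search(body)
    return m.group(0) if m else None


def is_trusted_path(path):
    """True when the path sits under one of the assumed trusted roots."""
    return path.lower().startswith(TRUSTED_ROOTS)


def review_hjt(log):
    """Return (reason, line) pairs for entries worth a second look."""
    findings = []
    for line in section(log, "Pseudo HJT Report"):
        key = line.split(":", 1)[0]
        if line.endswith("- No File"):
            findings.append(("orphaned CLSID (No File)", line))
        elif "Internet Settings," in line and any(k in line for k in PROXY_KEYS):
            findings.append(("proxy setting present", line))
        elif key == "LSP":
            if line.split(":", 1)[1].strip().lower() != "mswsock.dll":
                findings.append(("non-default Winsock LSP", line))
        elif key in PATH_KEYS:
            path = extract_path(line)
            if path and not is_trusted_path(path):
                findings.append(("loads from non-standard location", line))
    return findings


if __name__ == "__main__":
    # Usage: python dds_hjt_review.py [dds_log.txt]; defaults to the sample above.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for reason, entry in review_hjt(text):
        print(f"[{reason}] {entry}")
```

On the poster's real log the script would report only the two "No File" toolbar entries (and their x64 twins), which is a cleanup item rather than evidence of infection; nothing in the posted Pseudo HJT section loads from outside the trusted roots and the only LSP is mswsock.dll, which is consistent with the poster's own observation that the usual hosts-file and DNS signs are absent.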


#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:02:07 AM

Posted 19 March 2011 - 07:45 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about your installed Windows Operating System, including the Version, Edition and whether it is a 32-bit or a 64-bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Casey

If I have been helping you and I do not reply within 48 hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 Leylan

Leylan
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Local time:09:07 PM

Posted 19 March 2011 - 08:12 AM

Hello Casey. Thank you for the response. This is the only forum I posted on and the problem is not resolved. The machine is an OEM and currently has no original Windows CD. The situation has not changed on the machine. Do you still desire a new log? The one posted and attached was done after I'd freshly recreated a redirect. As such, would it be best for me to try and trigger a redirect and then run another DDS as previously, if required? The system is 64-bit so a GMER log is not possible. The originally downloaded DDS is still on that machine. Defogger was used and there appeared to be no CD emulation installed. If a new log is required, as and when further instructions are given I will travel to Dad's and obtain whatever is required this afternoon. Again, thank you for the response.

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:09:07 PM

Posted 19 March 2011 - 10:39 AM

Hello Leylan,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running, because it may cause it to stall.


3.
We need to reset that router to rule out that it has been infected. It may not be the same router, but resetting it will be similar.
How to reset your Router.


Things to include in your next reply:
TDSSKILLER log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
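The TDSSKiller log that step 1 asks for is a long inventory of every loaded driver: timestamp, thread id, service name, MD5 of the image and its path. As an added example, not part of this thread and not code from Kaspersky's TDSSKiller, here is a small Python triage script that parses those lines and pulls out what a helper reads first: drivers loaded from outside C:\Windows\System32, and service names that share one image file. The sample log embedded in it is constructed, modelled on the log format that appears later in this thread; the names parse_drivers, outside_system_dirs, shared_images and TRUSTED_PREFIXES are my own.

```python
"""Triage a TDSSKiller driver inventory log.

Added example for this thread; it is not code from Kaspersky's TDSSKiller and
the sample log below is constructed, modelled on the format the tool writes.
Each driver line looks like:

    <date time> <thread id> <service name> (<md5 of image>) <image path>

The script keeps only those lines and reports two things a helper checks first:
  * drivers whose image is loaded from outside C:\\Windows\\System32, and
  * service names that share one image file.
Both are "look here first" lists, not verdicts: security suites (Norton in the
sample) and OEM diagnostics (PC-Doctor) legitimately load from other folders,
and Tcpip/TCPIP6 sharing tcpip.sys is normal on Windows 7.
"""
import re
from collections import defaultdict

# One driver line: date time, thread id, service name, 32-hex MD5 in
# parentheses, then the image path up to end of line.
DRIVER_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<tid>\d+)\s+"
    r"(?P<service>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Where kernel drivers are normally loaded from on Windows 7 (compared
# case-insensitively, because the log mixes DRIVERS/drivers/Drivers).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\",)

# Constructed sample: a few header/status lines plus six driver lines in the
# format TDSSKiller 2.4.x writes. Header and status lines must be ignored.
SAMPLE_LOG = r"""
2011/03/19 17:25:41.0849 3912 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/19 17:25:42.0036 3912 ================================================================================
2011/03/19 17:25:42.0036 3912 OS Version: 6.1.7600 ServicePack: 0.0
2011/03/19 17:25:49.0914 3780 Scan started
2011/03/19 17:25:50.0601 3780 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/03/19 17:25:52.0129 3780 BHDrvx64 (0163c18a9ebc4a76542790cec49f5120) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110309.001\BHDrvx64.sys
2011/03/19 17:25:52.0785 3780 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2011/03/19 17:25:57.0699 3780 PCDSRVC{F36B3A4C-F95654BD-06000000}_0 (51209fbdb13a46e05c1b0077a9310264) c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms
2011/03/19 17:26:00.0241 3780 Tcpip (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\drivers\tcpip.sys
2011/03/19 17:26:00.0304 3780 TCPIP6 (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\DRIVERS\tcpip.sys
"""


def parse_drivers(log_text):
    """Return one dict per driver line (ts, tid, service, md5, path).
    Header, separator and status lines do not match the pattern and are skipped."""
    drivers = []
    for line in log_text.splitlines():
        match = DRIVER_LINE.match(line.strip())
        if match:
            drivers.append(match.groupdict())
    return drivers


def outside_system_dirs(drivers):
    """Drivers whose image path does not start with a trusted prefix."""
    return [d for d in drivers
            if not d["path"].lower().startswith(TRUSTED_PREFIXES)]


def shared_images(drivers):
    """Map lower-cased image path -> service names, for paths used by 2+ services."""
    by_path = defaultdict(list)
    for d in drivers:
        by_path[d["path"].lower()].append(d["service"])
    return {path: names for path, names in by_path.items() if len(names) > 1}


def report(log_text):
    """Print a short triage report and return the parsed driver list."""
    drivers = parse_drivers(log_text)
    print(f"{len(drivers)} driver entries parsed")
    print("\nLoaded from outside the trusted directories (verify each):")
    for d in outside_system_dirs(drivers):
        print(f"  {d['service']:<24} {d['md5']}  {d['path']}")
    print("\nImage files registered under more than one service name:")
    for path, names in shared_images(drivers).items():
        print(f"  {path}  <- {', '.join(names)}")
    return drivers


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run it against a real TDSSKiller_*_log.txt by reading the file into `report()`. The "outside trusted directories" list is deliberately coarse: it surfaces third-party security drivers and OEM tools alongside anything unexpected, so each hit still has to be matched against a known product before it is treated as suspicious.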


#5 Leylan
  • Topic Starter
  • Members
  • 37 posts

Posted 19 March 2011 - 07:34 PM

Hello fireman4it! First. Thank you so very much for your assistance and time. It is greatly appreciated. I apologize for being a little later than I anticipated in getting in to Dad's. I had hoped to post for you a few hours ago. I have followed your instructions.

Downloaded TDSSkiller freshly from your provided link. Ran as admin. No threats found. Log pasted.
Downloaded and ran combofix from your provided link. Windows recovery must be installed as there was no prompt from Combofix to install it. Combofix did not reboot the machine and closed on its own after running and generating log report. It did appear to delete a couple of files which are shown in Log attached.
Machine behavior:
Opened browser and searched google for airline. Was one link, at top of results that showed continental.com, but not www.continental.com that resulted in a popup browser window that went to a site related to the search, sort of a discount shop multi airline fare site. It should have dawned on me to write the url down for you but it didn't and I failed to do so. The original browser window opened to continental's site however. Had to hit back button a couple of times to get to the original search. Closed the pop up window. When it had popped up it had showed as redirected. Pop ups are currently blocked though on investigation, the blocking level is set to Low: Allow pop ups from secure sites.
Other than the one anomaly described above I have so far been unable to trigger more redirecting behavior. Due to its original intermittent behavior, i.e. some sessions there would be no redirecting, often a warm reboot would result in redirecting, which once started didn't cease; I'm not positive it's been solved.
I do not know how long it will take you to go through the logs. I'll stay here an hour or so after posting tonight before returning home. I will of course check and have notify for the topic enabled. As soon as I see your response I will get in again as soon as possible to perform any additional procedures you may require.
Again, thank you so very much for your time and assistance. Logs follow. TDSS and then Combofix.
2011/03/19 17:25:41.0849 3912 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/19 17:25:42.0036 3912 ================================================================================
2011/03/19 17:25:42.0036 3912 SystemInfo:
2011/03/19 17:25:42.0036 3912
2011/03/19 17:25:42.0036 3912 OS Version: 6.1.7600 ServicePack: 0.0
2011/03/19 17:25:42.0036 3912 Product type: Workstation
2011/03/19 17:25:42.0036 3912 ComputerName: LELAND-PC
2011/03/19 17:25:42.0036 3912 UserName: Leland
2011/03/19 17:25:42.0036 3912 Windows directory: C:\Windows
2011/03/19 17:25:42.0036 3912 System windows directory: C:\Windows
2011/03/19 17:25:42.0036 3912 Running under WOW64
2011/03/19 17:25:42.0036 3912 Processor architecture: Intel x64
2011/03/19 17:25:42.0036 3912 Number of processors: 8
2011/03/19 17:25:42.0036 3912 Page size: 0x1000
2011/03/19 17:25:42.0036 3912 Boot type: Normal boot
2011/03/19 17:25:42.0036 3912 ================================================================================
2011/03/19 17:25:43.0487 3912 Initialize success
2011/03/19 17:25:49.0914 3780 ================================================================================
2011/03/19 17:25:49.0914 3780 Scan started
2011/03/19 17:25:49.0914 3780 Mode: Manual;
2011/03/19 17:25:49.0914 3780 ================================================================================
2011/03/19 17:25:50.0601 3780 1394ohci (1b00662092f9f9568b995902f0cc40d5) C:\Windows\system32\DRIVERS\1394ohci.sys
2011/03/19 17:25:50.0679 3780 ACPI (6f11e88748cdefd2f76aa215f97ddfe5) C:\Windows\system32\DRIVERS\ACPI.sys
2011/03/19 17:25:50.0741 3780 AcpiPmi (63b05a0420ce4bf0e4af6dcc7cada254) C:\Windows\system32\DRIVERS\acpipmi.sys
2011/03/19 17:25:50.0819 3780 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\DRIVERS\adp94xx.sys
2011/03/19 17:25:50.0866 3780 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\DRIVERS\adpahci.sys
2011/03/19 17:25:50.0897 3780 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\DRIVERS\adpu320.sys
2011/03/19 17:25:51.0006 3780 AFD (b9384e03479d2506bc924c16a3db87bc) C:\Windows\system32\drivers\afd.sys
2011/03/19 17:25:51.0053 3780 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\DRIVERS\agp440.sys
2011/03/19 17:25:51.0084 3780 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\DRIVERS\aliide.sys
2011/03/19 17:25:51.0115 3780 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\DRIVERS\amdide.sys
2011/03/19 17:25:51.0162 3780 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\DRIVERS\amdk8.sys
2011/03/19 17:25:51.0303 3780 amdkmdag (9337b5fabc03ca44cd355f700da9b25b) C:\Windows\system32\DRIVERS\atipmdag.sys
2011/03/19 17:25:51.0396 3780 amdkmdap (560688a447e7a87f43774a2ff23a3e52) C:\Windows\system32\DRIVERS\atikmpag.sys
2011/03/19 17:25:51.0427 3780 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
2011/03/19 17:25:51.0490 3780 amdsata (7a4b413614c055935567cf88a9734d38) C:\Windows\system32\DRIVERS\amdsata.sys
2011/03/19 17:25:51.0521 3780 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\DRIVERS\amdsbs.sys
2011/03/19 17:25:51.0537 3780 amdxata (b4ad0cacbab298671dd6f6ef7e20679d) C:\Windows\system32\DRIVERS\amdxata.sys
2011/03/19 17:25:51.0583 3780 AppID (42fd751b27fa0e9c69bb39f39e409594) C:\Windows\system32\drivers\appid.sys
2011/03/19 17:25:51.0630 3780 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\DRIVERS\arc.sys
2011/03/19 17:25:51.0693 3780 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\DRIVERS\arcsas.sys
2011/03/19 17:25:51.0708 3780 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/03/19 17:25:51.0755 3780 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\DRIVERS\atapi.sys
2011/03/19 17:25:51.0786 3780 athr (e0fabc10635c670bd7d89fd214a405d7) C:\Windows\system32\DRIVERS\athrx.sys
2011/03/19 17:25:51.0817 3780 AtiHdmiService (77c149e6d702737b2e372dee166faef8) C:\Windows\system32\drivers\AtiHdmi.sys
2011/03/19 17:25:51.0942 3780 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\DRIVERS\bxvbda.sys
2011/03/19 17:25:51.0973 3780 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
2011/03/19 17:25:52.0005 3780 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
2011/03/19 17:25:52.0129 3780 BHDrvx64 (0163c18a9ebc4a76542790cec49f5120) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110309.001\BHDrvx64.sys
2011/03/19 17:25:52.0223 3780 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
2011/03/19 17:25:52.0270 3780 bowser (91ce0d3dc57dd377e690a2d324022b08) C:\Windows\system32\DRIVERS\bowser.sys
2011/03/19 17:25:52.0301 3780 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\DRIVERS\BrFiltLo.sys
2011/03/19 17:25:52.0317 3780 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\DRIVERS\BrFiltUp.sys
2011/03/19 17:25:52.0348 3780 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
2011/03/19 17:25:52.0363 3780 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
2011/03/19 17:25:52.0379 3780 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
2011/03/19 17:25:52.0457 3780 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
2011/03/19 17:25:52.0488 3780 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\DRIVERS\bthmodem.sys
2011/03/19 17:25:52.0582 3780 ccHP (da66e851e76766d2c84502fe682ab175) C:\Windows\system32\drivers\N360x64\0403000.005\ccHPx64.sys
2011/03/19 17:25:52.0629 3780 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/03/19 17:25:52.0722 3780 cdrom (83d2d75e1efb81b3450c18131443f7db) C:\Windows\system32\DRIVERS\cdrom.sys
2011/03/19 17:25:52.0753 3780 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
2011/03/19 17:25:52.0785 3780 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
2011/03/19 17:25:52.0831 3780 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/03/19 17:25:52.0863 3780 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\DRIVERS\cmdide.sys
2011/03/19 17:25:52.0941 3780 CNG (f95fd4cb7da00ba2a63ce9f6b5c053e1) C:\Windows\system32\Drivers\cng.sys
2011/03/19 17:25:52.0987 3780 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\DRIVERS\compbatt.sys
2011/03/19 17:25:53.0019 3780 CompositeBus (f26b3a86f6fa87ca360b879581ab4123) C:\Windows\system32\DRIVERS\CompositeBus.sys
2011/03/19 17:25:53.0034 3780 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\DRIVERS\crcdisk.sys
2011/03/19 17:25:53.0081 3780 DfsC (3f1dc527070acb87e40afe46ef6da749) C:\Windows\system32\Drivers\dfsc.sys
2011/03/19 17:25:53.0097 3780 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
2011/03/19 17:25:53.0143 3780 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\DRIVERS\disk.sys
2011/03/19 17:25:53.0190 3780 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
2011/03/19 17:25:53.0237 3780 DXGKrnl (1633b9abf52784a1331476397a48cbef) C:\Windows\System32\drivers\dxgkrnl.sys
2011/03/19 17:25:53.0268 3780 e1yexpress (761b9edd97a021aa1922501b7a056635) C:\Windows\system32\DRIVERS\e1y62x64.sys
2011/03/19 17:25:53.0331 3780 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\DRIVERS\evbda.sys
2011/03/19 17:25:53.0455 3780 eeCtrl (066108ae4c35835081598827a1a7d08d) C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys
2011/03/19 17:25:53.0533 3780 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\DRIVERS\elxstor.sys
2011/03/19 17:25:53.0596 3780 EraserUtilRebootDrv (12866876e3851f1e5d462b2a83e25578) C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/03/19 17:25:53.0627 3780 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\DRIVERS\errdev.sys
2011/03/19 17:25:53.0689 3780 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
2011/03/19 17:25:53.0736 3780 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
2011/03/19 17:25:53.0767 3780 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\DRIVERS\fdc.sys
2011/03/19 17:25:53.0799 3780 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
2011/03/19 17:25:53.0814 3780 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
2011/03/19 17:25:53.0845 3780 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/03/19 17:25:53.0892 3780 FltMgr (f7866af72abbaf84b1fa5aa195378c59) C:\Windows\system32\drivers\fltmgr.sys
2011/03/19 17:25:53.0970 3780 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
2011/03/19 17:25:54.0017 3780 fssfltr (6c06701bf1db05405804d7eb610991ce) C:\Windows\system32\DRIVERS\fssfltr.sys
2011/03/19 17:25:54.0033 3780 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
2011/03/19 17:25:54.0048 3780 fvevol (ae87ba80d0ec3b57126ed2cdc15b24ed) C:\Windows\system32\DRIVERS\fvevol.sys
2011/03/19 17:25:54.0079 3780 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\DRIVERS\gagp30kx.sys
2011/03/19 17:25:54.0126 3780 GEARAspiWDM (e403aacf8c7bb11375122d2464560311) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/03/19 17:25:54.0204 3780 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
2011/03/19 17:25:54.0251 3780 HDAudBus (0a49913402747a0b67de940fb42cbdbb) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/03/19 17:25:54.0267 3780 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\DRIVERS\HidBatt.sys
2011/03/19 17:25:54.0282 3780 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\DRIVERS\hidbth.sys
2011/03/19 17:25:54.0298 3780 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
2011/03/19 17:25:54.0360 3780 HidUsb (b3bf6b5b50006def50b66306d99fcf6f) C:\Windows\system32\DRIVERS\hidusb.sys
2011/03/19 17:25:54.0485 3780 HpSAMD (0886d440058f203eba0e1825e4355914) C:\Windows\system32\DRIVERS\HpSAMD.sys
2011/03/19 17:25:54.0532 3780 HTTP (cee049cac4efa7f4e1e4ad014414a5d4) C:\Windows\system32\drivers\HTTP.sys
2011/03/19 17:25:54.0547 3780 hwpolicy (f17766a19145f111856378df337a5d79) C:\Windows\system32\drivers\hwpolicy.sys
2011/03/19 17:25:54.0610 3780 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/03/19 17:25:54.0641 3780 iaStor (1d004cb1da6323b1f55caef7f94b61d9) C:\Windows\system32\DRIVERS\iaStor.sys
2011/03/19 17:25:54.0719 3780 iaStorV (d83efb6fd45df9d55e9a1afc63640d50) C:\Windows\system32\DRIVERS\iaStorV.sys
2011/03/19 17:25:54.0828 3780 IDSVia64 (6f9b281bc4afff5fe784d7da699d347f) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110317.002\IDSvia64.sys
2011/03/19 17:25:54.0875 3780 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\DRIVERS\iirsp.sys
2011/03/19 17:25:54.0984 3780 IntcAzAudAddService (ef75c94792187a143871fbb87611b0b7) C:\Windows\system32\drivers\RTKVHD64.sys
2011/03/19 17:25:55.0031 3780 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\DRIVERS\intelide.sys
2011/03/19 17:25:55.0062 3780 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
2011/03/19 17:25:55.0109 3780 IpFilterDriver (722dd294df62483cecaae6e094b4d695) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/03/19 17:25:55.0140 3780 IPMIDRV (e2b4a4494db7cb9b89b55ca268c337c5) C:\Windows\system32\DRIVERS\IPMIDrv.sys
2011/03/19 17:25:55.0187 3780 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
2011/03/19 17:25:55.0218 3780 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
2011/03/19 17:25:55.0249 3780 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\DRIVERS\isapnp.sys
2011/03/19 17:25:55.0281 3780 iScsiPrt (fa4d2557de56d45b0a346f93564be6e1) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/03/19 17:25:55.0327 3780 JRAID (2224abc439d115a44edb5630a92c1d7e) C:\Windows\system32\DRIVERS\jraid.sys
2011/03/19 17:25:55.0343 3780 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/03/19 17:25:55.0359 3780 kbdhid (6def98f8541e1b5dceb2c822a11f7323) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/03/19 17:25:55.0390 3780 KSecDD (e8b6fcc9c83535c67f835d407620bd27) C:\Windows\system32\Drivers\ksecdd.sys
2011/03/19 17:25:55.0452 3780 KSecPkg (a8c63880ef6f4d3fec7b616b9c060215) C:\Windows\system32\Drivers\ksecpkg.sys
2011/03/19 17:25:55.0468 3780 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
2011/03/19 17:25:55.0530 3780 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
2011/03/19 17:25:55.0577 3780 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\DRIVERS\lsi_fc.sys
2011/03/19 17:25:55.0639 3780 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\DRIVERS\lsi_sas.sys
2011/03/19 17:25:55.0655 3780 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\DRIVERS\lsi_sas2.sys
2011/03/19 17:25:55.0671 3780 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\DRIVERS\lsi_scsi.sys
2011/03/19 17:25:55.0717 3780 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
2011/03/19 17:25:55.0780 3780 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\DRIVERS\megasas.sys
2011/03/19 17:25:55.0811 3780 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\DRIVERS\MegaSR.sys
2011/03/19 17:25:55.0873 3780 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
2011/03/19 17:25:55.0905 3780 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
2011/03/19 17:25:55.0920 3780 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
2011/03/19 17:25:55.0951 3780 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
2011/03/19 17:25:55.0998 3780 mountmgr (791af66c4d0e7c90a3646066386fb571) C:\Windows\system32\drivers\mountmgr.sys
2011/03/19 17:25:56.0029 3780 mpio (609d1d87649ecc19796f4d76d4c15cea) C:\Windows\system32\DRIVERS\mpio.sys
2011/03/19 17:25:56.0076 3780 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
2011/03/19 17:25:56.0107 3780 MRxDAV (30524261bb51d96d6fcbac20c810183c) C:\Windows\system32\drivers\mrxdav.sys
2011/03/19 17:25:56.0139 3780 mrxsmb (767a4c3bcf9410c286ced15a2db17108) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/03/19 17:25:56.0170 3780 mrxsmb10 (920ee0ff995fcfdeb08c41605a959e1c) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/03/19 17:25:56.0185 3780 mrxsmb20 (740d7ea9d72c981510a5292cf6adc941) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/03/19 17:25:56.0232 3780 msahci (5c37497276e3b3a5488b23a326a754b7) C:\Windows\system32\DRIVERS\msahci.sys
2011/03/19 17:25:56.0279 3780 msdsm (8d27b597229aed79430fb9db3bcbfbd0) C:\Windows\system32\DRIVERS\msdsm.sys
2011/03/19 17:25:56.0310 3780 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
2011/03/19 17:25:56.0341 3780 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
2011/03/19 17:25:56.0357 3780 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\DRIVERS\msisadrv.sys
2011/03/19 17:25:56.0404 3780 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
2011/03/19 17:25:56.0419 3780 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/03/19 17:25:56.0435 3780 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
2011/03/19 17:25:56.0466 3780 MsRPC (89cb141aa8616d8c6a4610fa26c60964) C:\Windows\system32\drivers\MsRPC.sys
2011/03/19 17:25:56.0497 3780 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/03/19 17:25:56.0544 3780 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
2011/03/19 17:25:56.0560 3780 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
2011/03/19 17:25:56.0591 3780 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
2011/03/19 17:25:56.0669 3780 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
2011/03/19 17:25:56.0778 3780 NAVENG (7be93dbb02b66e72872ff76d8a92e662) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110319.003\ENG64.SYS
2011/03/19 17:25:56.0841 3780 NAVEX15 (be99edbba322ca59b3f2fe17b9bf987a) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20110319.003\EX64.SYS
2011/03/19 17:25:56.0919 3780 NDIS (cad515dbd07d082bb317d9928ce8962c) C:\Windows\system32\drivers\ndis.sys
2011/03/19 17:25:57.0012 3780 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
2011/03/19 17:25:57.0043 3780 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/03/19 17:25:57.0059 3780 Ndisuio (f105ba1e22bf1f2ee8f005d4305e4bec) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/03/19 17:25:57.0090 3780 NdisWan (557dfab9ca1fcb036ac77564c010dad3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/03/19 17:25:57.0106 3780 NDProxy (659b74fb74b86228d6338d643cd3e3cf) C:\Windows\system32\drivers\NDProxy.sys
2011/03/19 17:25:57.0137 3780 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
2011/03/19 17:25:57.0168 3780 NetBT (9162b273a44ab9dce5b44362731d062a) C:\Windows\system32\DRIVERS\netbt.sys
2011/03/19 17:25:57.0231 3780 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\DRIVERS\nfrd960.sys
2011/03/19 17:25:57.0262 3780 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
2011/03/19 17:25:57.0293 3780 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
2011/03/19 17:25:57.0340 3780 Ntfs (356698a13c4630d5b31c37378d469196) C:\Windows\system32\drivers\Ntfs.sys
2011/03/19 17:25:57.0387 3780 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
2011/03/19 17:25:57.0433 3780 nvraid (3e38712941e9bb4ddbee00affe3fed3d) C:\Windows\system32\DRIVERS\nvraid.sys
2011/03/19 17:25:57.0465 3780 nvstor (477dc4d6deb99be37084c9ac6d013da1) C:\Windows\system32\DRIVERS\nvstor.sys
2011/03/19 17:25:57.0496 3780 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\DRIVERS\nv_agp.sys
2011/03/19 17:25:57.0527 3780 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/03/19 17:25:57.0574 3780 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\DRIVERS\parport.sys
2011/03/19 17:25:57.0605 3780 partmgr (7daa117143316c4a1537e074a5a9eaf0) C:\Windows\system32\drivers\partmgr.sys
2011/03/19 17:25:57.0699 3780 PCDSRVC{F36B3A4C-F95654BD-06000000}_0 (51209fbdb13a46e05c1b0077a9310264) c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms
2011/03/19 17:25:57.0948 3780 pci (f36f6504009f2fb0dfd1b17a116ad74b) C:\Windows\system32\DRIVERS\pci.sys
2011/03/19 17:25:57.0979 3780 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\DRIVERS\pciide.sys
2011/03/19 17:25:58.0011 3780 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\DRIVERS\pcmcia.sys
2011/03/19 17:25:58.0042 3780 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
2011/03/19 17:25:58.0073 3780 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
2011/03/19 17:25:58.0135 3780 PptpMiniport (27cc19e81ba5e3403c48302127bda717) C:\Windows\system32\DRIVERS\raspptp.sys
2011/03/19 17:25:58.0198 3780 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\DRIVERS\processr.sys
2011/03/19 17:25:58.0260 3780 Psched (ee992183bd8eaefd9973f352e587a299) C:\Windows\system32\DRIVERS\pacer.sys
2011/03/19 17:25:58.0307 3780 PxHlpa64 (fbf4db6d53585437e41a113300002a2b) C:\Windows\system32\Drivers\PxHlpa64.sys
2011/03/19 17:25:58.0354 3780 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\DRIVERS\ql2300.sys
2011/03/19 17:25:58.0401 3780 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\DRIVERS\ql40xx.sys
2011/03/19 17:25:58.0479 3780 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
2011/03/19 17:25:58.0494 3780 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
2011/03/19 17:25:58.0525 3780 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
2011/03/19 17:25:58.0557 3780 Rasl2tp (87a6e852a22991580d6d39adc4790463) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/03/19 17:25:58.0572 3780 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/03/19 17:25:58.0588 3780 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
2011/03/19 17:25:58.0603 3780 rdbss (3bac8142102c15d59a87757c1d41dce5) C:\Windows\system32\DRIVERS\rdbss.sys
2011/03/19 17:25:58.0635 3780 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\DRIVERS\rdpbus.sys
2011/03/19 17:25:58.0697 3780 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/03/19 17:25:58.0728 3780 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
2011/03/19 17:25:58.0744 3780 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
2011/03/19 17:25:58.0775 3780 RDPWD (8a3e6bea1c53ea6177fe2b6eba2c80d7) C:\Windows\system32\drivers\RDPWD.sys
2011/03/19 17:25:58.0806 3780 rdyboost (634b9a2181d98f15941236886164ec8b) C:\Windows\system32\drivers\rdyboost.sys
2011/03/19 17:25:58.0869 3780 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
2011/03/19 17:25:58.0947 3780 sbp2port (e3bbb89983daf5622c1d50cf49f28227) C:\Windows\system32\DRIVERS\sbp2port.sys
2011/03/19 17:25:59.0009 3780 SBRE (7e07d2a5b910c71d6474e9aa0eaa1825) C:\Windows\system32\drivers\SBREdrv.sys
2011/03/19 17:25:59.0056 3780 scfilter (c94da20c7e3ba1dca269bc8460d98387) C:\Windows\system32\DRIVERS\scfilter.sys
2011/03/19 17:25:59.0118 3780 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
2011/03/19 17:25:59.0212 3780 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\DRIVERS\serenum.sys
2011/03/19 17:25:59.0243 3780 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\DRIVERS\serial.sys
2011/03/19 17:25:59.0259 3780 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\DRIVERS\sermouse.sys
2011/03/19 17:25:59.0305 3780 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/03/19 17:25:59.0321 3780 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\DRIVERS\sffp_mmc.sys
2011/03/19 17:25:59.0337 3780 sffp_sd (5588b8c6193eb1522490c122eb94dffa) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/03/19 17:25:59.0352 3780 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\DRIVERS\sfloppy.sys
2011/03/19 17:25:59.0415 3780 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\DRIVERS\SiSRaid2.sys
2011/03/19 17:25:59.0430 3780 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\DRIVERS\sisraid4.sys
2011/03/19 17:25:59.0477 3780 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
2011/03/19 17:25:59.0508 3780 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
2011/03/19 17:25:59.0586 3780 SRTSP (96babc4906ecdb1c69d1176f8647ad8e) C:\Windows\System32\Drivers\N360x64\0403000.005\SRTSP64.SYS
2011/03/19 17:25:59.0664 3780 SRTSPX (c7f491a290e0e4222f5cdcd50eeb8167) C:\Windows\system32\drivers\N360x64\0403000.005\SRTSPX64.SYS
2011/03/19 17:25:59.0711 3780 srv (de6f5658da951c4bc8e498570b5b0d5f) C:\Windows\system32\DRIVERS\srv.sys
2011/03/19 17:25:59.0742 3780 srv2 (4d33d59c0b930c523d29f9bd40cda9d2) C:\Windows\system32\DRIVERS\srv2.sys
2011/03/19 17:25:59.0773 3780 srvnet (5a663fd67049267bc5c3f3279e631ffb) C:\Windows\system32\DRIVERS\srvnet.sys
2011/03/19 17:25:59.0820 3780 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\DRIVERS\stexstor.sys
2011/03/19 17:25:59.0883 3780 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
2011/03/19 17:25:59.0961 3780 SymDS (659b227a72b76115975a6a9491b2fe1f) C:\Windows\system32\drivers\N360x64\0403000.005\SYMDS64.SYS
2011/03/19 17:26:00.0007 3780 SymEFA (42c952d131eff724a9959bb6d78c1b63) C:\Windows\system32\drivers\N360x64\0403000.005\SYMEFA64.SYS
2011/03/19 17:26:00.0054 3780 SymEvent (3f9d5fe52585e2653e59fdbfdf09a94c) C:\Windows\system32\Drivers\SYMEVENT64x86.SYS
2011/03/19 17:26:00.0132 3780 SymIRON (f57588546e738db1583981d8f44e9bc2) C:\Windows\system32\drivers\N360x64\0403000.005\Ironx64.SYS
2011/03/19 17:26:00.0163 3780 SYMTDIv (8abb6e5b7d75cd3f0a988695d0d9186a) C:\Windows\System32\Drivers\N360x64\0403000.005\SYMTDIV.SYS
2011/03/19 17:26:00.0241 3780 Tcpip (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\drivers\tcpip.sys
2011/03/19 17:26:00.0304 3780 TCPIP6 (90a2d722cf64d911879d6c4a4f802a4d) C:\Windows\system32\DRIVERS\tcpip.sys
2011/03/19 17:26:00.0335 3780 tcpipreg (76d078af6f587b162d50210f761eb9ed) C:\Windows\system32\drivers\tcpipreg.sys
2011/03/19 17:26:00.0413 3780 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
2011/03/19 17:26:02.0363 3780 ================================================================================
2011/03/19 17:26:02.0363 3780 Scan finished
2011/03/19 17:26:02.0363 3780 ================================================================================
2011/03/19 17:26:22.0019 0988 Deinitialize success


****Combofix******
ComboFix 11-03-19.01 - Leland 03/19/2011 17:38:51.1.8 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8183.6693 [GMT -5:00]
Running from: c:\users\Leland\Desktop\ComboFix.exe
AV: Norton 360 *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton 360 *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\.wtav
c:\users\Leland\GoToAssistDownloadHelper.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-19 to 2011-03-19 )))))))))))))))))))))))))))))))
.
.
2011-03-19 22:43 . 2011-03-19 22:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-13 22:57 . 2011-03-13 22:57 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-03-13 22:56 . 2011-03-13 22:56 -------- d-----w- c:\program files (x86)\Java
2011-03-13 22:55 . 2011-03-13 22:55 -------- d-----w- c:\programdata\McAfee
2011-03-06 04:58 . 2011-03-06 04:58 -------- d-----w- c:\programdata\Recovery
2011-03-06 00:16 . 2011-03-06 01:22 -------- d-----w- c:\program files (x86)\Cisco Systems
2011-03-06 00:13 . 2011-03-06 00:13 -------- d-----w- c:\programdata\Cisco Systems
2011-03-05 19:09 . 2011-03-05 19:09 -------- d-----w- c:\users\Leland\AppData\Roaming\Malwarebytes
2011-03-05 19:09 . 2011-03-05 19:09 -------- d-----w- c:\programdata\Malwarebytes
2011-03-05 19:09 . 2010-12-21 00:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-03-05 19:09 . 2011-03-05 19:09 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-03-05 19:09 . 2010-12-21 00:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-02 04:15 . 2011-03-02 04:15 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-03-02 04:12 . 2011-03-02 04:12 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-03-02 04:08 . 2011-03-12 23:20 19528 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-02 04:06 . 2011-03-02 04:15 -------- d-----w- c:\programdata\Hitman Pro
2011-03-02 03:38 . 2011-03-02 03:38 -------- d-----w- c:\programdata\{23D58E70-3B83-4B83-A227-68770F84F5EC}
2011-03-02 03:38 . 2011-03-02 03:42 -------- d-----w- c:\users\Leland\AppData\Roaming\hpqLog
2011-03-02 03:37 . 2011-03-02 03:37 -------- d---a-w- C:\swsetup
2011-03-02 03:37 . 2011-03-02 03:38 -------- d-----w- C:\SYSTEM.SAV
2011-03-02 03:37 . 2011-03-02 03:37 -------- d-----w- c:\users\Leland\AppData\Roaming\WinBatch
2011-02-25 04:05 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-02-25 04:05 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-02-25 01:55 . 2011-01-07 08:07 662528 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-25 01:55 . 2011-01-07 07:31 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-02-25 01:55 . 2011-01-07 08:07 475648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-25 01:55 . 2011-01-07 07:31 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-13 22:56 . 2010-06-04 22:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-03-10 03:01 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-06 20:18 . 2011-02-06 20:18 173104 ----a-w- c:\windows\system32\drivers\SYMEVENT64x86.SYS
2011-01-26 06:53 . 2011-02-12 03:07 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-26 06:53 . 2011-02-12 03:07 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-01-26 06:31 . 2011-02-12 03:07 144384 ----a-w- c:\windows\system32\cdd.dll
2011-01-07 08:06 . 2011-02-12 03:07 46080 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 07:27 . 2011-02-12 03:07 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-01-07 05:49 . 2011-02-12 03:07 366080 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 05:33 . 2011-02-12 03:07 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-01-05 06:20 . 2011-02-12 03:07 612352 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 05:37 . 2011-02-12 03:07 428032 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-01-05 04:00 . 2011-02-12 03:07 3127808 ----a-w- c:\windows\system32\win32k.sys
2010-12-21 06:16 . 2011-02-12 03:07 97280 ----a-w- c:\windows\system32\wscsvc.dll
2010-12-21 06:16 . 2011-02-12 03:07 62976 ----a-w- c:\windows\system32\wscapi.dll
2010-12-21 06:16 . 2011-02-12 03:07 214016 ----a-w- c:\windows\system32\winsrv.dll
2010-12-21 06:16 . 2011-02-12 03:07 1197056 ----a-w- c:\windows\system32\wininet.dll
2010-12-21 06:16 . 2011-02-12 03:07 442880 ----a-w- c:\windows\system32\winhttp.dll
2010-12-21 06:16 . 2011-02-12 03:07 258048 ----a-w- c:\windows\system32\WebClnt.dll
2010-12-21 06:15 . 2011-02-12 03:07 264192 ----a-w- c:\windows\system32\upnp.dll
2010-12-21 06:15 . 2011-02-12 03:07 15360 ----a-w- c:\windows\system32\slwga.dll
2010-12-21 06:13 . 2011-02-12 03:07 2003968 ----a-w- c:\windows\system32\msxml6.dll
2010-12-21 06:13 . 2011-02-12 03:07 1880576 ----a-w- c:\windows\system32\msxml3.dll
2010-12-21 06:10 . 2011-02-12 03:07 100864 ----a-w- c:\windows\system32\davclnt.dll
2010-12-21 05:38 . 2011-02-12 03:07 51200 ----a-w- c:\windows\SysWow64\wscapi.dll
2010-12-21 05:38 . 2011-02-12 03:07 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2010-12-21 05:38 . 2011-02-12 03:07 350720 ----a-w- c:\windows\SysWow64\winhttp.dll
2010-12-21 05:38 . 2011-02-12 03:07 204800 ----a-w- c:\windows\SysWow64\WebClnt.dll
2010-12-21 05:38 . 2011-02-12 03:07 204288 ----a-w- c:\windows\SysWow64\upnp.dll
2010-12-21 05:38 . 2011-02-12 03:07 14336 ----a-w- c:\windows\SysWow64\slwga.dll
2010-12-21 05:36 . 2011-02-12 03:07 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
2010-12-21 05:36 . 2011-02-12 03:07 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2010-12-21 05:34 . 2011-02-12 03:07 80384 ----a-w- c:\windows\SysWow64\davclnt.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2010-09-23 4240760]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 98304]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Corel File Shell Monitor"="c:\program files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-31 16200]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-09-17 23536]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0403000.005\SYMDS64.SYS [x]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360x64\0403000.005\SYMEFA64.SYS [x]
S1 BHDrvx64;BHDrvx64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110309.001\BHDrvx64.sys [2011-02-25 1124472]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360x64\0403000.005\ccHPx64.sys [x]
S1 IDSVia64;IDSVia64;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110317.002\IDSvia64.sys [2011-02-01 476792]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360x64\0403000.005\Ironx64.SYS [x]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360x64\0403000.005\SYMTDIV.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/03/19 09:29];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-18 00:41 146928]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-09 169312]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-10-14 92216]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\4.3.0.5\ccSvcHst.exe [2010-02-26 126392]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-02-06 132656]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-05 c:\windows\Tasks\HPCeeScheduleForLeland.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
.
2010-05-31 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-14 610360]
"PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
axsnmsvc

.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
LSP: mswsock.dll
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-HP Remote Solution - %ProgramFiles%\Hewlett-Packard\HP Remote Solution\HP_Remote_Solution.exe
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
AddRemove-_{707EB912-C597-49D8-9460-46CC9AB03EBE} - c:\program files (x86)\Corel\Corel Painter Photo Essentials 4\MSILauncher {707EB912-C597-49D8-9460-46CC9AB03EBE}
AddRemove-{08DB3902-2CE0-474D-BCE3-0177766CE9F1} - c:\program files (x86)\InstallShield Installation Information\{08DB3902-2CE0-474D-BCE3-0177766CE9F1}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files (x86)\Norton 360\Engine\4.3.0.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files (x86)\Norton 360\Engine\4.3.0.5\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1250537013-1872473647-3399992886-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1250537013-1872473647-3399992886-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2011-03-19 17:44:42
ComboFix-quarantined-files.txt 2011-03-19 22:44
.
Pre-Run: 915,243,196,416 bytes free
Post-Run: 915,198,033,920 bytes free
.
- - End Of File - - 781457505B96002E66BDCA0FA3C2FB00

#6 Leylan
  • Topic Starter
  • Members

Posted 19 March 2011 - 07:58 PM

UPDATE: I had attempted to trigger the redirect behavior by reboots prior to posting the logs. Other than the anomaly listed in that post, it didn't redirect at that time. After posting the logs for you, I warm rebooted, and about the 4th hyperlink on the search page, instead of taking me to Orbitz, took me to www.metafares.com. Hitting back on the browser one time then took me to another search engine with results. I was able to navigate back to the original Google search, and clicking on the Orbitz link took me to Orbitz. So the redirecting would appear to still be there but so far does not seem as bad as previously. Will continue testing.

Edit: Continued testing this same session. The Priceline.com link redirected to PLOmedia, which then immediately redirected to a media6 findstuff.com search engine. Attempting to hit the back button produced a number of redirects to other places until "spammed", and eventually I was able to return to the original Google search, where reclicking the link to Priceline took me there instead of being redirected. I don't know how much this helps or confuses, but thought I should post what I'm seeing.

Edit TWO: This might be important. There is something I finally noticed during this session of redirecting. He uses Norton 360. On a Google search window you have results. At the end of each hyperlink is a magnifying glass. What I am seeing, though, is that after one link gets clicked anywhere on the page, a redirect occurs. When I spam the back button and am returned to the page the link was clicked from, I then see Norton's green check mark at the end, followed by the magnifying glass. The Norton green check mark is supposed to represent that the site is safe. Once those show up, ANY link clicked on that page of results appears to direct properly. If you hit next page for the search, the green check marks from Norton are not at the end, just the magnifying glass. It seems that clicking any link at that point, before Norton's site-safe check mark is present, makes the browser redirect randomly; hitting back once causes yet another redirect unless spammed (it still tries to redirect, but spamming will get you back to the Google search), at which point all the links on the page will have the Norton site-safe check mark and clicking any of them appears to redirect properly. I'm wondering, in lieu of you discovering or seeing a more malicious cause, if this is somehow connected to the AV? Or is it something that the AV is blocking once it "checks" that page's search results?

Edited by Leylan, 19 March 2011 - 08:21 PM.


#7 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 20 March 2011 - 02:23 AM

Hello,

Is your dad's computer connected to the internet using a router?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 Leylan
  • Topic Starter
  • Members

Posted 20 March 2011 - 02:32 AM

Hi Fireman4it.

Yes it is. I also reset the router as you requested. As stated in the first post on this thread, I had removed the router from the equation as part of my own troubleshooting before I posted here and was still being redirected. Also, the router is brand new. I changed the default password. All settings within the router appear correct, i.e. obtain DNS automatically, and no DNS entries inside that should not be there. His ISP does wind up filling those in when communicating with the router, and the two that are there point to them as they should. Verified this with the ISP as well. Still, it is set to obtain IP automatically.

#9 Leylan
  • Topic Starter
  • Members

Posted 20 March 2011 - 02:33 AM

I'm back at my house now. Waited a few hours but didn't really expect to hear from you tonight. Still up and watching TV when I saw that you responded. Will be up for a while yet, but I'm not at Dad's.

#10 fireman4it
    Bleepin' Fireman
  • Malware Response Team
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 20 March 2011 - 01:37 PM

Hello,

We have only started; we will eventually figure this out. Once we have run all the steps below, can you please unhook the router from the system and run with a direct connection to the machine? We want to eliminate the router being the problem. So try it with the router and without.


1.
Your Norton installation seems to be corrupted. We need to uninstall it. You can reinstall it when we are finished, or I can give you a couple of good free antivirus options.

Uninstall Norton


  • Download the Norton Removal Tool to your desktop.
  • On the Windows desktop, double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
    Note: Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
Norton should now be removed from your PC.


For illustrated instructions please refer to here:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyOverride = *.local

Driver::
vwifimp
e1yexpress
amdkmdag
amdkmdap
AMD External Events Utility
vwififlt
SYMTDIv
SymIRON
SBRE
ccHP
SymEFA
SymDS
PxHlpa64

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"=-
"EnableUIADesktopToggle"=-

Reglockdel::
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Posted Image
Click the "Scan" button to start scan


Posted Image
On completion of the scan click save log, save it to your desktop and post in your next reply

3.
Please download Malwarebytes' Anti-Malware (v1.50) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.

4.
Go to start> run> type in cmd then press enter. Next at the blinking cursor type in ipconfig /flushdns (note the space after ipconfig) then press enter and exit.


Things to include in your next reply:
Combofix.txt
AswMBR.exe
MBAM log
How is the machine running now?

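As an added example (not from this thread, and not ComboFix's or the helper's own code): a small Python triage script for the service/driver lines in the "Reg Loading Points" section of a ComboFix log like the one posted above. It flags every entry ComboFix marked [x] (image file not found on disk) and separates missing .sys files that live directly in system32\drivers, which are usually hardware or Windows inbox drivers, from other missing images; that separation is my own heuristic, and the sample lines are copied from the log earlier in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample: service/driver lines copied from the 'Reg Loading Points'
# section of the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360x64\0403000.005\SYMDS64.SYS [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/03/19 09:29];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-18 00:41 146928]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 N360;Norton 360;c:\program files (x86)\Norton 360\Engine\4.3.0.5\ccSvcHst.exe [2010-02-26 126392]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atipmdag.sys [x]
S3 e1yexpress;Intel Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y62x64.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-02-06 132656]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [x]
"""

# One ComboFix service line: <start> <name>;<display>;<path> [<date> <size>]
# ComboFix prints '[x]' in place of the date/size when the image file is not
# found on disk. The display name may itself contain brackets, so the path is
# matched lazily up to the final bracketed field.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"      # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);"
    r"(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+"
    r"\[(?P<stamp>[^\]]*)\]$"
)

# Heuristic (my assumption, not a ComboFix rule): a .sys directly under
# system32\drivers is usually a hardware or Windows inbox driver rather than
# a leftover of an uninstalled security product. In this thread the ATI,
# Intel NIC and virtual WiFi entries fall in this bucket.
INBOX_DRIVER_RE = re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)


@dataclass(frozen=True)
class ServiceEntry:
    start: str            # e.g. 'S0' (boot-start, not running) or 'R2' (auto-start, running)
    name: str             # registry service name, the value a CFScript Driver:: line uses
    display: str
    path: str
    image_missing: bool   # True when ComboFix printed '[x]'


def parse_services(log_text: str) -> list:
    """Return every service/driver line of the log as a ServiceEntry."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m is None:
            continue          # headings, '.' separators, registry lines, etc.
        entries.append(ServiceEntry(
            start=m["start"], name=m["name"], display=m["display"],
            path=m["path"], image_missing=(m["stamp"].strip() == "x")))
    return entries


def needs_hardware_check(entry: ServiceEntry) -> bool:
    """Missing image that looks like a hardware/inbox driver: confirm the device
    still works before touching its service key (compare the Code 19 errors
    reported later in this thread)."""
    return entry.image_missing and INBOX_DRIVER_RE.search(entry.path) is not None


def triage_report(log_text: str) -> dict:
    """Group service names for review: hardware-looking missing images first,
    other missing images (typically uninstalled-product leftovers) second,
    entries whose image file was found last."""
    report = {"verify_hardware": [], "review_missing": [], "image_present": []}
    for e in parse_services(log_text):
        if needs_hardware_check(e):
            report["verify_hardware"].append(e.name)
        elif e.image_missing:
            report["review_missing"].append(e.name)
        else:
            report["image_present"].append(e.name)
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    for bucket, names in triage_report(SAMPLE_LOG).items():
        print(f"{bucket}:")
        for n in names:
            print(f"  {n}")
```

Run it against the full "Reg Loading Points" section of a ComboFix.txt to get the three buckets; the [x] set it finds in the sample is the same set of names the Driver:: section of the CFScript above lists, minus WatAdminSvc.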


#11 Leylan
  • Topic Starter
  • Members

Posted 20 March 2011 - 06:35 PM

Comments: Step one, uninstall Norton. Followed Norton's steps per your link. Downloaded BUDump.exe and ran it. Then ran the Norton Removal Tool. Machine rebooted once.

Step 2. Run CFScript. Copied your script to Notepad. Saved as CFScript. Dragged and dropped it onto ComboFix. ComboFix launched and immediately detected a newer version and prompted to update. I allowed it to update. The program continued to run after updating. I do NOT know if this could have interfered with your script. I had thought ComboFix would update to the newer version and I'd have to re-drag and drop your script. Instead it updated to the newer version and continued running. I only dragged and dropped your script one time in the beginning.
At this point things went a little unexpectedly. ComboFix rebooted the machine. When the machine came up, the previous resolution had been dropped to 800x600. Also the computer did not have its hardwired connection available and was disconnected from the internet. It did show the wireless was available, but no hardwired connection was present as it was prior to the ComboFix reboot. I already had all the programs required for all steps downloaded, so I proceeded with aswMBR.exe.

At this point I was forced to correct the resolution setting that ComboFix changed, from 800x600 to 1600x1200, as the aswMBR window would not allow resizing and I was unable to see the scan/fixmbr/fix/savelog buttons. So I changed the resolution only at this point. aswMBR ran. I saved the log and then clicked exit.

Step 3. I had freshly downloaded Malwarebytes. But, as per the instructions, an internet connection is required. Again, after ComboFix rebooted the machine the hardwired connection no longer existed. The wireless was available but not connected. Instead of trying to figure out what happened to the wired connection, and to minimize any changes on my own, I connected via the wireless connection and ran Malwarebytes, which found no infected items.

Step 4. I flushed the DNS per your instructions.
The rest of your instructions seem to indicate to test with and without the router in place. With the loss of the wired connection, I am not positive how you would like me to proceed. Go ahead and remove the router, re-establishing the lost hardwired connection directly, or attempt to re-establish the hardwired connection with the router in place, test, then remove the router and test? Please advise. If I don't see you soon on the forum I will make a choice and update with additional replies. I want to go ahead and get the logs up for you though.
Thank you once again for your time and assistance. It is appreciated.



***ComboFix Log***
ComboFix 11-03-19.04 - Leland 03/20/2011 17:30:07.2.8 - x64
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8183.6723 [GMT -5:00]
Running from: c:\users\Leland\Desktop\ComboFix.exe
Command switches used :: c:\users\Leland\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMDKMDAG
-------\Legacy_CCHP
-------\Legacy_SBRE
-------\Legacy_SYMDS
-------\Legacy_SYMEFA
-------\Legacy_SYMIRON
-------\Legacy_SYMTDIV
-------\Legacy_VWIFIFLT
-------\Service_AMD External Events Utility
-------\Service_amdkmdag
-------\Service_amdkmdap
-------\Service_e1yexpress
-------\Service_PxHlpa64
-------\Service_SBRE
-------\Service_vwififlt
-------\Service_vwifimp
.
.
((((((((((((((((((((((((( Files Created from 2011-02-20 to 2011-03-20 )))))))))))))))))))))))))))))))
.
.
2011-03-20 22:33 . 2011-03-20 22:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-20 22:22 . 2011-02-23 15:34 7947600 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{20FDDAA8-F399-483A-8DFD-1BA7ADE2D1E4}\mpengine.dll
2011-03-13 22:57 . 2011-03-13 22:57 -------- d-----w- c:\program files (x86)\Common Files\Java
2011-03-13 22:56 . 2011-03-13 22:56 -------- d-----w- c:\program files (x86)\Java
2011-03-13 22:55 . 2011-03-13 22:55 -------- d-----w- c:\programdata\McAfee
2011-03-06 04:58 . 2011-03-06 04:58 -------- d-----w- c:\programdata\Recovery
2011-03-06 00:16 . 2011-03-06 01:22 -------- d-----w- c:\program files (x86)\Cisco Systems
2011-03-06 00:13 . 2011-03-06 00:13 -------- d-----w- c:\programdata\Cisco Systems
2011-03-05 19:09 . 2011-03-05 19:09 -------- d-----w- c:\users\Leland\AppData\Roaming\Malwarebytes
2011-03-05 19:09 . 2011-03-05 19:09 -------- d-----w- c:\programdata\Malwarebytes
2011-03-05 19:09 . 2010-12-21 00:09 38224 ----a-w- c:\windows\SysWow64\drivers\mbamswissarmy.sys
2011-03-05 19:09 . 2011-03-05 19:09 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2011-03-05 19:09 . 2010-12-21 00:08 24152 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-02 04:15 . 2011-03-02 04:15 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-03-02 04:12 . 2011-03-02 04:12 -------- d-----w- c:\program files\Hitman Pro 3.5
2011-03-02 04:08 . 2011-03-12 23:20 19528 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-03-02 04:06 . 2011-03-02 04:15 -------- d-----w- c:\programdata\Hitman Pro
2011-03-02 03:38 . 2011-03-02 03:38 -------- d-----w- c:\programdata\{23D58E70-3B83-4B83-A227-68770F84F5EC}
2011-03-02 03:38 . 2011-03-02 03:42 -------- d-----w- c:\users\Leland\AppData\Roaming\hpqLog
2011-03-02 03:37 . 2011-03-02 03:37 -------- d---a-w- C:\swsetup
2011-03-02 03:37 . 2011-03-02 03:38 -------- d-----w- C:\SYSTEM.SAV
2011-03-02 03:37 . 2011-03-02 03:37 -------- d-----w- c:\users\Leland\AppData\Roaming\WinBatch
2011-02-25 04:05 . 2010-09-14 06:45 367104 ----a-w- c:\windows\system32\wcncsvc.dll
2011-02-25 04:05 . 2010-09-14 06:07 276992 ----a-w- c:\windows\SysWow64\wcncsvc.dll
2011-02-25 01:55 . 2011-01-07 08:07 662528 ----a-w- c:\windows\system32\XpsPrint.dll
2011-02-25 01:55 . 2011-01-07 07:31 442880 ----a-w- c:\windows\SysWow64\XpsPrint.dll
2011-02-25 01:55 . 2011-01-07 08:07 475648 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-25 01:55 . 2011-01-07 07:31 288256 ----a-w- c:\windows\SysWow64\XpsGdiConverter.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-13 22:56 . 2010-06-04 22:38 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2011-03-10 03:01 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-02-02 23:11 . 2010-05-31 22:11 270720 ------w- c:\windows\system32\MpSigStub.exe
2011-01-26 06:53 . 2011-02-12 03:07 982912 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-26 06:53 . 2011-02-12 03:07 265088 ----a-w- c:\windows\system32\drivers\dxgmms1.sys
2011-01-26 06:31 . 2011-02-12 03:07 144384 ----a-w- c:\windows\system32\cdd.dll
2011-01-07 08:06 . 2011-02-12 03:07 46080 ----a-w- c:\windows\system32\atmlib.dll
2011-01-07 07:27 . 2011-02-12 03:07 34304 ----a-w- c:\windows\SysWow64\atmlib.dll
2011-01-07 05:49 . 2011-02-12 03:07 366080 ----a-w- c:\windows\system32\atmfd.dll
2011-01-07 05:33 . 2011-02-12 03:07 294400 ----a-w- c:\windows\SysWow64\atmfd.dll
2011-01-05 06:20 . 2011-02-12 03:07 612352 ----a-w- c:\windows\system32\vbscript.dll
2011-01-05 05:37 . 2011-02-12 03:07 428032 ----a-w- c:\windows\SysWow64\vbscript.dll
2011-01-05 04:00 . 2011-02-12 03:07 3127808 ----a-w- c:\windows\system32\win32k.sys
2010-12-21 06:16 . 2011-02-12 03:07 97280 ----a-w- c:\windows\system32\wscsvc.dll
2010-12-21 06:16 . 2011-02-12 03:07 62976 ----a-w- c:\windows\system32\wscapi.dll
2010-12-21 06:16 . 2011-02-12 03:07 214016 ----a-w- c:\windows\system32\winsrv.dll
2010-12-21 06:16 . 2011-02-12 03:07 1197056 ----a-w- c:\windows\system32\wininet.dll
2010-12-21 06:16 . 2011-02-12 03:07 442880 ----a-w- c:\windows\system32\winhttp.dll
2010-12-21 06:16 . 2011-02-12 03:07 258048 ----a-w- c:\windows\system32\WebClnt.dll
2010-12-21 06:15 . 2011-02-12 03:07 264192 ----a-w- c:\windows\system32\upnp.dll
2010-12-21 06:15 . 2011-02-12 03:07 15360 ----a-w- c:\windows\system32\slwga.dll
2010-12-21 06:13 . 2011-02-12 03:07 2003968 ----a-w- c:\windows\system32\msxml6.dll
2010-12-21 06:13 . 2011-02-12 03:07 1880576 ----a-w- c:\windows\system32\msxml3.dll
2010-12-21 06:10 . 2011-02-12 03:07 100864 ----a-w- c:\windows\system32\davclnt.dll
2010-12-21 05:38 . 2011-02-12 03:07 51200 ----a-w- c:\windows\SysWow64\wscapi.dll
2010-12-21 05:38 . 2011-02-12 03:07 981504 ----a-w- c:\windows\SysWow64\wininet.dll
2010-12-21 05:38 . 2011-02-12 03:07 350720 ----a-w- c:\windows\SysWow64\winhttp.dll
2010-12-21 05:38 . 2011-02-12 03:07 204800 ----a-w- c:\windows\SysWow64\WebClnt.dll
2010-12-21 05:38 . 2011-02-12 03:07 204288 ----a-w- c:\windows\SysWow64\upnp.dll
2010-12-21 05:38 . 2011-02-12 03:07 14336 ----a-w- c:\windows\SysWow64\slwga.dll
2010-12-21 05:36 . 2011-02-12 03:07 1389568 ----a-w- c:\windows\SysWow64\msxml6.dll
2010-12-21 05:36 . 2011-02-12 03:07 1236992 ----a-w- c:\windows\SysWow64\msxml3.dll
2010-12-21 05:34 . 2011-02-12 03:07 80384 ----a-w- c:\windows\SysWow64\davclnt.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-19_22.43.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-14 04:54 . 2011-03-19 23:57 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-03-19 21:25 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2011-03-19 21:25 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2011-03-19 23:57 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-03-19 21:25 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-03-19 23:57 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-19 16:18 . 2011-03-20 22:19 49820 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-07-14 05:10 . 2011-03-19 22:23 33224 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2011-03-20 22:19 33224 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-05-31 21:58 . 2011-03-20 22:19 16150 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1250537013-1872473647-3399992886-1000_UserData.bin
- 2010-05-31 21:51 . 2011-03-19 22:22 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-31 21:51 . 2011-03-20 22:37 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-31 21:51 . 2011-03-19 22:22 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-31 21:51 . 2011-03-20 22:37 49152 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2011-03-19 22:22 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2011-03-20 22:37 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-31 22:12 . 2011-03-20 22:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-31 22:12 . 2011-03-19 22:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-05-31 22:12 . 2011-03-20 22:17 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-05-31 22:12 . 2011-03-19 22:22 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-05-31 22:12 . 2011-03-20 22:17 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2010-05-31 22:12 . 2011-03-19 22:22 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-31 22:00 . 2011-03-20 22:17 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-31 22:00 . 2011-03-19 22:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-05-31 22:00 . 2011-03-19 22:22 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-31 22:00 . 2011-03-20 22:17 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-07-04 21:56 . 2011-03-20 05:01 4440 c:\windows\SysWOW64\KGyGaAvL.sys
- 2011-03-19 22:21 . 2011-03-19 22:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-03-20 22:36 . 2011-03-20 22:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-03-19 22:21 . 2011-03-19 22:21 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-03-20 22:36 . 2011-03-20 22:36 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 02:36 . 2011-03-19 22:25 623940 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2011-03-20 22:21 623940 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2011-03-19 22:25 106316 c:\windows\system32\perfc009.dat
+ 2009-07-14 02:36 . 2011-03-20 22:21 106316 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2011-03-19 22:20 372912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2011-03-20 22:33 372912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2010-05-31 22:21 . 2011-03-19 22:20 1003502 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1250537013-1872473647-3399992886-1000-8192.dat
+ 2010-05-31 22:21 . 2011-03-20 22:33 1003502 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-1250537013-1872473647-3399992886-1000-8192.dat
- 2009-07-14 02:34 . 2011-03-19 21:57 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
+ 2009-07-14 02:34 . 2011-03-20 22:32 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe" [2008-11-20 62768]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 98304]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"Corel File Shell Monitor"="c:\program files (x86)\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2007-10-31 16200]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2009-6-3 430080]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 PCDSRVC{F36B3A4C-F95654BD-06000000}_0;PCDSRVC{F36B3A4C-F95654BD-06000000}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms [2009-09-17 23536]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2010/03/19 09:29];c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl [2009-09-18 00:41 146928]
S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files (x86)\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-09 169312]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-10-14 92216]
.
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-05 c:\windows\Tasks\HPCeeScheduleForLeland.job
- c:\program files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-07 11:22]
.
2010-05-31 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdrcui.exe [2009-09-18 07:11]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF20363.cfxxe" [X]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-05 186904]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2009-09-14 610360]
"PC-Doctor for Windows localizer"="c:\program files\PC-Doctor for Windows\localizer.exe" [2009-09-17 95728]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
axsnmsvc

.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{F36B3A4C-F95654BD-06000000}_0]
"ImagePath"="\??\c:\program files\pc-doctor for windows\pcdsrvc_x64.pkms"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files (x86)\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1250537013-1872473647-3399992886-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1250537013-1872473647-3399992886-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10n.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\windows\SysWOW64\PSIService.exe
c:\program files (x86)\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
.
**************************************************************************
.
Completion time: 2011-03-20 17:39:45 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-20 22:39
ComboFix2.txt 2011-03-19 22:44
.
Pre-Run: 915,239,047,168 bytes free
Post-Run: 914,474,496,000 bytes free
.
- - End Of File - - 208B111E8755A188FC49C4194AE21A15

****AswMBR log***
aswMBR version 0.9.4 Copyright© 2011 AVAST Software
Run date: 2011-03-20 17:45:26
-----------------------------
17:45:26.407 OS Version: Windows x64 6.1.7600
17:45:26.407 Number of processors: 8 586 0x1A05
17:45:26.407 ComputerName: LELAND-PC UserName: Leland
17:45:28.326 Initialize success
17:48:59.301 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
17:48:59.301 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 8
17:48:59.316 Disk 0 MBR read successfully
17:48:59.316 Disk 0 MBR scan
17:48:59.316 Service scanning
17:49:00.096 Disk 0 trace - called modules:
17:49:00.112 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
17:49:00.112 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8007b5d060]
17:49:00.112 3 CLASSPNP.SYS[fffff8800120143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa800785e050]
17:49:00.174 Scan finished successfully

***MBAM LOG****
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6113

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

3/20/2011 5:58:23 PM
mbam-log-2011-03-20 (17-58-23).txt

Scan type: Quick scan
Objects scanned: 168284
Time elapsed: 1 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by Leylan, 20 March 2011 - 07:27 PM.


#12 Leylan
  • Topic Starter
  • Members
  • 37 posts

Posted 20 March 2011 - 07:17 PM

Major Problems.

After posting, rebooted the machine and noticed the fan running louder. Attempted to launch ATI Catalyst. It said no driver installed or not functioning.
Shut down computer, router and modem. Disconnected PC from router and hardwired it to the modem, waited 30 seconds and powered up modem and PC. On cold boot powerup received an error message about the ATI graphics driver. Computer did not detect wired connection OR wireless. Went to Control Panel/System/Device Manager.

Device Manager has yellow exclamations beside Display adapters: ATI Radeon HD 5770. "Windows cannot start this hardware device because its configuration information (in the registry) is incomplete or damaged. (Code 19)" The same error appears for the DVD/CD-ROM drive hp BDDVDRW CH20L; Network Adapters: Intel® 82567V-2 Gigabit Network Connection; Portable Devices F, G, H and I.

Shut down computer and modem, put the router back into the loop and powered up all to be able to access the wireless connection to post this.

#13 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 20 March 2011 - 09:01 PM

Hello,

Please do the following:

Restoring Erunt through Recovery Console

1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

cd erdnt\subs


6. At the next prompt, type the following bolded text, and press Enter:

batch erdnt.con

7. The erunt backups will begin copying.
8. At the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading.

How is the machine running now?

Edited by fireman4it, 20 March 2011 - 10:34 PM.

" Extinguishing Malware from the world"



#14 Leylan
  • Topic Starter
  • Members
  • 37 posts

Posted 20 March 2011 - 09:11 PM

Hello. Was the "Restoring Erunt through Recovery Console" supposed to be a hyperlink? I can't click on it.

#15 Leylan
  • Topic Starter
  • Members
  • 37 posts

Posted 20 March 2011 - 09:33 PM

Searching on Erunt, it appears to be a utility that I do not know is installed, or am unsure how to access.
