
win32/bamital.p virus


This topic is locked
10 replies to this topic

#1 4on4off


Posted 07 January 2012 - 09:17 PM

Hello,

I am running a 2005 Media Center Edition with win xp. I had the xp internet security 2012 virus. I was able to remove it and the associated rootkit with TDSSKiller and Malwarebytes.

After performing the clean up and subsequent scans coming up clean, Microsoft Security Essentials detected several instances of an apparent self-replicating virus called win32/bamital.p, of which it was able to remove a few but not all. After running a full scan with MSE it found 7 of them but was only able to remove 4, and the remaining 3 were listed as allowed.

That brought me to this site where I originally posted here: http://www.bleepingcomputer.com/forums/topic436823.html/page__gopid__2542464#entry2542464

After posting logs of before and after scans with TDS and MWB I followed the guide that I was linked to which brought me here to further post for assistance.

I first downloaded DeFogger and disabled certain CD emulation programs. No problems running this.

I then downloaded DDS with no problems and saved the DDS.txt and Attach.txt files to my desktop.


Here is the DDS.txt result:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Joy at 14:21:28 on 2012-01-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1354 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Joy\Application Data\U3\0876920772D160CB\LaunchPad.exe
C:\Program Files\Java\jre6\bin\javaws.exe
C:\Program Files\Java\jre6\bin\javaw.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://portal.tds.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
Trusted Zone: intuit.com\ttlc
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1292171031140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{17BFB076-358D-4B15-BC71-F35177371881} : DhcpNameServer = 192.168.0.1 192.168.0.1
TCP: Interfaces\{B6F2FB76-6E59-44C8-A874-5791763A83B5} : NameServer = 216.165.129.157,216.170.153.146
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKslf0708c66;MpKslf0708c66;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1494de00-ba62-46d4-82a4-4c58f2617d19}\MpKslf0708c66.sys [2012-1-7 29904]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-5-27 632792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2005-8-16 39936]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-01-07 22:16:11 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1494de00-ba62-46d4-82a4-4c58f2617d19}\MpKslf0708c66.sys
2012-01-07 22:16:05 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1494de00-ba62-46d4-82a4-4c58f2617d19}\offreg.dll
2012-01-07 22:14:15 -------- d-----w- c:\documents and settings\joy\local settings\application data\PCHealth
2012-01-07 19:04:14 1058816 ----a-w- c:\windows\OLD15C.tmp
2012-01-07 19:04:08 1058816 ----a-w- c:\windows\OLD158.tmp
2012-01-07 19:04:02 1058816 ----a-w- c:\windows\OLD154.tmp
2012-01-07 19:03:57 1058816 ----a-w- c:\windows\OLD150.tmp
2012-01-07 18:41:31 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2012-01-07 18:41:16 6823496 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1494de00-ba62-46d4-82a4-4c58f2617d19}\mpengine.dll
2012-01-07 18:37:55 825 ----a-w- c:\documents and settings\all users\application data\hlnnaaa.tmp
2012-01-05 01:24:03 -------- d-----w- c:\documents and settings\joy\application data\ElevatedDiagnostics
2012-01-04 21:15:54 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-01-04 21:15:54 -------- d-----w- c:\program files\Belarc
2012-01-04 10:36:02 829 ----a-w- c:\documents and settings\all users\application data\qkknaaa.tmp
2012-01-04 10:35:57 823 ----a-w- c:\documents and settings\all users\application data\pkknaaa.tmp
2012-01-04 10:35:52 856 ----a-w- c:\documents and settings\all users\application data\okknaaa.tmp
2012-01-04 10:35:47 840 ----a-w- c:\documents and settings\all users\application data\nkknaaa.tmp
2012-01-04 10:35:42 802 ----a-w- c:\documents and settings\all users\application data\mkknaaa.tmp
2012-01-04 10:31:34 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-04 10:10:26 839 ----a-w- c:\documents and settings\all users\application data\qnwnaaa.tmp
2012-01-04 10:10:16 859 ----a-w- c:\documents and settings\all users\application data\onwnaaa.tmp
2012-01-04 10:09:36 800 ----a-w- c:\documents and settings\all users\application data\snwnaaa.tmp
2012-01-04 10:09:31 865 ----a-w- c:\documents and settings\all users\application data\rnwnaaa.tmp
2012-01-04 10:09:21 823 ----a-w- c:\documents and settings\all users\application data\pnwnaaa.tmp
2012-01-04 10:07:26 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2012-01-04 10:02:45 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2012-01-04 09:50:54 777 ----a-w- c:\documents and settings\all users\application data\tyonaaa.tmp
2012-01-04 09:50:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 09:49:59 846 ----a-w- c:\documents and settings\all users\application data\uyonaaa.tmp
2012-01-04 09:49:49 828 ----a-w- c:\documents and settings\all users\application data\syonaaa.tmp
2012-01-04 09:49:44 822 ----a-w- c:\documents and settings\all users\application data\ryonaaa.tmp
2012-01-04 09:49:40 823 ----a-w- c:\documents and settings\all users\application data\qyonaaa.tmp
2012-01-04 04:22:08 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-01-04 04:22:08 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
.
==================== Find3M ====================
.
2012-01-07 18:42:34 545280 ----a-w- c:\windows\system32\winlogon.exe
2012-01-07 18:42:34 39936 ----a-w- c:\windows\system32\svchost.exe
2012-01-07 18:42:34 1058816 ----a-w- c:\windows\explorer.exe
2012-01-04 10:12:12 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-12-10 23:24:06 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 22:29:56 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 13:54:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 11:27:10 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-15 01:38:00 456192 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 14:24:55.96 ===============

I have also attached the attach.txt file as instructed via the guide.

I then downloaded GMER with no problems and have attached the ark.txt file as instructed via the guide.

I looked this post over and I am pretty sure I haven't missed anything.

Thank you very much for your assistance and I will patiently await further instructions.
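As an added example (not code from this thread, from DDS or from BleepingComputer), the Python below parses the two DDS file-listing sections shown in the post above and flags the two patterns that stand out in that log: explorer.exe, winlogon.exe and svchost.exe all rewritten at 2012-01-07 18:42:34, and four OLD*.tmp files in c:\windows that are exactly explorer.exe's size (1058816 bytes). The names DDS_LINE, CORE_BINARIES, SAMPLE_LOG, parse_dds and find_infector_traces are this example's own, and the sample is excerpted from the posted log with two benign lines added for contrast.

```python
"""Flag file-infector traces in DDS 'Created Last 30' / 'Find3M' entries.

Added example; not code from the thread, from DDS or from BleepingComputer.
Two heuristics drawn from the posted log: several core system binaries
rewritten in the same second, and .tmp files under the Windows directory
whose size equals one of those binaries (explorer.exe is 1058816 bytes there).
"""
import re
from collections import defaultdict

# One DDS file entry, e.g.
#   2012-01-07 18:42:34 545280 ----a-w- c:\windows\system32\winlogon.exe
# Directories carry "--------" in the size column.
DDS_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-\w]{8})\s+(?P<path>.+?)\s*$"
)

# Watch-list for this example (constructed): binaries whose simultaneous
# rewrite is worth a second look.
CORE_BINARIES = {"explorer.exe", "winlogon.exe", "svchost.exe"}

# Excerpt of the DDS log in the post above, plus two benign lines for contrast.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
.
2012-01-07 22:14:15 -------- d-----w- c:\documents and settings\joy\local settings\application data\PCHealth
2012-01-07 19:04:14 1058816 ----a-w- c:\windows\OLD15C.tmp
2012-01-07 19:04:08 1058816 ----a-w- c:\windows\OLD158.tmp
2012-01-07 19:04:02 1058816 ----a-w- c:\windows\OLD154.tmp
2012-01-07 19:03:57 1058816 ----a-w- c:\windows\OLD150.tmp
2012-01-07 18:37:55 825 ----a-w- c:\documents and settings\all users\application data\hlnnaaa.tmp
.
==================== Find3M ====================
.
2012-01-07 18:42:34 545280 ----a-w- c:\windows\system32\winlogon.exe
2012-01-07 18:42:34 39936 ----a-w- c:\windows\system32\svchost.exe
2012-01-07 18:42:34 1058816 ----a-w- c:\windows\explorer.exe
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 14:24:55.96 ===============
"""


def parse_dds(text):
    """Return (timestamp, size, attrs, path) tuples; size is None for directories."""
    entries = []
    for line in text.splitlines():
        m = DDS_LINE.match(line.strip())
        if not m:
            continue  # section headers, '.' separators, FINISH line
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append((f"{m['date']} {m['time']}", size, m["attrs"], m["path"].lower()))
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def find_infector_traces(text, min_group=2):
    """Return findings as (rule, detail, sorted paths) tuples."""
    entries = parse_dds(text)
    core = [(ts, size, path) for ts, size, _, path in entries
            if basename(path) in CORE_BINARIES]
    findings = []

    # Rule 1: at least min_group watch-listed binaries written in the same second.
    by_stamp = defaultdict(list)
    for ts, _, path in core:
        by_stamp[ts].append(path)
    for ts, paths in sorted(by_stamp.items()):
        if len(paths) >= min_group:
            findings.append(("core_binaries_same_stamp", ts, sorted(paths)))

    # Rule 2: .tmp files under the Windows directory whose size equals a core binary,
    # the pattern an infector leaves when it stashes a copy of the original.
    core_sizes = {size for _, size, _ in core if size}
    tmp_hits = [(path, size) for _, size, _, path in entries
                if path.endswith(".tmp") and "\\windows\\" in path and size in core_sizes]
    if tmp_hits:
        sizes = ",".join(str(s) for s in sorted({s for _, s in tmp_hits}))
        findings.append(("tmp_copies_matching_core_size", sizes, sorted(p for p, _ in tmp_hits)))
    return findings


if __name__ == "__main__":
    for rule, detail, paths in find_infector_traces(SAMPLE_LOG):
        print(rule, detail)
        for p in paths:
            print("   ", p)
```

A Windows Update run can also rewrite several system binaries within the same second, so treat a rule-1 hit as a triage lead to confirm with signature checks and a known-good hash, not as proof of infection.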


#2 fireman4it

Bleepin' Fireman (Malware Response Team)

Posted 08 January 2012 - 12:52 AM

Hello 4on4off,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.



2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [image: ComboFix prompt offering to install the Microsoft Windows Recovery Console]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: ComboFix message confirming the Recovery Console was installed]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-




#3 4on4off

  • Topic Starter

Posted 08 January 2012 - 01:31 PM

Fireman4it,

Thank you for your assistance.

I already had TDSSKiller but I downloaded and replaced it anyway as you instructed. Here is the log:

09:12:50.0843 2632 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
09:12:51.0312 2632 ============================================================
09:12:51.0312 2632 Current date / time: 2012/01/08 09:12:51.0312
09:12:51.0312 2632 SystemInfo:
09:12:51.0312 2632
09:12:51.0312 2632 OS Version: 5.1.2600 ServicePack: 3.0
09:12:51.0312 2632 Product type: Workstation
09:12:51.0312 2632 ComputerName: HARRIS
09:12:51.0312 2632 UserName: Joy
09:12:51.0312 2632 Windows directory: C:\WINDOWS
09:12:51.0312 2632 System windows directory: C:\WINDOWS
09:12:51.0312 2632 Processor architecture: Intel x86
09:12:51.0312 2632 Number of processors: 2
09:12:51.0312 2632 Page size: 0x1000
09:12:51.0312 2632 Boot type: Normal boot
09:12:51.0312 2632 ============================================================
09:12:53.0093 2632 Initialize success
09:13:02.0796 3744 ============================================================
09:13:02.0796 3744 Scan started
09:13:02.0796 3744 Mode: Manual; SigCheck; TDLFS;
09:13:02.0796 3744 ============================================================
09:13:30.0906 3744 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:13:31.0125 3744 Kbdclass - ok
09:13:31.0187 3744 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
09:13:31.0421 3744 kbdhid - ok
09:13:31.0500 3744 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
09:13:31.0703 3744 kmixer - ok
09:13:31.0828 3744 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
09:13:31.0921 3744 KSecDD - ok
09:13:31.0937 3744 lbrtfdc - ok
09:13:32.0031 3744 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
09:13:32.0078 3744 mdmxsdk - ok
09:13:32.0125 3744 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
09:13:32.0156 3744 MHNDRV ( UnsignedFile.Multi.Generic ) - warning
09:13:32.0156 3744 MHNDRV - detected UnsignedFile.Multi.Generic (1)
09:13:32.0187 3744 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:13:32.0484 3744 mnmdd - ok
09:13:32.0578 3744 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
09:13:32.0921 3744 Modem - ok
09:13:32.0968 3744 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
09:13:33.0250 3744 MODEMCSA - ok
09:13:33.0296 3744 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:13:33.0562 3744 Mouclass - ok
09:13:33.0640 3744 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:13:33.0828 3744 mouhid - ok
09:13:34.0078 3744 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
09:13:34.0343 3744 MountMgr - ok
09:13:34.0421 3744 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
09:13:34.0500 3744 MpFilter - ok
09:13:34.0765 3744 MpKsld6413679 (a69630d039c38018689190234f866d77) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1494DE00-BA62-46D4-82A4-4C58F2617D19}\MpKsld6413679.sys
09:13:34.0843 3744 MpKsld6413679 - ok
09:13:34.0921 3744 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
09:13:35.0093 3744 mraid35x - ok
09:13:35.0140 3744 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:13:35.0406 3744 MRxDAV - ok
09:13:35.0484 3744 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:13:35.0546 3744 MRxSmb - ok
09:13:35.0656 3744 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
09:13:35.0921 3744 Msfs - ok
09:13:35.0953 3744 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:13:36.0312 3744 MSKSSRV - ok
09:13:36.0375 3744 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:13:36.0812 3744 MSPCLOCK - ok
09:13:36.0859 3744 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
09:13:37.0203 3744 MSPQM - ok
09:13:37.0484 3744 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:13:37.0796 3744 mssmbios - ok
09:13:37.0843 3744 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
09:13:38.0078 3744 MSTEE - ok
09:13:38.0125 3744 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
09:13:38.0171 3744 Mup - ok
09:13:38.0281 3744 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
09:13:38.0500 3744 NABTSFEC - ok
09:13:38.0562 3744 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
09:13:38.0859 3744 NDIS - ok
09:13:38.0906 3744 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
09:13:39.0125 3744 NdisIP - ok
09:13:39.0171 3744 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:13:39.0234 3744 NdisTapi - ok
09:13:39.0296 3744 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:13:39.0531 3744 Ndisuio - ok
09:13:39.0625 3744 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:13:40.0046 3744 NdisWan - ok
09:13:40.0125 3744 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
09:13:40.0265 3744 NDProxy - ok
09:13:40.0578 3744 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:13:40.0796 3744 NetBIOS - ok
09:13:40.0859 3744 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:13:41.0125 3744 NetBT - ok
09:13:41.0218 3744 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
09:13:41.0453 3744 Npfs - ok
09:13:41.0531 3744 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
09:13:41.0796 3744 Ntfs - ok
09:13:41.0828 3744 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:13:42.0031 3744 Null - ok
09:13:42.0125 3744 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
09:13:42.0437 3744 nv - ok
09:13:42.0515 3744 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:13:42.0750 3744 NwlnkFlt - ok
09:13:42.0765 3744 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:13:43.0031 3744 NwlnkFwd - ok
09:13:43.0093 3744 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
09:13:43.0546 3744 Parport - ok
09:13:43.0593 3744 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
09:13:44.0046 3744 PartMgr - ok
09:13:44.0109 3744 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:13:44.0468 3744 ParVdm - ok
09:13:44.0515 3744 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
09:13:44.0843 3744 PCI - ok
09:13:44.0859 3744 PCIDump - ok
09:13:44.0875 3744 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
09:13:45.0109 3744 PCIIde - ok
09:13:45.0312 3744 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:13:45.0531 3744 Pcmcia - ok
09:13:45.0625 3744 PDCOMP - ok
09:13:45.0640 3744 PDFRAME - ok
09:13:45.0656 3744 PDRELI - ok
09:13:45.0671 3744 PDRFRAME - ok
09:13:45.0703 3744 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
09:13:45.0937 3744 perc2 - ok
09:13:45.0984 3744 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
09:13:46.0218 3744 perc2hib - ok
09:13:46.0328 3744 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:13:46.0531 3744 PptpMiniport - ok
09:13:46.0562 3744 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
09:13:46.0812 3744 PSched - ok
09:13:46.0843 3744 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:13:47.0093 3744 Ptilink - ok
09:13:47.0156 3744 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
09:13:47.0234 3744 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
09:13:47.0234 3744 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
09:13:47.0312 3744 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
09:13:47.0640 3744 ql1080 - ok
09:13:47.0671 3744 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
09:13:47.0937 3744 Ql10wnt - ok
09:13:47.0984 3744 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
09:13:48.0203 3744 ql12160 - ok
09:13:48.0281 3744 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
09:13:48.0515 3744 ql1240 - ok
09:13:48.0562 3744 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
09:13:48.0765 3744 ql1280 - ok
09:13:48.0812 3744 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:13:49.0031 3744 RasAcd - ok
09:13:49.0109 3744 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:13:49.0359 3744 Rasl2tp - ok
09:13:49.0390 3744 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:13:49.0656 3744 RasPppoe - ok
09:13:49.0828 3744 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:13:50.0031 3744 Raspti - ok
09:13:50.0109 3744 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:13:50.0515 3744 Rdbss - ok
09:13:50.0593 3744 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:13:51.0000 3744 RDPCDD - ok
09:13:51.0093 3744 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:13:51.0656 3744 rdpdr - ok
09:13:51.0750 3744 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
09:13:51.0843 3744 RDPWD - ok
09:13:51.0953 3744 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:13:52.0218 3744 redbook - ok
09:13:52.0296 3744 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:13:52.0500 3744 Secdrv - ok
09:13:52.0593 3744 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:13:52.0812 3744 serenum - ok
09:13:52.0859 3744 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
09:13:53.0140 3744 Serial - ok
09:13:53.0218 3744 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
09:13:53.0421 3744 Sfloppy - ok
09:13:53.0468 3744 Simbad - ok
09:13:53.0531 3744 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
09:13:53.0812 3744 sisagp - ok
09:13:53.0843 3744 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
09:13:54.0062 3744 SLIP - ok
09:13:54.0109 3744 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
09:13:54.0328 3744 Sparrow - ok
09:13:54.0609 3744 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
09:13:54.0937 3744 splitter - ok
09:13:55.0031 3744 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
09:13:55.0218 3744 sr - ok
09:13:55.0312 3744 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
09:13:55.0406 3744 Srv - ok
09:13:55.0437 3744 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
09:13:55.0484 3744 sscdbhk5 ( UnsignedFile.Multi.Generic ) - warning
09:13:55.0484 3744 sscdbhk5 - detected UnsignedFile.Multi.Generic (1)
09:13:55.0515 3744 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
09:13:55.0609 3744 ssrtln ( UnsignedFile.Multi.Generic ) - warning
09:13:55.0609 3744 ssrtln - detected UnsignedFile.Multi.Generic (1)
09:13:55.0734 3744 STHDA (26eb7acf476a3461b85f5bce9a677a4a) C:\WINDOWS\system32\drivers\sthda.sys
09:13:55.0828 3744 STHDA - ok
09:13:55.0906 3744 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
09:13:56.0171 3744 streamip - ok
09:13:56.0218 3744 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:13:56.0421 3744 swenum - ok
09:13:56.0484 3744 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
09:13:56.0781 3744 swmidi - ok
09:13:56.0828 3744 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
09:13:57.0062 3744 symc810 - ok
09:13:57.0312 3744 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
09:13:57.0562 3744 symc8xx - ok
09:13:57.0593 3744 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
09:13:57.0968 3744 sym_hi - ok
09:13:58.0031 3744 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
09:13:58.0421 3744 sym_u3 - ok
09:13:58.0500 3744 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
09:13:58.0937 3744 sysaudio - ok
09:13:59.0031 3744 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:13:59.0171 3744 Tcpip - ok
09:13:59.0265 3744 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:13:59.0500 3744 TDPIPE - ok
09:13:59.0546 3744 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
09:13:59.0781 3744 TDTCP - ok
09:13:59.0875 3744 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:14:00.0109 3744 TermDD - ok
09:14:00.0187 3744 tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys
09:14:00.0234 3744 tfsnboio ( UnsignedFile.Multi.Generic ) - warning
09:14:00.0234 3744 tfsnboio - detected UnsignedFile.Multi.Generic (1)
09:14:00.0265 3744 tfsncofs (fb9d825bb4a2abdf24600f7505050e2b) C:\WINDOWS\system32\dla\tfsncofs.sys
09:14:00.0328 3744 tfsncofs ( UnsignedFile.Multi.Generic ) - warning
09:14:00.0328 3744 tfsncofs - detected UnsignedFile.Multi.Generic (1)
09:14:00.0390 3744 tfsndrct (cafd8cca11aa1e8b6d2ea1ba8f70ec33) C:\WINDOWS\system32\dla\tfsndrct.sys
09:14:00.0421 3744 tfsndrct ( UnsignedFile.Multi.Generic ) - warning
09:14:00.0421 3744 tfsndrct - detected UnsignedFile.Multi.Generic (1)
09:14:00.0453 3744 tfsndres (8db1e78fbf7c426d8ec3d8f1a33d6485) C:\WINDOWS\system32\dla\tfsndres.sys
09:14:00.0484 3744 tfsndres ( UnsignedFile.Multi.Generic ) - warning
09:14:00.0484 3744 tfsndres - detected UnsignedFile.Multi.Generic (1)
09:14:00.0734 3744 tfsnifs (b92f67a71cc8176f331b8aa8d9f555ad) C:\WINDOWS\system32\dla\tfsnifs.sys
09:14:00.0875 3744 tfsnifs ( UnsignedFile.Multi.Generic ) - warning
09:14:00.0875 3744 tfsnifs - detected UnsignedFile.Multi.Generic (1)
09:14:00.0906 3744 tfsnopio (85985faa9a71e2358fcc2edefc2a3c5c) C:\WINDOWS\system32\dla\tfsnopio.sys
09:14:00.0953 3744 tfsnopio ( UnsignedFile.Multi.Generic ) - warning
09:14:00.0953 3744 tfsnopio - detected UnsignedFile.Multi.Generic (1)
09:14:00.0968 3744 tfsnpool (bba22094f0f7c210567efdaf11f64495) C:\WINDOWS\system32\dla\tfsnpool.sys
09:14:01.0015 3744 tfsnpool ( UnsignedFile.Multi.Generic ) - warning
09:14:01.0015 3744 tfsnpool - detected UnsignedFile.Multi.Generic (1)
09:14:01.0046 3744 tfsnudf (81340bef80b9811e98ce64611e67e3ff) C:\WINDOWS\system32\dla\tfsnudf.sys
09:14:01.0218 3744 tfsnudf ( UnsignedFile.Multi.Generic ) - warning
09:14:01.0218 3744 tfsnudf - detected UnsignedFile.Multi.Generic (1)
09:14:01.0265 3744 tfsnudfa (c035fd116224ccc8325f384776b6a8bb) C:\WINDOWS\system32\dla\tfsnudfa.sys
09:14:01.0421 3744 tfsnudfa ( UnsignedFile.Multi.Generic ) - warning
09:14:01.0421 3744 tfsnudfa - detected UnsignedFile.Multi.Generic (1)
09:14:01.0515 3744 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
09:14:01.0843 3744 TosIde - ok
09:14:01.0968 3744 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
09:14:02.0250 3744 Udfs - ok
09:14:02.0296 3744 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
09:14:02.0484 3744 ultra - ok
09:14:02.0687 3744 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
09:14:02.0921 3744 Update - ok
09:14:03.0062 3744 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
09:14:03.0281 3744 usbaudio - ok
09:14:03.0343 3744 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
09:14:03.0593 3744 usbccgp - ok
09:14:03.0671 3744 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:14:03.0906 3744 usbehci - ok
09:14:03.0953 3744 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:14:04.0296 3744 usbhub - ok
09:14:04.0359 3744 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:14:04.0625 3744 usbprint - ok
09:14:04.0718 3744 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:14:05.0031 3744 usbscan - ok
09:14:05.0093 3744 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:14:05.0484 3744 USBSTOR - ok
09:14:05.0625 3744 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:14:06.0078 3744 usbuhci - ok
09:14:06.0171 3744 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
09:14:06.0421 3744 usbvideo - ok
09:14:06.0468 3744 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
09:14:06.0718 3744 VgaSave - ok
09:14:06.0890 3744 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
09:14:07.0171 3744 viaagp - ok
09:14:07.0203 3744 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
09:14:07.0406 3744 ViaIde - ok
09:14:07.0484 3744 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
09:14:07.0750 3744 VolSnap - ok
09:14:07.0828 3744 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:14:08.0062 3744 Wanarp - ok
09:14:08.0093 3744 wanatw - ok
09:14:08.0109 3744 WDICA - ok
09:14:08.0156 3744 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
09:14:08.0421 3744 wdmaud - ok
09:14:08.0484 3744 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
09:14:08.0546 3744 winachsf - ok
09:14:08.0750 3744 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
09:14:09.0078 3744 WSTCODEC - ok
09:14:09.0187 3744 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
09:14:09.0312 3744 WudfPf - ok
09:14:09.0390 3744 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
09:14:09.0515 3744 WudfRd - ok
09:14:09.0640 3744 WUSB54GPV4SRV (70aeec67e87a2002e6b2cc353d56e222) C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
09:14:09.0734 3744 WUSB54GPV4SRV - ok
09:14:09.0765 3744 MBR (0x1B8) (5cb90281d1a59b251f6603134774eec3) \Device\Harddisk0\DR0
09:14:09.0875 3744 \Device\Harddisk0\DR0 - ok
09:14:09.0906 3744 Boot (0x1200) (ea3b843b8194640e612e6774ed8f5755) \Device\Harddisk0\DR0\Partition0
09:14:09.0906 3744 \Device\Harddisk0\DR0\Partition0 - ok
09:14:09.0906 3744 ============================================================
09:14:09.0906 3744 Scan finished
09:14:09.0906 3744 ============================================================
09:14:10.0015 2636 Detected object count: 18
09:14:10.0015 2636 Actual detected object count: 18
09:14:26.0421 2636 BANTExt ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0421 2636 BANTExt ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0421 2636 drvmcdb ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0421 2636 drvmcdb ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0437 2636 drvnddm ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0437 2636 drvnddm ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0437 2636 DSproct ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0437 2636 DSproct ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0437 2636 GTNDIS5 ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0437 2636 GTNDIS5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0437 2636 MHNDRV ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0437 2636 MHNDRV ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0437 2636 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0437 2636 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0437 2636 sscdbhk5 ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0437 2636 sscdbhk5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0437 2636 ssrtln ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0437 2636 ssrtln ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0437 2636 tfsnboio ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0437 2636 tfsnboio ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0453 2636 tfsncofs ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0453 2636 tfsncofs ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0453 2636 tfsndrct ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0453 2636 tfsndrct ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0453 2636 tfsndres ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0453 2636 tfsndres ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0453 2636 tfsnifs ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0453 2636 tfsnifs ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0453 2636 tfsnopio ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0453 2636 tfsnopio ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0453 2636 tfsnpool ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0453 2636 tfsnpool ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0453 2636 tfsnudf ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0453 2636 tfsnudf ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:14:26.0468 2636 tfsnudfa ( UnsignedFile.Multi.Generic ) - skipped by user
09:14:26.0468 2636 tfsnudfa ( UnsignedFile.Multi.Generic ) - User select action: Skip
09:15:11.0406 2820 Deinitialize success


I downloaded, saved, disabled MSE and ran ComboFix as you instructed. Here is the log:

ComboFix 12-01-07.03 - Joy 01/08/2012 9:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1600 [GMT -8:00]
Running from: c:\documents and settings\Joy\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\hlnnaaa.tmp
c:\documents and settings\All Users\Application Data\mkknaaa.tmp
c:\documents and settings\All Users\Application Data\nkknaaa.tmp
c:\documents and settings\All Users\Application Data\okknaaa.tmp
c:\documents and settings\All Users\Application Data\onwnaaa.tmp
c:\documents and settings\All Users\Application Data\pkknaaa.tmp
c:\documents and settings\All Users\Application Data\pnwnaaa.tmp
c:\documents and settings\All Users\Application Data\qkknaaa.tmp
c:\documents and settings\All Users\Application Data\qnwnaaa.tmp
c:\documents and settings\All Users\Application Data\qyonaaa.tmp
c:\documents and settings\All Users\Application Data\rnwnaaa.tmp
c:\documents and settings\All Users\Application Data\ryonaaa.tmp
c:\documents and settings\All Users\Application Data\snwnaaa.tmp
c:\documents and settings\All Users\Application Data\syonaaa.tmp
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\tyonaaa.tmp
c:\documents and settings\All Users\Application Data\uyonaaa.tmp
c:\documents and settings\Joy\WINDOWS
C:\install.exe
c:\program files\Internet Explorer\SET3CB.tmp
c:\program files\Internet Explorer\SET3D0.tmp
c:\program files\Internet Explorer\SET487.tmp
c:\windows\$NtUninstallKB32810$
c:\windows\$NtUninstallKB32810$\2234254598\@
c:\windows\$NtUninstallKB32810$\2234254598\bckfg.tmp
c:\windows\$NtUninstallKB32810$\2234254598\cfg.ini
c:\windows\$NtUninstallKB32810$\2234254598\Desktop.ini
c:\windows\$NtUninstallKB32810$\2234254598\keywords
c:\windows\$NtUninstallKB32810$\2234254598\kwrd.dll
c:\windows\$NtUninstallKB32810$\2234254598\L\pdmzmplg
c:\windows\$NtUninstallKB32810$\2234254598\lsflt7.ver
c:\windows\$NtUninstallKB32810$\2234254598\U\00000001.@
c:\windows\$NtUninstallKB32810$\2234254598\U\00000002.@
c:\windows\$NtUninstallKB32810$\2234254598\U\00000004.@
c:\windows\$NtUninstallKB32810$\2234254598\U\80000000.@
c:\windows\$NtUninstallKB32810$\2234254598\U\80000004.@
c:\windows\$NtUninstallKB32810$\2234254598\U\80000032.@
c:\windows\$NtUninstallKB32810$\620211533
c:\windows\expl.dat
c:\windows\kb913800.exe
c:\windows\OLD150.tmp
c:\windows\OLD154.tmp
c:\windows\OLD158.tmp
c:\windows\OLD15C.tmp
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\SET100.tmp
c:\windows\system32\SET101.tmp
c:\windows\system32\SET105.tmp
c:\windows\system32\SET106.tmp
c:\windows\system32\SET138.tmp
c:\windows\system32\SET13C.tmp
c:\windows\system32\SET187.tmp
c:\windows\system32\SET190.tmp
c:\windows\system32\SET194.tmp
c:\windows\system32\SET19B.tmp
c:\windows\system32\SET19CD.tmp
c:\windows\system32\SET19CE.tmp
c:\windows\system32\SET19CF.tmp
c:\windows\system32\SET19D0.tmp
c:\windows\system32\SET19D6.tmp
c:\windows\system32\SET19DA.tmp
c:\windows\system32\SET19DD.tmp
c:\windows\system32\SET19E6.tmp
c:\windows\system32\SET1B0.tmp
c:\windows\system32\SET1B1.tmp
c:\windows\system32\SET1B2.tmp
c:\windows\system32\SET1B3.tmp
c:\windows\system32\SET1B4.tmp
c:\windows\system32\SET1B5.tmp
c:\windows\system32\SET1B6.tmp
c:\windows\system32\SET1B7.tmp
c:\windows\system32\SET1B8.tmp
c:\windows\system32\SET1B9.tmp
c:\windows\system32\SET1BA.tmp
c:\windows\system32\SET1BB.tmp
c:\windows\system32\SET1BC.tmp
c:\windows\system32\SET1BD.tmp
c:\windows\system32\SET1BE.tmp
c:\windows\system32\SET1BF.tmp
c:\windows\system32\SET1C0.tmp
c:\windows\system32\SET1C1.tmp
c:\windows\system32\SET1C2.tmp
c:\windows\system32\SET1C3.tmp
c:\windows\system32\SET1C4.tmp
c:\windows\system32\SET1C5.tmp
c:\windows\system32\SET1C6.tmp
c:\windows\system32\SET1C7.tmp
c:\windows\system32\SET1C8.tmp
c:\windows\system32\SET1C9.tmp
c:\windows\system32\SET1CA.tmp
c:\windows\system32\SET1CB.tmp
c:\windows\system32\SET1CC.tmp
c:\windows\system32\SET1CD.tmp
c:\windows\system32\SET1CE.tmp
c:\windows\system32\SET1CF.tmp
c:\windows\system32\SET1D0.tmp
c:\windows\system32\SET1E.tmp
c:\windows\system32\SET1E8.tmp
c:\windows\system32\SET1EC.tmp
c:\windows\system32\SET1F0.tmp
c:\windows\system32\SET1F1.tmp
c:\windows\system32\SET1F2.tmp
c:\windows\system32\SET1F3.tmp
c:\windows\system32\SET1F4.tmp
c:\windows\system32\SET1F5.tmp
c:\windows\system32\SET1F6.tmp
c:\windows\system32\SET1F7.tmp
c:\windows\system32\SET1F8.tmp
c:\windows\system32\SET1F9.tmp
c:\windows\system32\SET1FA.tmp
c:\windows\system32\SET1FB.tmp
c:\windows\system32\SET1FC.tmp
c:\windows\system32\SET1FD.tmp
c:\windows\system32\SET201.tmp
c:\windows\system32\SET205.tmp
c:\windows\system32\SET206.tmp
c:\windows\system32\SET20A.tmp
c:\windows\system32\SET20B.tmp
c:\windows\system32\SET22.tmp
c:\windows\system32\SET22C.tmp
c:\windows\system32\SET247.tmp
c:\windows\system32\SET248.tmp
c:\windows\system32\SET249.tmp
c:\windows\system32\SET24A.tmp
c:\windows\system32\SET24B.tmp
c:\windows\system32\SET24C.tmp
c:\windows\system32\SET24D.tmp
c:\windows\system32\SET24E.tmp
c:\windows\system32\SET252.tmp
c:\windows\system32\SET25C.tmp
c:\windows\system32\SET25D.tmp
c:\windows\system32\SET25E.tmp
c:\windows\system32\SET25F.tmp
c:\windows\system32\SET260.tmp
c:\windows\system32\SET261.tmp
c:\windows\system32\SET262.tmp
c:\windows\system32\SET263.tmp
c:\windows\system32\SET264.tmp
c:\windows\system32\SET265.tmp
c:\windows\system32\SET266.tmp
c:\windows\system32\SET267.tmp
c:\windows\system32\SET268.tmp
c:\windows\system32\SET269.tmp
c:\windows\system32\SET26A.tmp
c:\windows\system32\SET26B.tmp
c:\windows\system32\SET271.tmp
c:\windows\system32\SET272.tmp
c:\windows\system32\SET273.tmp
c:\windows\system32\SET274.tmp
c:\windows\system32\SET275.tmp
c:\windows\system32\SET276.tmp
c:\windows\system32\SET277.tmp
c:\windows\system32\SET278.tmp
c:\windows\system32\SET27D.tmp
c:\windows\system32\SET281.tmp
c:\windows\system32\SET284.tmp
c:\windows\system32\SET285.tmp
c:\windows\system32\SET286.tmp
c:\windows\system32\SET287.tmp
c:\windows\system32\SET288.tmp
c:\windows\system32\SET289.tmp
c:\windows\system32\SET28A.tmp
c:\windows\system32\SET28B.tmp
c:\windows\system32\SET28C.tmp
c:\windows\system32\SET28D.tmp
c:\windows\system32\SET28E.tmp
c:\windows\system32\SET28F.tmp
c:\windows\system32\SET29.tmp
c:\windows\system32\SET290.tmp
c:\windows\system32\SET291.tmp
c:\windows\system32\SET292.tmp
c:\windows\system32\SET293.tmp
c:\windows\system32\SET294.tmp
c:\windows\system32\SET295.tmp
c:\windows\system32\SET296.tmp
c:\windows\system32\SET297.tmp
c:\windows\system32\SET298.tmp
c:\windows\system32\SET299.tmp
c:\windows\system32\SET29A.tmp
c:\windows\system32\SET29B.tmp
c:\windows\system32\SET29C.tmp
c:\windows\system32\SET29D.tmp
c:\windows\system32\SET29E.tmp
c:\windows\system32\SET29F.tmp
c:\windows\system32\SET2A.tmp
c:\windows\system32\SET2A0.tmp
c:\windows\system32\SET2A1.tmp
c:\windows\system32\SET2A2.tmp
c:\windows\system32\SET2A3.tmp
c:\windows\system32\SET2A4.tmp
c:\windows\system32\SET2A5.tmp
c:\windows\system32\SET2A6.tmp
c:\windows\system32\SET2A7.tmp
c:\windows\system32\SET2A8.tmp
c:\windows\system32\SET2A9.tmp
c:\windows\system32\SET2AA.tmp
c:\windows\system32\SET2AB.tmp
c:\windows\system32\SET2AC.tmp
c:\windows\system32\SET2AD.tmp
c:\windows\system32\SET2AE.tmp
c:\windows\system32\SET2AF.tmp
c:\windows\system32\SET2B.tmp
c:\windows\system32\SET2B0.tmp
c:\windows\system32\SET2B1.tmp
c:\windows\system32\SET2B2.tmp
c:\windows\system32\SET2B3.tmp
c:\windows\system32\SET2B4.tmp
c:\windows\system32\SET2B5.tmp
c:\windows\system32\SET2B6.tmp
c:\windows\system32\SET2B7.tmp
c:\windows\system32\SET2B8.tmp
c:\windows\system32\SET2B9.tmp
c:\windows\system32\SET2BA.tmp
c:\windows\system32\SET2BB.tmp
c:\windows\system32\SET2BC.tmp
c:\windows\system32\SET2BD.tmp
c:\windows\system32\SET2BE.tmp
c:\windows\system32\SET2BF.tmp
c:\windows\system32\SET2C.tmp
c:\windows\system32\SET2C0.tmp
c:\windows\system32\SET2C1.tmp
c:\windows\system32\SET2C2.tmp
c:\windows\system32\SET2C3.tmp
c:\windows\system32\SET2C4.tmp
c:\windows\system32\SET2C5.tmp
c:\windows\system32\SET2C6.tmp
c:\windows\system32\SET2C7.tmp
c:\windows\system32\SET2C8.tmp
c:\windows\system32\SET2C9.tmp
c:\windows\system32\SET2CA.tmp
c:\windows\system32\SET2CB.tmp
c:\windows\system32\SET2CC.tmp
c:\windows\system32\SET2CD.tmp
c:\windows\system32\SET2CE.tmp
c:\windows\system32\SET2CF.tmp
c:\windows\system32\SET2D.tmp
c:\windows\system32\SET2D0.tmp
c:\windows\system32\SET2D1.tmp
c:\windows\system32\SET2D2.tmp
c:\windows\system32\SET2D3.tmp
c:\windows\system32\SET2D4.tmp
c:\windows\system32\SET2D5.tmp
c:\windows\system32\SET2D6.tmp
c:\windows\system32\SET2D7.tmp
c:\windows\system32\SET2D8.tmp
c:\windows\system32\SET2D9.tmp
c:\windows\system32\SET2DA.tmp
c:\windows\system32\SET2DB.tmp
c:\windows\system32\SET2DC.tmp
c:\windows\system32\SET2DD.tmp
c:\windows\system32\SET2DE.tmp
c:\windows\system32\SET2DF.tmp
c:\windows\system32\SET2E.tmp
c:\windows\system32\SET2E0.tmp
c:\windows\system32\SET2E1.tmp
c:\windows\system32\SET2E2.tmp
c:\windows\system32\SET2E3.tmp
c:\windows\system32\SET2E4.tmp
c:\windows\system32\SET2E5.tmp
c:\windows\system32\SET2E6.tmp
c:\windows\system32\SET2E7.tmp
c:\windows\system32\SET2E8.tmp
c:\windows\system32\SET2E9.tmp
c:\windows\system32\SET2EA.tmp
c:\windows\system32\SET2EB.tmp
c:\windows\system32\SET2EBF.tmp
c:\windows\system32\SET2EC.tmp
c:\windows\system32\SET2ED.tmp
c:\windows\system32\SET2EE.tmp
c:\windows\system32\SET2EF.tmp
c:\windows\system32\SET2F.tmp
c:\windows\system32\SET2F0.tmp
c:\windows\system32\SET2F1.tmp
c:\windows\system32\SET2F2.tmp
c:\windows\system32\SET2F3.tmp
c:\windows\system32\SET2F4.tmp
c:\windows\system32\SET2F5.tmp
c:\windows\system32\SET2F5B.tmp
c:\windows\system32\SET2F6.tmp
c:\windows\system32\SET2F65.tmp
c:\windows\system32\SET2F66.tmp
c:\windows\system32\SET2F67.tmp
c:\windows\system32\SET2F69.tmp
c:\windows\system32\SET2F6E.tmp
c:\windows\system32\SET2F6F.tmp
c:\windows\system32\SET2F7.tmp
c:\windows\system32\SET2F70.tmp
c:\windows\system32\SET2F71.tmp
c:\windows\system32\SET2F76.tmp
c:\windows\system32\SET2F78.tmp
c:\windows\system32\SET2F79.tmp
c:\windows\system32\SET2F7B.tmp
c:\windows\system32\SET2F8.tmp
c:\windows\system32\SET2F80.tmp
c:\windows\system32\SET2F84.tmp
c:\windows\system32\SET2F9.tmp
c:\windows\system32\SET2FA.tmp
c:\windows\system32\SET2FB.tmp
c:\windows\system32\SET2FC.tmp
c:\windows\system32\SET2FD.tmp
c:\windows\system32\SET2FE.tmp
c:\windows\system32\SET2FF.tmp
c:\windows\system32\SET30.tmp
c:\windows\system32\SET300.tmp
c:\windows\system32\SET301.tmp
c:\windows\system32\SET302.tmp
c:\windows\system32\SET303.tmp
c:\windows\system32\SET304.tmp
c:\windows\system32\SET305.tmp
c:\windows\system32\SET306.tmp
c:\windows\system32\SET307.tmp
c:\windows\system32\SET308.tmp
c:\windows\system32\SET309.tmp
c:\windows\system32\SET30A.tmp
c:\windows\system32\SET30B.tmp
c:\windows\system32\SET30C.tmp
c:\windows\system32\SET30D.tmp
c:\windows\system32\SET30E.tmp
c:\windows\system32\SET30F.tmp
c:\windows\system32\SET31.tmp
c:\windows\system32\SET310.tmp
c:\windows\system32\SET311.tmp
c:\windows\system32\SET312.tmp
c:\windows\system32\SET313.tmp
c:\windows\system32\SET314.tmp
c:\windows\system32\SET315.tmp
c:\windows\system32\SET316.tmp
c:\windows\system32\SET317.tmp
c:\windows\system32\SET318.tmp
c:\windows\system32\SET319.tmp
c:\windows\system32\SET31A.tmp
c:\windows\system32\SET31B.tmp
c:\windows\system32\SET31C.tmp
c:\windows\system32\SET31D.tmp
c:\windows\system32\SET31E.tmp
c:\windows\system32\SET31F.tmp
c:\windows\system32\SET32.tmp
c:\windows\system32\SET320.tmp
c:\windows\system32\SET321.tmp
c:\windows\system32\SET322.tmp
c:\windows\system32\SET323.tmp
c:\windows\system32\SET324.tmp
c:\windows\system32\SET325.tmp
c:\windows\system32\SET326.tmp
c:\windows\system32\SET327.tmp
c:\windows\system32\SET328.tmp
c:\windows\system32\SET329.tmp
c:\windows\system32\SET32A.tmp
c:\windows\system32\SET32B.tmp
c:\windows\system32\SET32C.tmp
c:\windows\system32\SET32D.tmp
c:\windows\system32\SET32E.tmp
c:\windows\system32\SET32F.tmp
c:\windows\system32\SET33.tmp
c:\windows\system32\SET330.tmp
c:\windows\system32\SET331.tmp
c:\windows\system32\SET332.tmp
c:\windows\system32\SET333.tmp
c:\windows\system32\SET334.tmp
c:\windows\system32\SET335.tmp
c:\windows\system32\SET336.tmp
c:\windows\system32\SET337.tmp
c:\windows\system32\SET338.tmp
c:\windows\system32\SET339.tmp
c:\windows\system32\SET33A.tmp
c:\windows\system32\SET33B.tmp
c:\windows\system32\SET33C.tmp
c:\windows\system32\SET33D.tmp
c:\windows\system32\SET33E.tmp
c:\windows\system32\SET33F.tmp
c:\windows\system32\SET34.tmp
c:\windows\system32\SET340.tmp
c:\windows\system32\SET341.tmp
c:\windows\system32\SET342.tmp
c:\windows\system32\SET343.tmp
c:\windows\system32\SET344.tmp
c:\windows\system32\SET345.tmp
c:\windows\system32\SET346.tmp
c:\windows\system32\SET347.tmp
c:\windows\system32\SET348.tmp
c:\windows\system32\SET349.tmp
c:\windows\system32\SET34A.tmp
c:\windows\system32\SET34B.tmp
c:\windows\system32\SET34C.tmp
c:\windows\system32\SET34D.tmp
c:\windows\system32\SET34E.tmp
c:\windows\system32\SET34F.tmp
c:\windows\system32\SET35.tmp
c:\windows\system32\SET350.tmp
c:\windows\system32\SET351.tmp
c:\windows\system32\SET352.tmp
c:\windows\system32\SET353.tmp
c:\windows\system32\SET354.tmp
c:\windows\system32\SET355.tmp
c:\windows\system32\SET356.tmp
c:\windows\system32\SET357.tmp
c:\windows\system32\SET358.tmp
c:\windows\system32\SET359.tmp
c:\windows\system32\SET35A.tmp
c:\windows\system32\SET35B.tmp
c:\windows\system32\SET35C.tmp
c:\windows\system32\SET35D.tmp
c:\windows\system32\SET35E.tmp
c:\windows\system32\SET35F.tmp
c:\windows\system32\SET360.tmp
c:\windows\system32\SET361.tmp
c:\windows\system32\SET362.tmp
c:\windows\system32\SET363.tmp
c:\windows\system32\SET364.tmp
c:\windows\system32\SET365.tmp
c:\windows\system32\SET366.tmp
c:\windows\system32\SET367.tmp
c:\windows\system32\SET368.tmp
c:\windows\system32\SET369.tmp
c:\windows\system32\SET36A.tmp
c:\windows\system32\SET36B.tmp
c:\windows\system32\SET36C.tmp
c:\windows\system32\SET36D.tmp
c:\windows\system32\SET36E.tmp
c:\windows\system32\SET36F.tmp
c:\windows\system32\SET370.tmp
c:\windows\system32\SET371.tmp
c:\windows\system32\SET372.tmp
c:\windows\system32\SET373.tmp
c:\windows\system32\SET374.tmp
c:\windows\system32\SET375.tmp
c:\windows\system32\SET376.tmp
c:\windows\system32\SET377.tmp
c:\windows\system32\SET378.tmp
c:\windows\system32\SET379.tmp
c:\windows\system32\SET37A.tmp
c:\windows\system32\SET37B.tmp
c:\windows\system32\SET37C.tmp
c:\windows\system32\SET37D.tmp
c:\windows\system32\SET37E.tmp
c:\windows\system32\SET37F.tmp
c:\windows\system32\SET380.tmp
c:\windows\system32\SET381.tmp
c:\windows\system32\SET382.tmp
c:\windows\system32\SET383.tmp
c:\windows\system32\SET384.tmp
c:\windows\system32\SET38A.tmp
c:\windows\system32\SET390.tmp
c:\windows\system32\SET391.tmp
c:\windows\system32\SET3C7.tmp
c:\windows\system32\SET3CB.tmp
c:\windows\system32\SET3CF.tmp
c:\windows\system32\SET3D0.tmp
c:\windows\system32\SET3D1.tmp
c:\windows\system32\SET3D2.tmp
c:\windows\system32\SET3D3.tmp
c:\windows\system32\SET3D4.tmp
c:\windows\system32\SET3D5.tmp
c:\windows\system32\SET3D6.tmp
c:\windows\system32\SET3D7.tmp
c:\windows\system32\SET3D8.tmp
c:\windows\system32\SET3D9.tmp
c:\windows\system32\SET3DA.tmp
c:\windows\system32\SET3DB.tmp
c:\windows\system32\SET3E4.tmp
c:\windows\system32\SET3E5.tmp
c:\windows\system32\SET3E6.tmp
c:\windows\system32\SET3E7.tmp
c:\windows\system32\SET3E8.tmp
c:\windows\system32\SET3E9.tmp
c:\windows\system32\SET3EA.tmp
c:\windows\system32\SET3EB.tmp
c:\windows\system32\SET3EC.tmp
c:\windows\system32\SET3ED.tmp
c:\windows\system32\SET3EE.tmp
c:\windows\system32\SET3F3.tmp
c:\windows\system32\SET3F4.tmp
c:\windows\system32\SET3F5.tmp
c:\windows\system32\SET3F6.tmp
c:\windows\system32\SET3FD.tmp
c:\windows\system32\SET3FF.tmp
c:\windows\system32\SET400.tmp
c:\windows\system32\SET402.tmp
c:\windows\system32\SET404.tmp
c:\windows\system32\SET405.tmp
c:\windows\system32\SET40A.tmp
c:\windows\system32\SET40B.tmp
c:\windows\system32\SET40E.tmp
c:\windows\system32\SET410.tmp
c:\windows\system32\SET411.tmp
c:\windows\system32\SET412.tmp
c:\windows\system32\SET416.tmp
c:\windows\system32\SET417.tmp
c:\windows\system32\SET418.tmp
c:\windows\system32\SET41A.tmp
c:\windows\system32\SET41B.tmp
c:\windows\system32\SET41C.tmp
c:\windows\system32\SET47.tmp
c:\windows\system32\SET476.tmp
c:\windows\system32\SET477.tmp
c:\windows\system32\SET47A.tmp
c:\windows\system32\SET47B.tmp
c:\windows\system32\SET47C.tmp
c:\windows\system32\SET47D.tmp
c:\windows\system32\SET48.tmp
c:\windows\system32\SET481.tmp
c:\windows\system32\SET482.tmp
c:\windows\system32\SET483.tmp
c:\windows\system32\SET488.tmp
c:\windows\system32\SET48E.tmp
c:\windows\system32\SET49.tmp
c:\windows\system32\SET494.tmp
c:\windows\system32\SET495.tmp
c:\windows\system32\SET496.tmp
c:\windows\system32\SET497.tmp
c:\windows\system32\SET49D.tmp
c:\windows\system32\SET49E.tmp
c:\windows\system32\SET49F.tmp
c:\windows\system32\SET4A.tmp
c:\windows\system32\SET4A3.tmp
c:\windows\system32\SET4A5.tmp
c:\windows\system32\SET4A6.tmp
c:\windows\system32\SET4A8.tmp
c:\windows\system32\SET4AD.tmp
c:\windows\system32\SET4B.tmp
c:\windows\system32\SET4B1.tmp
c:\windows\system32\SET4B5.tmp
c:\windows\system32\SET4B6.tmp
c:\windows\system32\SET4B7.tmp
c:\windows\system32\SET4C.tmp
c:\windows\system32\SET4C4.tmp
c:\windows\system32\SET4C8.tmp
c:\windows\system32\SET4CC.tmp
c:\windows\system32\SET4CD.tmp
c:\windows\system32\SET4CE.tmp
c:\windows\system32\SET4CF.tmp
c:\windows\system32\SET4D.tmp
c:\windows\system32\SET4D0.tmp
c:\windows\system32\SET4D1.tmp
c:\windows\system32\SET4D2.tmp
c:\windows\system32\SET4D3.tmp
c:\windows\system32\SET4D4.tmp
c:\windows\system32\SET4D5.tmp
c:\windows\system32\SET4D6.tmp
c:\windows\system32\SET4D7.tmp
c:\windows\system32\SET4D8.tmp
c:\windows\system32\SET4D9.tmp
c:\windows\system32\SET4DD.tmp
c:\windows\system32\SET4E.tmp
c:\windows\system32\SET4E1.tmp
c:\windows\system32\SET4E2.tmp
c:\windows\system32\SET4E3.tmp
c:\windows\system32\SET4E4.tmp
c:\windows\system32\SET4E5.tmp
c:\windows\system32\SET4E6.tmp
c:\windows\system32\SET4E7.tmp
c:\windows\system32\SET4E8.tmp
c:\windows\system32\SET4E9.tmp
c:\windows\system32\SET4EA.tmp
c:\windows\system32\SET4EB.tmp
c:\windows\system32\SET4EC.tmp
c:\windows\system32\SET4ED.tmp
c:\windows\system32\SET4F6.tmp
c:\windows\system32\SET4F7.tmp
c:\windows\system32\SET4FB.tmp
c:\windows\system32\SET4FC.tmp
c:\windows\system32\SET50D.tmp
c:\windows\system32\SET50E.tmp
c:\windows\system32\SET518.tmp
c:\windows\system32\SET519.tmp
c:\windows\system32\SET525.tmp
c:\windows\system32\SET529.tmp
c:\windows\system32\SET52D.tmp
c:\windows\system32\SET52E.tmp
c:\windows\system32\SET52F.tmp
c:\windows\system32\SET530.tmp
c:\windows\system32\SET532.tmp
c:\windows\system32\SET533.tmp
c:\windows\system32\SET534.tmp
c:\windows\system32\SET535.tmp
c:\windows\system32\SET536.tmp
c:\windows\system32\SET537.tmp
c:\windows\system32\SET538.tmp
c:\windows\system32\SET539.tmp
c:\windows\system32\SET53A.tmp
c:\windows\system32\SET563.tmp
c:\windows\system32\SET57.tmp
c:\windows\system32\SET577.tmp
c:\windows\system32\SET5A1.tmp
c:\windows\system32\SET5F.tmp
c:\windows\system32\SET69.tmp
c:\windows\system32\SET750.tmp
c:\windows\system32\SET795.tmp
c:\windows\system32\SET7A6.tmp
c:\windows\system32\SET7F.tmp
c:\windows\system32\SET80C.tmp
c:\windows\system32\SET80D.tmp
c:\windows\system32\SET80E.tmp
c:\windows\system32\SET80F.tmp
c:\windows\system32\SET815.tmp
c:\windows\system32\SET816.tmp
c:\windows\system32\SET817.tmp
c:\windows\system32\SET81B.tmp
c:\windows\system32\SET81E.tmp
c:\windows\system32\SET81F.tmp
c:\windows\system32\SET821.tmp
c:\windows\system32\SET826.tmp
c:\windows\system32\SET82A.tmp
c:\windows\system32\SET83.tmp
c:\windows\system32\SETE3.tmp
c:\windows\system32\SETE7.tmp
c:\windows\system32\SETEB.tmp
c:\windows\system32\SETEC.tmp
c:\windows\system32\SETED.tmp
c:\windows\system32\SETEE.tmp
c:\windows\system32\SETEF.tmp
c:\windows\system32\SETF0.tmp
c:\windows\system32\SETF1.tmp
c:\windows\system32\SETF2.tmp
c:\windows\system32\SETF3.tmp
c:\windows\system32\SETF4.tmp
c:\windows\system32\SETF5.tmp
c:\windows\system32\SETF6.tmp
c:\windows\system32\SETF7.tmp
c:\windows\system32\SETFB.tmp
c:\windows\system32\SETFF.tmp
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))
.
.
2012-01-08 17:36 . 2012-01-08 17:58 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1494DE00-BA62-46D4-82A4-4C58F2617D19}\offreg.dll
2012-01-07 22:14 . 2012-01-07 22:14 -------- d-----w- c:\documents and settings\Joy\Local Settings\Application Data\PCHealth
2012-01-07 18:41 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-07 18:41 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1494DE00-BA62-46D4-82A4-4C58F2617D19}\mpengine.dll
2012-01-05 01:24 . 2012-01-05 01:24 -------- d-----w- c:\documents and settings\Joy\Application Data\ElevatedDiagnostics
2012-01-04 21:57 . 2012-01-04 21:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-04 21:57 . 2012-01-04 21:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-04 21:15 . 2012-01-04 21:15 -------- d-----w- c:\program files\Belarc
2012-01-04 21:15 . 2008-02-27 21:49 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-01-04 10:31 . 2012-01-04 10:33 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-04 10:07 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2012-01-04 10:02 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2012-01-04 09:50 . 2012-01-04 09:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 06:27 . 2012-01-04 06:27 -------- d-sh--w- c:\documents and settings\Spencer\IECompatCache
2012-01-04 05:47 . 2012-01-04 05:47 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2012-01-04 05:26 . 2012-01-04 05:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2012-01-04 05:09 . 2012-01-04 05:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-04 04:22 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-01-04 04:22 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-07 18:42 . 2005-08-16 10:18 545280 ----a-w- c:\windows\system32\winlogon.exe
2012-01-07 18:42 . 2005-08-16 10:18 1058816 ----a-w- c:\windows\explorer.exe
2012-01-04 10:12 . 2005-08-16 10:35 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-12-10 23:24 . 2010-12-12 06:52 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2005-08-16 10:18 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 22:29 . 2010-12-12 08:36 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 13:54 . 2010-12-12 20:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 11:27 . 2007-05-29 03:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2005-08-16 10:18 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2005-08-16 10:18 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2005-08-16 10:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-08-16 10:18 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 04:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-15 01:38 . 2005-08-16 10:18 456192 ----a-w- c:\windows\system32\encdec.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-01-07 . D407C5F2424C0891DB8A40A588AA5990 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2004-08-10 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
[-] 2012-01-07 . C921497CA89B781DA93E20219EC15044 . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-10 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-25 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-24 98304]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-24 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 20:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-14 01:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 16:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-01-24 15:48 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2010-04-08 16:15 3233752 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-10-12 00:49 14940040 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-18 03:41 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"0274091292133016mcinstcleanup"=2 (0x2)
"CiSvc"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [5/27/2010 6:39 PM 632792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 9:46 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 9:46 AM 135664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/16/2005 2:18 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 17:46]
.
2012-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 17:46]
.
2012-01-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 23:39]
.
2011-12-30 c:\windows\Tasks\RMSchedule_219.job
- c:\program files\Registry Mechanic\Launcher.exe [2010-05-28 16:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://portal.tds.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B6F2FB76-6E59-44C8-A874-5791763A83B5}: NameServer = 216.165.129.157,216.170.153.146
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKLM-Run-ISUSPM Startup - c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe
Notify-WgaLogon - (no file)
SafeBoot-61923011.sys
MSConfigStartUp-jdiNQqhyasYS - c:\documents and settings\All Users\Application Data\jdiNQqhyasYS.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-YSearchProtection - c:\program files\Yahoo!\Search Protection\YspService.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-08 09:59
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,6d,5e,9e,20,63,95,4e,8d,79,16,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,6d,5e,9e,20,63,95,4e,8d,79,16,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3312)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dlcccoms.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Completion time: 2012-01-08 10:08:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-08 18:08
.
Pre-Run: 125,411,594,240 bytes free
Post-Run: 126,304,374,784 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - ED69805B44BE00964AB1F1CEC2F9652A

As to your query about how the PC is running: absolutely better. Before following your instructions IE would freeze up shortly after running, every time. Before posting this reply I surfed the web for ten minutes or so and it never froze up. Since it is football playoff time I went to nfl.com and videos are smooth; some of the normal text and links at the top are not viewable, but no big deal there. Other than that it is running better for sure.

Again, thank you for your assistance.

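The Sigcheck block in the log above is the part worth reading twice: the in-use winlogon.exe and explorer.exe carry the same version string as the signed ServicePackFiles copies but a different MD5 and a larger size, which is exactly what a patched system file looks like, and the "security center" key shows AntiVirusOverride and FirewallOverride set to 1, the values a rogue AV leaves behind to silence Security Center warnings. The following is an added example (not ComboFix's code and not part of this thread) that parses a constructed excerpt copied from the log above and flags both conditions. It assumes, as the log's own note implies, that `[-]` marks an unsigned file and `[7]` a copy whose signature checked out; the three `*DisableNotify` value names are standard Security Center values added alongside the two seen on the page.

```python
"""Triage helpers for a ComboFix-style log (added example, not ComboFix code)."""
import re
from collections import defaultdict

# Constructed sample: Sigcheck and security center lines copied from the log above.
SAMPLE_LOG = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2012-01-07 . D407C5F2424C0891DB8A40A588AA5990 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2004-08-10 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
[-] 2012-01-07 . C921497CA89B781DA93E20219EC15044 . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2004-08-10 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""

# One Sigcheck entry: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\] (?P<date>\S+) \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+)"
    r" \. \. \[(?P<ver>[^\]]*)\] \. \. (?P<path>.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')

# Security Center values that suppress its warnings when non-zero.
OVERRIDE_VALUES = {"AntiVirusOverride", "FirewallOverride",
                   "AntiVirusDisableNotify", "FirewallDisableNotify",
                   "UpdatesDisableNotify"}


def parse_sigcheck(text):
    """Return every Sigcheck entry in the log as a dict."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["size"] = int(e["size"])
            e["md5"] = e["md5"].upper()
            entries.append(e)
    return entries


def find_patched_files(entries):
    """Flag unsigned copies whose version string matches a signed ([7]) copy
    of the same file but whose MD5 does not: same claimed build, different bytes."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["path"].rsplit("\\", 1)[-1].lower()].append(e)
    findings = []
    for group in by_name.values():
        signed = {e["ver"]: e for e in group if e["flag"] == "7"}
        for e in group:
            if e["flag"] == "7":
                continue
            ref = signed.get(e["ver"])
            if ref is not None and ref["md5"] != e["md5"]:
                findings.append({"path": e["path"], "reference": ref["path"],
                                 "size_delta": e["size"] - ref["size"]})
    return findings


def find_security_center_overrides(text):
    """Return (name, value) for non-zero override values under the security center key."""
    findings, in_key = [], False
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:  # any key header starts a new section
            in_key = km.group("key").lower().endswith(r"\microsoft\security center")
            continue
        vm = VALUE_RE.match(line) if in_key else None
        if vm and vm.group("name") in OVERRIDE_VALUES and int(vm.group("hex"), 16):
            findings.append((vm.group("name"), int(vm.group("hex"), 16)))
    return findings


if __name__ == "__main__":
    for f in find_patched_files(parse_sigcheck(SAMPLE_LOG)):
        print(f"{f['path']} differs from {f['reference']} (+{f['size_delta']} bytes)")
    for name, value in find_security_center_overrides(SAMPLE_LOG):
        print(f"security center: {name} = {value} (warnings suppressed)")
```

Run against the excerpt, the first check reports only the two files ComboFix itself called infected, each about 25 to 37 KB larger than its signed twin, while the two signed explorer.exe 6.00.2900.3156 copies with different hashes (separate QFE/GDR builds) produce no finding, because only unsigned copies are compared against signed ones. The second check lists the two override values that the CFScript in the next post removes. Treat the version-versus-hash comparison as a triage heuristic to prioritise what to look at, not as a signature check.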

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:11 PM

Posted 08 January 2012 - 02:07 PM

Hello,

Glad to hear your machine is running much better. We still have a little work to do though, but we are getting closer.



1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\$NtServicePackUninstall$\winlogon.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\$NtUninstallKB938828$\explorer.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


2.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


3.
ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: [image]

    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.

  • Select the option YES, I accept the Terms of Use then click on: [image]
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: [image]
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on: [image]
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!



Things to include in your next reply:
Combofix.txt
MBAM log
Eset log
How is your machine running now?

Edited by fireman4it, 08 January 2012 - 02:07 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware! Just click the Donate button.
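The FCopy:: step above overwrites the Win32/Bamital-patched winlogon.exe and explorer.exe with the clean copies kept under ServicePackFiles, and the Registry:: step deletes the two Security Center override values a rogue AV sets to silence warnings. The following is an added example, not part of this post and not ComboFix's own code: it parses the CFScript text exactly as posted and then checks, by SHA-256, that each FCopy destination really is byte-identical to its source after the run. The `demo()` fixture is constructed (a fake drive tree in a temp directory, with one destination deliberately left different and one absent); on the real machine you would call `verify_fcopy(actions["fcopy"])` with `root=None` so the Windows paths resolve natively.

```python
"""Verify the FCopy:: step of a ComboFix CFScript (added example, not ComboFix code)."""
import hashlib
import os
import re
import tempfile

# The CFScript from the post, embedded so the example runs offline.
CFSCRIPT = r"""FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\$NtServicePackUninstall$\winlogon.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\$NtUninstallKB938828$\explorer.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
"""


def parse_cfscript(text):
    """Split a CFScript into its 'Name::' sections and return the planned actions:
    fcopy -> list of (source, destination); registry -> list of (key, value_name, data),
    where data '-' is the regedit convention for 'delete this value'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                      # section header such as FCopy::
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)

    fcopy = []
    for entry in sections.get("FCopy", []):
        src, _, dst = entry.partition("|")
        fcopy.append((src.strip(), dst.strip()))

    registry, key = [], None
    for entry in sections.get("Registry", []):
        if entry.startswith("[") and entry.endswith("]"):
            key = entry[1:-1]
        elif "=" in entry and key is not None:
            name, _, data = entry.partition("=")
            registry.append((key, name.strip('"'), data))
    return {"fcopy": fcopy, "registry": registry}


def relocate(win_path, root=None):
    """Map a Windows path from the script onto a copy of the drive under `root`
    (a mounted image, or the constructed fixture below). root=None keeps the
    path unchanged for use on the live machine."""
    if root is None:
        return win_path
    rel = re.sub(r"^[A-Za-z]:", "", win_path).replace("\\", os.sep).lstrip(os.sep)
    return os.path.join(root, rel)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_fcopy(pairs, root=None):
    """For every (source, destination) pair report 'match', 'mismatch'
    (destination still differs from the clean copy) or 'missing'."""
    results = {}
    for src, dst in pairs:
        s, d = relocate(src, root), relocate(dst, root)
        if not (os.path.isfile(s) and os.path.isfile(d)):
            results[dst] = "missing"
        elif sha256_of(s) == sha256_of(d):
            results[dst] = "match"
        else:
            results[dst] = "mismatch"
    return results


def demo():
    """Constructed fixture (not a real disk): two destinations already match their
    source, c:\\windows\\explorer.exe is a stand-in for a copy that was NOT replaced,
    and the $NtUninstallKB938828$ copy is absent."""
    actions = parse_cfscript(CFSCRIPT)
    root = tempfile.mkdtemp(prefix="cfscript-check-")
    contents = {
        r"c:\windows\ServicePackFiles\i386\winlogon.exe": b"clean winlogon",
        r"c:\windows\system32\winlogon.exe": b"clean winlogon",
        r"c:\windows\$NtServicePackUninstall$\winlogon.exe": b"clean winlogon",
        r"c:\windows\ServicePackFiles\i386\explorer.exe": b"clean explorer",
        r"c:\windows\explorer.exe": b"tampered explorer (constructed)",
    }
    for win_path, data in contents.items():
        local = relocate(win_path, root)
        os.makedirs(os.path.dirname(local), exist_ok=True)
        with open(local, "wb") as fh:
            fh.write(data)
    return actions, verify_fcopy(actions["fcopy"], root)


if __name__ == "__main__":
    actions, results = demo()
    for key, name, data in actions["registry"]:
        print(f"registry: delete {name} under {key}" if data == "-" else f"registry: set {name}={data}")
    for dst, state in results.items():
        print(f"{state:8}  {dst}")
```

Anything reported as `mismatch` after the ComboFix run means the copy did not take and the file should be looked at again before declaring the machine clean; `missing` is expected for uninstall folders that never existed on a given system.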


#5 4on4off
  • Topic Starter
  • Members
  • 402 posts
  • Gender:Male
  • Local time:10:11 AM

Posted 08 January 2012 - 04:32 PM

Fireman4it,

As instructed I ran a CFScript, here is the log:

ComboFix 12-01-07.03 - Joy 01/08/2012 11:15:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1465 [GMT -8:00]
Running from: c:\documents and settings\Joy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Joy\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
--------------- FCopy ---------------
.
c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\$NtServicePackUninstall$\winlogon.exe
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2011-12-08 to 2012-01-08 )))))))))))))))))))))))))))))))
.
.
2012-01-08 18:13 . 2012-01-08 18:13 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{536362CA-948C-4483-A02A-19EC504EBF1F}\offreg.dll
2012-01-08 18:13 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{536362CA-948C-4483-A02A-19EC504EBF1F}\mpengine.dll
2012-01-07 22:14 . 2012-01-07 22:14 -------- d-----w- c:\documents and settings\Joy\Local Settings\Application Data\PCHealth
2012-01-07 18:41 . 2011-11-21 10:47 6823496 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-01-05 01:24 . 2012-01-05 01:24 -------- d-----w- c:\documents and settings\Joy\Application Data\ElevatedDiagnostics
2012-01-04 21:57 . 2012-01-04 21:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-01-04 21:57 . 2012-01-04 21:57 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2012-01-04 21:15 . 2012-01-04 21:15 -------- d-----w- c:\program files\Belarc
2012-01-04 21:15 . 2008-02-27 21:49 3840 ----a-w- c:\windows\system32\drivers\BANTExt.sys
2012-01-04 10:31 . 2012-01-04 10:33 -------- d-----w- c:\program files\Microsoft Security Client
2012-01-04 10:07 . 2011-06-24 14:10 139656 ------w- c:\windows\system32\dllcache\rdpwd.sys
2012-01-04 10:02 . 2011-07-08 14:02 10496 ------w- c:\windows\system32\dllcache\ndistapi.sys
2012-01-04 09:50 . 2012-01-04 09:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-04 06:27 . 2012-01-04 06:27 -------- d-sh--w- c:\documents and settings\Spencer\IECompatCache
2012-01-04 05:47 . 2012-01-04 05:47 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2012-01-04 05:26 . 2012-01-04 05:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2012-01-04 05:09 . 2012-01-04 05:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2012-01-04 04:22 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-01-04 04:22 . 2008-04-14 00:11 21504 ----a-w- c:\windows\system32\dllcache\hidserv.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-04 10:12 . 2005-08-16 10:35 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2011-12-10 23:24 . 2010-12-12 06:52 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-23 13:25 . 2005-08-16 10:18 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-15 22:29 . 2010-12-12 08:36 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-11-10 13:54 . 2010-12-12 20:37 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 11:27 . 2007-05-29 03:35 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-04 19:20 . 2005-08-16 10:18 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2005-08-16 10:18 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2005-08-16 10:18 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2005-08-16 10:18 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2005-08-16 10:18 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2005-08-16 10:18 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2005-08-16 10:18 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2004-08-04 04:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-15 01:38 . 2005-08-16 10:18 456192 ----a-w- c:\windows\system32\encdec.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2006-02-25 73728]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-01-24 98304]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-24 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 20:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 18:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
2008-08-14 01:32 206064 ----a-w- c:\program files\Dell Support Center\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
2007-11-15 16:24 16384 ----a-w- c:\program files\Dell Support Center\gs_agent\custom\dsca.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 22:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2006-01-24 15:48 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]
2010-04-08 16:15 3233752 ----a-w- c:\program files\Registry Mechanic\RegMech.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-10-12 00:49 14940040 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-06-18 03:41 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"0274091292133016mcinstcleanup"=2 (0x2)
"CiSvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [5/27/2010 6:39 PM 632792]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 9:46 AM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 9:46 AM 135664]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/16/2005 2:18 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 17:46]
.
2012-01-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 17:46]
.
2012-01-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 23:39]
.
2011-12-30 c:\windows\Tasks\RMSchedule_219.job
- c:\program files\Registry Mechanic\Launcher.exe [2010-05-28 16:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://portal.tds.net/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{B6F2FB76-6E59-44C8-A874-5791763A83B5}: NameServer = 216.165.129.157,216.170.153.146
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-08 11:22
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,6d,5e,9e,20,63,95,4e,8d,79,16,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,45,6d,5e,9e,20,63,95,4e,8d,79,16,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4032)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-01-08 11:24:08
ComboFix-quarantined-files.txt 2012-01-08 19:24
ComboFix2.txt 2012-01-08 18:08
.
Pre-Run: 126,264,582,144 bytes free
Post-Run: 126,283,489,280 bytes free
.
- - End Of File - - 63570D1664769B5D585F3301CFC4D09C

As instructed I downloaded, renamed MWB and ran a quick scan. Here is the log:

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.08.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Joy :: HARRIS [administrator]

1/8/2012 11:29:52 AM
mbam-log-2012-01-08 (11-29-52).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215866
Time elapsed: 6 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

As instructed I downloaded ESET, checked and unchecked appropriate boxes and ran the scan. Here is the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0c19bb3a6f46f141a7f276fd005e971d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-08 09:08:34
# local_time=2012-01-08 01:08:34 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 42 87 0 22804122 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=115610
# found=3
# cleaned=0
# scan_time=4862
C:\Documents and Settings\Joy\Application Data\Sun\Java\Deployment\cache\6.0\41\47f8b769-52f57753 Java/Agent.AC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Joy\Application Data\Sun\Java\Deployment\cache\6.0\43\402b2b-2a87331e a variant of Java/Agent.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Spencer\Local Settings\Temporary Internet Files\Content.IE5\8XMB4TY7\movie[1].htm JS/TrojanDownloader.Agent.CZM trojan (unable to clean) 00000000000000000000000000000000 I

As for your query as to how the pc is running now. Near as I can tell it is running about the same since the combofix was run.

Thank you for your assistance.

4
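The ESET log above is the one place in this thread where detections were reported but not removed (the scan was deliberately run with "Remove found threats" unchecked, and the header confirms it: `remove_checked=false`, `found=3`, `cleaned=0`). The following is an added example, not ESET's code and not part of the post: it parses the posted log into its `# key=value` settings and a list of detection records, cross-checks the header counters against the detection lines so a truncated log is not mistaken for a clean one, and returns whatever was found but not cleaned. The detection-line pattern is an assumption derived from the three lines in this log (path, threat name containing a `family/name` prefix, status in parentheses, a hex digest, a trailing flag).

```python
"""Parse an ESET Online Scanner log.txt and list unresolved detections (added example)."""
import re
from dataclasses import dataclass

# The log as posted in this thread, embedded so the example runs offline.
ESET_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=0c19bb3a6f46f141a7f276fd005e971d
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-01-08 09:08:34
# local_time=2012-01-08 01:08:34 (-0800, Pacific Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5891 16776869 42 87 0 22804122 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=115610
# found=3
# cleaned=0
# scan_time=4862
C:\Documents and Settings\Joy\Application Data\Sun\Java\Deployment\cache\6.0\41\47f8b769-52f57753 Java/Agent.AC trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Joy\Application Data\Sun\Java\Deployment\cache\6.0\43\402b2b-2a87331e a variant of Java/Agent.DZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\Documents and Settings\Spencer\Local Settings\Temporary Internet Files\Content.IE5\8XMB4TY7\movie[1].htm JS/TrojanDownloader.Agent.CZM trojan (unable to clean) 00000000000000000000000000000000 I
"""

# Assumed line layout: <windows path> <threat name> (<status>) <hex digest> <flag>
# Windows paths never contain '/', while ESET threat names always carry a
# 'family/name' prefix, which is what lets the path and the name be separated.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^/]*?) "
    r"(?P<threat>(?:(?:probably )?a variant of )?[A-Za-z0-9]+/\S+(?: [a-z]+)*) "
    r"\((?P<status>[^)]+)\) (?P<digest>[0-9a-fA-F]+) (?P<flag>\S)$"
)


@dataclass
class Detection:
    path: str
    threat: str
    status: str
    digest: str
    flag: str


def parse_eset_log(text):
    """Return (settings, detections, unparsed). settings maps each '# key' to the
    list of values seen (compatibility_mode repeats); unparsed collects lines that
    look like detections but did not match the pattern, so nothing is silently lost."""
    settings, detections, unparsed = {}, [], []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            settings.setdefault(key, []).append(value)
            continue
        match = DETECTION_RE.match(line)
        if match:
            detections.append(Detection(**match.groupdict()))
        elif re.match(r"^[A-Za-z]:\\", line):
            unparsed.append(line)
    return settings, detections, unparsed


def unresolved(settings, detections):
    """Detections the scanner did not clean. The header's found/cleaned counters
    must agree with the parsed lines; a disagreement means a truncated or
    unparsed log, which must not be read as a clean result."""
    found = int(settings["found"][-1])
    cleaned = int(settings["cleaned"][-1])
    if found != len(detections):
        raise ValueError(f"header says found={found} but {len(detections)} detection lines parsed")
    cleaned_lines = [d for d in detections if d.status.startswith("cleaned")]
    if cleaned != len(cleaned_lines):
        raise ValueError(f"header says cleaned={cleaned} but {len(cleaned_lines)} lines report cleaning")
    return [d for d in detections if not d.status.startswith("cleaned")]


if __name__ == "__main__":
    settings, detections, unparsed = parse_eset_log(ESET_LOG)
    print(f"removal requested: {settings['remove_checked'][-1]}, "
          f"scanned={settings['scanned'][-1]}, found={settings['found'][-1]}")
    for d in unresolved(settings, detections):
        print(f"{d.status:16} {d.threat:40} {d.path}")
    for line in unparsed:
        print("UNPARSED:", line)
```

Run against this log it returns the two Java cache entries and the cached `movie[1].htm`, all with status `unable to clean`, which is exactly the question the topic starter asks in the next post: those files were reported, not removed, because removal was switched off for this scan.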

#6 fireman4it
    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:12:11 PM

Posted 08 January 2012 - 05:17 PM

Hello, 4on4off.
Congratulations! You now appear clean! :cool:


Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on [image] then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall


    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".


Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the [image] icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big [image] button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.




One of the most common questions found when cleaning malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet, you are not running the proper security software or that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer to help reduce the chance of being infected again in the future.

Do not use P2P programs
Peer-to-peer or file-sharing programs (such as uTorrent, Limewire and BitTorrent) are probably the primary route of infection nowadays. These programs allow file sharing between users as the name(s) suggest. It is almost impossible to know whether the file you’re downloading through P2P programs is safe.

It is therefore possible to be infected by downloading infected files via peer-to-peer programs and so I recommend that you do not use these programs. Should you wish to use them, they must be used with extreme care. Some further reading on this subject, along with included links, is as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

In addition, P2P programs facilitate cyber crime and help distribute pirated software, movies and other illegal material.

Practice Safe Internet
Another one of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.

Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is themselves infected with malware which is trying to infect everyone in their address book. A key thing to look out for here is: does the email sound as though it’s from the person you know? Often, the email may simply have a web link or a “Run this file to make your PC run fast” message in it.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop-ups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. Removal instructions for a lot of these "rogues" can be found here.
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you, or will download a file to your PC without your knowledge. You can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake. DO NOT click on these windows, instead close them by finding the open window on your Taskbar, right click and choose close.
  • Do not visit pornographic websites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do, as this can often form part of their funding.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link you should message back to the person asking if it is legit.
  • Stay away from Warez and Crack sites! As with Peer-2-Peer programs, in addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download files from a site, and are not sure if they are legitimate, you can use tools such as BitDefender Traffic Light, Norton Safe Web, or McAfee SiteAdvisor to look up info on the site and stay protected against malicious sites. Please be sure to only choose and install one of those tool bars.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
    Sometimes even legitimate programs will try to bundle extra, unwanted, software with the program you want - this is done to raise money for the program. Be sure to untick any boxes which may indicate that other programs will be downloaded.

Keep Windows up-to-date
Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure.

  • Windows XP users
    You should visit Windows Update to check for the latest updates to your system. The latest service pack (SP3) can be obtained directly from Microsoft here.
  • Windows Vista users
    You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP2) can be obtained directly from Microsoft here.
  • Windows 7 users
    You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP1) can be obtained directly from Microsoft here.


Keep your browser secure
Most modern browsers have come on in leaps and bounds with their inbuilt, default security. The best way to keep your browser secure nowadays is simply to keep it up-to-date.

The latest versions of the three common browsers can be found below:

Use an AntiVirus Software
It is very important that your computer has an up-to-date anti-virus software on it which has a real-time agent running. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources, a couple of free Anti-Virus programs you may be interested in are Microsoft Security Essentials and Avast.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Use a Firewall
I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

All versions of Windows starting from XP have an in-built firewall. With Windows XP this firewall will protect you from incoming traffic (i.e. hackers). Starting with Windows Vista, the firewall was beefed up to also protect you against outgoing traffic (i.e. malicious programs installed on your machine should be blocked from sending data, such as your bank details and passwords, out).

In addition, if you connect to the internet via a router, this will normally have a firewall in-built.

Some people will recommend installing a different firewall (instead of the built-in Windows one); this is personal choice, but the message is to definitely have one! For a tutorial on Firewalls and a listing of some available ones see this link: Understanding and Using Firewalls

Install an Anti-Malware program
Recommended, and free, Anti-Malware programs are Malwarebytes Anti-Malware and SuperAntiSpyware.

You should regularly (perhaps once a week) scan your computer with an anti-malware program, just as you would with antivirus software.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is very important to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities (such as Adobe Reader and Java). You can check these by visiting Secunia Software Inspector.

Follow this list and your potential for being infected again will reduce dramatically.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


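The firewall and antivirus checks the post above recommends (firewall on and blocking inbound by default, real-time protection on, definitions updated at least weekly), as an added PowerShell example that is not part of the original post or of any tool it names. It assumes a Windows 8 / Server 2012 or later host with the NetSecurity module and Microsoft Defender; the Windows XP machine in this thread would use `netsh firewall show state` instead, which this script does not cover.

```powershell
# Added example, not from the forum post. Audits the three points the post
# stresses: firewall enabled with inbound blocked, real-time AV on, and AV
# signatures no older than a week.
# Assumption: Windows 8/Server 2012+ (Get-NetFirewallProfile) with Microsoft
# Defender (Get-MpComputerStatus). Run from an elevated PowerShell prompt.

$findings = @()

# 1. Firewall: every profile (Domain, Private, Public) must be enabled and
#    must not allow inbound connections by default.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $findings += "Firewall profile '$($p.Name)' is disabled"
    }
    if ($p.DefaultInboundAction -eq 'Allow') {
        $findings += "Firewall profile '$($p.Name)' allows inbound traffic by default"
    }
}

# 2. Antivirus: real-time agent running and signatures fresher than 7 days
#    (the post's "update at least once a week").
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += 'Real-time protection is off'
}
if ($mp.AntivirusSignatureAge -gt 7) {
    $findings += "Antivirus signatures are $($mp.AntivirusSignatureAge) days old"
}

# 3. Report: one WARN line per problem, or a single OK line.
if ($findings.Count -eq 0) {
    Write-Output 'OK: firewall enabled and blocking inbound, real-time AV on, signatures current'
} else {
    foreach ($f in $findings) { Write-Output "WARN: $f" }
}
```

Each WARN line maps directly to one sentence of the advice above, so the output can be pasted back into a thread like this one as evidence that the basics are in place before moving on to the application-patching step.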
#7 4on4off (Topic Starter, Members, 402 posts)

Posted 08 January 2012 - 05:24 PM

Fireman4it,

Thank you soooo much. I do have one question though. What about the 3 items found by ESET that were detected but not removed?

I will follow up with the instructions you provided for cleaning up our mess.

Thanks again so so much, you have been a great help!

4

#8 4on4off (Topic Starter, Members, 402 posts)

Posted 08 January 2012 - 05:33 PM

Sorry but one other thing.

On some pages I visit, including the ESET site and this site as well, some images do not show up. I right-click and select "show picture" but it does not show up. Probably a setting I can find eventually, but just mentioning it in case it is a side effect that you have come across before due to the clean-up.

Thanks again.

4

#9 fireman4it, Bleepin' Fireman (Malware Response Team, 13,512 posts, Location: Greenup, Ill USA)

Posted 08 January 2012 - 05:42 PM

Thank you soooo much. I do have one question though. What about the 3 items found by ESET that were detected but not removed?

Those don't worry me.



On some pages I visit, including the ESET site and this site as well, some images do not show up. I right-click and select "show picture" but it does not show up. Probably a setting I can find eventually, but just mentioning it in case it is a side effect that you have come across before due to the clean-up.

Probably some setting you have. Maybe NoScript or a no-popups setting.



#10 4on4off (Topic Starter, Members, 402 posts)

Posted 08 January 2012 - 06:06 PM

Okay and thank you thank you thank you!

4

#11 fireman4it, Bleepin' Fireman (Malware Response Team, 13,512 posts, Location: Greenup, Ill USA)

Posted 08 January 2012 - 06:56 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





