
Infected with System Check virus & Google keeps redirecting.


This topic is locked
20 replies to this topic

#1 pbrangwynne

  • Members
  • 10 posts

Posted 07 April 2012 - 12:57 AM

Several weeks back, my computer was infected with the Windows System Check virus. I utilized this website via Google to remove the virus and was successful at stopping the computer from acting up through the Malwarebytes software. For several days the computer operated smoothly. Unfortunately after starting the computer one evening, the screen went completely grey and all desktop icons and programs disappeared - later discovered to have been hidden by the virus. Even in Safe Mode with Networking all icons and programs were missing. I finally chose to restore the computer to a date prior to the initial incident occurring (I believe to March 12, 2012). After restoring the computer, I then ran Malwarebytes again and removed all infected files it discovered (including many PUPs). I also utilized unhide.exe to unhide all desktop icons and programs and purchased McAfee antivirus software. Now a week later, I've noticed the system check link appearing at the bottom of my desktop, my McAfee virus protection unable to run any scans (stating that an error has occurred even before starting), and several search engines - including Google, Bing, and Yahoo - redirecting me or not coming up at all. Please help me discover and destroy this problem once and for all! Thank you in advance.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Run by Sam at 20:14:20 on 2012-04-06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2263 [GMT -5:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: YTNavAssistPlugin Class: {81017ea9-9aa8-4a6a-9734-7af40e7d593f} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120324125553.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn4\YTSingleInstance.dll
TB: Neopets: {cd292324-974f-4224-d074-caca427aa030} - c:\progra~1\neopets\toolbar\Toolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [YSearchProtection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
dRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
dRun: [Update] rundll32.exe "c:\documents and settings\networkservice\application data\yahoo!\yahoo!\klzgc.dll",DllRegisterServer
StartupFolder: c:\docume~1\sam\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\sam\local settings\temp\{436213e5-cecd-4cfb-8149-6b56cd819a02}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\fortem~1.lnk - c:\program files\lg soft india\fortemanager\bin\Monitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Yahoo! Search - file:///c:\program files\yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\yahoo!\Common/ycsms.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {775879E2-7309-4619-BB02-AADE41F4B690} - hxxp://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{7743F982-AA26-42CA-A84B-C3ABC8682C52} : DhcpNameServer = 192.168.1.254
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\sam\application data\mozilla\firefox\profiles\1ssxrk2t.default\
FF - plugin: c:\progra~1\mcafee\msc\npMcSnFFPl.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
.
============= SERVICES / DRIVERS ===============
.
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2011-11-22 632792]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-22 136176]
S3 cpuz132;cpuz132;\??\c:\docume~1\sam\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\sam\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-22 136176]
S3 LGDDCDevice;LGDDCDevice;c:\program files\lg soft india\fortemanager\bin\I2CDriver.sys [2009-6-7 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\lg soft india\fortemanager\bin\PII2CDriver.sys [2009-6-7 18432]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
.
=============== Created Last 30 ================
.
2012-03-24 17:55:53 28760 ----a-w- c:\program files\mozilla firefox\ScriptFF.dll
2012-03-24 17:55:52 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2012-03-24 17:55:46 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2012-03-24 17:55:46 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2012-03-24 17:55:46 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2012-03-24 17:55:45 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2012-03-24 17:55:45 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
2012-03-24 17:55:45 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2012-03-24 17:55:38 -------- d-----w- c:\program files\common files\Mcafee
2012-03-24 17:55:37 -------- d-----w- c:\program files\McAfee.com
2012-03-24 17:41:25 150856 ----a-w- c:\windows\system32\mfevtps.exe
2012-03-24 02:53:44 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-03-24 01:53:54 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-24 01:53:54 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-23 23:23:35 84992 ----a-w- c:\documents and settings\all users\application data\3C5yLIGO.exe
2012-03-23 19:15:03 84992 ----a-w- c:\windows\system32\470CK0D.com
2012-03-22 23:13:17 84992 ----a-w- c:\windows\system32\470CK0D.com_
2012-03-18 18:28:54 -------- d-----w- c:\documents and settings\sam\application data\Malwarebytes
2012-03-18 18:28:39 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-18 18:28:38 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-18 18:28:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-03-04 00:41:08 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2007-12-27 02:11:21 774144 ----a-w- c:\program files\RngInterstitial.dll
.
============= FINISH: 20:15:14.81 ===============
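The DDS log above contains several entries that malware-removal helpers key on: a dRun entry that launches rundll32.exe against a DLL sitting under a service account's Application Data folder, three files of identical size (84992 bytes) with random-looking names created within a day of each other in system32 and All Users\Application Data, and (in the ComboFix log posted later in this thread) dozens of At*.job scheduled tasks that all point at one of those files. The script below is an added example of automating that triage; it is not a BleepingComputer tool and not part of any post here. The sample input is constructed from lines copied out of the DDS log plus two scheduled-task entries written in ComboFix's two-line format, and the heuristics (the random-name pattern, the list of drop directories, treating At*.job jobs as at.exe-created) are assumptions chosen for this example rather than rules from the thread.

```python
"""Triage helper for DDS-style logs (added example, not a BleepingComputer tool)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: lines copied from the DDS log above, plus two scheduled-task
# entries in the two-line format ComboFix uses for c:\windows\Tasks\*.job.
SAMPLE_LOG = r"""
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
dRun: [Update] rundll32.exe "c:\documents and settings\networkservice\application data\yahoo!\yahoo!\klzgc.dll",DllRegisterServer
2012-03-23 23:23:35 84992 ----a-w- c:\documents and settings\all users\application data\3C5yLIGO.exe
2012-03-23 19:15:03 84992 ----a-w- c:\windows\system32\470CK0D.com
2012-03-22 23:13:17 84992 ----a-w- c:\windows\system32\470CK0D.com_
2012-03-18 18:28:38 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-07 c:\windows\Tasks\At1.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
2012-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
"""


@dataclass
class Finding:
    kind: str    # "run", "file", "task" or "size"
    item: str    # command, path or job the finding is about
    reason: str


RUN_RE = re.compile(r'^[umd]Run:\s*\[[^\]]*\]\s*(?P<cmd>.+)$', re.I)
CREATED_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$')
TASK_RE = re.compile(r'^\d{4}-\d\d-\d\d\s+(?P<job>c:\\windows\\tasks\\\S+\.job)$', re.I)
TARGET_RE = re.compile(r'^-\s+(?P<target>.+?)\s+\[')
AT_JOB_RE = re.compile(r'\\at\d+\.job$', re.I)   # jobs named At<N>.job are created by at.exe
# Heuristic (assumption): a 6-10 character stem mixing digits and letters, e.g. 3C5yLIGO.
RANDOM_STEM = re.compile(r'^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,10}$', re.I)
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\', '\\temp\\')
# Directories where the droppers in this thread landed (assumption: treated as drop locations).
DROP_DIRS = ('\\windows\\system32', '\\all users\\application data', '\\local settings\\temp')


def split_path(path):
    """Return (parent_dir, stem, ext) for a Windows path, all lower-cased."""
    p = path.strip().strip('"').lower()
    parent, _, name = p.rpartition('\\')
    stem, _, ext = name.partition('.')
    return parent, stem, ext


def suspicious_file(path):
    """Random-looking name or .com/.com_ extension directly inside a drop directory."""
    parent, stem, ext = split_path(path)
    in_drop_dir = any(parent.endswith(d) for d in DROP_DIRS)
    return in_drop_dir and (RANDOM_STEM.match(stem) is not None or ext in ('com', 'com_'))


def suspicious_run(cmd):
    """rundll32 loading a DLL from a user-writable profile location."""
    c = cmd.lower()
    return 'rundll32' in c and any(marker in c for marker in USER_WRITABLE)


def suspicious_task(job, target):
    """An at.exe-created job whose target is itself a suspicious file."""
    return AT_JOB_RE.search(job) is not None and suspicious_file(target)


def triage(log_text):
    """Scan DDS/ComboFix-style lines and return a list of Finding objects."""
    findings = []
    sizes = defaultdict(list)   # file size -> paths, to spot one dropper under several names
    lines = [ln.strip() for ln in log_text.splitlines()]
    for i, line in enumerate(lines):
        if (m := RUN_RE.match(line)) and suspicious_run(m['cmd']):
            findings.append(Finding('run', m['cmd'], 'rundll32 loads a DLL from a user-writable profile path'))
        elif m := CREATED_RE.match(line):
            sizes[int(m['size'])].append(m['path'])
            if suspicious_file(m['path']):
                findings.append(Finding('file', m['path'], 'random-looking name or .com file in a drop directory'))
        elif (m := TASK_RE.match(line)) and i + 1 < len(lines):
            t = TARGET_RE.match(lines[i + 1])
            if t and suspicious_task(m['job'], t['target']):
                findings.append(Finding('task', m['job'], f'at.exe-style job runs {t["target"]}'))
    for size, paths in sizes.items():
        if len(paths) > 1 and any(suspicious_file(p) for p in paths):
            findings.append(Finding('size', ', '.join(paths),
                                    f'{len(paths)} files share size {size}: likely the same dropper'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.kind}] {f.item}\n    {f.reason}')
```

Run it as-is to see the five indicator findings plus the size correlation; legitimate entries such as iTunesHelper, mbam.sys and AppleSoftwareUpdate.job are not reported. The size grouping is the part worth keeping in mind when reading logs by hand: a rogue that re-drops itself under a new random name usually keeps the same byte size, so identical sizes across oddly named files in different folders are a stronger signal than any single name.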


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 April 2012 - 03:26 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 pbrangwynne
  • Topic Starter

  • Members
  • 10 posts

Posted 07 April 2012 - 01:43 PM

Problem before beginning: This morning I uninstalled McAfee Anti-Virus and Anti-Spyware as it was only a 90 day trial version and I did not want it to interfere with the Combofix program. The computer uninstalled the program and restarted when prompted. After the computer restarted I rechecked to verify that McAfee had been removed, which it shows that it has. I then downloaded Combofix and began to run the program. Unfortunately, Combofix prompted me with a warning stating that it has detected McAfee Anti-Virus and Anti-Spyware to be active and that this may lead to unpredictable results or possible machine damage. It then states that I should disable this program before proceeding. As one can imagine, I am both confused and concerned with this prompt. Any advice would be greatly appreciated. Thank you.

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 April 2012 - 05:48 PM

Hello


go ahead and run it and I will fix that later

#5 pbrangwynne
  • Topic Starter

  • Members
  • 10 posts

Posted 07 April 2012 - 06:59 PM

ComboFix 12-04-07.03 - Sam 04/07/2012 18:27:09.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2498 [GMT -5:00]
Running from: c:\documents and settings\Sam\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\3C5yLIGO.exe
c:\documents and settings\All Users\Application Data\pswi_preloaded.exe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\NetworkService\Application Data\Identities\Identities\oexuquj.dll
c:\documents and settings\Sam\Start Menu\Programs\System Check
c:\documents and settings\Sam\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Sam\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\Sam\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\SET100.tmp
c:\windows\system32\SET101.tmp
c:\windows\system32\SET105.tmp
c:\windows\system32\SET106.tmp
c:\windows\system32\SET107.tmp
c:\windows\system32\SET10B.tmp
c:\windows\system32\SET10D.tmp
c:\windows\system32\SET128.tmp
c:\windows\system32\SET12A.tmp
c:\windows\system32\SET138.tmp
c:\windows\system32\SET159.tmp
c:\windows\system32\SET212.tmp
c:\windows\system32\SET214.tmp
c:\windows\system32\SET220.tmp
c:\windows\system32\SET222.tmp
c:\windows\system32\SET229.tmp
c:\windows\system32\SET22A.tmp
c:\windows\system32\SET22B.tmp
c:\windows\system32\SET22E.tmp
c:\windows\system32\SETFF.tmp
c:\windows\wallpg.exe
D:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2012-03-07 to 2012-04-07 )))))))))))))))))))))))))))))))
.
.
2012-04-02 19:49 . 2012-04-02 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2012-03-24 02:53 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-03-24 01:53 . 2012-03-24 01:53 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-23 23:18 . 2012-03-23 23:18 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-03-23 23:18 . 2012-03-23 23:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2012-03-23 23:16 . 2012-03-23 23:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Neopets Toolbar
2012-03-23 23:15 . 2012-03-23 23:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Threat Expert
2012-03-23 19:15 . 2012-03-23 04:17 84992 ----a-w- c:\windows\system32\470CK0D.com
2012-03-22 23:14 . 2012-03-22 23:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2012-03-18 18:28 . 2012-03-18 18:28 -------- d-----w- c:\documents and settings\Sam\Application Data\Malwarebytes
2012-03-18 18:28 . 2012-03-18 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-18 18:28 . 2012-03-24 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-18 18:28 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-12 22:23 . 2012-03-12 22:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-04 00:41 . 2011-07-02 15:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-05-26 19:30 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 03:48 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2004-05-26 20:20 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2007-12-27 02:11 . 2007-12-27 02:11 774144 ----a-w- c:\program files\RngInterstitial.dll
2012-03-13 04:39 . 2012-03-28 22:53 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn5\yt.dll" [2012-01-12 1517368]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-26 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\Sam\Start Menu\Programs\Startup\
RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Sam\Local Settings\Temp\{436213E5-CECD-4CFB-8149-6B56CD819A02}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2009-6-7 1687552]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\CivilizationV.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\amd driver updater, xp, 32 bit\\Setup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/22/2011 2:31 PM 632792]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 9:04 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 9:04 AM 136176]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [6/7/2009 7:01 PM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [6/7/2009 7:01 PM 18432]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-04-07 c:\windows\Tasks\At1.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-03-22 c:\windows\Tasks\At10.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-03-22 c:\windows\Tasks\At11.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-03-22 c:\windows\Tasks\At12.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-03-22 c:\windows\Tasks\At13.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-03-22 c:\windows\Tasks\At14.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-03-22 c:\windows\Tasks\At15.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-03-22 c:\windows\Tasks\At16.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-03-22 c:\windows\Tasks\At17.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-03-22 c:\windows\Tasks\At18.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-06 c:\windows\Tasks\At19.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At2.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-06 c:\windows\Tasks\At20.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-06 c:\windows\Tasks\At21.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-06 c:\windows\Tasks\At22.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-06 c:\windows\Tasks\At23.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-06 c:\windows\Tasks\At24.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At25.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At26.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At27.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At28.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At29.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At3.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At30.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At31.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At32.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At33.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At34.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At35.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At36.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At37.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At38.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At39.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At4.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At40.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At41.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At42.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At43.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At44.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At45.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At46.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-04-07 c:\windows\Tasks\At47.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\At48.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-03-22 c:\windows\Tasks\At5.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-03-22 c:\windows\Tasks\At6.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-03-22 c:\windows\Tasks\At7.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-03-22 c:\windows\Tasks\At8.job
- c:\windows\system32\470CK0D.com_ [2012-03-22 04:17]
.
2012-03-22 c:\windows\Tasks\At9.job
- c:\windows\system32\470CK0D.com [2012-03-23 04:17]
.
2012-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 14:04]
.
2012-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 14:04]
.
2012-04-07 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2011-11-22 16:02]
.
2012-04-07 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2011-11-22 19:23]
.
2012-04-07 c:\windows\Tasks\User_Feed_Synchronization-{8C9E88BB-9418-4D0A-BC6B-F4DD8A5991C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\1ssxrk2t.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-Steam - c:\program files\steam\steam.exe
HKLM-Run-SysTrayApp - c:\program files\IDT\WDM\sttray.exe
HKU-Default-Run-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
AddRemove-eTrust Anti-Spam - c:\windows\unezas.exe
AddRemove-eTrust EZ Firewall - c:\windows\unezfw.exe
AddRemove-{CF40ACC5-E1BB-4aff-AC72-04C2F616BCA7} - c:\program files\NOS\bin\getPlus_HelperSvc.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-07 18:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-04-07 18:47:40
ComboFix-quarantined-files.txt 2012-04-07 23:47
.
Pre-Run: 2,722,836,480 bytes free
Post-Run: 3,653,853,184 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 6F2343D1D3DDF33F849E2D74CD9A6796


No problems occurred during the running of the Combofix program. However, the program still maintains that McAfee exists on my computer when I believe this to not be the case.
As for the computer's operation, the System Check shortcut still exists in the task bar. When attempting to connect to the Google search engine a message stating "503 Service Temporarily Unavailable" appears. Similar messages appear for both Yahoo and Bing pages. Other than these issues, the computer appears to be operating as before.

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 April 2012 - 08:27 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 pbrangwynne

pbrangwynne
  • Topic Starter

  • Members
  • 10 posts

Posted 07 April 2012 - 11:49 PM

23:15:19.0593 2308 TDSS rootkit removing tool 2.7.26.0 Apr 4 2012 19:52:02
23:15:20.0046 2308 ============================================================
23:15:20.0046 2308 Current date / time: 2012/04/07 23:15:20.0046
23:15:20.0046 2308 SystemInfo:
23:15:20.0046 2308
23:15:20.0046 2308 OS Version: 5.1.2600 ServicePack: 3.0
23:15:20.0046 2308 Product type: Workstation
23:15:20.0046 2308 ComputerName: MY_ESCAPE
23:15:20.0046 2308 UserName: Sam
23:15:20.0046 2308 Windows directory: C:\WINDOWS
23:15:20.0046 2308 System windows directory: C:\WINDOWS
23:15:20.0046 2308 Processor architecture: Intel x86
23:15:20.0046 2308 Number of processors: 2
23:15:20.0046 2308 Page size: 0x1000
23:15:20.0046 2308 Boot type: Normal boot
23:15:20.0046 2308 ============================================================
23:15:22.0000 2308 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
23:15:22.0000 2308 \Device\Harddisk0\DR0:
23:15:22.0000 2308 MBR used
23:15:22.0000 2308 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xA0124D, BlocksNum 0x8B093B3
23:15:22.0000 2308 \Device\Harddisk0\DR0\Partition1: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0xA0120E
23:15:22.0031 2308 Initialize success
23:15:22.0031 2308 ============================================================
23:15:25.0562 0244 ============================================================
23:15:25.0562 0244 Scan started
23:15:25.0562 0244 Mode: Manual;
23:15:25.0562 0244 ============================================================
23:15:27.0093 0244 Abiosdsk - ok
23:15:27.0140 0244 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
23:15:27.0140 0244 abp480n5 - ok
23:15:27.0171 0244 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:15:27.0187 0244 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 25a0e4c6de3d09685fbb763fae90847b
23:15:27.0187 0244 ACPI ( Virus.Win32.Rloader.a ) - infected
23:15:27.0187 0244 ACPI - detected Virus.Win32.Rloader.a (0)
23:15:27.0203 0244 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:15:27.0203 0244 ACPIEC - ok
23:15:27.0218 0244 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
23:15:27.0218 0244 adpu160m - ok
23:15:27.0234 0244 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:15:27.0234 0244 aec - ok
23:15:27.0296 0244 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
23:15:27.0296 0244 AFD - ok
23:15:27.0328 0244 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
23:15:27.0328 0244 agp440 - ok
23:15:27.0328 0244 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
23:15:27.0328 0244 agpCPQ - ok
23:15:27.0343 0244 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
23:15:27.0343 0244 Aha154x - ok
23:15:27.0359 0244 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
23:15:27.0359 0244 aic78u2 - ok
23:15:27.0375 0244 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
23:15:27.0375 0244 aic78xx - ok
23:15:27.0406 0244 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
23:15:27.0406 0244 Alerter - ok
23:15:27.0421 0244 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
23:15:27.0421 0244 ALG - ok
23:15:27.0437 0244 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
23:15:27.0437 0244 AliIde - ok
23:15:27.0453 0244 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
23:15:27.0453 0244 alim1541 - ok
23:15:27.0484 0244 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
23:15:27.0484 0244 amdagp - ok
23:15:27.0484 0244 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
23:15:27.0500 0244 amsint - ok
23:15:27.0640 0244 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
23:15:27.0640 0244 Apple Mobile Device - ok
23:15:27.0671 0244 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
23:15:27.0671 0244 AppMgmt - ok
23:15:27.0687 0244 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
23:15:27.0687 0244 asc - ok
23:15:27.0703 0244 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
23:15:27.0703 0244 asc3350p - ok
23:15:27.0718 0244 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
23:15:27.0718 0244 asc3550 - ok
23:15:27.0796 0244 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
23:15:27.0796 0244 aspnet_state - ok
23:15:27.0859 0244 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:15:27.0859 0244 AsyncMac - ok
23:15:27.0890 0244 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:15:27.0890 0244 atapi - ok
23:15:27.0890 0244 Atdisk - ok
23:15:27.0953 0244 Ati HotKey Poller (dae9b06f344ae0f877d7ce3500c12342) C:\WINDOWS\system32\Ati2evxx.exe
23:15:27.0968 0244 Ati HotKey Poller - ok
23:15:28.0000 0244 ATI Smart (460741befbfc91c88934620bc546d172) C:\WINDOWS\system32\ati2sgag.exe
23:15:28.0015 0244 ATI Smart - ok
23:15:28.0203 0244 ati2mtag (bde0f5d73c04b3f16672a7e6ea9d2392) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
23:15:28.0234 0244 ati2mtag - ok
23:15:28.0296 0244 AtiHdmiService (d9bc8892b9440a2551b8148c57aa039e) C:\WINDOWS\system32\drivers\AtiHdmi.sys
23:15:28.0296 0244 AtiHdmiService - ok
23:15:28.0312 0244 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:15:28.0312 0244 Atmarpc - ok
23:15:28.0343 0244 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
23:15:28.0343 0244 AudioSrv - ok
23:15:28.0359 0244 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:15:28.0359 0244 audstub - ok
23:15:28.0390 0244 b57w2k (48bf91cffbcdd12a710207f2a08fec4d) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
23:15:28.0390 0244 b57w2k - ok
23:15:28.0406 0244 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:15:28.0406 0244 Beep - ok
23:15:28.0437 0244 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
23:15:28.0453 0244 BITS - ok
23:15:28.0515 0244 Bonjour Service (1c87705ccb2f60172b0fc86b5d82f00d) C:\Program Files\Bonjour\mDNSResponder.exe
23:15:28.0515 0244 Bonjour Service - ok
23:15:28.0546 0244 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
23:15:28.0546 0244 Browser - ok
23:15:28.0625 0244 catchme - ok
23:15:28.0718 0244 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
23:15:28.0718 0244 cbidf - ok
23:15:28.0718 0244 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:15:28.0718 0244 cbidf2k - ok
23:15:28.0734 0244 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
23:15:28.0734 0244 cd20xrnt - ok
23:15:28.0765 0244 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:15:28.0765 0244 Cdaudio - ok
23:15:28.0796 0244 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:15:28.0796 0244 Cdfs - ok
23:15:28.0812 0244 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:15:28.0812 0244 Cdrom - ok
23:15:28.0812 0244 Changer - ok
23:15:28.0843 0244 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
23:15:28.0843 0244 CiSvc - ok
23:15:28.0875 0244 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
23:15:28.0875 0244 ClipSrv - ok
23:15:28.0953 0244 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
23:15:28.0953 0244 clr_optimization_v2.0.50727_32 - ok
23:15:28.0968 0244 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
23:15:28.0968 0244 CmdIde - ok
23:15:28.0984 0244 COMSysApp - ok
23:15:29.0000 0244 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
23:15:29.0000 0244 Cpqarray - ok
23:15:29.0015 0244 cpuz132 - ok
23:15:29.0062 0244 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
23:15:29.0062 0244 CryptSvc - ok
23:15:29.0078 0244 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
23:15:29.0078 0244 dac2w2k - ok
23:15:29.0093 0244 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
23:15:29.0093 0244 dac960nt - ok
23:15:29.0109 0244 DC21x4 (bb005cb49d0638039703ac4f67fe0a05) C:\WINDOWS\system32\DRIVERS\dc21x4.sys
23:15:29.0109 0244 DC21x4 - ok
23:15:29.0156 0244 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
23:15:29.0156 0244 DcomLaunch - ok
23:15:29.0171 0244 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
23:15:29.0171 0244 Dhcp - ok
23:15:29.0203 0244 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:15:29.0203 0244 Disk - ok
23:15:29.0203 0244 dmadmin - ok
23:15:29.0265 0244 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:15:29.0265 0244 dmboot - ok
23:15:29.0328 0244 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:15:29.0328 0244 dmio - ok
23:15:29.0343 0244 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:15:29.0343 0244 dmload - ok
23:15:29.0375 0244 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
23:15:29.0375 0244 dmserver - ok
23:15:29.0390 0244 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:15:29.0390 0244 DMusic - ok
23:15:29.0421 0244 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
23:15:29.0421 0244 Dnscache - ok
23:15:29.0453 0244 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
23:15:29.0453 0244 Dot3svc - ok
23:15:29.0468 0244 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
23:15:29.0468 0244 dpti2o - ok
23:15:29.0500 0244 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:15:29.0500 0244 drmkaud - ok
23:15:29.0515 0244 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
23:15:29.0515 0244 EapHost - ok
23:15:29.0531 0244 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
23:15:29.0531 0244 ERSvc - ok
23:15:29.0562 0244 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
23:15:29.0562 0244 Eventlog - ok
23:15:29.0609 0244 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
23:15:29.0609 0244 EventSystem - ok
23:15:29.0625 0244 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:15:29.0625 0244 Fastfat - ok
23:15:29.0656 0244 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
23:15:29.0671 0244 FastUserSwitchingCompatibility - ok
23:15:29.0687 0244 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:15:29.0687 0244 Fdc - ok
23:15:29.0703 0244 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:15:29.0703 0244 Fips - ok
23:15:29.0734 0244 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:15:29.0734 0244 Flpydisk - ok
23:15:29.0796 0244 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:15:29.0796 0244 FltMgr - ok
23:15:29.0875 0244 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
23:15:29.0875 0244 FontCache3.0.0.0 - ok
23:15:29.0906 0244 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:15:29.0906 0244 Fs_Rec - ok
23:15:29.0921 0244 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:15:29.0921 0244 Ftdisk - ok
23:15:29.0953 0244 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
23:15:29.0953 0244 GEARAspiWDM - ok
23:15:30.0000 0244 getPlus® Helper - ok
23:15:30.0015 0244 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:15:30.0015 0244 Gpc - ok
23:15:30.0062 0244 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
23:15:30.0062 0244 gupdate - ok
23:15:30.0078 0244 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
23:15:30.0078 0244 gupdatem - ok
23:15:30.0093 0244 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
23:15:30.0093 0244 HDAudBus - ok
23:15:30.0140 0244 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
23:15:30.0140 0244 helpsvc - ok
23:15:30.0171 0244 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
23:15:30.0171 0244 HidServ - ok
23:15:30.0187 0244 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:15:30.0187 0244 HidUsb - ok
23:15:30.0218 0244 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
23:15:30.0218 0244 hkmsvc - ok
23:15:30.0234 0244 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
23:15:30.0234 0244 hpn - ok
23:15:30.0296 0244 HSFHWBS2 (b6b0721a86e51d141ec55c3cc1ca5686) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
23:15:30.0296 0244 HSFHWBS2 - ok
23:15:30.0375 0244 HSF_DP (b2dfc168d6f7512faea085253c5a37ad) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
23:15:30.0390 0244 HSF_DP - ok
23:15:30.0437 0244 HSF_DPV (698204d9c2832e53633e53a30a53fc3d) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
23:15:30.0437 0244 HSF_DPV - ok
23:15:30.0484 0244 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
23:15:30.0484 0244 HTTP - ok
23:15:30.0531 0244 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
23:15:30.0531 0244 HTTPFilter - ok
23:15:30.0562 0244 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
23:15:30.0562 0244 i2omgmt - ok
23:15:30.0578 0244 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
23:15:30.0578 0244 i2omp - ok
23:15:30.0609 0244 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:15:30.0609 0244 i8042prt - ok
23:15:30.0718 0244 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
23:15:30.0718 0244 IDriverT - ok
23:15:30.0796 0244 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
23:15:30.0812 0244 idsvc - ok
23:15:30.0828 0244 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:15:30.0828 0244 Imapi - ok
23:15:30.0859 0244 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
23:15:30.0859 0244 ImapiService - ok
23:15:30.0890 0244 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
23:15:30.0890 0244 ini910u - ok
23:15:30.0937 0244 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
23:15:30.0937 0244 IntelIde - ok
23:15:30.0968 0244 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:15:30.0968 0244 intelppm - ok
23:15:31.0000 0244 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:15:31.0000 0244 Ip6Fw - ok
23:15:31.0015 0244 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:15:31.0015 0244 IpFilterDriver - ok
23:15:31.0046 0244 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:15:31.0046 0244 IpInIp - ok
23:15:31.0078 0244 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:15:31.0078 0244 IpNat - ok
23:15:31.0109 0244 iPod Service (f62c69376a95795fe7cdb1c778edaca4) C:\Program Files\iPod\bin\iPodService.exe
23:15:31.0109 0244 iPod Service - ok
23:15:31.0140 0244 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:15:31.0140 0244 IPSec - ok
23:15:31.0156 0244 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:15:31.0156 0244 IRENUM - ok
23:15:31.0187 0244 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:15:31.0187 0244 isapnp - ok
23:15:31.0312 0244 JavaQuickStarterService (9ae07549a0d691a103faf8946554bdb7) C:\Program Files\Java\jre6\bin\jqs.exe
23:15:31.0312 0244 JavaQuickStarterService - ok
23:15:31.0328 0244 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:15:31.0328 0244 Kbdclass - ok
23:15:31.0359 0244 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:15:31.0359 0244 kbdhid - ok
23:15:31.0375 0244 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:15:31.0375 0244 kmixer - ok
23:15:31.0375 0244 KodakCCS - ok
23:15:31.0406 0244 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
23:15:31.0406 0244 KSecDD - ok
23:15:31.0453 0244 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
23:15:31.0468 0244 lanmanserver - ok
23:15:31.0531 0244 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
23:15:31.0531 0244 lanmanworkstation - ok
23:15:31.0562 0244 lbrtfdc - ok
23:15:31.0593 0244 LGDDCDevice (9dcb9d9bdb7e3c0f66f86ee09a392cbb) C:\Program Files\LG Soft India\forteManager\bin\I2CDriver.sys
23:15:31.0593 0244 LGDDCDevice - ok
23:15:31.0609 0244 LGII2CDevice (21a62a7a95b1905634e7c12e5158ec32) C:\Program Files\LG Soft India\forteManager\bin\PII2CDriver.sys
23:15:31.0609 0244 LGII2CDevice - ok
23:15:31.0640 0244 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
23:15:31.0640 0244 LmHosts - ok
23:15:31.0671 0244 MCSTRM (5bb01b9f582259d1fb7653c5c1da3653) C:\WINDOWS\system32\drivers\MCSTRM.sys
23:15:31.0671 0244 MCSTRM - ok
23:15:31.0734 0244 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
23:15:31.0734 0244 mdmxsdk - ok
23:15:31.0765 0244 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
23:15:31.0765 0244 Messenger - ok
23:15:31.0796 0244 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:15:31.0796 0244 mnmdd - ok
23:15:31.0812 0244 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
23:15:31.0812 0244 mnmsrvc - ok
23:15:31.0828 0244 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:15:31.0828 0244 Modem - ok
23:15:31.0843 0244 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:15:31.0843 0244 Mouclass - ok
23:15:31.0890 0244 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:15:31.0890 0244 mouhid - ok
23:15:31.0890 0244 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:15:31.0890 0244 MountMgr - ok
23:15:31.0921 0244 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
23:15:31.0921 0244 mraid35x - ok
23:15:31.0937 0244 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:15:31.0937 0244 MRxDAV - ok
23:15:37.0437 0244 ============================================================
23:15:37.0437 0244 Scan finished
23:15:37.0437 0244 ============================================================
23:15:37.0453 2560 Detected object count: 1
23:15:37.0453 2560 Actual detected object count: 1
23:15:59.0640 2560 C:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
23:16:00.0890 2560 Backup copy found, using it..
23:16:00.0890 2560 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
23:16:00.0890 2560 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
23:16:24.0218 3188 Deinitialize success



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-07 23:26:09
-----------------------------
23:26:09.687 OS Version: Windows 5.1.2600 Service Pack 3
23:26:09.687 Number of processors: 2 586 0x404
23:26:09.687 ComputerName: MY_ESCAPE UserName: Sam
23:26:10.078 Initialize success
23:26:20.937 AVAST engine defs: 12040701
23:26:25.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
23:26:25.265 Disk 0 Vendor: WDC_WD800BD-22LRA0 06.01D06 Size: 76319MB BusType: 3
23:26:25.312 Disk 0 MBR read successfully
23:26:25.328 Disk 0 MBR scan
23:26:25.593 Disk 0 unknown MBR code
23:26:25.625 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 71186 MB offset 10490445
23:26:25.687 Disk 0 Partition 2 00 0B FAT32 RECOVERY 5122 MB offset 63
23:26:25.718 Disk 0 scanning sectors +156280320
23:26:25.875 Disk 0 scanning C:\WINDOWS\system32\drivers
23:26:44.015 Service scanning
23:27:00.046 Modules scanning
23:27:07.953 Disk 0 trace - called modules:
23:27:08.015 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
23:27:08.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b765ab8]
23:27:08.078 3 CLASSPNP.SYS[f7547fd7] -> nt!IofCallDriver -> \Device\00000088[0x8b7969e8]
23:27:08.109 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8b769b00]
23:27:08.421 AVAST engine scan C:\WINDOWS
23:27:31.390 AVAST engine scan C:\WINDOWS\system32
23:27:31.859 File: C:\WINDOWS\system32\470CK0D.com **INFECTED** Win32:Rootkit-gen [Rtk]
23:27:32.062 File: C:\WINDOWS\system32\470CK0D.com_ **INFECTED** Win32:Rootkit-gen [Rtk]
23:30:22.406 AVAST engine scan C:\WINDOWS\system32\drivers
23:30:37.609 AVAST engine scan C:\Documents and Settings\Sam
23:40:41.640 AVAST engine scan C:\Documents and Settings\All Users
23:42:01.140 Scan finished successfully
23:42:26.609 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Sam\Desktop\MBR.dat"
23:42:26.656 The log file has been saved successfully to "C:\Documents and Settings\Sam\Desktop\aswMBR.txt"


Just as a note: the computer automatically shut down while in the middle of running the Avast software the first time. After the computer restarted, I had to run the program again.

Thanks again Gringo!
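
As an added example (not a tool from this thread, and not from the TDSSKiller or aswMBR authors), a small Python triage script that pulls the actionable lines out of logs in the two formats posted above and checks them for consistency; the sample lines are constructed after the posted logs, and the `Finding` class and function names are my own.

```python
"""Triage helper for TDSSKiller and aswMBR logs (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the logs posted in the thread.
TDSSKILLER_LOG = r"""
23:15:35.0343 0244 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:15:35.0343 0244 Tcpip - ok
23:15:37.0359 0244 MBR (0x1B8) (b20939cd98b7710036274839082ae757) \Device\Harddisk0\DR0
23:15:37.0390 0244 \Device\Harddisk0\DR0 - ok
23:15:37.0453 2560 Detected object count: 1
23:15:37.0453 2560 Actual detected object count: 1
23:15:59.0640 2560 C:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
23:16:00.0890 2560 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
23:16:00.0890 2560 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
"""

ASWMBR_LOG = r"""
23:26:25.593 Disk 0 unknown MBR code
23:26:25.875 Disk 0 scanning C:\WINDOWS\system32\drivers
23:27:31.859 File: C:\WINDOWS\system32\470CK0D.com **INFECTED** Win32:Rootkit-gen [Rtk]
23:27:32.062 File: C:\WINDOWS\system32\470CK0D.com_ **INFECTED** Win32:Rootkit-gen [Rtk]
23:42:01.140 Scan finished successfully
"""

# TDSSKiller: "<time> <pid> <name> ( <verdict> ) - User select action: <action>"
TDSS_DETECTION = re.compile(
    r"^\S+\s+\d+\s+(?P<name>\S+)\s+\(\s*(?P<verdict>[^)]+?)\s*\)\s+-\s+User select action:\s*(?P<action>\w+)\s*$"
)
# TDSSKiller: "<time> <pid> Detected object count: <n>" (the "Actual ..." line is ignored)
TDSS_COUNT = re.compile(r"^\S+\s+\d+\s+Detected object count:\s*(?P<n>\d+)\s*$")
# TDSSKiller: "<time> <pid> <path> - copied to quarantine | will be cured on reboot"
TDSS_FILE_ACTION = re.compile(
    r"^\S+\s+\d+\s+(?P<path>[A-Za-z]:\\.+?)\s+-\s+(?P<status>copied to quarantine|will be cured on reboot)\s*$"
)
# aswMBR: "<time> File: <path> **INFECTED** <verdict>"
ASW_INFECTED = re.compile(r"^\S+\s+File:\s+(?P<path>.+?)\s+\*\*INFECTED\*\*\s+(?P<verdict>.+?)\s*$")
# aswMBR: "<time> Disk <n> unknown MBR code" (non-standard boot code; worth a closer look)
ASW_MBR = re.compile(r"^\S+\s+Disk\s+(?P<disk>\d+)\s+(?P<note>unknown MBR code)\s*$")


@dataclass
class Finding:
    tool: str      # "TDSSKiller" or "aswMBR"
    kind: str      # "detection", "file_action" or "mbr"
    subject: str   # service/driver name or file path
    detail: str    # verdict or status text


def parse_tdsskiller(text):
    """Return (findings, declared_count); driver lines ending in '- ok' are skipped."""
    findings, declared = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := TDSS_COUNT.match(line):
            declared = int(m["n"])
        elif m := TDSS_DETECTION.match(line):
            findings.append(Finding("TDSSKiller", "detection", m["name"], f"{m['verdict']} -> {m['action']}"))
        elif m := TDSS_FILE_ACTION.match(line):
            findings.append(Finding("TDSSKiller", "file_action", m["path"], m["status"]))
    return findings, declared


def parse_aswmbr(text):
    """Return findings for **INFECTED** files and any disk with unknown MBR code."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := ASW_INFECTED.match(line):
            findings.append(Finding("aswMBR", "detection", m["path"], m["verdict"]))
        elif m := ASW_MBR.match(line):
            findings.append(Finding("aswMBR", "mbr", f"Disk {m['disk']}", m["note"]))
    return findings


def triage(tdss_text, asw_text):
    """Combine both logs into one report a helper could act on."""
    tdss, declared = parse_tdsskiller(tdss_text)
    asw = parse_aswmbr(asw_text)
    detections = [f for f in tdss if f.kind == "detection"]
    return {
        "findings": tdss + asw,
        # the declared count should equal the number of verdict lines we parsed
        "tdss_count_consistent": declared is None or declared == len(detections),
        # a cure "on reboot" is not done until the machine has restarted
        "pending_reboot": any(f.detail == "will be cured on reboot" for f in tdss),
        "mbr_flagged": any(f.kind == "mbr" for f in asw),
    }


if __name__ == "__main__":
    for f in triage(TDSSKILLER_LOG, ASWMBR_LOG)["findings"]:
        print(f"{f.tool:10} {f.kind:12} {f.subject}  [{f.detail}]")
```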

#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 07 April 2012 - 11:59 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::
AtJob::
File::
c:\windows\system32\470CK0D.com_
c:\windows\system32\470CK0D.com

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 pbrangwynne
  • Topic Starter

  • Members
  • 10 posts

Posted 08 April 2012 - 12:31 PM

ComboFix 12-04-07.03 - Sam 04/08/2012 12:07:43.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2460 [GMT -5:00]
Running from: c:\documents and settings\Sam\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Sam\Desktop\CFScript.txt.txt
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
FILE ::
"c:\windows\system32\470CK0D.com"
"c:\windows\system32\470CK0D.com_"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\470CK0D.com
c:\windows\system32\470CK0D.com_
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
.
((((((((((((((((((((((((( Files Created from 2012-03-08 to 2012-04-08 )))))))))))))))))))))))))))))))
.
.
2012-04-08 04:15 . 2012-04-08 04:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-02 19:49 . 2012-04-02 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2012-03-24 02:53 . 2011-10-15 17:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2012-03-24 01:53 . 2012-03-24 01:53 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-23 23:18 . 2012-03-23 23:18 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2012-03-23 23:18 . 2012-03-23 23:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Yahoo
2012-03-23 23:16 . 2012-03-23 23:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Neopets Toolbar
2012-03-23 23:15 . 2012-03-23 23:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Threat Expert
2012-03-22 23:14 . 2012-03-22 23:14 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2012-03-18 18:28 . 2012-03-18 18:28 -------- d-----w- c:\documents and settings\Sam\Application Data\Malwarebytes
2012-03-18 18:28 . 2012-03-18 18:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-18 18:28 . 2012-03-24 01:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-18 18:28 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-12 22:23 . 2012-03-12 22:23 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-08 04:17 . 2004-08-04 06:07 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-03-04 00:41 . 2011-07-02 15:18 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2004-05-26 19:30 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 03:48 3072 ------w- c:\windows\system32\iacenc.dll
2007-12-27 02:11 . 2007-12-27 02:11 774144 ----a-w- c:\program files\RngInterstitial.dll
2012-03-13 04:39 . 2012-03-28 22:53 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn5\yt.dll" [2012-01-12 1517368]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2005-07-20 7090176]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-13 1121792]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-04-17 196608]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-04-13 69632]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-08-26 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2010-03-04 311296]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2011-05-10 49208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
c:\documents and settings\Sam\Start Menu\Programs\Startup\
RollerCoaster Tycoon 3 Registration.lnk - c:\documents and settings\Sam\Local Settings\Temp\{436213E5-CECD-4CFB-8149-6B56CD819A02}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
forteManager.lnk - c:\program files\LG Soft India\forteManager\bin\Monitor.exe [2009-6-7 1687552]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\CivilizationV.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\amd driver updater, xp, 32 bit\\Setup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\sid meier's civilization v\\Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [11/22/2011 2:31 PM 632792]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 9:04 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/22/2011 9:04 AM 136176]
S3 LGDDCDevice;LGDDCDevice;c:\program files\LG Soft India\forteManager\bin\I2CDriver.sys [6/7/2009 7:01 PM 14336]
S3 LGII2CDevice;LGII2CDevice;c:\program files\LG Soft India\forteManager\bin\PII2CDriver.sys [6/7/2009 7:01 PM 18432]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 14:04]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-22 14:04]
.
2012-04-08 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2011-11-22 16:02]
.
2012-04-08 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2011-11-22 19:23]
.
2012-04-08 c:\windows\Tasks\User_Feed_Synchronization-{8C9E88BB-9418-4D0A-BC6B-F4DD8A5991C6}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Sam\Application Data\Mozilla\Firefox\Profiles\1ssxrk2t.default\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-52121820.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-08 12:17
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(400)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2012-04-08 12:23:41 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-08 17:23
ComboFix2.txt 2012-04-07 23:47
.
Pre-Run: 3,454,500,864 bytes free
Post-Run: 3,558,813,696 bytes free
.
- - End Of File - - 1C2DF6F2DC08987329E3E3D20951B5B4

No problems occurred during the running of Combofix other than it still recognizing McAfee as being on the computer.

I am now able to access all search engines - Google, Yahoo, and Bing - which I was unable to search prior to this latest scan. However, the System Check shortcut still exists in the taskbar. Thanks!

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:02:29 AM

Posted 08 April 2012 - 01:27 PM

Hello

Let's get a deeper look into the system and see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened; this is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
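Both logs in this thread (the ComboFix excerpt in the post above and the OTL output this post asks for) are normally read by eye. As an added example that is not part of the original thread and not a BleepingComputer, ComboFix or OldTimer tool, the script below pulls out the items a responder would check first in such logs: Security Center monitoring keys flipped to 1, service/driver entries whose file no longer exists, URLSearchHook entries with a dangling CLSID, and Firefox extension packages with random-looking ids. The severity labels and the "random name" heuristic are my own assumptions; the sample lines are copied from the logs in this thread, plus one benign driver line as a control.

```python
"""Triage helper for ComboFix / OTL log excerpts.

Added example, not a BleepingComputer or OldTimer tool.  It scans log
lines like the ones posted in this thread and flags a few indicators a
responder would look at first.  Severities and the random-name heuristic
are assumptions made for this example.
"""
import re

# ComboFix prints Security Center monitoring keys as a header line followed
# by the DisableMonitoring value on the next non-separator line.
SC_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\([^\]]+)\]$",
    re.IGNORECASE,
)
SC_VAL_RE = re.compile(r'^"DisableMonitoring"=dword:([0-9a-fA-F]{8})$')
# OTL service/driver lines: 'SRV - (name) -- path (Company)' or '... File not found'
OTL_SVC_RE = re.compile(r"^(SRV|DRV) - \(([^)]+)\).*? -- (.*)$")
# OTL URLSearchHook entries whose CLSID no longer resolves
HOOK_RE = re.compile(r"URLSearchHook: (\{[0-9A-Fa-f-]+\}) - No CLSID value found")
# OTL listing of a packed Firefox extension: '...\EXTENSIONS\<id>.XPI'
XPI_RE = re.compile(r"\\EXTENSIONS\\([^\\]+)\.XPI$", re.IGNORECASE)


def looks_random(ext_id):
    """Heuristic (assumption): ids like 'abcdefgh@abcdefgh.org' built from a
    long vowel-free letter string, or repeating the same string as the domain."""
    local, _, domain = ext_id.partition("@")
    label = domain.split(".")[0]
    if not local.isalpha() or len(local) < 8:
        return False
    no_vowels = not (set(local.lower()) & set("aeiou"))
    return no_vowels or local.lower() == label.lower()


def triage(lines):
    """Return a list of (severity, note) tuples for the indicators found."""
    findings = []
    pending_product = None
    for raw in lines:
        line = raw.strip()
        m = SC_KEY_RE.match(line)
        if m:
            pending_product = m.group(1)
            continue
        m = SC_VAL_RE.match(line)
        if m and pending_product:
            if int(m.group(1), 16) == 1:
                findings.append(("high", f"Security Center monitoring disabled for {pending_product}; verify the product set this itself"))
            pending_product = None
            continue
        m = OTL_SVC_RE.match(line)
        if m:
            kind, name, rest = m.groups()
            if rest.endswith("File not found"):
                findings.append(("low", f"orphaned {kind} entry {name}: {rest}"))
            continue
        m = HOOK_RE.search(line)
        if m:
            findings.append(("low", f"URLSearchHook {m.group(1)} points at a missing CLSID"))
            continue
        m = XPI_RE.search(line)
        if m and looks_random(m.group(1)):
            findings.append(("high", f"random-looking Firefox extension {m.group(1)} with no name; inspect its install.rdf"))
    return findings


# Sample input: lines copied from the ComboFix and OTL logs in this thread,
# plus the ati2mtag driver line as a benign control.
SAMPLE_LOG = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]",
    r'"DisableMonitoring"=dword:00000001',
    ".",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]",
    r'"DisableMonitoring"=dword:00000001',
    r"DRV - (PciCon) -- E:\PciCon.sys File not found",
    r"DRV - (catchme) -- C:\ComboFix\catchme.sys File not found",
    r"DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)",
    r"IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found",
    r"() (No name found) -- C:\DOCUMENTS AND SETTINGS\SAM\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\1SSXRK2T.DEFAULT\EXTENSIONS\TBRMZWFDQQ@TBRMZWFDQQ.ORG.XPI",
    r"[2011/11/16 20:19:06 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF",
]

if __name__ == "__main__":
    for severity, note in triage(SAMPLE_LOG):
        print(severity.upper(), note)
```

Two caveats when reading the output. DisableMonitoring=1 under the Security Center Monitoring key is also written by some AV suites themselves when they take over their own status reporting, so the script labels it as something to verify rather than as proof of tampering; here it lines up with the reported McAfee scan failures, which is why it is worth checking. The orphaned mbr, catchme and cpuz132 driver entries are leftovers from diagnostic tools run earlier in the thread, and PciCon points at the game disc in drive E:, so those are cleanup, not infection. The no-name extension with a random id in the Firefox profile is the item to open next, since a hijacker extension there would explain search redirects that persist after a ComboFix run.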

#11 pbrangwynne

pbrangwynne
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:01:29 AM

Posted 08 April 2012 - 02:02 PM

Hey Gringo,

Here is the log produced from running the Old Timer program:

OTL logfile created on: 4/8/2012 1:54:41 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Sam\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.24 Gb Available Physical Memory | 74.59% Memory free
4.34 Gb Paging File | 3.77 Gb Available in Paging File | 86.91% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 69.52 Gb Total Space | 3.50 Gb Free Space | 5.04% Space Free | Partition Type: NTFS
Drive D: | 4.99 Gb Total Space | 2.53 Gb Free Space | 50.67% Space Free | Partition Type: FAT32
Drive E: | 4.60 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF

Computer Name: MY_ESCAPE | User Name: Sam | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Sam\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe (PC Tools)
PRC - C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
PRC - C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe ()
PRC - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\PSIService.exe ()
PRC - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Mozilla Firefox\mozjs.dll ()
MOD - C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\c14e58265386feb509cc61bb5e8dd296\System.Runtime.Remoting.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\9ebb674380eb192f367cad855f17a5d9\System.Web.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\94a40f415bfa947e251888bbe88bb973\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\77e1279cbf4eecfb0284b63316fe43fe\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ad99ac6b5666edb8ee742dd64f9578af\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\9351cf29bb1ba951e45a9b3b0edab937\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\9e3803cd2a11f056291862e306a8e2b2\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\d86a3346c3d90ff12d0df9d7726f3ece\Accessibility.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\ca87ba84221991839abbe7d4bc9c6721\mscorlib.ni.dll ()
MOD - c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll ()
MOD - c:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll ()
MOD - c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\AxInterop.WBOCXLib.dll ()
MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe ()
MOD - C:\Program Files\LG Soft India\forteManager\bin\MonitorEngRes.dll ()
MOD - C:\Program Files\LG Soft India\forteManager\bin\ApplicationManager.dll ()
MOD - C:\Program Files\LG Soft India\forteManager\bin\ACRHook.dll ()
MOD - C:\Program Files\LG Soft India\forteManager\bin\ProtocolEngine.dll ()
MOD - C:\Program Files\LG Soft India\forteManager\bin\DeviceManager.dll ()
MOD - C:\Program Files\LG Soft India\forteManager\bin\ErrorHandler.dll ()
MOD - C:\WINDOWS\system32\PSIService.exe ()


========== Win32 Services (SafeList) ==========

SRV - (KodakCCS) -- C:\WINDOWS\system32\drivers\KodakCCS.exe File not found
SRV - (getPlus® Helper) getPlus® -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe File not found
SRV - (PCToolsSSDMonitorSvc) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe (PC Tools)
SRV - (YahooAUService) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (Yahoo! Inc.)
SRV - (ProtexisLicensing) -- C:\WINDOWS\system32\PSIService.exe ()
SRV - (PrismXL) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS (New Boundary Technologies, Inc.)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (PciCon) -- E:\PciCon.sys File not found
DRV - (mbr) -- C:\DOCUME~1\Sam\LOCALS~1\Temp\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (cpuz132) -- C:\DOCUME~1\Sam\LOCALS~1\Temp\cpuz132\cpuz132_x32.sys File not found
DRV - (Changer) -- File not found
DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (LGII2CDevice) -- C:\Program Files\LG Soft India\forteManager\bin\PII2CDriver.sys ()
DRV - (LGDDCDevice) -- C:\Program Files\LG Soft India\forteManager\bin\I2CDriver.sys ()
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (IDT, Inc.)
DRV - (MCSTRM) -- C:\WINDOWS\System32\drivers\mcstrm.sys (RealNetworks, Inc.)
DRV - (HSF_DPV) -- C:\WINDOWS\system32\drivers\HSF_DPV.sys (Conexant Systems, Inc.)
DRV - (HSFHWBS2) -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys (Conexant Systems, Inc.)
DRV - (winachsf) -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys (Conexant Systems, Inc.)
DRV - (sfng32) -- C:\WINDOWS\system32\drivers\sfng32.sys (Sonic Focus, Inc)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (HSF_DP) -- C:\WINDOWS\system32\drivers\HSF_DP.sys (Conexant Systems, Inc.)
DRV - (DC21x4) -- C:\WINDOWS\system32\drivers\dc21x4.sys (Intel Corporation.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://news.yahoo.com [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaults/cs/msgr8/*http://www.yahoo.com/ext/search/search.html
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{34C707A6-D243-4FB1-8E39-466D3DE4ABA0}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=yie7c
IE - HKLM\..\SearchScopes\{A1D25952-2051-4FB7-8CBB-5CBCBF468932}: "URL" = http://news.search.yahoo.com/search/news?p={searchTerms}&fr=yie7c
IE - HKLM\..\SearchScopes\{A7337C49-AA53-42E1-8FD7-2B1033AC9418}: "URL" = http://shopping.yahoo.com/search?p={searchTerms}&fr=yie7c
IE - HKLM\..\SearchScopes\{C9E8CD1B-8430-4604-83D6-B0CC3D96B4A9}: "URL" = http://answers.yahoo.com/search/search_result?p={searchTerms}&fr=yie7c
IE - HKLM\..\SearchScopes\{D37E6E48-415A-4481-849E-D2E9789AB7BF}: "URL" = http://video.yahoo.com/video/search?p={searchTerms}&fr=yie7c
IE - HKLM\..\SearchScopes\{D8EE9AAE-9652-4C85-B532-1796784035D5}: "URL" = http://images.search.yahoo.com/search/images?p={searchTerms}&fr=yie7c
IE - HKLM\..\SearchScopes\{EA7A176D-0439-41F9-8860-A7C7FAD588A1}: "URL" = http://local.yahoo.com/results?stx={searchTerms}&fr=yie7c


IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\URLSearchHook: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes,DefaultScope = {D6AF34B3-837C-49AD-AB45-682218A68A8F}
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes\{0A741BDB-9357-4ACD-AE89-19DBCA57C20A}: "URL" = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes\{378FB169-A404-44D9-838A-14DE2774B49D}: "URL" = http://images.search.yahoo.com/search/images?p={searchTerms}&fr=yie7c
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes\{6BC1D08A-0B55-4462-93B3-A0191D9CC8F5}: "URL" = http://shopping.yahoo.com/search?p={searchTerms}&fr=yie7c
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes\{90125FC7-98E3-42E3-9EA4-ED2033100E7F}: "URL" = http://answers.yahoo.com/search/search_result?p={searchTerms}&fr=yie7c
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes\{9829354F-7107-4F32-985D-AF0540FF0130}: "URL" = http://local.yahoo.com/results?stx={searchTerms}&fr=yie7c
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes\{C44B9BBB-43C6-483F-9622-00070DEE4E11}: "URL" = http://news.search.yahoo.com/search/news?p={searchTerms}&fr=yie7c
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes\{CBD5E6DB-4217-41A5-8A0F-92D3FED2AD2D}: "URL" = http://video.yahoo.com/video/search?p={searchTerms}&fr=yie7c
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\SearchScopes\{D6AF34B3-837C-49AD-AB45-682218A68A8F}: "URL" = http://search.yahoo.com/search?p={searchTerms}&fr=yie7c
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost;*.local

========== FireFox ==========

FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/npracplug;version=1.0.0.0: C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll (RealNetworks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll File not found
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKLM\Software\MozillaPlugins\yaxmpb@yahoo.com/YahooActiveXPluginBridge;version=1.0.0.1: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/03/28 17:53:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 11.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/10/13 22:45:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Extensions
[2012/03/22 18:09:23 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Sam\Application Data\Mozilla\Firefox\Profiles\1ssxrk2t.default\extensions
[2012/03/28 17:53:32 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
() (No name found) -- C:\DOCUMENTS AND SETTINGS\SAM\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\1SSXRK2T.DEFAULT\EXTENSIONS\TBRMZWFDQQ@TBRMZWFDQQ.ORG.XPI
[2011/11/16 20:19:06 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2012/03/12 23:39:39 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/03/12 23:38:32 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/03/12 23:38:32 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/04/08 12:17:32 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Neopets) - {CD292324-974F-4224-D074-CACA427AA030} - C:\Program Files\Neopets\Toolbar\toolbar.dll (Velocity Services, Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Neopets) - {CD292324-974F-4224-D074-CACA427AA030} - C:\Program Files\Neopets\Toolbar\toolbar.dll (Velocity Services, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
O3 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\Toolbar\WebBrowser: (Neopets) - {CD292324-974F-4224-D074-CACA427AA030} - C:\Program Files\Neopets\Toolbar\toolbar.dll (Velocity Services, Inc.)
O3 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [ATICustomerCare] c:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [IntelAudioStudio] C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe (Intel Corporation)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\creator\remind_xp.exe (SoftThinks)
O4 - HKLM..\Run: [StartCCC] c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (Yahoo! Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\forteManager.lnk = C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe ()
O4 - Startup: C:\Documents and Settings\Sam\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk = File not found
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: &Yahoo! Search - C:\Program Files\Yahoo!\Common [2011/06/13 19:46:00 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Dictionary - C:\Program Files\Yahoo!\Common [2011/06/13 19:46:00 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &Maps - C:\Program Files\Yahoo!\Common [2011/06/13 19:46:00 | 000,000,000 | ---D | M]
O8 - Extra context menu item: Yahoo! &SMS - C:\Program Files\Yahoo!\Common [2011/06/13 19:46:00 | 000,000,000 | ---D | M]
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://www.apple.com/qtactivex/qtplugin.cab (QuickTime Object)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll (Installation Support)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} http://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab (CPlayFirstdreamControl Object)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab (get_atlcom Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe (Virtools WebPlayer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7743F982-AA26-42CA-A84B-C3ABC8682C52}: DhcpNameServer = 192.168.1.254
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Sam\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Sam\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/05/26 15:25:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2010/04/20 15:37:17 | 000,054,544 | R--- | M] (Electronic Arts) - E:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2010/03/26 23:03:00 | 000,000,049 | R--- | M] () - E:\Autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/08 13:52:40 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2012/04/08 12:15:53 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/04/07 23:20:00 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Sam\Desktop\aswMBR.exe
[2012/04/07 23:15:59 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/04/07 23:14:37 | 002,073,136 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sam\Desktop\tdsskiller.exe
[2012/04/07 18:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2012/04/07 18:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Chrome
[2012/04/07 18:24:53 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2012/04/07 13:20:44 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/04/07 13:20:44 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/04/07 13:20:44 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/04/07 13:20:44 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/04/07 13:20:36 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/04/07 13:19:57 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/04/06 20:29:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Desktop\gmer
[2012/04/06 20:12:51 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Sam\Desktop\dds(1).scr
[2012/04/02 14:49:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
[2012/03/24 10:35:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\PC Tools Security
[2012/03/24 10:35:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Norton Security Scan
[2012/03/23 21:53:44 | 000,083,856 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2012/03/23 20:50:03 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Sam\Recent
[2012/03/23 18:18:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Yahoo
[2012/03/23 18:16:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Neopets Toolbar
[2012/03/23 18:16:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Google
[2012/03/23 18:15:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Threat Expert
[2012/03/22 18:14:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2012/03/22 18:13:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2012/03/22 18:12:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2012/03/22 18:12:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2012/03/18 13:28:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Sam\Application Data\Malwarebytes
[2012/03/18 13:28:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/03/18 13:28:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/03/18 13:28:38 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/03/18 13:28:38 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/03/18 13:23:58 | 009,604,712 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sam\Desktop\mbam-setup.exe
[2012/03/18 13:12:16 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012/03/17 11:25:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2012/03/12 17:23:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Mozilla
[2012/03/12 17:23:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Mozilla
[2012/03/12 17:22:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/03/10 16:00:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/03/10 16:00:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/08 13:57:00 | 000,000,418 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8C9E88BB-9418-4D0A-BC6B-F4DD8A5991C6}.job
[2012/04/08 13:52:40 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Sam\Desktop\OTL.exe
[2012/04/08 13:31:00 | 000,000,448 | ---- | M] () -- C:\WINDOWS\tasks\RMSmartUpdate.job
[2012/04/08 13:22:00 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/08 12:17:50 | 000,001,170 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/08 12:17:32 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/04/08 12:17:24 | 000,000,876 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/08 12:17:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/08 12:17:16 | 3218,702,336 | -HS- | M] () -- C:\hiberfil.sys
[2012/04/08 12:04:45 | 000,000,768 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\Shortcut to ComboFix.lnk
[2012/04/07 23:42:26 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\MBR.dat
[2012/04/07 23:22:17 | 000,441,552 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/07 23:22:17 | 000,071,488 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/07 23:20:14 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Sam\Desktop\aswMBR.exe
[2012/04/07 23:14:42 | 002,073,136 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Sam\Desktop\tdsskiller.exe
[2012/04/07 19:00:00 | 000,000,250 | ---- | M] () -- C:\WINDOWS\tasks\RMSchedule.job
[2012/04/07 18:24:59 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2012/04/07 12:05:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/04/06 20:21:01 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\gmer.zip
[2012/04/06 20:12:52 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Sam\Desktop\dds(1).scr
[2012/04/06 20:09:06 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Sam\defogger_reenable
[2012/03/28 17:53:34 | 000,000,742 | ---- | M] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/03/28 17:53:33 | 000,000,724 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/03/24 10:12:05 | 000,226,408 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/03/24 10:09:55 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/03/23 21:49:30 | 000,001,984 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/03/23 19:45:11 | 000,001,813 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2012/03/23 18:54:18 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe.d
[2012/03/23 18:23:37 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe_.b
[2012/03/23 18:23:37 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe.b
[2012/03/23 14:21:28 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/03/22 23:26:04 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\bv7E2m.dat
[2012/03/19 14:54:34 | 000,024,430 | ---- | M] () -- C:\Documents and Settings\Sam\Application Data\wklnhst.dat
[2012/03/18 13:28:41 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/18 13:26:13 | 009,604,712 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Sam\Desktop\mbam-setup.exe
[2012/03/18 13:18:47 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Sam\Desktop\iExplore.exe
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/04/08 12:04:45 | 000,000,768 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\Shortcut to ComboFix.lnk
[2012/04/07 23:42:26 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\MBR.dat
[2012/04/07 18:29:58 | 000,001,813 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Google Chrome.lnk
[2012/04/07 18:29:58 | 000,001,791 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/04/07 18:24:59 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2012/04/07 18:24:55 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2012/04/07 13:20:44 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/04/07 13:20:44 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/04/07 13:20:44 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/04/07 13:20:44 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/04/07 13:20:44 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/04/06 20:21:00 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\gmer.zip
[2012/04/06 20:09:06 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Sam\defogger_reenable
[2012/03/28 17:53:34 | 000,000,742 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\Mozilla Firefox.lnk
[2012/03/28 17:53:33 | 000,000,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Mozilla Firefox.lnk
[2012/03/28 17:53:33 | 000,000,724 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2012/03/24 10:35:02 | 000,001,839 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Sims™ 3 Ambitions.lnk
[2012/03/24 10:35:02 | 000,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2012/03/24 10:35:02 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2012/03/24 10:35:02 | 000,001,570 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Shockwave Games.lnk
[2012/03/24 10:35:02 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2012/03/24 10:35:02 | 000,001,471 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\Yahoo! Mail.lnk
[2012/03/24 10:35:02 | 000,001,000 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\The Treasures Of Mystery Island 3.lnk
[2012/03/24 10:35:02 | 000,000,990 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Phantasmat - Collector's Edition.lnk
[2012/03/24 10:35:02 | 000,000,984 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\HP Solution Center.lnk
[2012/03/24 10:35:02 | 000,000,979 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Norton Security Scan.lnk
[2012/03/24 10:35:02 | 000,000,970 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Farmscapes Collector's Edition.lnk
[2012/03/24 10:35:02 | 000,000,930 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Farm Frenzy - Gone Fishing.lnk
[2012/03/24 10:35:02 | 000,000,930 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Farm Frenzy - Ancient Rome.lnk
[2012/03/24 10:35:02 | 000,000,900 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mystery of Shark Island.lnk
[2012/03/24 10:35:02 | 000,000,815 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
[2012/03/24 10:35:02 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Registry Mechanic.lnk
[2012/03/24 10:35:02 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/03/24 10:35:02 | 000,000,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Guild Wars.lnk
[2012/03/24 10:35:02 | 000,000,079 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
[2012/03/24 10:35:01 | 000,001,808 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
[2012/03/24 10:35:01 | 000,001,730 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
[2012/03/24 10:35:01 | 000,001,665 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\forteManager.lnk
[2012/03/24 10:35:01 | 000,001,459 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Yahoo! Mail.lnk
[2012/03/24 10:35:01 | 000,001,077 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Live ID.lnk
[2012/03/24 10:35:01 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2012/03/24 10:35:00 | 000,002,489 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Word.lnk
[2012/03/24 10:35:00 | 000,002,024 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Streets & Trips.lnk
[2012/03/24 10:35:00 | 000,001,924 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Office PowerPoint Viewer 2003.lnk
[2012/03/24 10:35:00 | 000,001,701 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Works Task Launcher.lnk
[2012/03/24 10:35:00 | 000,001,578 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Play My Games.lnk
[2012/03/24 10:35:00 | 000,001,184 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\More Great Games.lnk
[2012/03/24 10:35:00 | 000,001,004 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Money 2005.lnk
[2012/03/24 10:34:57 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Apple Software Update.lnk
[2012/03/24 10:34:57 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader 9.lnk
[2012/03/23 20:51:19 | 3218,702,336 | -HS- | C] () -- C:\hiberfil.sys
[2012/03/23 20:30:57 | 000,000,853 | ---- | C] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
[2012/03/23 18:54:18 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe.d
[2012/03/23 18:23:37 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe_.b
[2012/03/23 18:23:37 | 000,000,001 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe.b
[2012/03/22 18:13:23 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\bv7E2m.dat
[2012/03/18 13:19:14 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Sam\Desktop\iExplore.exe
[2012/02/14 22:48:55 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/11/22 14:31:23 | 000,037,336 | ---- | C] () -- C:\WINDOWS\System32\CleanMFT32.exe
[2011/10/04 14:39:42 | 000,000,221 | ---- | C] () -- C:\WINDOWS\HP_RedboxHprblog_HPSU.ini
[2011/10/03 13:48:10 | 000,078,866 | ---- | C] () -- C:\WINDOWS\hpfins05.dat
[2011/10/03 13:48:10 | 000,001,395 | ---- | C] () -- C:\WINDOWS\hpfmdl05.dat
[2011/10/03 13:47:52 | 000,372,736 | ---- | C] () -- C:\WINDOWS\System32\hpzidi01.dll
[2011/10/03 13:47:52 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\hpzids01.dll
[2011/04/21 19:07:50 | 000,000,000 | ---- | C] () -- C:\WINDOWS\CastleMalloy.INI
[2010/10/11 18:53:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\ResortingToDanger.INI

< End of report >

#12 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 08 April 2012 - 02:38 PM

Hello

Run this custom script, and when it is complete I need to know how the computer is doing.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the textbox. Do not include the word Code.
    :OTL
    IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    IE - HKU\S-1-5-18\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
    FF - user.js - File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll File not found
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-2249135694-1289101630-2934927763-1006\..\Toolbar\WebBrowser: (no name) - {472734EA-242A-422B-ADF8-83D1E48CC825} - No CLSID value found.
    O4 - Startup: C:\Documents and Settings\Sam\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk = File not found
    O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab (Reg Error: Key error.)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    [2012/03/23 18:54:18 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe.d
    [2012/03/23 18:23:37 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe_.b
    [2012/03/23 18:23:37 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe.b
    [2012/03/23 14:21:28 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
    :Files
    ipconfig /flushdns /c
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    
  • Then click the Run Fix button at the top.
  • Click Posted Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

Let me know how things are doing.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
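The entries the fix script above removes share a few recognisable traits in the OTL output: registry references whose target no longer exists (OTL prints "No CLSID value found", "File not found" or "Reg Error: Key error." for those), anonymous one-byte files dropped straight into the shared All Users\Application Data root, and a Quick Launch shortcut named after the rogue "System Check" product. The Python script below, added here as an example and not part of OTL or of this thread, encodes those traits as triage heuristics and runs them over a constructed sample made of lines copied from the logs in this thread. The rogue-name list, the 1 KiB size threshold and the rule that executables under the NetworkService or LocalService profiles deserve a look (the Malwarebytes log later in the thread finds Trojan.Tracur DLLs there) are assumptions of the example; a flagged line is something to inspect, not proof of infection.

```python
"""Triage heuristics for OTL log lines, mirroring the traits of the entries the
fix script in this thread removed.  Added example; not part of OTL itself."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One OTL file/folder line, e.g.
#   [2012/03/23 18:54:18 | 000,000,001 | ---- | M] () -- C:\...\3C5yLIGO.exe.d
# Folder lines omit the "(company)" field, so that group is optional.
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<op>[CM])\](?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# Registry-style lines (IE -, FF -, O3 -, O4 -, O16 - ...).
REG_LINE = re.compile(r"^(IE|FF|O\d+) - ")
# Markers OTL prints when a registry entry points at something that no longer exists.
ORPHAN_MARKERS = ("No CLSID value found", "File not found", "Reg Error: Key error")

# Assumptions for this example: rogue product names matched against shortcut
# stems, and the size below which an anonymous file in the shared profile root
# is worth a look.  Tune both for your own case.
ROGUE_NAMES = {"system check"}
SMALL_FILE_BYTES = 1024
SHARED_APPDATA = "\\all users\\application data\\"
SERVICE_PROFILES = ("\\networkservice\\", "\\localservice\\")


@dataclass
class Finding:
    line: str
    reason: str


def classify_file_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious OTL file line, else None."""
    m = FILE_LINE.match(line)
    if not m:
        return None
    path = m.group("path")
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0].lower()
    company = (m.group("company") or "").strip()
    is_dir = "D" in m.group("attrs")
    size = int(m.group("size").replace(",", ""))

    # Shortcut named after a rogue security product.
    if name.lower().endswith(".lnk") and stem in ROGUE_NAMES:
        return Finding(line, "shortcut named after rogue product")
    # Anonymous tiny file dropped straight into the shared Application Data root.
    if (not is_dir and not company and size < SMALL_FILE_BYTES
            and low.endswith(SHARED_APPDATA + name.lower())):
        return Finding(line, "anonymous small file in shared Application Data root")
    # Executable content under a service-account profile (no user logs in there).
    if (not is_dir and any(p in low for p in SERVICE_PROFILES)
            and name.lower().endswith((".exe", ".dll", ".scr"))):
        return Finding(line, "executable under service-account profile")
    return None


def classify_registry_line(line: str) -> Optional[Finding]:
    """Return a Finding for a registry entry whose target is gone, else None."""
    if not REG_LINE.match(line):
        return None
    for marker in ORPHAN_MARKERS:
        if marker in line:
            return Finding(line, f"orphaned entry ({marker})")
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run both classifiers over raw log lines; indentation is ignored."""
    findings = []
    for raw in lines:
        line = raw.strip()
        found = classify_file_line(line) or classify_registry_line(line)
        if found:
            findings.append(found)
    return findings


# Constructed sample: lines copied from the OTL output in this thread, plus one
# benign driver line (mbam.sys) and one folder line that must not be flagged.
SAMPLE_LOG = r"""
[2012/03/18 13:28:38 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/04/02 14:49:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\HP Product Assistant
[2012/03/23 18:54:18 | 000,000,001 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe.d
[2012/03/22 23:26:04 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\bv7E2m.dat
[2012/03/23 14:21:28 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
IE - HKU\.DEFAULT\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - No CLSID value found
O4 - Startup: C:\Documents and Settings\Sam\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk = File not found
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.reason:55} {f.line}")
```

Run it against a saved OTL.txt with `triage(open("OTL.txt", encoding="utf-8", errors="replace"))`; the shared-root and service-profile rules are deliberately narrow so that vendor folders such as the HP Product Assistant directory in the sample pass through untouched.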

#13 pbrangwynne (Topic Starter)

  • Members
  • 10 posts

Posted 08 April 2012 - 03:03 PM

Posted 08 April 2012 - 03:03 PM

Great news! The System Check icon finally disappeared from the task bar. I can access all search engines and the computer appears to be running smoothly. Thanks again!


========== OTL ==========
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\URLSearchHooks\\{472734EA-242A-422b-ADF8-83D1E48CC825} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422b-ADF8-83D1E48CC825}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@Apple.com/iTunes,version=\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=3\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\@tools.google.com/Google Update;version=9\ deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-2249135694-1289101630-2934927763-1006\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.
C:\Documents and Settings\Sam\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk moved successfully.
Starting removal of ActiveX control {31435657-9980-0010-8000-00AA00389B71}
C:\WINDOWS\Downloaded Program Files\wvc1dmo.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{31435657-9980-0010-8000-00AA00389B71}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{31435657-9980-0010-8000-00AA00389B71}\ not found.
Starting removal of ActiveX control {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
C:\WINDOWS\Downloaded Program Files\mcinsctl.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe.d moved successfully.
C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe_.b moved successfully.
C:\Documents and Settings\All Users\Application Data\3C5yLIGO.exe.b moved successfully.
C:\Documents and Settings\Sam\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Sam\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Sam\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYJAVA]

User: Administrator

User: All Users

User: Default User

User: LocalService
->Java cache emptied: 0 bytes

User: NetworkService
->Java cache emptied: 0 bytes

User: Owner

User: Sam
->Java cache emptied: 0 bytes

Total Java Files Cleaned = 0.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 705 bytes

User: All Users

User: Default User
->Flash cache emptied: 56504 bytes

User: LocalService
->Flash cache emptied: 8303 bytes

User: NetworkService
->Flash cache emptied: 63326 bytes

User: Owner

User: Sam
->Flash cache emptied: 1602237 bytes

Total Flash Files Cleaned = 2.00 mb


OTL by OldTimer - Version 3.2.39.2 log created on 04082012_145445

#14 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 08 April 2012 - 03:48 PM

Posted 08 April 2012 - 03:48 PM

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using Add/Remove, or you can use the free uninstaller from Revo (it does a lot better of a job).

Programs to remove

Adobe Reader 9.5.0
Haunted House Screen Saver
Java™ 6 Update 22


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (hosts file not read, blank Notepad, ...).

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 08 April 2012 - 03:48 PM.


#15 pbrangwynne (Topic Starter)

  • Members
  • 10 posts

Posted 08 April 2012 - 05:34 PM

Posted 08 April 2012 - 05:34 PM

Hello Gringo,

Below are the logs for both the Malwarebytes quick scan and the Hijackthis scan. No problems occurred while following any of the steps for which you called. The computer appears to be running rather smoothly without any major hiccups. As always, thank you.


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.08.06

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Sam :: MY_ESCAPE [administrator]

4/8/2012 5:10:42 PM
mbam-log-2012-04-08 (17-10-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 210085
Time elapsed: 3 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\NetworkService\Application Data\Macromedia\Macromedia\oexuquj.dll (Trojan.Tracur) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\Macromedia\Macromedia\vubjh.dll (Trojan.Tracur) -> Quarantined and deleted successfully.

(end)



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:22:38 PM, on 4/8/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LG Soft India\forteManager\bin\Monitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
R3 - URLSearchHook: YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn5\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartCCC] "c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "c:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: forteManager.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://www.shockwave.com/content/dreamchronicles/sis/dreamweb.1.0.0.10.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus® Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - Unknown owner - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10918 bytes
